Spyware in the office

Computerworld - In a perfect world, corporate laptops and desktops would be outfitted with only authorized software that was appropriately configured, always up to date and patched, and protected by layers of security. Corporate information security policies would be painstakingly followed by professionals who never failed to employ best practices. IT audits, in turn, would be a formality -- a regular activity that simply confirmed a flawless IT environment.
What's far more likely is that corporate laptops and desktops include outdated, misconfigured and even unapproved applications. Users might download free games, utilities and media players on their corporate laptops or desktops or install peer-to-peer file-sharing programs.
In many cases, use of such utilities and programs is against corporate policy and a security risk to the organization. Why? Because many of these popular programs include spyware.
Threat or nuisance?
Spyware, sometimes called adware, snoopware or sneakware, is software that secretly gathers information about a user and relays that information to another party over the Internet. In many cases, users unknowingly install spyware when they download freeware or shareware, even though references -- often obscure -- to spyware might be included in the program's end-user agreement. In other instances, spyware programs are automatically installed when a user simply views an HTML e-mail or visits a certain Web page.
At its mildest, spyware is a simple tool used by advertisers to track users' Web-surfing preferences.
At its worst, spyware is used to monitor keystrokes, scan files, install additional spyware, reconfigure Web browsers, snoop e-mail and other applications, and more. Some of today's spyware can even capture screenshots or turn on webcams.
In a corporate environment, these capabilities pose a major threat to corporate security, especially since much of this activity goes on without anyone's knowledge.
Even in computing environments that encrypt data, spyware remains a threat to the security of corporate data because its keystroke-logging components capture input before it's encrypted.
An aid to spam
But that's not all. Spyware also leads to spam and vice versa. When spyware finds e-mail addresses, it sends them back out over the Internet to be traded, shared or sold to spammers. When unsolicited commercial e-mail finds a user who clicks to see an advertised product, spyware secretly downloads as the advertisement unfolds. This creates an administrative nightmare for corporate IT professionals, not to mention the legal implications it introduces as inappropriate content floods in-boxes.
Spyware also consumes memory and system resources. Because it constantly phones home to deliver user information and then sends back more pop-ups, banner ads
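The "phones home" behaviour described above is what a defender can actually measure: spyware that reports in on a timer produces contacts to the same host at near-constant intervals, which ordinary browsing does not. The script below is an added example, not part of the Computerworld article, that flags such regular contacts in web-proxy logs. The log lines are constructed and their "timestamp client host" layout is an assumption rather than any product's real format.

```python
"""Flag hosts that a client contacts at suspiciously regular intervals.

Added example (not from the Computerworld article): it models the
"phones home" behaviour the article describes and shows how a defender
can spot it in web-proxy logs. The log lines below are constructed; the
timestamp format and field order are assumptions, not any product's format.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in an assumed "ISO-timestamp client-ip host" layout.
# tracker.example.net is contacted every five minutes; the rest is browsing.
SAMPLE_PROXY_LOG = """\
2004-03-01T09:00:00 10.0.0.5 www.example.org
2004-03-01T09:00:10 10.0.0.5 tracker.example.net
2004-03-01T09:01:12 10.0.0.5 news.example.com
2004-03-01T09:05:10 10.0.0.5 tracker.example.net
2004-03-01T09:10:11 10.0.0.5 tracker.example.net
2004-03-01T09:13:40 10.0.0.5 www.example.org
2004-03-01T09:15:10 10.0.0.5 tracker.example.net
2004-03-01T09:20:09 10.0.0.5 tracker.example.net
2004-03-01T09:25:10 10.0.0.5 tracker.example.net
2004-03-01T09:31:02 10.0.0.5 mail.example.com
2004-03-01T09:48:27 10.0.0.5 www.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return {(client, host): [datetime, ...]} from the assumed layout."""
    contacts = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, client, host = m.groups()
        contacts[(client, host)].append(datetime.fromisoformat(ts))
    return contacts


def find_beacons(contacts, min_hits=4, max_jitter=0.10):
    """Return {(client, host): mean_interval_seconds} for regular contacts.

    A pair is flagged when it has at least min_hits contacts and the gaps
    between them vary by no more than max_jitter (standard deviation as a
    fraction of the mean). Human browsing is bursty and fails this test;
    a scheduled phone-home passes it.
    """
    beacons = {}
    for key, times in contacts.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        rel_dev = statistics.pstdev(gaps) / mean
        if rel_dev <= max_jitter:
            beacons[key] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(parse_log(SAMPLE_PROXY_LOG)).items():
        print(f"{client} -> {host}: contacted every {interval}s")
```

Tune `min_hits` and `max_jitter` to the log volume: a day of proxy traffic per client needs a higher hit threshold, and spyware that randomises its timer needs a looser jitter bound paired with a host-reputation check.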

Three steps for defending against internal threats

Computerworld - Mydoom and its variants demonstrate the threats that worms and viruses pose to internal corporate networks. They have crawled their way into enterprise networks across the globe, propagating, wreaking havoc and forcing IT administrators to work overtime to rid their systems of the pests.
For years, computer security experts and analysts have been talking about internal threats to enterprise information, yet no elegant solutions have presented themselves. Risks from internal threats are the most difficult to defend against and are generally more damaging than better-known external threats.
Companies today face a delicate balance between empowering employees and protecting corporate resources. Today's firewalls go well beyond traditional packet-header inspection; instead they examine packet contents and reassemble traffic to investigate the data in its intended formats. This progress comes as shifts in the market have reduced costs. It's time to rethink internal enterprise security options.
First let's look at some of these key threats -- worms and internal hackers.

Disruptive worms
Worms such as Mydoom and Sobig are among the latest internal threats. A worm will typically be launched externally, but once inside a network, the IT administrator and staff must stop the worm and minimize the internal damage from the infestation. Blended threats are extremely disruptive, consuming corporate and IT resources to stop their effects and repair damaged systems. Each new worm is more complicated and destructive than the last.

Internal hackers
Once a hacker has access to a network, his work is generally three-quarters complete. An internal hacker might be a strong technical resource within an organization. With a keycard to enter the building, the hacker might already hold all the authorizations a typical enterprise grants to access just about any information needed. This employee level of access is the main reason internal threats are so detrimental. Further, the introduction of wireless technology into the workplace and the general acceptance of telecommuting have all but made physical security obsolete.


Technology advances, markets shift
Advanced threats combined with market and technology shifts are encouraging businesses of all sizes to deploy enhanced internal threat protection. Meanwhile, the cost of security technology has dropped considerably over the past few years as technologies like firewalls and VPNs have become commodities. As these traditional technologies mature, efforts are made to extend the life of existing security and networking equipment, for example with complementary departmental gateway antivirus devices.
Below are three simple and relatively inexpensive steps your company can take to better defend against internal threats.

1. Deploy 'intrawalls' (firewalls between departments)
Firewalls are commonplace and

Top execs urged to zero in on security

Companies should make information security a focus at the top levels of management and corporate strategy, rather than leaving the issue solely to technology departments, the group said as part of a policy statement on digital security.

Making the issue a top-level focus would alert more companies to the dangers and costs of viruses and computer break-ins, as well as improve overall national security, the group said.

Microsoft investigates 'download warning' flaw

Microsoft has said it will take "appropriate action" to fix a problem in Internet Explorer and Windows XP SP2 that allows a malicious Web site to bypass the browser's warnings when downloading potentially harmful content.

On Monday, French Web site K-otik published exploit code that could take advantage of the vulnerability. On Tuesday, a Microsoft representative said that the risk from the flaw is low because "significant user interaction and user interface steps have to occur before any malicious code can be executed."

However, the software giant did admit that it was possible to bypass the security warnings in IE--even when using Windows XP with Service Pack 2.

"Microsoft is investigating this method of bypassing the Internet Explorer download warning and will take appropriate action to cover this scenario in order for customers to be properly advised that executables downloaded from the Internet can be malicious in nature," the representative said.

The representative acknowledged that if the file were saved in the start-up folder, it would automatically run the next time the user restarted his computer.

"The user must go to the folder containing that executable and choose to run it, or log off and log back onto the computer if the attacker attempted to save the malicious executable into the user's Windows start-up folder," the representative said.

However, the representative said the problem was not a security vulnerability but actually a clever use of social engineering.

"It is important to note that this is not the exploitation of a security vulnerability, but an attempt by an attacker to use social engineering to convince a user to save an executable file on the hard drive without first receiving the Internet Explorer download warning," the representative said.

Still, some security experts disagree with Microsoft on this point.

Sean Richmond, senior technology consultant at antivirus company Sophos Australia, agreed that the exploit would require some user interaction but said this was definitely bypassing a security feature in IE and SP2.

"This is certainly something that is bypassing some of the security features that are meant to be there. It is a way of bypassing the dialogs in IE. It will result in the (malicious) file being saved on the user's computer," said Richmond, who added that the matter would be worse if that file could be saved in a computer's start-up folder.
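Both Microsoft and Richmond single out the start-up folder because anything saved there runs at the next logon, so from a defender's side the useful control is to know when that folder changes. The script below is an added example, not a Microsoft tool and not from the news story: it takes a hashed snapshot of a folder, compares a later snapshot against that baseline, and marks additions or modifications whose extension Windows would execute. The Startup path is an assumption, and the demo runs against a temporary directory with constructed files so it works on any operating system.

```python
"""Report new or changed items in a Windows Startup folder.

Added example, not from the news story or from Microsoft: the story notes
that an executable placed in a user's Startup folder runs at the next
logon, so this baseline/snapshot comparison alerts on changes there. The
folder path is an assumption; the demo uses a temporary directory with
constructed files instead of a real Startup folder.
"""
import hashlib
import os
import tempfile

# Assumed per-user Startup folder location; only used if you call snapshot() on it.
USER_STARTUP = os.path.expandvars(
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
)

# Extensions Windows will execute, or hand to an interpreter, from Startup.
RISKY_EXT = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif", ".lnk", ".ps1"}


def snapshot(folder):
    """Map each regular file name in folder to its SHA-256 digest."""
    result = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            result[name] = hashlib.sha256(f.read()).hexdigest()
    return result


def review(baseline, current):
    """Return a list of (name, change, risky) for every difference.

    change is 'added', 'changed' or 'removed'; risky is True when the
    file's extension is one Windows would run from the Startup folder.
    """
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            change = "added"
        elif name not in current:
            change = "removed"
        elif baseline[name] != current[name]:
            change = "changed"
        else:
            continue  # unchanged entry, nothing to report
        risky = os.path.splitext(name)[1].lower() in RISKY_EXT
        findings.append((name, change, risky))
    return findings


def demo():
    """Run the check on a constructed temporary folder and return the findings."""
    with tempfile.TemporaryDirectory() as folder:
        # Baseline: the folder holds only the usual desktop.ini.
        with open(os.path.join(folder, "desktop.ini"), "w") as f:
            f.write("[.ShellClassInfo]\n")
        baseline = snapshot(folder)
        # Simulate a file landing in Startup after the baseline was taken.
        # The bytes are a constructed placeholder, not a real binary.
        with open(os.path.join(folder, "update.exe"), "wb") as f:
            f.write(b"MZ constructed placeholder, not a real binary")
        return review(baseline, snapshot(folder))


if __name__ == "__main__":
    for name, change, risky in demo():
        print(f"{'ALERT' if risky else 'info '} {change}: {name}")
```

In practice the baseline is stored centrally after a clean build, `snapshot()` is run on both the per-user and the all-users Startup folders on a schedule, and any `risky` finding is treated as a persistence event rather than merely logged.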

Richard Starnes, an information security professional with around 20 years' experience in information security, incident response, computer crime investigation and cyberterrorism, said that legislation could be used to force Microsoft--and other software developers--to improve their code and take financial responsibility for their customers' losses.

"I wonder how solid Microsoft's coding would become if strategic governments around the world removed the liability shield that software manufacturers now currently enjoy," Starnes said. "They would then have some real financial incentive to get it right the first time, instead of this Computer Science 101 coding they are continually churning out."

Starnes believes the quality of software development has fallen in the past two decades.

"Most commercial releases of software today wouldn't have made it out of beta 20 years ago," he added.

Cyber-security new year resolutions for 2007

Consumers have been led to believe that hacker attacks and social engineering outbreaks will be on the increase over the holiday period, but the chances are that not many users have prepared a checklist to go through to make sure they're secure.

Security firm Perimeter eSecurity claims that users should take six key steps to ensure the maximum possible computer and network security as New Year's Eve approaches in an era rife with data theft, record levels of spam and increasingly innovative computer fraud.

"It doesn't take very long to enhance the security of a computer or its network," said Andrew Greenawalt, founder of Perimeter eSecurity.

"Whether you have a small business network or a vast business enterprise, these seven steps are imperatives to optimise your security as the New Year approaches."
Step One - Change every password you can find before New Year's Eve
Every online commerce site visited, every computer, and any other password-protected device or website becomes more secure with this simple, time-efficient move. Avoid easily discovered passwords such as names or numeric series, and resolve to change your passwords at least quarterly in 2007.

Step Two - Download patches and updates
Even the least expensive computer security programs offer downloadable updates or patches that can detect the latest viruses, close backdoors that hackers have discovered, or otherwise enhance network protection. Network owners with less thorough security programs should resolve to check and update patches on a monthly basis.

Step Three - Hire a hacker
Network owners should use the holiday lull to conduct a penetration test to identify weaknesses in network security. Instead of attacking databases and network tools, these scans report back on specific vulnerabilities and recommend ways to solve the problems they identify.

Step Four - Conduct regular check-ups and keep your network safe by scheduling ongoing risk assessments
Automated monthly remote risk assessments can be conducted for less than the cost of a single onsite review and can help ensure that confidential customer and financial data is as secure as possible from external attack. Waiting a full year between risk assessments in today's internet is no longer a viable option.

Step Five - Communicate and review your data security policy
Write a memo to all staff members stressing the importance of protecting critical confidential customer data such as social security, bank account or credit card numbers. State an explicit policy on how and when, if ever, these should be included in unsecured email correspondence with customers and others.

Step Six - Keep the network virus free
With the increasing number of entry points for viruses to penetrate the network, such as email attachments, shared files, infected websites and downloads, a full evaluation of the network is critical to ensure that safeguards are in place to protect all these entry points and minimise infection. Simply installing antivirus software is not enough. The antivirus system still needs to be monitored to ensure that the most recent definition files are updated on all devices and that you are alerted when a device is not up to date.
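Step Six ends with the part most small networks skip: someone has to be told when a device's definitions have stopped updating or its protection has been switched off. The script below is an added example, not from the article or from Perimeter eSecurity, that turns that sentence into a check. It reads a device inventory in an assumed CSV layout (hostname, date of last definition update, whether real-time protection is on) and reports every device that needs attention; the rows are constructed.

```python
"""Alert on devices whose antivirus definitions are stale or whose
real-time protection is off.

Added example, not from the article or Perimeter eSecurity. The CSV
inventory layout is an assumption (most AV consoles can export something
similar), and the rows below are constructed for the demo.
"""
import csv
import io
from datetime import date, timedelta

# Constructed inventory: hostname, last definition date (ISO), real-time on?
SAMPLE_INVENTORY = """\
hostname,last_definition_update,realtime_enabled
fin-laptop-01,2006-12-29,yes
hr-desktop-07,2006-12-20,yes
dev-build-02,2006-12-30,no
sales-laptop-11,,yes
"""


def parse_inventory(text):
    """Return a list of device dicts; a blank date becomes None."""
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["last_definition_update"].strip()
        devices.append({
            "hostname": row["hostname"].strip(),
            "last_update": date.fromisoformat(raw) if raw else None,
            "realtime_enabled": row["realtime_enabled"].strip().lower() == "yes",
        })
    return devices


def find_alerts(devices, today, max_age_days=3):
    """Return {hostname: [reason, ...]} for every device needing attention.

    A device is reported when it has no recorded update, when its
    definitions are older than max_age_days, or when real-time protection
    is disabled. All applicable reasons are listed, not just the first.
    """
    cutoff = today - timedelta(days=max_age_days)
    alerts = {}
    for d in devices:
        reasons = []
        if d["last_update"] is None:
            reasons.append("no definition update recorded")
        elif d["last_update"] < cutoff:
            reasons.append(f"definitions {(today - d['last_update']).days} days old")
        if not d["realtime_enabled"]:
            reasons.append("real-time protection disabled")
        if reasons:
            alerts[d["hostname"]] = reasons
    return alerts


def demo():
    """Evaluate the constructed inventory as of 31 Dec 2006."""
    return find_alerts(parse_inventory(SAMPLE_INVENTORY), date(2006, 12, 31))


if __name__ == "__main__":
    for host, reasons in demo().items():
        print(f"{host}: {'; '.join(reasons)}")
```

Run it from a daily scheduled job against a fresh console export and route the output to whoever owns patching; a device that never appears in the export at all (switched off, or with the agent removed) is the one case this check cannot see, so compare the inventory against the asset list as well.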

Super stealthy Internet messaging method revealed

A pair of Princeton University researchers presented a paper this week on a method for sending secret messages over existing public fiber-optic networks.

Princeton's Bernard Wu and Evgenii Narimanov made their presentation at the annual Optical Society of America meeting in Rochester, N.Y.

Their encryption technology is hardware-oriented and uses the properties of optical fiber to disguise a message. The technique involves sending a signal so faint that it is hard to detect or unscramble, because it is hidden by the natural optical noise of the network.

More specifically, the technique involves use of commercially available optical CDMA encoders that spread short, intense pulses of light carrying messages. The recipient decodes the message using information about how the message was spread out in the first place, plus compression gear.

Wu said in a statement that he does not believe anyone is using this method yet, because optical CDMA technology is still undergoing much research. He also said there could be a speed tradeoff for increased security.

The paper presented is called "Achieving Secure Stealth Transmission via a Public Fiber-Optical Network."

As with any supersecret network technology, the benefits to companies and government agencies would need to be weighed against the benefits criminals could gain from a way of sending undetectable messages.

Better late than never: MySpace finally enables data sharing

One of the main reasons that people drag out for not joining new social networks is that they hate having to fill out entirely new profiles by adding all the same info that they've entered a thousand times before. Because there are few easy ways to share data between networks, users feel the need to pick and choose which ones they want to be a part of. As a result, MySpace, long the top dog in the social networking pack, has been suffering a bit over the last few years for its complete lack of integration with... pretty much anything else. Until now, that is. MySpace has announced a new Data Availability initiative that will finally let the site play nice with newer social networks and allow users to share info across the web.

"The walls around the garden are coming down—the implementation of Data Availability injects a new layer of social activity and creates a more dynamic Internet," MySpace CEO Chris DeWolfe said in a statement. "We, alongside our Data Availability launch partners, are pioneering a new way for the global community to integrate their social experiences Web-wide."


Better late than never: MySpace finally enables data sharing

One of the main reasons that people drag out for not joining new social networks is that they hate having to fill out entirely new profiles by adding all the same info that they've entered a thousand times before. Because there are few easy ways to share data between networks, users feel the need to pick and choose which ones they want to be a part of. As a result, MySpace, long the top dog in the social networking pack, has been suffering a bit over the last few years for its complete lack of integration with... pretty much anything else. Until now, that is. MySpace has announced a new Data Availability initiative that will finally let the site play nice with newer social networks and allow users to share info across the web.

"The walls around the garden are coming down—the implementation of Data Availability injects a new layer of social activity and creates a more dynamic Internet," MySpace CEO Chris DeWolfe said in a statement. "We, alongside our Data Availability launch partners, are pioneering a new way for the global community to integrate their social experiences Web-wide."

Those launch partners include Yahoo, eBay, Photobucket, and Twitter, with more possibly on the way. MySpace plans to introduce a centralized location within its own site that will allow users to manage how their data is shared. Theoretically, a user will be able to say that she wants photos to be posted simultaneously to MySpace and Photobucket (instead of having to go to each site separately and upload the same photo twice), or that an updated status message will save both to MySpace and Twitter. MySpace profile details will be able to be imported into Yahoo's universal profile for use with its IM program or even Yahoo Mail, too.

MySpace praises itself heavily by calling the move "ground-breaking" and "the first time that a social web site has enabled its community to dynamically share public profile information with other sites." It may be the first time these tools are available directly from the company that runs the network, but other sites (such as Facebook) have been sharing information across the web for some time now, thanks largely to the widgets and applications created by their communities. For example, there are a number of Facebook apps that allow users to import their updates to Twitter into their Facebook profiles, or cross-post their Facebook status updates to Twitter. Users can also pull in a dynamic feed of their Flickr photos to Facebook, display updates made to other social networking sites, show songs they've recently purchased on iTunes, and more. Clearly, MySpace has taken a hint from Facebook in launching its Data Availability project, but has decided to take all the credit for the idea.

Speaking of which, Facebook (the second largest social network on the web) is noticeably missing from the list of launch partners. This may be because Facebook is MySpace's largest competitor, but MySpace claims that it is open to working with the company. "We're happy to work with Facebook if they want to join up with us on this project. That goes for any other site out there as well," DeWolfe said during a conference call yesterday, according to the New York Times.

Too bad Facebook application developers have already beaten MySpace to the punch—there are (at least) three apps that allow Facebook users to import their MySpace profiles into Facebook, and a large smattering of others that grab info dynamically from MySpace so that it is shared across both sites. Still, loyal MySpace users will likely welcome the site's efforts to be social with other networks, even if it remains several steps behind Facebook in the breadth of sites and services it can share with.

Ex-NASA workers accused of stashing kiddie porn on federal computers

(09-26) 18:02 PDT SAN JOSE - Two former NASA officials were indicted by a federal grand jury in San Jose today on charges of possessing child pornography on their government computers.

Christopher Burt Wiltsee, 56, of Morgan Hill and Mark Charles Zelinsky, 56, of San Bruno were named in separate indictments handed down today.

Wiltsee was employed at the Ames Research Center of the National Aeronautics and Space Administration in June 2005 when he possessed images of child pornography on a government computer, the indictment against him said.

Zelinsky was employed at the same facility in August 2005 when he also allegedly had child-pornography images on his government computer, authorities said.

NASA Ames spokesman Mike Mewhinney confirmed today that both men no longer work at the center.

Knowledge-Based Authentication for the Internet User

If you shop or bank online, you have probably noticed an additional security layer beyond providing your username and password. I'm referring to the additional security questions that ask for your older sibling's middle name, the name of your first love or even your favorite make of car. This additional layer of security is called Knowledge-Based Authentication.

The idea behind this form of authentication is that the questions are so personal and obscure that no one except you should know your unique answers. Unfortunately, the answers to some questions, such as your mother's maiden name, your favorite movie or your younger brother's favorite color, can be found through online research. Online research can include genealogy websites, search engines and even social networking communities. As we make ourselves available for the whole world to see at social networking communities, we provide a basic image of our personality, likes, dislikes, aptitudes, limitations, and strengths. If a malicious hacker targets us as an individual, odd bits of information put together can provide enough material that they can try possibilities until one is valid. This is the reason no one should post personal information that can be pieced together to identify your name, location or phone number.

Criminals can also get your information through keystroke loggers and spyware. Installing, updating and using anti-virus and anti-spyware software are necessary protections whenever a computer is connected to the internet.

Getting duped by a phishing scam can hand the phisher your logon credentials (including your personal answers) when you unknowingly respond and unintentionally enter your information on the phisher's webpages. Phishers are getting more sophisticated at duplicating websites and try to imitate the interfaces of high-traffic websites as accurately as they can. So they may also replicate the second logon webpage that asks for your answers to the security questions.

As internet users, we can help protect our information online by making it as tough as possible for malicious hackers, and for anyone who knows us, to access personal information without permission. Knowledge-based authentication is meant to confirm that you are the same person who originally registered and not an imposter who happens to have your username and password. Banks need personal identification such as mother's maiden name, driver's license number, proof of address or social security number when opening an account to verify that you are really you and not an imposter. But they don't need truthful answers to the security questions. The security questions at their website exist only so that their system can identify you as you and not an imposter. Use common everyday words as answers to security-authentication questions, such as table, chair, word, or correct. Just be sure of two things: the answer makes no logical sense in response to the question, and you use different answers to the same question at different websites, just as you do with username/password combinations at different websites. Now, if someone tries to guess the answers, they won't be able to. Who would think that my older brother's middle name is chair?



Cyberattack on Google Said to Hit Password System

Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications.


The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December, the person said. Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services.

The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.

The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google’s that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in a cluster of computers, popularly referred to as “cloud” computing, a single breach can lead to disastrous losses.

The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified.

By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.

The details surrounding the theft of the software have been a closely guarded secret by the company. Google first publicly disclosed the theft in a Jan. 12 posting on the company’s Web site, which stated that the company was changing its policy toward China in the wake of the theft of unidentified “intellectual property” and the apparent compromise of the e-mail accounts of two human rights advocates in China.

The accusations became a significant source of tension between the United States and China, leading Secretary of State Hillary Rodham Clinton to urge China to conduct a “transparent” inquiry into the attack. In March, after difficult discussions with the Chinese government, Google said it would move its mainland Chinese-language Web site and begin rerouting search queries to its Hong Kong-based site.

Company executives on Monday declined to comment about the new details of the case, saying they had dealt with the security issues raised by the theft of the company’s intellectual property in their initial statement in January.

Google executives have also said privately that the company had been far more transparent about the intrusions than any of the more than two dozen other companies that were compromised, the vast majority of which have not acknowledged the attacks.

Google continues to use the Gaia system, now known as Single Sign-On. Hours after announcing the intrusions, Google said it would activate a new layer of encryption for Gmail service. The company also tightened the security of its data centers and further secured the communications links between its services and the computers of its users.

Several technical experts said that because Google had quickly learned of the theft of the software, it was unclear what the consequences of the theft had been. One of the most alarming possibilities is that the attackers might have intended to insert a Trojan horse — a secret back door — into the Gaia program and install it in dozens of Google’s global data centers to establish clandestine entry points. But the independent security specialists emphasized that such an undertaking would have been remarkably difficult, particularly because Google’s security specialists had been alerted to the theft of the program.

However, having access to the original programmer’s instructions, or source code, could also provide technically skilled hackers with knowledge about subtle security vulnerabilities in the Gaia code that may have eluded Google’s engineers.

“If you can get to the software repository where the bugs are housed before they are patched, that’s the pot of gold at the end of the rainbow,” said George Kurtz, chief technology officer for McAfee Inc., a software security company that was one of the companies that analyzed the illicit software used in the intrusions at Google and at other companies last year.

Rodney Joffe, a vice president at Neustar, a developer of Internet infrastructure services, said, “It’s obviously a real issue if you can understand how the system works.” Understanding the algorithms on which the software is based might be of great value to an attacker looking for weak points in the system, he said.

When Google first announced the thefts, the company said it had evidence that the intrusions had come from China. The attacks have been traced to computers at two campuses in China, but investigators acknowledge that the true origin may have been concealed, a quintessential problem of cyberattacks.

Several people involved in the investigation of break-ins at more than two dozen other technology firms said that while there were similarities between the attacks on the companies, there were also significant differences, like the use of different types of software in intrusions. At one high-profile Silicon Valley company, investigators found evidence of intrusions going back more than two years, according to the person involved in Google’s inquiry.

In Google’s case, the intruders seemed to have precise intelligence about the names of the Gaia software developers, and they first tried to access their work computers and then used a set of sophisticated techniques to gain access to the repositories where the source code for the program was stored.

They then transferred the stolen software to computers owned by Rackspace, a Texas company that offers Web-hosting services, which had no knowledge of the transaction. It is not known where the software was sent from there. The intruders had access to an internal Google corporate directory known as Moma, which holds information about the work activities of each Google employee, and they may have used it to find specific employees.

Lessons from Twitter's security breach

Twitter's latest security hole has less to do with its users than it does with its staff, but lessons can be learned on both sides.

In the case of Jason Goldman, who is currently Twitter's director of product management, the simplicity of Yahoo's password recovery system was enough to let a hacker get in and gain information from a number of other sites, including access to other Twitter staff's personal accounts.

The aftermath of the hack, which took place in May, is only now surfacing. Documents that a hacker going by the alias Hacker Croll recovered from Goldman's account and others (including that of Twitter co-founder Evan Williams) could be a treasure trove of inside information about the company and its plans.

While Croll was planning to release the entire batch publicly (and at once), tech blog TechCrunch posted news late Tuesday that it had received them and was considering posting the details of at least some of them.

Although it seems that Twitter has been thrust into this situation a bit unfairly, a hack along these lines could have happened to the executives of more Web companies than anybody would like to admit. What it really highlights is the extreme interconnectedness of the social Web: with the likes of e-mail contact importing and data-portability services like Facebook Connect now commonplace, a savvy hacker can have access to multiple accounts simply by accessing one.

A post Wednesday on Twitter's official blog highlights just how far-reaching this can be.

"About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked," the post from co-founder Biz Stone read. "From the personal account, we believe the hacker was able to gain information which allowed access to this employee's Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company."

Following that attack, Twitter conducted a security audit, and Stone's post says that there was not a security vulnerability in Google Apps and that Twitter continues to use the suite internally. A separate hack targeted the account of CEO Evan Williams' wife, and from that some of Williams' personal accounts were accessed as well, Stone explained.

But Twitter is front and center in the news these days, and is now talked about as a communications protocol as much as a Web start-up. Not only does that make it a particularly appealing target, but it also means the reverberation in the media will be all the more sensational and lasting. And this isn't the first Twitter security panic to hit the press by any means. A number of celebrities' accounts were hacked in January, which the company blamed on an "individual" hacker rather than any of the various phishing scams that had been popping up occasionally on the microblogging service.


Security of Web apps under fire

Despite the breach, Twitter's executives say they have faith in the cloud and securing data online.

"This is more about Twitter being in enough of a spotlight that folks who work here can become targets," Stone's post read. "This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords."

Stone added that Twitter is communicating with its legal counsel--the company just hired former Google lawyer Alexander Macgillivray, conveniently--to figure out how to deal not only with the hacker but with people who share or publish the documents in question.

As for the log-ins though, it's a wake-up call to the importance of a good password, and having systems in place that make it hard for the wrong people to get in. And not all systems are created equal.

For instance, gaining access to someone's Yahoo account (which is how this all started) can be simple if you have access to one of their other e-mail accounts. Yahoo's process for password retrieval has several steps, the primary one being the option to send a password reset to another e-mail account it has on file. There's also the option to say you can't access that e-mail account, which is likely the route the hacker went. Doing this takes you to a page where you have to answer a secret question (usually a pet name), the answer to which is set during the account sign-up process.

Yahoo's password recovery screen.

After three unsuccessful tries at the secret question, Yahoo pulls up a screen that gives you the choice to either validate your identity via a credit or debit card number, or go back to answering more questions. If you fail the personal question another five times, your account is temporarily locked out from password retrieval for 24 hours; however, logging in with the proper credentials is still allowed.
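As an added example, not code from any of the articles above, here is a server-side verifier for knowledge-based-authentication answers that applies the points made in the Knowledge-Based Authentication article (answers stored like passwords, answers readable off a public profile rejected at enrolment) and the attempt-throttling policy described for the Yahoo recovery flow (escalate after 3 failures, lock recovery for 24 hours after 5 more). All class and function names, the constants and the sample data are assumptions made for illustration.

```python
"""Constructed example: a KBA verifier for account recovery.

  * answers are normalised, salted and slow-hashed, and an enrolment check
    rejects answers that appear in the user's public profile;
  * guessing is throttled in two stages: after FIRST_STAGE_TRIES failures the
    caller is told to escalate to a stronger factor, after SECOND_STAGE_TRIES
    further failures recovery is locked for LOCKOUT_SECONDS.  Normal login is
    a separate path and is not locked here, matching the flow described above.
"""

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

FIRST_STAGE_TRIES = 3          # failures before escalation is offered
SECOND_STAGE_TRIES = 5         # further failures before lockout
LOCKOUT_SECONDS = 24 * 3600    # recovery lockout only, not a login lockout
PBKDF2_ROUNDS = 100_000        # illustrative; tune (or use argon2) in production


def normalise(answer: str) -> str:
    """Case- and whitespace-insensitive comparison; nothing else is forgiven."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


def is_weak_answer(answer: str, public_profile_values) -> bool:
    """True if the answer is very short or appears inside any value the user
    has published (family name, home town, ...), i.e. is researchable."""
    a = normalise(answer)
    if len(a) < 3:
        return True
    return any(a in normalise(v) for v in public_profile_values)


@dataclass
class StoredQuestion:
    prompt: str
    salt: bytes
    digest: bytes

    @classmethod
    def enroll(cls, prompt: str, answer: str, public_profile_values=()):
        if is_weak_answer(answer, public_profile_values):
            raise ValueError("answer is discoverable from the public profile")
        salt = os.urandom(16)
        return cls(prompt, salt, hash_answer(answer, salt))


@dataclass
class RecoveryState:
    failures: int = 0
    locked_until: float = 0.0


class KBAVerifier:
    """Holds enrolled questions per user and throttles recovery attempts."""

    def __init__(self, questions, clock=time.time):
        self.questions = questions      # user -> list[StoredQuestion]
        self.clock = clock              # injectable so tests can advance time
        self.state = {}                 # user -> RecoveryState

    def status(self, user: str) -> str:
        st = self.state.setdefault(user, RecoveryState())
        if st.locked_until > self.clock():
            return "locked"
        return "escalate" if st.failures >= FIRST_STAGE_TRIES else "question"

    def verify(self, user: str, index: int, answer: str) -> str:
        """Returns "ok", "wrong", "escalate" or "locked"."""
        st = self.state.setdefault(user, RecoveryState())
        now = self.clock()
        if st.locked_until > now:
            return "locked"
        q = self.questions[user][index]
        # constant-time compare so timing does not leak how close a guess was
        if hmac.compare_digest(hash_answer(answer, q.salt), q.digest):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= FIRST_STAGE_TRIES + SECOND_STAGE_TRIES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            return "locked"
        if st.failures >= FIRST_STAGE_TRIES:
            return "escalate"
        return "wrong"


if __name__ == "__main__":
    # constructed sample: a nonsense answer, as the KBA article recommends
    q = StoredQuestion.enroll("older brother's middle name", "chair",
                              public_profile_values=["Jane Smith", "Springfield"])
    v = KBAVerifier({"alice": [q]})
    print(v.verify("alice", 0, " Chair "))          # ok
    for guess in ["james", "john", "robert", "michael"]:
        print(guess, v.verify("alice", 0, guess))   # wrong, wrong, escalate, escalate
```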

On a Google Apps account, which Stone says Twitter is still using, it's not quite as simple. A Google representative told CNET News that the company's Apps service handles password recovery differently from how it does on other Google products. For instance, users have to ask for a password directly from their account administrator, instead of through Google. That administrator can also choose how long and complex passwords must be.

Even with this more stringent layer of security, some security experts have their doubts. People shouldn't expect free, online services to provide the same standard of security that they would get from their internal corporate system, said Peter "Mudge" Zatko, technical director of national intelligence at BBN Technologies who spoke to CNET News on Wednesday.

"It's pretty ridiculous. The data is not stored at your place; it's not in your control," and problems could arise if the service provider changes its policies or gets sold, he said. "Nothing is really free."

Users of Yahoo Mail and Google Docs need to understand the convenience-security tradeoff, and that they compromise sensitive corporate data if they put it on publicly accessible systems or use the same passwords for internal and external networks, Zatko said.

"These services are very much about convenience and providing convenience for their users and part of convenience is ease of accessibility," he said. "You can't make something easy to access and terribly secure at the same time. Those are diametrically opposed goals."



Cyberattack on Google Said to Hit Password System

Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications.

Readers' Comments

Readers shared their thoughts on this article.

The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December, the person said. Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services.

The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.

The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google’s that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in a cluster of computers, popularly referred to as “cloud” computing, a single breach can lead to disastrous losses.

The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified.

By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.

The details surrounding the theft of the software have been a closely guarded secret by the company. Google first publicly disclosed the theft in a Jan. 12 posting on the company’s Web site, which stated that the company was changing its policy toward China in the wake of the theft of unidentified “intellectual property” and the apparent compromise of the e-mail accounts of two human rights advocates in China.

The accusations became a significant source of tension between the United States and China, leading Secretary of State Hillary Rodham Clinton to urge China to conduct a “transparent” inquiry into the attack. In March, after difficult discussions with the Chinese government, Google said it would move its mainland Chinese-language Web site and begin rerouting search queries to its Hong Kong-based site.

Company executives on Monday declined to comment about the new details of the case, saying they had dealt with the security issues raised by the theft of the company’s intellectual property in their initial statement in January.

Google executives have also said privately that the company had been far more transparent about the intrusions than any of the more than two dozen other companies that were compromised, the vast majority of which have not acknowledged the attacks.

Google continues to use the Gaia system, now known as Single Sign-On. Hours after announcing the intrusions, Google said it would activate a new layer of encryption for Gmail service. The company also tightened the security of its data centers and further secured the communications links between its services and the computers of its users.

Several technical experts said that because Google had quickly learned of the theft of the software, it was unclear what the consequences of the theft had been. One of the most alarming possibilities is that the attackers might have intended to insert a Trojan horse — a secret back door — into the Gaia program and install it in dozens of Google’s global data centers to establish clandestine entry points. But the independent security specialists emphasized that such an undertaking would have been remarkably difficult, particularly because Google’s security specialists had been alerted to the theft of the program.

However, having access to the original programmer’s instructions, or source code, could also provide technically skilled hackers with knowledge about subtle security vulnerabilities in the Gaia code that may have eluded Google’s engineers.

“If you can get to the software repository where the bugs are housed before they are patched, that’s the pot of gold at the end of the rainbow,” said George Kurtz, chief technology officer for McAfee Inc., a software security company that was one of the companies that analyzed the illicit software used in the intrusions at Google and at other companies last year.

Rodney Joffe, a vice president at Neustar, a developer of Internet infrastructure services, said, “It’s obviously a real issue if you can understand how the system works.” Understanding the algorithms on which the software is based might be of great value to an attacker looking for weak points in the system, he said.

When Google first announced the thefts, the company said it had evidence that the intrusions had come from China. The attacks have been traced to computers at two campuses in China, but investigators acknowledge that the true origin may have been concealed, a quintessential problem of cyberattacks.

Several people involved in the investigation of break-ins at more than two dozen other technology firms said that while there were similarities between the attacks on the companies, there were also significant differences, like the use of different types of software in intrusions. At one high-profile Silicon Valley company, investigators found evidence of intrusions going back more than two years, according to the person involved in Google’s inquiry.

In Google’s case, the intruders seemed to have precise intelligence about the names of the Gaia software developers, and they first tried to access their work computers and then used a set of sophisticated techniques to gain access to the repositories where the source code for the program was stored.

They then transferred the stolen software to computers owned by Rackspace, a Texas company that offers Web-hosting services, which had no knowledge of the transaction. It is not known where the software was sent from there. The intruders had access to an internal Google corporate directory known as Moma, which holds information about the work activities of each Google employee, and they may have used it to find specific employees.

Lessons from Twitter's security breach

Twitter's latest security hole has less to do with its users than it does with its staff, but lessons can be learned on both sides.

In the case of Jason Goldman, who is currently Twitter's director of product management, the simplicity of Yahoo's password recovery system was enough to let a hacker get in and gain information from a number of other sites, including access to other Twitter staff's personal accounts.

The aftermath of the hack, which took place in May, is only now playing out. Documents that a hacker using the alias Hacker Croll retrieved from Goldman's account and others (including that of Twitter co-founder Evan Williams) could be a treasure trove of inside information about the company and its plans.

While Croll was planning to release the entire batch publicly (and at once), tech blog TechCrunch posted news late Tuesday that it had received them and was considering posting the details of at least some of them.

Although it seems that Twitter has been thrust into this situation a bit unfairly, a hack along these lines could have happened to the executives of more Web companies than anybody would like to admit. What it really highlights is the extreme interconnectedness of the social Web: with the likes of e-mail contact importing and data-portability services like Facebook Connect now commonplace, a savvy hacker can have access to multiple accounts simply by accessing one.

A post Wednesday on Twitter's official blog highlights just how far-reaching this can be.

"About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked," the post from co-founder Biz Stone read. "From the personal account, we believe the hacker was able to gain information which allowed access to this employee's Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company."

Following that attack, Twitter conducted a security audit, and Stone's post says that there was not a security vulnerability in Google Apps and that Twitter continues to use the suite internally. A separate hack targeted the account of CEO Evan Williams' wife, and from that some of Williams' personal accounts were accessed as well, Stone explained.

But Twitter is front and center in the news these days, and is now talked about as a communications protocol as much as a Web start-up. Not only does that make it a particularly appealing target, it also means the reverberation in the media will be all the more sensational and lasting. And this isn't the first Twitter security panic to hit the press by any means. A number of celebrities' accounts were hacked in January, which the company blamed on an "individual" hacker rather than on any of the various phishing scams that had been popping up occasionally on the microblogging service.


Security of Web apps under fire

Despite the breach, Twitter's executives say they have faith in the cloud and securing data online.

"This is more about Twitter being in enough of a spotlight that folks who work here can become targets," Stone's post read. "This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords."

Stone added that Twitter is communicating with its legal counsel--the company just hired former Google lawyer Alexander Macgillivray, conveniently--to figure out how to deal not only with the hacker but with people who share or publish the documents in question.

As for the log-ins though, it's a wake-up call to the importance of a good password, and having systems in place that make it hard for the wrong people to get in. And not all systems are created equal.

For instance, gaining access to someone's Yahoo account (which is how this all started) can be simple if you have access to one of their other e-mail accounts. Yahoo's password-retrieval process has several steps, the primary one being the option to send a password reset to another e-mail address it has on file. There is also the option to say you can't access that e-mail account, which is likely the route the hacker took. Doing so takes you to a page where you have to answer a secret question (usually a pet's name) whose answer was set when the account was created.

Yahoo's password recovery screen.

After three unsuccessful tries at the secret question, Yahoo shows a screen offering a choice: validate your identity with a credit or debit card number, or go back to answering more questions. Five more failures at the personal question lock the account out of password retrieval for 24 hours, although logging in with the proper credentials is still allowed while the lock is in place.
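To make that flow concrete, here is a small model of the recovery process as the article describes it, with a dictionary attack run against it and a hardened alternative alongside. This is an added example, not code from the article or from Yahoo; the attempt limits are the ones the article reports, while the account, the pet-name wordlist, the fake clock and the one-time-code variant are constructed for illustration.

```python
"""Model of the secret-question recovery flow described above, a dictionary
attack against it, and a hardened one-time-code alternative. Added example,
not code from the article or from Yahoo: the limits follow the article, while
the account, pet-name list, fake clock and hardened flow are constructed."""
import hmac
import secrets
from dataclasses import dataclass

LOCK_SECONDS = 24 * 3600
FIRST_STAGE = 3     # failures before the card-or-more-questions screen
SECOND_STAGE = 5    # further failures before recovery is locked for a day

# Constructed wordlist of the kind of answer the article says users pick
# ("usually a pet name"); a real attacker would use a far larger one.
COMMON_PET_NAMES = ["max", "buddy", "bella", "charlie", "lucy",
                    "molly", "daisy", "rocky", "bailey", "maggie"]


class FakeClock:
    """Lets the simulation wait out lockouts without sleeping."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


@dataclass
class Account:
    password: str
    secret_answer: str          # plaintext only to keep the model short
    failures: int = 0
    recovery_locked_until: float = 0.0


def try_secret_answer(acct, guess, clock):
    """One attempt at the secret question; returns the screen shown next."""
    if clock.now() < acct.recovery_locked_until:
        return "locked"
    if hmac.compare_digest(guess.strip().lower(), acct.secret_answer.lower()):
        acct.failures = 0
        return "reset-allowed"
    acct.failures += 1
    if acct.failures >= FIRST_STAGE + SECOND_STAGE:
        acct.failures = 0
        acct.recovery_locked_until = clock.now() + LOCK_SECONDS
        return "locked"
    if acct.failures >= FIRST_STAGE:
        return "card-or-more-questions"
    return "wrong"


def login(acct, password):
    """Normal log-in is unaffected by the recovery lock, as the article notes."""
    return hmac.compare_digest(password, acct.password)


def dictionary_attack(acct, wordlist, clock):
    """Walk the wordlist, waiting out each 24-hour lock.
    Returns (answer or None, attempts made, whole days elapsed)."""
    attempts = 0
    for word in wordlist:
        remaining = acct.recovery_locked_until - clock.now()
        if remaining > 0:
            clock.advance(remaining)        # the lock only delays the attacker
        attempts += 1
        if try_secret_answer(acct, word, clock) == "reset-allowed":
            return word, attempts, int(clock.now() // LOCK_SECONDS)
    return None, attempts, int(clock.now() // LOCK_SECONDS)


class CodeRecovery:
    """Hardened alternative (constructed): no knowledge-based question. A random
    six-digit code goes to a channel verified in advance, expires after ten
    minutes, and each issued code gets a small try budget."""
    CODE_TTL = 600
    MAX_TRIES = 5

    def __init__(self, clock):
        self.clock = clock
        self.pending = {}               # user -> [code, expiry, tries]

    def issue(self, user):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = [code, self.clock.now() + self.CODE_TTL, 0]
        return code     # delivered out of band in practice, never shown to the requester

    def redeem(self, user, guess):
        entry = self.pending.get(user)
        if entry is None or self.clock.now() > entry[1]:
            self.pending.pop(user, None)
            return "expired"
        entry[2] += 1
        if entry[2] > self.MAX_TRIES:
            del self.pending[user]
            return "locked"
        if hmac.compare_digest(guess, entry[0]):
            del self.pending[user]
            return "reset-allowed"
        return "wrong"
```

Against the ten-word list the question falls on the second day (eight guesses, a day's wait, two more), and the victim's normal log-in keeps working throughout, so nothing alerts them. The same try budget applied to a random six-digit code gives an attacker about five chances in a million per issued code and nothing to look up on a social-network profile, which is the point of keeping knowledge-based answers out of the flow.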

On a Google Apps account, which Stone says Twitter is still using, it's not quite as simple. A Google representative told CNET News that the company's Apps service handles password recovery differently from how it does on other Google products. For instance, users have to ask for a password directly from their account administrator, instead of through Google. That administrator can also choose how long and complex passwords must be.

Even with this more stringent layer of security, some security experts have their doubts. People shouldn't expect free, online services to provide the same standard of security that they would get from their internal corporate system, said Peter "Mudge" Zatko, technical director of national intelligence at BBN Technologies who spoke to CNET News on Wednesday.

"It's pretty ridiculous. The data is not stored at your place; it's not in your control," and problems could arise if the service provider changes its policies or gets sold, he said. "Nothing is really free."

Users of Yahoo Mail and Google Docs need to understand the convenience-security tradeoff, and that they compromise sensitive corporate data if they put it on publicly accessible systems or use the same passwords for internal and external networks, Zatko said.

"These services are very much about convenience and providing convenience for their users and part of convenience is ease of accessibility," he said. "You can't make something easy to access and terribly secure at the same time. Those are diametrically opposed goals."



Mobile network cracked by hackers

Simple technology can be used to eavesdrop on the network used for most mobile phone calls and texts, security researchers have shown

The encryption protecting most of the world's mobile phone calls has now been comprehensively broken. Photo: GETTY

Security researchers have shown that the network used to make 80 per cent of the world’s phone calls is vulnerable to hacking, building on work demonstrated in previous years.

Karsten Nohl and Sylvain Munaut demonstrated their "toolkit" at the Chaos Computer Club Congress (CCC) in Berlin. They showed off an "end-to-end" hack, from identifying a phone to stealing its data, which completes the work Nohl presented at the previous year's Congress, where precomputed tables were released that made it cheap to crack the encryption protecting GSM traffic.

Simon Bransfield-Garth, chief executive of mobile phone security firm Cellcrypt, said: "Businesses must plan now for the eventuality that their mobile voice calls will come under increasing attack. A ‘policy of hope’ towards mobile phone security is not adequate." He said that voice services should be treated with the same caution as emails.

Most mobile phone calls worldwide are made using the GSM standard, and GSM calls are protected by an encryption algorithm known as A5/1, designed in the late 1980s and first cracked by academic researchers in 1999. A5/1 is a stream cipher: from the 64-bit session key and the frame number it generates a keystream that is XORed with each burst of call data, so anyone who recovers the session key, or the cipher's internal state, can decrypt the call. The frequency hopping GSM also uses, in which the phone and base station change channel roughly 200 times a second, is a separate radio feature: it makes a call harder to follow with a simple receiver, but it is not encryption and does not depend on A5/1.
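To show what A5/1 actually is, here is the cipher as a runnable keystream generator. This is an added example reimplemented from the published description of A5/1, not code from the article or from Nohl and Munaut's toolkit; the register lengths, taps, majority clocking and key/frame loading order are the standard ones, and the check at the end uses the reference test vector (key 12 23 45 67 89 AB CD EF, frame 0x134) that circulates with the public description.

```python
"""A5/1, the GSM call cipher discussed above, as a runnable keystream
generator. Added example reimplemented from the published description of the
cipher, not code from the article or from Nohl and Munaut's toolkit; the
check at the end uses the reference test vector that circulates with it."""

# Three LFSRs of 19, 22 and 23 bits: 64 bits of state in total.
R1_MASK, R2_MASK, R3_MASK = (1 << 19) - 1, (1 << 22) - 1, (1 << 23) - 1
# Clock-control ("middle") bit and feedback taps of each register.
R1_MID, R2_MID, R3_MID = 1 << 8, 1 << 10, 1 << 10
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080
# Each output bit is the XOR of the registers' most significant bits.
R1_OUT, R2_OUT, R3_OUT = 1 << 18, 1 << 21, 1 << 22


def _parity(x):
    return bin(x).count("1") & 1


def _step(reg, mask, taps):
    """Shift one register left by one, feeding back the XOR of its taps."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    """Keyed with the 64-bit session key Kc and the 22-bit TDMA frame number.
    Kc stays fixed for the whole call; the frame number changes per burst."""

    def __init__(self, key, frame):
        assert len(key) == 8 and 0 <= frame < (1 << 22)
        self.r1 = self.r2 = self.r3 = 0
        # Key, then frame number, are XORed in one bit at a time (LSB of each
        # byte first) with every register clocked; the majority rule is off.
        for i in range(64):
            self._clock_all()
            self._xor_in((key[i // 8] >> (i & 7)) & 1)
        for i in range(22):
            self._clock_all()
            self._xor_in((frame >> i) & 1)
        for _ in range(100):       # mixing clocks whose output is discarded
            self._clock()

    def _xor_in(self, bit):
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self):
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _clock(self):
        """Majority rule: a register advances only if its middle bit agrees
        with the majority of the three middle bits."""
        m1 = bool(self.r1 & R1_MID)
        m2 = bool(self.r2 & R2_MID)
        m3 = bool(self.r3 & R3_MID)
        maj = (m1 + m2 + m3) >= 2
        if m1 == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if m2 == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if m3 == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def keystream(self, nbits=114):
        """Return nbits of keystream packed MSB first; a GSM burst carries
        114 payload bits, so 114 bits protect one burst in one direction."""
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            self._clock()
            bit = (_parity(self.r1 & R1_OUT) ^ _parity(self.r2 & R2_OUT)
                   ^ _parity(self.r3 & R3_OUT))
            out[i // 8] |= bit << (7 - (i & 7))
        return bytes(out)


def burst_keystreams(key, frame):
    """The 228 bits produced per frame: 114 for one direction, 114 for the other."""
    gen = A51(key, frame)
    return gen.keystream(114), gen.keystream(114)


def xor_burst(data, keystream):
    """Encryption and decryption are the same operation: XOR with keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream))


# Reference test vector published with the public A5/1 description.
TEST_KEY = bytes.fromhex("1223456789ABCDEF")
TEST_FRAME = 0x134
TEST_FIRST = bytes.fromhex("534EAA582FE8151AB6E1855A728C00")
TEST_SECOND = bytes.fromhex("24FD35A35D5FB6526D32F906DF1AC0")


def self_test():
    """True if this implementation reproduces the reference keystreams."""
    return burst_keystreams(TEST_KEY, TEST_FRAME) == (TEST_FIRST, TEST_SECOND)
```

The whole secret is 64 bits of register state and the output depends on nothing else, which is what makes precomputed tables practical: a few bursts of known keystream (GSM signalling contains predictable plaintext) are enough to look up the state, from which the session key follows, and because Kc is reused for every frame of the call the rest of the conversation decrypts with a plain XOR.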

The GSM Association has had a stronger algorithm, called A5/3, available since 2007 but few mobile network providers have made the upgrade.


Cybercrime: one in 10 computers vulnerable to attack

A new report reveals that cybercriminals are attacking millions of computers every month – and infecting approximately 10 per cent

Hackers were able to infect one in 10 of the PCs they attacked, a new survey found. Photo: CLARE KENDALL

Cybercriminals are increasingly focussing on money, a new report suggests, and improved organisation means that “toolkits” have been developed to methodically infect PCs so that illegally obtained information can be bought and sold.

In a survey by security firm AVG, 165 internet domains were found to have attacked 12 million visitors over the course of two months. More than 1.2 million computers were subsequently infected.

The research looked at criminals using the so-called "Eleonore toolkit", which uses malware hosted on specially created websites to steal information such as credit card details, emails and national insurance numbers.

The software targets known vulnerabilities, primarily in older versions of Microsoft's web browser. Internet Explorer 6 alone accounted for one-third of all infections. Apple's Safari browser proved the most resistant to Eleonore attacks, with just 2.78 per cent of machines using it becoming infected. Exploits for Adobe Acrobat and Sun's Java also accounted for a significant number of infections.

Criminal servers were typically hosted in Ukraine, where more than a quarter were found, the Russian Federation and Kazakhstan. Hackers appeared to target the Russian Federation, too: 8,906,025 attacks were recorded there, and 916,430 (10.3 per cent) were successful. The United States and Britain attracted approximately half a million attacks each, which met with a similar level of success.


Cyberwar Is Hell

While we obsessed over Russian spies, top diplomats were working to stop a greater espionage problem: the threat of cyberwarfare.


We’ve been focused on the wrong spies. When 11 Russian sleeper agents were discovered living in the United States—and then sent home in exchange for their counterparts—it was hard to resist the sexy espionage tale with echoes of the Cold War. But while we’ve fixated on Anna Chapman and her cohorts, top diplomats were working on a wonkier but more important advance in spycraft. This month, experts from 15 countries agreed to begin serious negotiations on establishing international norms on cybersecurity. This story is far more significant in the long run because, without basic agreements about cyberspace, cyberattacks, and even cyberwars, could become a daily danger.

Sure, spy stories are irresistible—particularly when a sexy redhead like Chapman is involved and there are plenty of racy photos to titillate readers. It’s also true that the press may have been too quick to write off the Russian sleeper agents as a bunch of bunglers who accomplished nothing. We don’t know what support roles they may have had for more serious operations; human intelligence can still trump electronic spying in many situations, and spying will always be with us.

But, increasingly, international relations will be shaped by new challenges that require new tactics—and new assumptions about where we can and should cooperate, even with former enemies. Look at the United Nations group of experts that overcame at least some of their mutual suspicions to take a first step toward international cooperation on cybersecurity last week. After years of talks that went nowhere, they—the United States, Russia, China, India, and several others—agreed to begin discussing ways to exchange information about national cyberstrategies, strengthen protection of computer systems around the world, including in less-developed countries, and even set some ground rules on cyberwarfare. Other nations in attendance may not be G7 economies, but online they are powerhouses: Israel, Brazil, South Korea, and Estonia.

The idea that Russian and Estonian experts, in particular, could join forces to issue cybersecurity recommendations would have sounded absurd until recently. Just three years ago, Estonia was the target of a massive cyberattack, which now is held up as Exhibit A when it comes to cyberwarfare. The Estonians, and much of the rest of the world, were convinced that this was an attack orchestrated by the Kremlin in retaliation for Tallinn’s decision to remove a World War II memorial honoring Red Army troops. Moscow and local Russians were furious about this “desecration,” and there were violent clashes in the streets. Although the Russian authorities denied any involvement, the concerted cyberattacks on Estonia’s government and private-sector Web sites, designed to cripple the country’s digital infrastructure, certainly looked like angry and organized retaliation.

What’s changed? Those hard feelings haven’t disappeared, but there’s a growing realization that no country can protect itself from cyberattacks on its own. One key problem is attribution—the inability to definitively pinpoint the source of an assault. Terrorists, criminals, and political groups can now launch sophisticated salvos using “botnets”—armies of computers around the world that they have commandeered without the knowledge of the people who own those machines. That makes it hard to prove—and easy to deny—any state’s role in a specific cyberattack. And it makes everyone and everything, including critical infrastructure such as transportation and electricity grids, vulnerable.