Microsoft investigates 'download warning' flaw

Microsoft has said it will take "appropriate action" to fix a problem in Internet Explorer and Windows XP SP2 that allows a malicious Web site to bypass the browser's warnings when downloading potentially harmful content.

On Monday, French Web site K-otik published exploit codes that could take advantage of the vulnerability. On Tuesday, a Microsoft representative said that the risk from the flaw is low because "significant user interaction and user interface steps have to occur before any malicious code can be executed."

However, the software giant did admit that it was possible to bypass the security warnings in IE--even when using Windows XP with Service Pack 2.

"Microsoft is investigating this method of bypassing the Internet Explorer download warning and will take appropriate action to cover this scenario in order for customers to be properly advised that executables downloaded from the Internet can be malicious in nature," the representative said.

The representative acknowledged that if the file were saved in the start-up folder, it would automatically run the next time the user restarted his computer.

"The user must go to the folder containing that executable and choose to run it, or log off and log back onto the computer if the attacker attempted to save the malicious executable into the user's Windows start-up folder," the representative said.

However, the representative said the problem was not a security vulnerability but actually a clever use of social engineering.

"It is important to note that this is not the exploitation of a security vulnerability, but an attempt by an attacker to use social engineering to convince a user to save an executable file on the hard drive without first receiving the Internet Explorer download warning," the representative said.

Still, some security experts disagree with Microsoft on this point.

Sean Richmond, senior technology consultant at antivirus company Sophos Australia, agreed that the exploit would require some user interaction but said this was definitely bypassing a security feature in IE and SP2.

"This is certainly something that is bypassing some of the security features that are meant to be there. It is a way of bypassing the dialogs in IE. It will result in the (malicious) file being saved on the user's computer," said Richmond, who added that the matter would be worse if that file could be saved in a computer's start-up folder.

Richard Starnes, an information security professional with around 20 years' experience in information security, incident response, computer crime investigation and cyberterrorism, said that legislation could be used to force Microsoft--and other software developers--to improve their code and take financial responsibility for their customers' losses.

"I wonder how solid Microsoft's coding would become if strategic governments around the world removed the liability shield that software manufacturers now currently enjoy," Starnes said. "They would then have some real financial incentive to get it right the first time, instead of this Computer Science 101 coding they are continually churning out."

Starnes believes the quality of software development has fallen in the past two decades.

"Most commercial releases of software today wouldn't have made it out of beta 20 years ago," he added.

Cyber-security new year resolutions for 2007

Consumers have been led to believe that hacker attacks and social engineering outbreaks will be on the increase over the holiday period, but the chances are that not many users have prepared a checklist to go through to make sure they're secure.

Security firm Perimeter eSecurity claims that users should take six key steps to ensure the maximum possible computer and network security as New Year's Eve approaches in an era rife with data theft, record levels of spam and increasingly innovative computer fraud.

"It doesn't take very long to enhance the security of a computer or its network," said Andrew Greenawalt, founder of Perimeter eSecurity.

"Whether you have a small business network or a vast business enterprise, these seven steps are imperatives to optimise your security as the New Year approaches."

Step One - Change every password you can find before New Year's Eve
Every online commerce site visited, every computer, and any other password-protected device or website will be security enhanced with this simple, time-efficient move. Avoid easily discovered passwords such as names or numeric series, and resolve to change your passwords at least quarterly in 2007.

Step Two - Download patches and updates
Even the least expensive computer security programs offer downloadable updates or patches that can detect the latest viruses, close backdoors that hackers have discovered, or otherwise enhance network protection. Network owners with less thorough security programs should resolve to check and update patches on a monthly basis.

Step Three - Hire a hacker
Network owners should use the holiday lull to conduct a penetration test to identify weaknesses in network security. Instead of attacking databases and network tools, these scans report back on specific vulnerabilities and recommend ways to solve the problems they identify.

Step Four - Conduct regular check-ups and keep your network safe by scheduling ongoing risk assessments
Automated monthly remote risk assessments can be conducted for less than the cost of a single onsite review and can help ensure that confidential customer and financial data is as secure as possible from external attack. Waiting a full year between risk assessments in today's internet is no longer a viable option.

Step Five - Communicate and review your data security policy
Write a memo to all staff members stressing the importance of protecting critical confidential customer data such as social security, bank account or credit card numbers. State an explicit policy on how and when, if ever, these should be included in unsecured email correspondence with customers and others.

Step Six - Keep the network virus free
With the increasing amount of entry points for viruses to penetrate the network, such as email attachments, shared files, infected websites and downloads, a full evaluation of the network is critical to ensure that safeguards are in place to protect all these entry points and minimise infection. Simply installing antivirus software is not enough. The antivirus system still needs to be monitored to ensure that the most recent definition files are updated on all devices and that you are alerted when a device is not up-to-date.

Super stealthy Internet messaging method revealed

A pair of Princeton University researchers presented a paper this week on a method for sending secret messages over existing public fiber-optic networks.

Princeton's Bernard Wu and Evgenii Narimanov made their presentation at the annual Optical Society of America meeting in Rochester, N.Y.

Their encryption technology is hardware-oriented and uses the properties of optical fiber to disguise a message. The technique involves sending a signal so faint that it is hard to detect or unscramble, because it is hidden by the natural optical noise of the network.

More specifically, the technique involves use of commercially available optical CDMA encoders that spread short, intense pulses of light carrying messages. The recipient decodes the message using information about how the message was spread out in the first place, plus compression gear.

Wu said in a statement that he does not believe anyone is using this method yet, because optical CDMA technology is still undergoing much research. He also said there could be a speed tradeoff for increased security.

The paper presented is called "Achieving Secure Stealth Transmission via a Public Fiber-Optical Network."

As with any supersecret network technology, the benefits to companies and government agencies would need to be weighed against the benefits criminals could gain from a way of sending undetectable messages.

Better late than never: MySpace finally enables data sharing

One of the main reasons that people drag out for not joining new social networks is that they hate having to fill out entirely new profiles by adding all the same info that they've entered a thousand times before. Because there are few easy ways to share data between networks, users feel the need to pick and choose which ones they want to be a part of. As a result, MySpace, long the top dog in the social networking pack, has been suffering a bit over the last few years for its complete lack of integration with... pretty much anything else. Until now, that is. MySpace has announced a new Data Availability initiative that will finally let the site play nice with newer social networks and allow users to share info across the web.

"The walls around the garden are coming down—the implementation of Data Availability injects a new layer of social activity and creates a more dynamic Internet," MySpace CEO Chris DeWolfe said in a statement. "We, alongside our Data Availability launch partners, are pioneering a new way for the global community to integrate their social experiences Web-wide."

Those launch partners include Yahoo, eBay, Photobucket, and Twitter, with more possibly on the way. MySpace plans to introduce a centralized location within its own site that will allow users to manage how their data is shared. Theoretically, a user will be able to say that she wants photos to be posted simultaneously to MySpace and Photobucket (instead of having to go to each site separately and upload the same photo twice), or that an updated status message will save both to MySpace and Twitter. MySpace profile details will be able to be imported into Yahoo's universal profile for use with its IM program or even Yahoo Mail, too.

MySpace praises itself heavily by calling the move "ground-breaking" and "the first time that a social web site has enabled its community to dynamically share public profile information with other sites." It may be the first time these tools are available directly from the company that runs the network, but other sites (such as Facebook) have been sharing information across the web for some time now, thanks largely to the widgets and applications created by their communities. For example, there are a number of Facebook apps that allow users to import their updates to Twitter into their Facebook profiles, or cross-post their Facebook status updates to Twitter. Users can also pull in a dynamic feed of their Flickr photos to Facebook, display updates made to other social networking sites, show songs they've recently purchased on iTunes, and more. Clearly, MySpace has taken a hint from Facebook in launching its Data Availability project, but has decided to take all the credit for the idea.

Speaking of which, Facebook (the second largest social network on the web) is noticeably missing from the list of launch partners. This may be because Facebook is MySpace's largest competitor, but MySpace claims that it is open to working with the company. "We're happy to work with Facebook if they want to join up with us on this project. That goes for any other site out there as well," DeWolfe said during a conference call yesterday, according to the New York Times.

Too bad Facebook application developers have already beaten MySpace to the punch—there are (at least) three apps that allow Facebook users to import their MySpace profiles into Facebook, and a large smattering of others that grab info dynamically from MySpace so that it is shared across both sites. Still, loyal MySpace users will likely welcome the site's efforts to be social with other networks, even if it remains several steps behind Facebook in the breadth of sites and services it can share with.