IT Outsourcing - Percento

Archive for January, 2010

If Your Password Is 123456, Just Make It HackMe

Friday, January 22nd, 2010

Back at the dawn of the Web, the most popular account password was “12345.”

Today, it’s one digit longer but hardly safer: “123456.”

Despite all the reports of Internet security breaches over the years, including the recent attacks on Google’s e-mail service, many people have reacted to the break-ins with a shrug.

According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.

“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”

Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the Web, and hackers and security researchers downloaded it. (RockYou, which had already been widely criticized for lax privacy practices, has advised its customers to change their passwords, as the hacker gained information about their e-mail accounts as well.)

The trove provided an unusually detailed window into computer users’ password habits. Typically, only government agencies like the F.B.I. or the National Security Agency have had access to such a large password list.

“This was the mother lode,” said Matt Weir, a doctoral candidate in the e-crimes and investigation technology lab at Florida State University, where researchers are also examining the data.

Imperva found that nearly 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.”

More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.

That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.

“We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations,” Mr. Shulman said. “The reality is that you can be very effective by choosing a small number of common passwords.”

Some Web sites try to thwart the attackers by freezing an account for a certain period of time if too many incorrect passwords are typed. But experts say that the hackers simply learn to trick the system, by making guesses at an acceptable rate, for instance.

To improve security, some Web sites are forcing users to mix letters, numbers and even symbols in their passwords. Others, like Twitter, prevent people from picking common passwords.

Still, researchers say, social networking and entertainment Web sites often try to make life simpler for their users and are reluctant to put too many controls in place.

Even commercial sites like eBay must weigh the consequences of freezing accounts, since a hacker could, say, try to win an auction by freezing the accounts of other bidders.
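The two defenses the article describes, blocking common passwords at sign-up and throttling repeated failed logins, as an added example in Python that is not part of the article or of any vendor's product. The blocklist is seeded with passwords the article names, the 12-character floor follows the habit Mr. Moss describes later, and the attempt thresholds are assumptions; the throttle is a sliding window rather than a hard freeze, so it drains on its own and cannot be used to lock a rival out of an account for long.

```python
"""Added example, not from the article: a common-password blocklist check and a
per-account sliding-window login throttle. The blocklist entries, the length
floor and the attempt thresholds are illustrative assumptions."""
import time
from collections import deque
from typing import Optional

# Constructed blocklist seeded with passwords named in the article; a real
# deployment would load the full list of the most common leaked passwords.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "qwerty", "abc123", "rockyou", "hackme",
}
MIN_LENGTH = 12  # assumed floor, in line with the 12-character advice quoted later


def normalize(password: str) -> str:
    """Fold case and undo common symbol-for-letter swaps so that 'P@ssw0rd'
    still matches the blocklist entry 'password'."""
    table = str.maketrans("@0$3!", "aosei")
    return password.lower().translate(table)


# Normalize the blocklist the same way the candidate is normalized.
NORMALIZED_BLOCKLIST = {normalize(p) for p in COMMON_PASSWORDS}


def password_rejection_reason(password: str) -> Optional[str]:
    """Return why a password is unacceptable, or None if it passes."""
    norm = normalize(password)
    if norm in NORMALIZED_BLOCKLIST:
        return "appears on the common-password blocklist"
    # A blocklisted word padded with a year or a symbol is still a weak base.
    if any(entry in norm for entry in NORMALIZED_BLOCKLIST if len(entry) >= 6):
        return "built on a blocklisted password"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


class ManualClock:
    """Constructed clock so the demo and tests can advance time deterministically."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class LoginThrottle:
    """Per-account sliding window: after max_attempts failures inside
    window_seconds, further attempts are refused until old failures age out.
    A successful login clears the window for that account."""
    def __init__(self, max_attempts: int = 5, window_seconds: float = 300.0,
                 clock=time.monotonic) -> None:
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self.failures: dict = {}  # account -> deque of failure timestamps

    def _recent(self, account: str) -> deque:
        """Drop failures older than the window and return the remaining ones."""
        q = self.failures.setdefault(account, deque())
        now = self.clock()
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allowed(self, account: str) -> bool:
        return len(self._recent(account)) < self.max_attempts

    def record_failure(self, account: str) -> None:
        self._recent(account).append(self.clock())

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)


if __name__ == "__main__":
    for pw in ["123456", "P@ssw0rd", "Princess2010!", "correct-horse-battery-staple"]:
        print(f"{pw!r}: {password_rejection_reason(pw) or 'accepted'}")
    clock = ManualClock(1000.0)
    throttle = LoginThrottle(max_attempts=3, window_seconds=60, clock=clock)
    for _ in range(3):
        throttle.record_failure("alice")
    print("alice allowed now:", throttle.allowed("alice"))  # False
    clock.now += 61
    print("alice allowed a minute later:", throttle.allowed("alice"))  # True
```

Because the article notes that guessers simply pace their attempts below a per-account threshold, a per-account window like this one is only half of the picture; in practice the same counter is also kept per source address, and a burst of failures across many accounts that all use blocklisted passwords is worth alerting on regardless of the per-account count.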

Overusing simple passwords is not a new phenomenon. A similar survey examined computer passwords used in the mid-1990s and found that the most popular ones at that time were “12345,” “abc123” and “password.”

Why do so many people continue to choose easy-to-guess passwords, despite so many warnings about the risks?

Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age.

“Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council. “Voice mail passwords, A.T.M. PINs and Internet passwords — it’s so hard to keep track of.”

In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.

But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords — a complex one for Web sites where security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.

Mr. Moss relies on passwords at least 12 characters long, figuring that those make him a more difficult target than the millions of people who choose five- and six-character passwords.

“It’s like the joke where the hikers run into a bear in the forest, and the hiker that survives is the one who outruns his buddy,” Mr. Moss said. “You just want to run that bit faster.”

Source

Antivirus makers applaud, mock Microsoft Security Essentials

Saturday, January 9th, 2010

Four antivirus makers have weighed in on the release of Microsoft Security Essentials, and their opinions are all over the place. We asked various security companies for their opinion on MSE, which launched yesterday, and Symantec, ESET, Avast, and AVG responded with their thoughts.

Microsoft claims it is targeting consumers who currently don’t have any protection on their Windows PC, but of course MSE will end up on many computers that already have third-party security software installed. Since MSE is free, the software security market is going to get a serious shake-up, and here’s what Microsoft’s new competitors think about what’s about to happen.

Symantec, maker of the Norton line of products, says MSE doesn’t stand a chance in today’s market: “While we applaud any vendor that heightens consumer awareness of the need for computer security, it’s clear that the threat landscape has moved on from the product Microsoft is launching,” a Symantec spokesperson told Ars. “Microsoft Security Essentials (MSE) is a stripped down version of their old OneCare product which was poorly rated by industry experts and users alike. From a security perspective, this Microsoft tool offers reduced defenses at a critical point in the battle against cybercrime. Unique malware and social engineering tricks fly under the radar of traditional signature-based technology alone—which is what is employed by free security tools such as Microsoft’s.”

ESET, maker of the NOD32 line of products, is unfazed by the product’s launch: “Certainly basic, but free, protection is better than no protection,” Christopher Dale, Public Relations Manager of ESET, told Ars. “For those whose primary concern is price, we would imagine MSE will hold great appeal while making the freeware market more competitive. The product doesn’t directly impact ESET as we offer a full-featured security solution w/ more configuration choices and free phone support.”

Avast is perfectly fine with Microsoft entering the market: “We are glad to see Microsoft joining us in offering free anti-virus/security protection to users,” Vince Steckler, CEO of Avast, told Ars. “We have long believed that top notch security protection should be freely available—that is why nearly 100 million users around the world protect their computers and data with our free avast! antivirus. Around the world there are about 500 million home computer users that need [to be] protected while using the Internet. We believe only around 20 percent of these users are using a traditional paid security product while 250 million are using avast! or one of the other high-quality free products. Users have already decided that security should be free—there are more users of free avast! than users of all paid products combined. But, free users should not be subjected to inferior or ‘basic’ protection.”

AVG, on the other hand, thinks Microsoft will push its product via as many anticompetitive ways as possible: “Microsoft will likely push MSE out via every automated channel available to them—which in and of itself poses all sorts of interesting anti-trust questions,” Siobhan MacDermott, VP Head of Public Policy, Corporate Communications, and Investor Relations for AVG Technologies, told Ars. “They will focus on gaining consumers through the simplicity of installing the product via routine channels of connection. On paper it makes sense, but in reality, we believe this will force consumers to unwittingly enter into a situation that makes them more vulnerable. Experts agree that the biggest nemesis to Windows was not the vulnerability of its code but rather the popularity of the operating system. It is a law of numbers; large communities create large pools of opportunities for thieves. If Microsoft leverages the power of its OS market to rapidly create a large community of MSE users, we believe those customers will be doubly vulnerable.”

There you have it; two antivirus makers are fine with Microsoft Security Essentials and the other two aren’t. We’re more surprised with the ones that are fine with it, since MSE can potentially steal customers away from them (in fact, many of our readers and users on other forums have already declared they are switching). In our first look at MSE yesterday, we were impressed with what Microsoft was offering as a free download for Windows XP, Windows Vista, and Windows 7. For those who have had a chance to install it, how do your thoughts compare to the above statements?

Source

MagicJack’s next act: disappearing cell phone fees

Friday, January 8th, 2010

LAS VEGAS -

The company behind the magicJack, the cheap Internet phone gadget that’s been heavily promoted on TV, has made a new version of the device that allows free calls from cell phones in the home, in a fashion that’s sure to draw protest from cellular carriers.

The new magicJack uses, without permission, radio frequencies for which cellular carriers have paid billions of dollars for exclusive licenses.

YMax Corp., which is based in Palm Beach, Fla., said this week at the International Consumers Electronics Show that it plans to start selling the device in about four months for $40, the same price as the original magicJack. As before, it will provide free calls to the U.S. and Canada for one year.

The device is, in essence, a very small cellular tower for the home.

The size of a deck of cards, it plugs into a PC, which needs a broadband Internet connection. The device then detects when a compatible cell phone comes within 8 feet, and places a call to it. The user enters a short code on the phone. The phone is then linked to the magicJack, and as long as it’s within range (YMax said it will cover a 3,000-square-foot home) magicJack routes the call itself, over the Internet, rather than going through the carrier’s cellular tower. No minutes are subtracted from the user’s account with the carrier. Any extra fees for international calls are subtracted from the user’s account with magicJack, not the carrier.

According to YMax CEO Dan Borislow, the device will connect to any phone that uses the GSM standard, which in the U.S. includes phones from AT&T Inc. and T-Mobile USA. At a demonstration at CES, a visitor’s phone with a T-Mobile account successfully placed and received calls through the magicJack. Most phones from Verizon Wireless and Sprint Nextel Corp. won’t connect to the device.

Borislow said the device is legal because wireless spectrum licenses don’t extend into the home.

AT&T, T-Mobile and the Federal Communications Commission had no immediate comment on whether they believe the device is legal, but said they were looking into the issue. CTIA — The Wireless Association, a trade group, said it was declining comment for now. None of them had heard of YMax’s plans.

Borislow said YMax has sold 5 million magicJacks for landline phones in the last two years, and that roughly 3 million are in active use. That would give YMax a bigger customer base than Internet phone pioneer Vonage Holdings Corp., which has been selling service for $25 per month for the better part of a decade. Privately held YMax had revenue of $110 million last year, it says.

U.S. carriers have been selling and experimenting with devices that act similarly to the wireless magicJack. They’re called “femtocells.” Like the magicJack, they use the carrier’s licensed spectrum to connect to a phone, then route the calls over a home broadband connection. They improve coverage inside the home and offload capacity from the carrier’s towers.

But femtocells are complex products, because they’re designed to mesh with the carrier’s external network. They cost the carriers more than $200, though some sell them cheaper, recouping the cost through added service fees. YMax’s magicJack is a much smaller, simpler design.

Source

Google hopes to change wireless retail game with Nexus One

Friday, January 8th, 2010

It wasn’t much of a secret, really, but the sleek, Android-powered Nexus One is finally here, and yes: you can buy it directly from Google, over the Web. As expected, the unlocked, no-contract Nexus One will cost you a pretty penny, but subsidized versions will also be available from T-Mobile and … what’s this, Verizon Wireless? You betcha.

Announced this afternoon during a press conference at Google’s Mountain View headquarters, the Nexus One (designed by phone maker HTC under Google’s strict supervision) is available for purchase right now on Google’s new Web store rather than through a carrier—a twist that some observers see as a paradigm shift in the wireless market, where the balance of power is usually tipped in the carrier’s favor.

Then again, Google is sticking with the practice of charging an arm and a leg for an unlocked, no-contract handset. If you want it unlocked for use with any SIM card and without a contract, the phone will set you back a cool $530. Here in the U.S., you’ll be able to use the Nexus One with either an AT&T or T-Mobile SIM card; that said, AT&T users will only be able to tap into the carrier’s EDGE data network, while T-Mobile customers can use both EDGE and 3G.

Another option is to opt for a traditional two-year contract with T-Mobile, which brings the price of the Nexus One down to $180. That detail has already been well leaked; one of the surprises Tuesday, however, was the news that Verizon Wireless in the U.S. (which currently has the Android-powered Motorola Droid) and Vodafone in Europe are also on board with the Nexus One, with versions of the handset for those networks due in the spring. Interesting. (I should note, though, that the current unlocked Nexus One will only work on GSM-based networks, not CDMA carriers like Verizon or Sprint; I’m assuming that the eventual Nexus One for Verizon will be a CDMA phone.)

If you’ve been following all the rumors over the past few weeks about the Nexus One, few of the hardware details revealed by Google on Tuesday will come as a surprise. Yep, the Nexus One is slim and trim, alright, measuring about 0.45 inches thick and weighing in at a relatively light 4.6 ounces, and as predicted, it’ll come with a speedy 1GHz “Snapdragon” processor under the hood, a five-megapixel camera with an LED flash, Wi-Fi, stereo Bluetooth, a slot for microSD memory expansion, and a standard 3.5mm jack for headsets. Missing in action: a slide-out keypad and “multitouch” for the Web browser (for “pinching” or “zooming” Web pages).

Also on board the Nexus One: the latest version of Android (version 2.1, to be precise), which adds a series of interface enhancements, more home screens (five, up from three), live news and weather widgets, “live” wallpaper (which, as demonstrated during Google’s press conference, might feature a forest scene with falling leaves and water that ripples when at your touch), and even built-in voice recognition for any text field on the phone (meaning you can simply speak rather than type out a text message).

Now, I haven’t personally seen the Nexus One yet, but the bloggers at Engadget have, and their praise is, well … somewhat guarded. No question, they say, the Nexus One is a sleek, sexy, and speedy handset, but the bloggers conclude that the much-vaunted 2.1 version of Android doesn’t look all that different from the Droid’s version of Android. Also, while the Nexus One is “fast,” says Engadget, it’s “not so much of a leap up from the Droid.”

So yes … it sounds like the big news with the Nexus One is the way in which it’s being sold, not so much the handset itself (although the hardware certainly does sound impressive). But while I’m pleased that Google is selling the Nexus One unlocked out of the gate, the unsubsidized $530 price tag is awfully steep.

In any case, that’s the scoop; if you’re interested in more details about the Nexus One, you can check out Google’s Nexus One site.

So, show of hands: Who’s interested in snapping up the unlocked Nexus One?

Source

The top 10 tech ‘fails’ of 2009

Thursday, January 7th, 2010

It was a big year for technology: Twitter and Facebook’s popularity exploded, while new smartphones, e-readers and a host of other gadgets cropped up to compete for our plugged-in affection.

But into each electronic life a little digital rain must fall.

We polled a handful of the most tech-savvy folks we know for their thoughts on the worst moments in technology from 2009 — the most epic “fails” of the year.

Your mileage may vary. If you think something doesn’t deserve to be here, or think we missed a noteworthy clunker, let us know in the comments section. And now, in no particular order, our 2009 Tech Fails …

Y2-what? Zune gets off to a bad start

Technically it was a New Year’s Eve surprise. But many owners of Microsoft’s Zune media player started 2009 with little more than a paperweight with LED lights.

At midnight on December 31, all of Zune’s 30-GB MP3 players froze up. Microsoft attributed the failure to the way the device’s internal clock recognized (or didn’t recognize) leap years.

The glitch only lasted a day, but didn’t help a device that was already failing to gain ground on Apple’s iPod.

TwitterPeek fails to pique interest

The reaction of many in the tech community to the release of the TwitterPeek device was a collective, “Huh?”

Sure, there are some people who don’t have smartphones and don’t want to pay for expensive mobile plans. But is there really a market for a $199 device that does nothing but let you manage your Twitter feed?

“I already have a $200 device to update Twitter,” said one techie we spoke to. “It’s called my iPhone.”

The folks at Peek, makers of TwitterPeek, had already made the Pronto — a device that handled only texts and e-mails. Maybe a combination of the two gadgets is in the works. But even then, would enough people be interested? Probably not.

Facebook backtracks on owning your stuff

OK … so every time Facebook makes even the most minute changes, it sparks an outcry among its 350 million members, not to mention (irony alert) dozens of new Facebook groups geared at making the site change back.

But a terms-of-service change in February went further, implying that Facebook owned the rights to anything users uploaded to the site. Another change suggested that Facebook held those rights forever, even if people quit the site or took the material down.

Facebook responded that it simply needed those rights to be able to post information to other users. But when the backlash continued, the site eventually switched the terms back to their former wording.

Sidekick punts user info

In what one observer called “an almost incomprehensible data disaster,” T-Mobile told users in October that a server error at a Microsoft subsidiary had lost users’ personal data it had stored for the devices.

All of it.

Phone numbers, contact lists, calendars and other information were gone — and even new data would disappear if users turned off or recharged the phone.

Users were offered free service and rebates in the wake of the mess, as T-Mobile scrambled to recover what little of the data it could. But that didn’t stop the lawsuits, Internet griping and ill will generated by the snafu.

Hacking Twitter

It started as a story about someone hacking the accounts of several Twitter employees. Then, after Twitter said the attack was limited to personal information, not sensitive, company-related stuff, the hacker behind the attack struck again — in a different way.

He sent 310 documents to leading technology blog TechCrunch. The blog published a small portion of them and sent the documents to Twitter, which is when the company learned that they included financial projections and notes from high-level executive meetings.

Twitter responded by reportedly closing the security holes that allowed the attack.

Enough with the updates, already!

This was the year that online social media exploded. That’s good news for the future of Facebook, Twitter and the like.

But sometimes it just got to be a bit too much.

Members of Congress abandoned any pretense of paying attention to President Obama’s State of the Union speech by updating their Twitter feeds as he was speaking.

There was the groom who updated his Facebook relationship status at the altar. And the women who tweeted during childbirth. [In fairness, the most high-profile tweeting new mom was Sara Williams, wife of Twitter CEO Evan Williams].

And that’s not even mentioning all those friend requests you got from your grade-school teachers and members of your mom’s knitting circle.

Hyped-up Conficker fails

This is a failure we’re glad to report.

The Conficker worm was, by all accounts, a serious bit of malware that infected as many as 10 million computers worldwide. Instead of attacking those computers, it was designed to control them, paving the way for later attacks.

When researchers spotted the date April 1 in the worm’s coding, speculation began mounting that a major April Fools’ Day attack was on its way. Instead, it was mostly quiet — a false alarm of Y2K proportions.

“I think the joke’s on us a little bit, which you would have expected, having an April 1 date,” Holly Stewart, threat response manager for IBM’s X-Force, a computer security service, said at the time.

Attacks cripple Twitter, Facebook

On August 6, the concept of computer addiction didn’t seem so silly.

A massive denial-of-service attack hit Twitter, Facebook and the LiveJournal blogging site. Twitter was by far the hardest hit, completely blacking out for several hours.

The attacks were believed to have targeted a blogger in the country of Georgia who had been critical of Russia. The attacks, the blogger said, coincided with the one-year anniversary of renewed violence between the two countries.

What was telling was how freaked out people became. Users described feeling naked, jittery and upset without the ability to post on Twitter. When the site came back up, the top topic of conversation was the hashtag for “When Twitter Was Down.”

Gmail crashes

We heard some different views on this year’s string of outages or slowdowns of Google’s popular e-mail system.

Some thought coverage was overblown.

But as more computing power moves “into the cloud,” people and businesses are relying on programs like Gmail not just for e-mails, but to archive documents, chat with friends or co-workers and store contact information.

Gmail went through several high-profile crashes in 2009, including one in February and two in September. While e-mail crashes are nothing new to any provider, 2009’s were the first since Google began offering offline support.

Response to the crashes simultaneously showed how many people depend on Gmail and how easy it is to make fun of those people. Social-networking blog Mashable responded with a list of five things to do while Gmail is down (No. 1: “Immediately flood Twitter with tweets alternately proclaiming, ‘Gmail is down!’ and inquiring, ‘Is Gmail down?’”)

I got Google Wave — now what?

OK, so it’s a little early in the game to call this one a total fail. But after the breathless anticipation that greeted Google Wave and the hot rush to get an invitation for its beta testing, lots of users found themselves asking, “OK … now what?”

Google, for its part, released an 80-minute tutorial video — leading some observers to argue that if you need an hour and 20 minutes to explain what your product does, you might be in trouble.

It’s designed as a platform to allow users to communicate and collaborate in real time — a tool some predict will be used effectively by developers in the future.

But for now, it’s inspired the creation of a Web site — Easier to Understand Than Wave — on which users compare the online tool to other sometimes obtuse subjects (Both Ozzy Osbourne and the geopolitical climate of Southeast Asia are easier to understand than Wave, users voted, while Sarah Palin and Scientology are both more difficult).

Source

Windows 7 leaving Redmond’s help desk less busy

Wednesday, January 6th, 2010

There are many ways to measure how Windows 7 is doing. There are reports on new PC sales, tallies of boxed copy sales, and surveys of planned enterprise adoption, to name a few.

But one of the most encouraging signs for Microsoft is the lack of phone calls it is getting from people with problems. Overall, Microsoft said the volume of calls to its support lines is half of what it expected.

“Overall we are finding our call center volume is down significantly more than we expected,” said Barbara Gordon, vice president of customer support for Microsoft.

The drop in calls isn’t just due to the fact that Windows 7 appears less problem-plagued than its predecessor, though. In the weeks leading up to and following the operating system’s release, Microsoft also added two new ways to get help–through an online forum called Microsoft Answers and via the Microsoft Helps feed on Twitter.

“What we have found is we are seeing far more take-up of self-service…forums and Twitter to get responses,” Gordon said in an interview this week.

With the Microsoft Answers forums, which launched late last year, users submit questions and experienced community members offer answers that Microsoft workers later validate to make sure they are correct.

So far, Microsoft has validated some 60,000 solutions. The company says that 83 percent of English-language queries are answered within seven days. Queries in other languages have a slightly lower rate, but even there 78 percent are taken care of within a week.

Meanwhile, Microsoft went live with its Twitter help site in October. Users can post a tweet with “@microsofthelps” in the message and Microsoft will respond. A team of seven employees dedicated full time to the project work with the broader support organization to respond to the many tweets. The goal is to either answer simple questions or to point people to a place where they can get a more detailed answer.

“It’s hard to answer (most questions) in 140 characters,” Gordon said.

But social networks like Twitter, Gordon said, allow the company to realize from a single short message that a problem could be affecting thousands of people.

“It’s really like a customer megaphone,” Gordon said.

Gordon hopes the new online options will not only cut down on call center expenses, but ultimately improve overall customer satisfaction with Windows. Customer satisfaction is an area where the Mac has traditionally outpaced the various PC brands.

But Gordon says she hopes to see Windows gain ground. “We are really working on this,” she said.

Although Apple touts its personal touch with its stores, Gordon suggests Microsoft’s high-tech approach might ultimately win it more fans. “If I can help myself without having to go to the mall and sit at a geek bar I will be happier,” she said.

Nonetheless, one of the main features of Microsoft’s two retail stores is an answer desk very similar to the “Genius Bar” found in Apple stores.

As for the questions people ask on Twitter, they range from the expected bugs and problems to inquiries about future versions of products. This week, for example, one user asked when to expect Windows 8. Although vague, the answer was at least as direct as anything a reporter would get by asking Redmond.

“It will be a few years until the next official version comes out,” Microsoft replied on the Twitter feed. “Keep an eye out on microsoft.com for future updates.”

In addition to building goodwill and cutting costs, the online forums also allow Microsoft to quickly see when a problem is affecting a significant number of users. Such mechanisms helped Microsoft to recognize and then solve a video driver problem that was causing some users to have their systems hang when they reached 62 percent completion on an upgrade to Windows 7.

Within a week, Microsoft had a solution on its Website and shortly thereafter it posted an automated “Fix It,” essentially a script that a user can click on to have the proper steps done automatically. The Windows 7 upgrade fix has already been used more than 35,000 times, Microsoft said.

“We’re getting people able to meet their needs themselves,” Gordon said.

Source

Good Guys Bring Down the Mega-D Botnet

Wednesday, January 6th, 2010

For two years as a researcher with security company FireEye, Atif Mushtaq worked to keep Mega-D bot malware from infecting clients’ networks. In the process, he learned how its controllers operated it. Last June, he began publishing his findings online. In November, he suddenly switched from defense to offense. And Mega-D–a powerful, resilient botnet that had forced 250,000 PCs to do its bidding–went down.

Targeting Controllers

Mushtaq and two FireEye colleagues went after Mega-D’s command infrastructure. A botnet’s first wave of attack uses e-mail attachments, Web-based offensives, and other distribution methods to infect huge numbers of PCs with malicious bot programs.

The bots receive marching orders from online command and control (C&C) servers, but those servers are the botnet’s Achilles’ heel: Isolate them, and the undirected bots will sit idle. Mega-D’s controllers used a far-flung array of C&C servers, however, and every bot in its army had been assigned a list of additional destinations to try if it couldn’t reach its primary command server. So taking down Mega-D would require a carefully coordinated attack.

Synchronized Assault

Mushtaq’s team first contacted Internet service providers that unwittingly hosted Mega-D control servers; his research showed that most of the servers were based in the United States, with one in Turkey and another in Israel.

The FireEye group received positive responses except from the overseas ISPs. The domestic C&C servers went down.

Next, Mushtaq and company contacted domain-name registrars holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D’s existing domain names to nowhere. By cutting off the botnet’s pool of domain names, the antibotnet operatives ensured that bots could not reach Mega-D-affiliated servers that the overseas ISPs had declined to take down.

Finally, FireEye and the registrars worked to claim spare domain names that Mega-D’s controllers listed in the bots’ programming. The controllers intended to register and use one or more of the spare domains if the existing domains went down–so FireEye picked them up and pointed them to “sinkholes” (servers it had set up to sit quietly and log efforts by Mega-D bots to check in for orders). Using those logs, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers.
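The last step of the takedown, counting infected machines from the sinkhole’s check-in logs and grouping them for notification, as an added example in Python that is not FireEye’s code. The log line format, the spare domain names and the client addresses are constructed for this example (the addresses come from the documentation ranges), and grouping by /24 is an assumption about the granularity at which a network owner would be notified.

```python
"""Added example, not FireEye's code: summarize sinkhole check-in logs to
estimate how many infected hosts remain and which networks to notify.
The log format and the sample lines are constructed for this example."""
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterator

# Constructed sample: one line per HTTP check-in the sinkhole received.
# Includes one malformed line and one invalid address to exercise error handling.
SAMPLE_LOG = """\
2009-11-04T00:01:12Z 203.0.113.7 GET /cmd?id=a1 Host: spare-one.example
2009-11-04T00:01:40Z 203.0.113.9 GET /cmd?id=b7 Host: spare-one.example
2009-11-04T00:02:05Z 203.0.113.7 GET /cmd?id=a1 Host: spare-two.example
2009-11-04T06:10:33Z 198.51.100.21 GET /cmd?id=c3 Host: spare-one.example
2009-11-05T01:00:00Z 198.51.100.21 GET /cmd?id=c3 Host: spare-one.example
2009-11-05T02:30:00Z 192.0.2.200 GET /cmd?id=d9 Host: spare-two.example
2009-11-05T02:31:00Z not-a-log-line
2009-11-05T03:00:00Z 203.0.113.9 GET /cmd?id=b7 Host: spare-one.example
2009-11-05T04:00:00Z 999.1.1.1 GET /cmd?id=e0 Host: spare-two.example
"""

# Assumed line layout: <ISO timestamp> <client ip> GET <path> Host: <sinkholed domain>
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<ip>\S+) GET (?P<path>\S+) Host: (?P<host>\S+)$"
)


@dataclass(frozen=True)
class CheckIn:
    day: str
    ip: ipaddress.IPv4Address
    host: str


def parse_log(text: str) -> Iterator[CheckIn]:
    """Yield one CheckIn per well-formed line; skip malformed lines and
    invalid addresses rather than aborting the whole run."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m["ip"])
        except ValueError:
            continue
        yield CheckIn(m["day"], ip, m["host"])


def summarize(text: str) -> Dict[str, object]:
    """Unique clients approximate the number of still-infected machines;
    per-day counts show the decay after the takedown; per-/24 counts give
    one entry per network owner to notify."""
    records = list(parse_log(text))
    unique_ips = {r.ip for r in records}
    per_day = defaultdict(set)
    per_host: Counter = Counter()
    for r in records:
        per_day[r.day].add(r.ip)
        per_host[r.host] += 1
    per_prefix = Counter(
        str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in unique_ips
    )
    return {
        "estimated_bots": len(unique_ips),
        "bots_per_day": {day: len(ips) for day, ips in sorted(per_day.items())},
        "checkins_per_domain": dict(per_host),
        "bots_per_prefix": dict(per_prefix),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A real sinkhole sees the same infected machine from different addresses over time (home connections get new DHCP leases), so the unique-address count over a long window overstates the population; a per-day count, as computed here, is the usual compromise, which is why the article’s 250,000 figure should be read as an estimate.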

Down Goes Mega-D

MessageLabs, a Symantec e-mail security subsidiary, reports that Mega-D had “consistently been in the top 10 spam bots” for the previous year (find.pcworld.com/64165). The botnet’s output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw.

Three days later, FireEye’s action had reduced Mega-D’s market share of Internet spam to less than 0.1 percent, MessageLabs says.

FireEye plans to hand off the anti-Mega-D effort to ShadowServer.org, a volunteer group that will track the IP addresses of infected machines and contact affected ISPs and businesses. Business network or ISP administrators can register for the free notification service.

Continuing the Battle

Mushtaq recognizes that FireEye’s successful offensive against Mega-D was just one battle in the war on malware. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one. But other botnets continue to thrive.

“FireEye did have a major victory,” says Joe Stewart, director of malware research with SecureWorks. “The question is, will it have a long-term impact?”

Like FireEye, Stewart’s security company protects client networks from botnets and other threats; and like Mushtaq, Stewart has spent years combating criminal enterprises. In 2009, Stewart outlined a proposal to create volunteer groups dedicated to making botnets unprofitable to run. But few security professionals could commit to such a time-consuming volunteer activity.

“It takes time and resources and money to do this day after day,” Stewart says. Other, under-the-radar strikes at various botnets and criminal organizations have occurred, he says, but these laudable efforts are “not going to stop the business model of the spammer.”

Mushtaq, Stewart, and other security pros agree that federal law enforcement needs to step in with full-time coordination efforts. According to Stewart, regulators haven’t begun drawing up serious plans to make that happen, but Mushtaq says that FireEye is sharing its method with domestic and international law enforcement, and he’s hopeful.

Until that happens, “we’re definitely looking to do this again,” Mushtaq says. “We want to show the bad guys that we’re not sleeping.”

Source

Insurgents Hack U.S. Drones

Wednesday, January 6th, 2010

Militants in Iraq have used $26 off-the-shelf software to intercept live video feeds from U.S. Predator drones, potentially providing them with information they need to evade or monitor U.S. military operations.

Senior defense and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an unprotected communications link in some of the remotely flown planes’ systems. Shiite fighters in Iraq used software programs such as SkyGrabber — available for as little as $25.95 on the Internet — to regularly capture drone video feeds, according to a person familiar with reports on the matter.

U.S. officials say there is no evidence that militants were able to take control of the drones or otherwise interfere with their flights. Still, the intercepts could give America’s enemies battlefield advantages by removing the element of surprise from certain missions and making it easier for insurgents to determine which roads and buildings are under U.S. surveillance.

The drone intercepts mark the emergence of a shadow cyber war within the U.S.-led conflicts overseas. They also point to a potentially serious vulnerability in Washington’s growing network of unmanned drones, which have become the American weapon of choice in both Afghanistan and Pakistan.

The Obama administration has come to rely heavily on the unmanned drones because they allow the U.S. to safely monitor and stalk insurgent targets in areas where sending American troops would be either politically untenable or too risky.

The stolen video feeds also indicate that U.S. adversaries continue to find simple ways of counteracting sophisticated American military technologies.

U.S. military personnel in Iraq discovered the problem late last year when they apprehended a Shiite militant whose laptop contained files of intercepted drone video feeds. In July, the U.S. military found pirated drone video feeds on other militant laptops, leading some officials to conclude that militant groups trained and funded by Iran were regularly intercepting feeds.

In the summer 2009 incident, the military found “days and days and hours and hours of proof” that the feeds were being intercepted and shared with multiple extremist groups, the person said. “It is part of their kit now.”

…………

Source

Europeans to pick browsers after Microsoft deal

Wednesday, January 6th, 2010

BRUSSELS – More than 100 million Europeans will get to pick a Web browser after Microsoft agreed to offer Internet users a choice to avoid fresh fines — a move that could represent a real thawing of long-standing tensions between the software company and the European Union.

In a deal with regulators Wednesday, Microsoft Corp. will from March provide a pop-up screen to all users of its Windows operating system, asking them to choose one or more of five major browsers — including Microsoft’s Internet Explorer, Google’s Chrome and Apple’s Safari — and seven smaller rivals.

In return, the European Commission will drop charges it filed against Microsoft in January, when it said tying Internet Explorer to Windows — already installed on most computers — gave the browser an unfair advantage. That was the latest in a long list of concerns — in more than a decade of EU antitrust action, Microsoft has been fined €1.7 billion.

Neelie Kroes, the EU’s competition commissioner, said the deal resolves “a serious competition concern” for a key market in the development of the Internet.

“It is as if you went to the supermarket and they only offered you one brand of shampoo on the shelf, and all the other choices are hidden out the back, and not everyone knows about them,” she said. “What we are saying today is that all the brands should be on the shelf.”

Microsoft is not totally out of the woods yet, as it can still be fined up to 10 percent of yearly global turnover without regulators having to prove their case if it doesn’t stick to its commitment for the next five years.

The EU is also still investigating a complaint that Microsoft isn’t sharing enough technical information that would help developers make compatible products; regulators reacted coolly to Microsoft’s offer Wednesday to provide developers more information to make their products compatible, saying they would check to see if it does help rivals.

The U.S. Department of Justice welcomed the deal which it said could enhance competition. It investigated Microsoft during the 1990s for trying to squeeze browser rival Netscape and settled the case in 2002 in a deal ordering the company to share some data with rivals.

However, U.S. regulators did not follow up more recent complaints, leaving the EU as the most active global antitrust enforcer probing Microsoft’s move into server, media and Web software.

Google said more competition among browsers would boost innovation and promote a shift to “cloud computing” where people use Internet-based applications to perform tasks that they now do offline — often using Microsoft programs for word processing or bookkeeping.

Meanwhile Mozilla — the maker of Internet Explorer’s nearest challenger, Firefox — said it was happy to see that the EU deal would stop Microsoft repeatedly prompting users to switch from other browsers to Internet Explorer.

Internet Explorer has some 64 percent of the global browser market, followed by Firefox at nearly 25 percent, Apple’s Safari at 4 percent and Google’s Chrome at 3.9 percent, according to figures from Net Applications.

Opera, the Norwegian browser company that made the initial complaint to the EU, said it thought the browser screen would help it attract more users even though it will be competing against major brand names. Opera’s share is just over 2 percent.

Most European users of Windows XP, Vista or 7 will get the new choice screen from Microsoft’s automatic updates if they have Internet Explorer installed as their default browser. Users outside the 30 countries in the European Economic Area — the 27-nation EU plus Norway, Iceland and Liechtenstein — won’t get the update.

Users will see a box that asks them to find out more about browsers before they click to download one or more of them. They can close the box to keep Internet Explorer if they want.

The EU says some 100 million computers will get the update by mid-March and another 30 million new computers will see it over the next five years. The choice of browsers will be updated every six months based on new market share information.

Microsoft must also report back to regulators in six months’ time to check how the program is working — and could make changes if the EU asks. The EU is also able to review the entire deal at the end of 2011.

Microsoft’s general counsel Brad Smith said he was pleased to resolve long-standing competition law issues.

Microsoft also pledged Wednesday to offer far more technical documentation on its most popular products to makers of rival software — including open source developers — and support some industry standards.

“We believe it represents the most comprehensive commitment to the promotion of interoperability in the history of the software industry,” he said in a statement.

Thomas Vinje, a lawyer for the group of companies that complained about Microsoft’s interoperability, said it was “not yet clear” if Microsoft’s offer would tackle competitive problems in the industry.

Source

EU resolves Microsoft IE antitrust case

Wednesday, January 6th, 2010

Microsoft and the European Commission have settled their differences over the choice of Web browsers in Windows.

European Commissioner for Competition Policy Neelie Kroes on Wednesday formally announced a resolution to the Internet Explorer antitrust case against Microsoft. As part of the settlement, Windows PCs sold in the European Economic Area will now present users with a Choice Screen, allowing them to install alternative browsers beyond Internet Explorer.

The Choice Screen will offer users the ability to install up to 12 of the most widely used Web browsers that run under Windows, including Firefox, Safari, Google Chrome, and Opera. Users can download as many of the browsers as they wish or stick with Internet Explorer. Additionally, computer makers and users in Europe will be able to turn off IE totally and set up other browsers as the default. As part of the settlement, Microsoft is also prohibited from preventing the choice of different browsers through any contractual or technical means.

Microsoft initially proposed stripping a browser out of Windows 7 entirely, a move first reported by CNET. Both competitors and the EU balked at that idea though, instead favoring some sort of ballot screen. Microsoft eventually relented, though the company and its rivals have gone back and forth for a while over the details.

Based on feedback it received, Microsoft modified and improved its design, according to the EC. The screen now appears in a neutral window, rather than an Internet Explorer window, and displays the browsers in a random order. The screen itself looks cleaner and less cluttered to the EC, which it believes will help users better focus on making their browser choice.

Microsoft has promised to make the screen available for five years in the European Economic Area and to offer it for Windows XP, Vista, and Windows 7, according to Europe’s antitrust regulators.

“Millions of European consumers will benefit from this decision by having a free choice about which web browser they use,” said Kroes. “Such choice will not only serve to improve people’s experience of the internet now but also act as an incentive for web browser companies to innovate and offer people better browsers in the future.”

Starting six months from now, Microsoft must report regularly to the Commission on its progress in implementing the new commitments, and the Commission can review the commitments two years from now.

After the EU announced the news, Microsoft issued its own statement on the resolution of the long-running, and expensive, antitrust case.

“We are embarking on a path that will require significant change within Microsoft. Nevertheless, we believe that these are important steps that resolve these competition law concerns,” Microsoft general counsel Brad Smith said in the statement. “This is an important day and a major step forward, and we look forward to building a new foundation for the future in Europe.”

The U.S. Justice Department, which waged its own years-long antitrust battle with Microsoft, applauded the outcome of the EU’s case.

“As we understand it, the settlement is based on measures to enhance competition and is designed to preserve industry participants’ incentives and ability to compete going forward. A settlement that helps to clarify obligations under European law allows the industry to move forward,” Christine Varney, assistant attorney general in the Justice Department’s antitrust division, said in a statement.

Source