Archive for June, 2010
VeriSign SSL Hackable – Comodo Exposes, VeriSign Denies
Wednesday, June 23rd, 2010
Comodo announced today that it requested an independent third-party to notify VeriSign of a security vulnerability affecting its customers’ web sites, including a major financial institution. VeriSign received notification by the independent third-party last Tuesday.
While Comodo is not in a position to fully evaluate the scope of the vulnerability, Comodo believes it is a significant security concern for VeriSign’s customers (and users of their customers’ web sites) that rely on secure SSL Digital Certificates to transmit business and personal data.
Using publicly available information, Comodo found that a VeriSign customer account of a major financial institution can be easily accessed without authentication. Comodo believes that the vulnerability is not limited to this single account.
Communicating through the independent third party, Comodo urged VeriSign to take immediate steps to correct and remediate the vulnerability and notify all their customers who may be affected by this vulnerability.
“When we uncovered this serious security vulnerability, we knew we had to do the right thing to notify VeriSign immediately to correct the design problem,” explained Melih Abdulhayoglu, chief executive officer and founder of Comodo. “With millions of customers’ financial transactions at stake, we wasted no time to help correct the problem even though it wasn’t ours to begin with.”
VeriSign responded, “We thank you for bringing this to our attention, but the information you have accessed is public information that can be found in a multitude of ways. The pages you have accessed are merely public portals for our customers’ authenticated work to be performed.”
Comodo CEO Melih Abdulhayoglu demonstrated the vulnerability to me in confidence. By not notifying its customers, VeriSign seems to be selling people security while not totally secure itself. It would seem as if their customers should be notified to decide on a case-by-case basis if they are OK with the issue or if they want it fixed.
The independent third party who notified VeriSign on behalf of Comodo does not wish for his identity to be revealed at this time. Comodo followed the Vulnerability Disclosure Guidelines of the Common Computing Security Standards Forum (CCSS) by using an independent third-party as a medium for disclosure. It provided a disclosure document to VeriSign outlining the vulnerability.
But let’s also point out that today, press releases by Comodo went out to the media and were posted on the Web … a mere one week after notifying VeriSign of the hole. To its credit, it didn’t completely “pull a Google” and publish the hack on the Web. But how long will it take before the black hats figure it out anyway?
It should be noted that Comodo is VeriSign’s competitor and also sells security, antivirus, firewall, and SSL digital certificates.
On May 19th, Symantec Corp. purchased VeriSign’s authentication-services unit for $1.28 billion in cash. VeriSign’s revenue from authentication-related services was $410 million for the 2009 fiscal year, 85% of which was generated by its SSL business alone. 900 VeriSign employees joined Symantec’s Enterprise Security Group.
Small Victory in the Fight Against Global Cybercrime
Tuesday, June 22nd, 2010
At the Kiev offices of Innovative Marketing Ukraine, hundreds of programmers, translators and database engineers created a software product that made the company a world leader — an exceptional achievement in the impoverished former Soviet republic.
But the way the company made its multimillion-dollar profits is nothing to celebrate, according to the criminal charges its owners now face in a district court in Chicago.
Innovative Marketing, say investigators and Internet-security researchers, was one of the biggest and cleverest propagators of “scareware” — programs that run fake scans on computers of unsuspecting users and then claim to find viruses that can only be removed by downloading some software. Except the viruses don’t exist and the software — which can cost between $30 and $70 — is either useless or can infect the computer itself.
Scareware is one of the fastest-growing and most prevalent types of Internet fraud. Security-software firm McAfee says it saw a 400% increase in incidents reported last year and predicts the use of scareware will be the most costly online scam in 2010, infecting around 1 million computers per day and bringing in illegal global profits of over $300 million. Charges against Innovative Marketing, run by Swede Bjorn Daniel Sundin and Indian-born Shaileshkumar Jain, put it squarely in the frame as one of the leading perpetrators of the scam.
Sundin and Jain are yet to appear before the Chicago court, which on May 27 charged them with computer fraud and wire fraud, but two months before that indictment they had already been ordered to pay $163 million by a court in Maryland in a default judgment in a civil suit brought against them by the Federal Trade Commission (FTC). The FTC case was a rare victory in the fight against cybercriminals, who use lax law enforcement in countries like Ukraine to stay beyond the reach of the law. “This is one of the largest Internet-based fraud cases the FTC has ever prosecuted,” says Ethan Arenson, an attorney at the FTC who led that investigation. “[Innovative Marketing] were the biggest players in scareware operations for a long time.”
According to the FTC, in 2003, Innovative Marketing began peddling hundreds of antivirus products under names such as WinAntiVirus and DriveCleaner. Misleading advertisements placed on websites — including those of the National Hockey League, the Economist magazine and Major League Baseball — were used to automatically launch the bogus scans before directing the user to purchase the malicious software.
After receiving more than 1,000 complaints from computer users who had been duped, the FTC began tracking the suspects through shell companies set up around the world. A major breakthrough came when Dirk Kollberg, a researcher with McAfee in Germany, decided to investigate Innovative Marketing’s servers in 2008, after discovering that some of its ads were being used to automatically download software without the user’s consent.
Astonishingly, the company’s servers were not password-protected, meaning the information they held was publicly available. The data gave Kollberg an insight into the inner workings of the company and its products. What he saw convinced him that, behind its smart logo and customer-care hotline, Innovative Marketing was producing and selling fake antivirus software on a massive scale. Using figures obtained from the servers, Kollberg calculates that the alleged scam scored $180 million in sales in 2008 alone. His findings helped the FTC build its case against the company.
Attempts to crack down on the scareware industry are hamstrung by the fact that many of the companies are run out of countries with weak legislation, ineffective law enforcement and corrupt officials. Paul Ferguson, a threat researcher at California-based Trend Micro, says a number of major threats have emanated from Ukraine, including the Zeus trojan, which steals bank-account details and ran rampant in early 2009. According to Ferguson, the shifty business is run by organized criminal gangs who trade control of infected computers — and the information stolen from them — for cash “like at a bazaar.” “It’s like the Wild West,” he says. “There’s no sheriff.”
Ukraine is slowly waking up to the need to take on its cybercriminals. The Interior Ministry set up an anticybercrime unit last year, but according to unit leader Ruslan Pakhomov they are fighting an uphill battle. Pakhomov says he lacks vital resources and laments that judges and prosecutors don’t have the knowledge they need to bring cases to a conviction. And in a country where the average wage is a miserable $200 a month, young computer specialists are queuing up for work wherever they can find it — even if it’s at a scareware company. “There are lots of talented, well-educated programmers, but there aren’t enough jobs,” says Pakhomov. “They try to find a place to use their skills.”
According to profiles posted on the LinkedIn careers networking website, former Innovative Marketing staff are now working at leading banks and consulting companies, while others have moved to another Kiev-based antivirus software company. Innovative Marketing’s former bosses, meanwhile, are facing their day in court. According to the U.S. Department of Justice, Sundin is believed to be in Sweden, while Jain is thought to be in Ukraine and is listed as wanted by Interpol. A third defendant from Ohio is expected to present himself for arraignment at the Chicago court at a later date.
As far as anyone can tell, Innovative Marketing shut its doors last year, but Ukraine’s Interior Ministry says it could still be operating from another location. McAfee researcher Kollberg says many of the scareware scams traced to the company are still running, although it’s difficult to tell who is behind them now. “If you have a business and you’re making hundreds of millions,” he says, “why would you just give it up?”
3.7 Billion Phishing E-Mails Sent in the Past Year
Tuesday, June 22nd, 2010
Cybercriminals sent 3.7 billion phishing e-mails over the last year, in a bid to steal money from unsuspecting web users, says CPP.
Research by the life assistance company revealed that 55 percent of phishing scams are fake bank e-mails, which try to dupe web users into giving hackers their credit card number and online banking passwords.
Hoax lottery and competition prize draws and Nigerian ‘419’ scams, which involve e-mail requests for money from supposedly rich individuals in countries such as Nigeria, were also among the most popular phishing e-mails.
Furthermore a quarter of Brits admitted to falling for the scams, losing on average £285.
Online banking fraud has surged by 132 percent during the last year. The report also highlighted that 46 percent of web users worry their credit card details will be used to make illegal online purchases.
CPP also revealed social networking scams are on the rise. Nearly one fifth of Brits have received phoney Facebook messages claiming to be from friends or family in the past year.
One in 10 fear that fraudsters are using Twitter to follow them, while a third are concerned their social networking account could be hacked.
“It seems that not a day goes by without a new case of online fraud hitting the headlines. But what’s concerning is that consumers are still falling victim,” said Nicole Sanders, an identity fraud expert at CPP.
“Fraudsters are becoming ever more skilled in their techniques and tactics. It can be extremely difficult to spot a legitimate email from a scam, so we advise caution at all times when online.”
Sanders also said web users should be mindful of what they post on social networks.
“Their identity is as valuable to a thief as a credit card, so protecting personal details is key.”
CPP advises web users concerned about online fraud to keep their personal information safe and to think twice before giving details to anyone who asks for them.
Banks will never ask for your personal information online, CPP said.
According to Steve Furnell, senior IEEE member and head of the Centre for Security, Communications and Network Research at the University of Plymouth, the increasing skill of the fraudsters and other online attackers is effectively raising the bar for what the average user needs to know in order to remain protected.
“Knowing that users tend to rely upon antivirus and Internet security packages, malware writers now seek to block this software from downloading the latest updates,” said Furnell.
“So, while users may see that their package is running and assume all is well, the protection may actually be outdated and therefore not working as effectively as promised.”
Furnell said in order to avoid this happening, users should make periodic manual checks to ensure that their antivirus has downloaded recent signatures.
“Similarly, while the advice to guard against fraud by looking for https and the padlock icon is perfectly sound in web context, this doesn’t prevent people from falling victim in other contexts (e.g. responding to a direct request via email),” he added.
“Consequently, web users need to develop broader skills; to consider the nature and importance of the information they’re being asked for, the likely legitimacy of the request and its source, and whether there are any avenues they can use to check before responding.”
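Furnell’s point about https and the padlock deserves spelling out: the padlock only asserts that the connection to whatever host is in the address bar is encrypted and that some CA issued that host a certificate. It says nothing about whether that host is the bank you think it is. The checker below is an added example, not part of the article or of CPP’s advice; it lists the extra questions a user (or a mail gateway) has to ask about a link before trusting it. The trusted-host list and the sample links are constructed for the example.

```python
"""Added example: why "https and the padlock" is necessary but not sufficient.

Each reason returned by assess_link() corresponds to a trick seen in fake-bank
mail: a plain-http link, an IP address instead of a name, a "user@" prefix that
makes the real host look like a path, a look-alike domain that merely
*contains* the bank's name, or an internationalised (punycode) host that may
be a homoglyph of the real one.  Only the last two survive the padlock test.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumption: the hosts the recipient actually banks with.  A real deployment
# would take this from the user's bookmarks or a policy file.
TRUSTED_HOSTS = ("bank.example", "online.bank.example")


def _host_is_trusted(host, trusted):
    """True only for an exact trusted host or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def _is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(url, trusted=TRUSTED_HOSTS):
    """Return a list of reasons not to trust `url`; an empty list means it passed."""
    parts = urlsplit(url)
    reasons = []
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # https://bank.example@evil.example/ -> the browser goes to evil.example
        reasons.append("credentials in URL hide the real host")
    if not host:
        reasons.append("no host")
        return reasons
    if _is_ip_literal(host):
        reasons.append("host is an IP address")
    elif host.startswith("xn--") or ".xn--" in host:
        reasons.append("internationalised (punycode) host")
    if not _host_is_trusted(host, trusted):
        # The padlock still shows on a look-alike such as
        # bank.example.secure-login.example; only the trusted list catches it.
        reasons.append("host %r is not a trusted bank host" % host)
    return reasons


# Constructed sample links, the kind a fake-bank e-mail would carry.
SAMPLE_LINKS = [
    "https://online.bank.example/login",
    "http://online.bank.example/login",
    "https://bank.example.secure-login.example/login",
    "https://bank.example@198.51.100.7/login",
    "https://xn--bnk-hoa.example/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = assess_link(link)
        print(("OK    " if not verdict else "REJECT") + "  " + link)
        for reason in verdict:
            print("        - " + reason)
```

Run stand-alone it prints a verdict per sample link; only the first one passes, and the third and fifth are rejected despite being perfectly good https links with a padlock, which is exactly the gap Furnell describes.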
Welcome, iOS 4
Tuesday, June 22nd, 2010
As the iPhone 4’s Thursday release inches closer, Apple whets our appetite Monday with the release of its latest iPhone and iPod Touch operating system. First announced in April, iOS 4 adds a gallery of features, from the long-awaited and expected to the small and surprising.
For a refresher on the look and feel of iOS 4, check out our initial hands-on of the developer release.
To get the update, simply connect your device to iTunes and follow the steps. It’s free for both iPhone and iPod Touch users–in the past the latter group had to pay a small fee–though iOS 4 is not compatible with first generation models of either device. Also, remember that the iPhone 3G will not support the new multitasking feature.
We’ll follow up with a review of iOS 4 later Monday, but here’s a recap of the new features in the meantime.
Multitasking
Finally, the iPhone joins its smartphone rivals with the ability to run multiple apps simultaneously.
Home screen folders
Now you’ll be able to save home screen space by organizing related–or even unrelated–apps into folders.
E-mail in-box
Among other things, you get a unified e-mail in-box, support for multiple Exchange accounts, and the option of viewing e-mails by thread.
Enterprise
IT departments will welcome enhanced data protection, mobile device management, and wireless app distribution.
iBooks
You can share books between the iPhone and the iPad with one purchase.
Game Center
This feature is scheduled for release later this year so we won’t get it right away. But when it comes it will bring options like a social gaming network, the ability to invite friends to games, and a way to match up two people to play.
Additional changes
* Spell check
* Larger fonts for e-mail, texts, and alerts
* Persistent Wi-Fi
* Tap to focus in video recorder
* Customizable wallpapers for the home screen
* Search text messages
* Choose image size in mail messages
* Recent Web searches
* 5x digital zoom in camera
* Gifting of apps
* Birthday calendar
* File and delete mail search results
* Web search suggestions in universal search
* Rotate photos
* Playlist creation on the device
* Support for Bluetooth keyboards
Toshiba experiments with new laptop form factors
Monday, June 21st, 2010
Toshiba has announced a trio of new devices that it’s hoping will shake up the somewhat-stagnant notebook PC market. There’s the Libretto W100, the AC100, and the Satellite R630.
The first in the list is the most interesting. It’s a clamshell device that comes with two screens in place of a screen and a keyboard, similar to the one shown off by Asus at CeBIT more than a year ago. Those screens are identical, measuring 7 inches diagonally, and are touch-sensitive. An onboard accelerometer allows you to use it in landscape or portrait configuration, and Toshiba’s pre-loaded a boatload of specialist software that’ll let you get the most from the device.
Like a keyboard. Or, to be more precise, many keyboards. You can choose from several, including one designed to be used with your thumbs when you’re holding it. You can also create a virtual trackpad, if you prefer not to use the touchscreen functionality and want more of a traditional mousing arrangement. To augment the touchscreens there are two buttons on either side of the lower screen — one of them launches your chosen keyboard, and the other takes you to a sort-of homescreen/application launcher, that can also be used for notetaking, or displaying recent documents.
It runs Windows 7, which meant (during my time with the device) that things weren’t as speedy as you might hope. In fact, at times they were downright clunky, taking up to five seconds to switch between portrait and landscape modes. Let’s hope that’s just pre-release software, and not an indication of how the final device will perform. It’s powered by an Intel U5400 processor, and comes with 2GB of DDR3 RAM, a 62GB SSD, and the usual array of connectivity options, including 3G and a single USB port. It’ll land in July, 2010.

The AC100 is a little larger and more traditional. It’s got a keyboard and a trackpad, but weighs just 870g, with a 10.1-inch display. It’s 21mm thick, and will be running Android 2.1, placing it in a strange middle ground between a mobile phone, a tablet and a netbook.
Oddly, it doesn’t have a touchscreen — just a traditional TFT. Controlling Android with a mouse and keyboard is an odd experience, but you get used to it relatively quickly, especially once you get used to the custom software that Toshiba has preloaded the device with. That software allows your homescreen to change based on what network you’re connected to — allowing you to have one for home, one for work, etc.
Dataviz’s Documents To Go software gives you the ability to read documents, spreadsheets, presentations and PDFs, but you won’t be able to edit them unless you spring for a paid update to the app.
Inside, there’s an Nvidia Tegra graphics chip, which allows for some very nifty graphics acceleration, along with an 8GB SSD for storage, 512MB of RAM, an eight-hour battery, Wi-Fi and Bluetooth. There’s also an HDMI port on the side so that you can plug the device into a television or other display, to play back HD content, which Toshiba promises that it does faultlessly.
I should mention the design, too. Unlike the Libretto W100, which is short and chunky, the AC100 looks great. It has a black textured shell, with orange highlighting and orange keys on the keyboard. It looks and feels sturdy, and you won’t be embarrassed to whip it out in a coffee shop to check your emails. It’ll be out in August, 2010.

Lastly, there’s the altogether more familiar-looking Satellite R630, which falls under the Portege banner for business users. Toshiba promises that it’s “Europe’s thinnest, lightest 13.3-inch laptop”, explaining that the world’s thinnest and lightest is another model that the company sells in Japan. Leaving aside the question of why Toshiba didn’t bring that to Europe instead, there are still some innovations inside.
Firstly, the cooling system’s been rebuilt from scratch. A smaller motherboard, with a new design that places all the heat-generating components in one place, allows for a fan that sucks cool air in, rather than pushing heat out of the case. That might not sound much different, but it increases efficiency, meaning lower temperatures, less fan noise and better battery life.
That battery should last around nine hours before it needs recharging, or 14 if you plump for a nine-cell version. The device itself is 20mm thick, and weighs 1.3kg with an optical disc drive. It’s powered by a full-performance Intel Core i3, i5 or i7 chip, not the ultra-low voltage versions which you’ll find in many competitors’ machines. Externally, the design is plain and utilitarian, but it’s not ugly. Far from it. It’s just not overstated, and all the better for it.

Pricing for all three devices isn’t yet set. I’m not entirely convinced that we’ll see hordes of copycat dual-screen devices — the Libretto isn’t pretty and doesn’t run too well. Similarly, the R630 is evolutionary, rather than revolutionary. Instead, it’s the AC100 that I’m most interested in. A version with a touchscreen, and the ability to spin the screen 180 degrees to turn it into a tablet, would be a very exciting product indeed.
Google, Rumblefish planning new YouTube service
Sunday, June 20th, 2010
Google and Rumblefish are set to announce a new version of an existing deal that allows licensed music to be used on YouTube.
The companies are planning a press conference for June 29 with Rumblefish founder and CEO Paul Anthony and an unnamed YouTube executive, according to an e-mail pitch received by CNET. Representatives for Rumblefish and YouTube declined to comment further on their plans, but it appears they are likely set to expand their current relationship.
Rumblefish is a music-licensing company that cuts deals with musicians and companies looking for background music to use in marketing campaigns or products. Google started offering Rumblefish music on YouTube in 2008 to give its users a legal option for using music in their videos.
Companies Launch Online Fraud Alert Service
Saturday, June 19th, 2010
Microsoft, eBay and Citizens Bank have launched a new Internet fraud alert service designed to allow them to better share information about compromised accounts with each other in an effort to better fight online fraud.
Companies conducting investigations of fraudulent activity online often find compromised accounts of other firms’ customers, but until now, there wasn’t an easy way to report the findings, said Nancy Anderson, corporate vice president and deputy general counsel at Microsoft. The Internet Fraud Alert service, launched Thursday, will allow investigators to report stolen account credentials, such as passwords or credit card numbers, to the appropriate online vendor, she said.
It’s “not uncommon” for Microsoft and other companies doing internal fraud investigations to find compromised accounts from other vendors, Anderson said.
The new program is “an important new piece of our arsenal to fight online fraud and protect consumers,” Anderson said. “The institution responsible for that account … will receive an immediate alert so they can take immediate action. It’s an effort to get the right information into the right hands of the right people.”
The Anti-Phishing Working Group estimates that 1 million U.S. residents had accounts compromised in phishing attacks in 2009. “I don’t think it’s a big secret that online fraud continues to be a pernicious problem for consumers,” Anderson said.
Also participating in the program is eBay subsidiary PayPal, but members of the program hope other companies will sign up as well, Anderson said. The National Cyber-Forensics and Training Alliance (NCFTA) will administer the program, and supporting the effort are Accuity, a provider of payment routing data, the American Bankers Association, Anti-Phishing Working Group, the U.S. Federal Trade Commission and the National Consumers League.
“Internet Fraud Alert is a promising and innovative approach to help financial and online institutions discover hijacked accounts and close them or inform the affected consumers,” Chuck Harwood, deputy director of the FTC, said in a statement. “We hope that someday there won’t be a need for a secure database of stolen account credentials.”
Companies that want to join the program will have to apply and be confirmed as legitimate, Anderson said. But the current members want the program open to all reputable companies that do business online, she said.
Microsoft developed the reporting tool and will donate it to the NCFTA.
128GB Smart Phones in the Pipe
Friday, June 18th, 2010
You know that 32GB iPhone 4 you just pre-ordered? The amount of internal storage is going to seem comparatively quaint if Toshiba follows through with its plan to mass produce 128GB embedded NAND flash memory modules by the end of this year.
That’s right, folks: 128 awesome gigabytes of storage capacity could become standard on everything from high-end smartphones to tablet PCs, digital cameras, and everywhere else you find embedded flash chips. It’s the highest capacity yet achieved in the industry, part of which is the result of Toshiba’s 32nm manufacturing technology. The other part of the equation involves stacking sixteen 64Gbit (equal to 8GB) NAND chips with a dedicated controller into a package measuring just 17 x 22 x 1.4mm.
The implications here are huge, especially with competition ramping up in the mobile market. With 1GHz Snapdragon chips strutting through the smartphone scene and 2GHz chips on the horizon, smartphones are finally powerful enough to truly be considered handheld PCs. And with a spate of Android, WebOS, and Windows 7 tablets on the horizon, Apple’s flagship 64GB iPad could suddenly become far less appealing, and for reasons other than lack of Flash support.
Starbucks brewing up free Wi-Fi at all stores
Thursday, June 17th, 2010
Starbucks is stirring up a few changes to its Wi-Fi access that should make Web-surfing coffee drinkers happy.
Starting July 1, the coffee brewer said it will launch free Wi-Fi access throughout all of its stores nationwide, with no special registration or account required and no limits on the time people can spend online.
Available through AT&T, the enhanced Wi-Fi improves on the current access, which is free to customers who use their AT&T accounts or Starbucks cards to log in, $3.99 for everyone else, and restricts the time online to no more than two hours.
Appearing at Wired’s business conference Disruptive by Design on Monday, Starbucks CEO Howard Schultz spoke about the new Wi-Fi access as part of the company’s goal to embrace social and digital media and look for new ways to bridge a customer’s coffeehouse experience with the digital world.
Beyond the enhanced Wi-Fi access, Schultz also unveiled plans for a new in-store service called the Starbucks Digital Network, slated to come online this fall. Teaming up with Yahoo, Starbucks will offer customers free and unrestricted access to different paid sites and services. Content partners will include WSJ.com, iTunes, The New York Times, Patch, USA Today, Yahoo, and Zagat. Additionally, Schultz said the new network will provide exclusive content, free downloads, and local community news.
Though Starbucks has offered its limited brand of Wi-Fi service for years, first through T-Mobile and then through AT&T, the company has lagged some of its competitors in offering unlimited free access.
McDonald’s, which sells coffee alongside its thick milkshakes, added free, unrestricted Wi-Fi access via AT&T to its menu in January, while nationwide cafe chains like Panera Bread also offer instant and free Wi-Fi.
Since his return to the CEO role in 2008, Schultz has been busy trying to promote Starbucks as a spot where people can work and socialize, especially online. He has spoken before about creating a third place between work and home and reiterated that point at the Wired business conference.
Given the company’s track record at tapping into the online world, Schultz’s new Wi-Fi initiatives may pay off. In a study from last July, Starbucks was named the biggest brand on the Web at using social media to promote itself and engage its customers.
