IT Outsourcing - Percento

Archive for the ‘Information Technology Security’ Category

WPA2 vulnerability found

Monday, July 26th, 2010

Perhaps it was only a matter of time. But wireless security researchers say they have uncovered a vulnerability in the WPA2 security protocol, which is the strongest form of Wi-Fi encryption and authentication currently standardized and available.

Malicious insiders can exploit the vulnerability, named “Hole 196” by the researcher who discovered it at wireless security company AirTight Networks. The moniker refers to the page of the IEEE 802.11 Standard (Revision, 2007) on which the vulnerability is buried.

Hole 196 lends itself to man-in-the-middle-style exploits, whereby an internal, authorized Wi-Fi user can decrypt, over the air, the private data of others, inject malicious traffic into the network and compromise other authorized devices using open source software, according to AirTight.

The researcher who discovered Hole 196, Md Sohail Ahmad, AirTight technology manager, intends to demonstrate it at two conferences taking place in Las Vegas next week: Black Hat Arsenal and DEF CON 18.

The Advanced Encryption Standard (AES) derivative on which WPA2 is based has not been cracked and no brute force is required to exploit the vulnerability, Ahmad says. Rather, a stipulation in the standard that allows all clients to receive broadcast traffic from an access point (AP) using a common shared key creates the vulnerability when an authorized user uses the common key in reverse and sends spoofed packets encrypted using the shared group key.

Ahmad explains it this way:

WPA2 uses two types of keys: 1) Pairwise Transient Key (PTK), which is unique to each client, for protecting unicast traffic; and 2) Group Temporal Key (GTK) to protect broadcast data sent to multiple clients in a network. PTKs can detect address spoofing and data forgery. “GTKs do not have this property,” according to page 196 of the IEEE 802.11 standard.

These six words comprise the loophole, Ahmad says.

Because every client holds the GTK in order to receive broadcast traffic, the user of a client device could use the GTK to create broadcast packets of its own. From there, clients will respond to the sending MAC address with their own private key information.

Ahmad says it took about 10 lines of code in open source MadWiFi driver software, freely available on the Internet, and an off-the-shelf client card for him to spoof the MAC address of the AP, pretending to be the gateway for sending out traffic. Clients who receive the message see the client as the gateway and “respond with PTKs”, which are private and which the insider can decrypt, Ahmad explains.

From there, “the malicious insider could drop traffic, drop a [denial-of-service] attack, or snoop,” Ahmad says.
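The design point behind “GTKs do not have this property” is that a key shared by every member of a group can prove only membership, never which member sent a frame. The following toy model, added here and not part of the original article or of AirTight’s research, shows the contrast with HMAC tags: under a per-client pairwise key a station cannot produce a frame that verifies at another station as coming from the AP, while under the group key any station can. The frame layout, key sizes and station names are constructed for illustration and are not the 802.11 formats.

```python
import hashlib
import hmac
import os

# Constructed toy model (not the 802.11 frame format): a "frame" is
# (claimed_sender, payload) protected by an HMAC-SHA256 tag under a symmetric key.


def tag(key: bytes, sender: str, payload: bytes) -> bytes:
    """Integrity tag binding the claimed sender address to the payload."""
    return hmac.new(key, sender.encode() + b"|" + payload, hashlib.sha256).digest()


def verify(key: bytes, sender: str, payload: bytes, mic: bytes) -> bool:
    return hmac.compare_digest(tag(key, sender, payload), mic)


def build_network(stations):
    """Hypothetical AP key setup: one pairwise key (PTK) per station that only
    the AP and that station know, plus one group key (GTK) handed to everyone."""
    ptk = {sta: os.urandom(32) for sta in stations}
    gtk = os.urandom(32)
    return ptk, gtk


def pairwise_forgery_detected(ptk, forger: str, victim: str) -> bool:
    """A station tries to send the victim a unicast frame claiming to be the AP.
    It only knows its own PTK, so the tag cannot verify under the victim's PTK."""
    payload = b"broadcast hello"
    forged_mic = tag(ptk[forger], "AP", payload)
    return not verify(ptk[victim], "AP", payload, forged_mic)


def group_forgery_detected(gtk: bytes) -> bool:
    """A station uses the shared GTK to build a broadcast frame claiming to be the AP.
    Every station holds the same GTK, so the victim cannot distinguish it from a
    genuine AP broadcast: the tag verifies and the forgery goes undetected."""
    payload = b"broadcast hello"
    forged_mic = tag(gtk, "AP", payload)
    return not verify(gtk, "AP", payload, forged_mic)


if __name__ == "__main__":
    ptk, gtk = build_network(["sta1", "sta2"])
    print("pairwise forgery detected:", pairwise_forgery_detected(ptk, "sta1", "sta2"))
    print("group forgery detected:   ", group_forgery_detected(gtk))
```

The model explains why no configuration change inside WPA2 closes the gap: as long as broadcast protection relies on a symmetric key shared by all clients, sender authentication for broadcast frames has to come from somewhere else (the pairwise channel, or monitoring for frames that claim the AP’s address but do not originate from it).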

The ability to exploit the vulnerability is limited to authorized users, AirTight says. Still, year-after-year security studies show that insider security breaches continue to be the biggest source of loss to businesses, whether from disgruntled employees or spies who steal and sell confidential data.

What can we do about Hole 196?

“There’s nothing in the standard to upgrade to in order to patch or fix the hole,” says Kaustubh Phanse, AirTight’s wireless architect who describes Hole 196 as a “zero-day vulnerability that creates a window of opportunity” for exploitation.

Source

Microsoft debuts beta of new Security Essentials

Thursday, July 22nd, 2010

New beta of Microsoft's Security Essentials 2.0.

Microsoft released a beta of the new version of its Security Essentials antimalware software on Tuesday, sporting a few changes and enhancements.

Following version 1.0 of the free Security Essentials released in September, the folks in Redmond outfitted the 2.0 beta with an updated antimalware engine. The new engine is smarter at detecting and removing security threats and offers better performance, according to a Microsoft blog. The software also now integrates directly with Windows Firewall and gives users the option to turn the firewall on or off.

By integrating with Internet Explorer, the Security Essentials beta provides greater protection against Web-based threats, Microsoft said. It can also watch for attacks that come via a network, though this option is only available in Windows Vista and Windows 7. Users of Windows XP can’t take advantage of this particular feature because XP lacks the necessary Windows Filtering Platform.

You can find and download the new beta at Microsoft’s Connect page where you’ll need to log in with a Windows Live account. You’ll then be directed to the download page where you choose whether to grab the 32-bit or 64-bit version.

Microsoft has promised to keep the beta current with the latest virus and spyware definitions and also provide ongoing updates to the software itself. To receive the software updates, you’ll need to subscribe to Microsoft Update and set your preferences to automatically download and install new updates, according to the company.

The beta is only for people in the U.S., Israel (English only), China (Simplified Chinese only) and Brazil (Brazilian Portuguese only). And it’s available on a first-come, first-served basis, apparently just until a certain quota has been reached.

Source


‘Perfect Citizen’ Program Places ‘Sensors’ Throughout Web

Thursday, July 8th, 2010

The federal government is launching an expansive program dubbed “Perfect Citizen” to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program.

The surveillance by the National Security Agency, the government’s chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn’t persistently monitor the whole system, these people said.

Defense contractor Raytheon Corp. recently won a classified contract for the initial phase of the surveillance effort valued at up to $100 million, said a person familiar with the project.

An NSA spokeswoman said the agency had no information to provide on the program. A Raytheon spokesman declined to comment.

Some industry and government officials familiar with the program see Perfect Citizen as an intrusion by the NSA into domestic affairs, while others say it is an important program to combat an emerging security threat that only the NSA is equipped to provide.

“The overall purpose of the [program] is our Government…feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security,” said one internal Raytheon email, the text of which was seen by The Wall Street Journal. “Perfect Citizen is Big Brother.”

Raytheon declined to comment on this email.

A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras. It’s a logical extension of the work federal agencies have done in the past to protect against physical attacks on critical infrastructure that could sabotage the government or key parts of the country, the official said.

U.S. intelligence officials have grown increasingly alarmed about what they believe to be Chinese and Russian surveillance of computer systems that control the electric grid and other U.S. infrastructure. Officials are unable to describe the full scope of the problem, however, because they have had limited ability to pull together all the private data.

Perfect Citizen will look at large, typically older computer control systems that were often designed without Internet connectivity or security in mind. Many of those systems—which run everything from subway systems to air-traffic control networks—have since been linked to the Internet, making them more efficient but also exposing them to cyber attack.

The goal is to close the “big, glaring holes” in the U.S.’s understanding of the nature of the cyber threat against its infrastructure, said one industry specialist familiar with the program. “We don’t have a dedicated way to understand the problem.”

The information gathered by Perfect Citizen could also have applications beyond the critical infrastructure sector, officials said, serving as a data bank that would also help companies and agencies who call upon NSA for help with investigations of cyber attacks, as Google did when it sustained a major attack late last year.

The U.S. government has for more than a decade claimed a national-security interest in privately owned critical infrastructure that, if attacked, could cause significant damage to the government or the economy. Initially, it established relationships with utility companies so it could, for instance, request that a power company seal a manhole that provides access to a key power line for a government agency.

With the growth in concern about cyber attacks, these relationships began to extend into the electronic arena, and the only U.S. agency equipped to manage electronic assessments of critical-infrastructure vulnerabilities is the NSA, government and industry officials said.

The NSA years ago began a small-scale effort to address this problem code-named April Strawberry, the military official said. The program researched vulnerabilities in computer networks running critical infrastructure and sought ways to close security holes.

That led to initial work on Perfect Citizen, which was a piecemeal effort to forge relationships with some companies, particularly energy companies, whose infrastructure is widely used across the country.

The classified program is now being expanded with funding from the multibillion-dollar Comprehensive National Cybersecurity Initiative, which started at the end of the Bush administration and has been continued by the Obama administration, officials said. With that infusion of money, the NSA is now seeking to map out intrusions into critical infrastructure across the country.

Because the program is still in the early stages, much remains to be worked out, such as which computer control systems will be monitored and how the data will be collected. NSA would likely start with the systems that have the most important security implications if attacked, such as electric, nuclear, and air-traffic-control systems, they said.

Intelligence officials have met with utilities’ CEOs and those discussions convinced them of the gravity of the threat against U.S. infrastructure, an industry specialist said, but the CEOs concluded they needed better threat information and guidance on what to do in the event of a major cyber attack.

Some companies may agree to have the NSA put its own sensors on and others may ask for direction on what sensors to buy and come to an agreement about what data they will then share with the government, industry and government officials said.

While the government can’t force companies to work with it, it can provide incentives to urge them to cooperate, particularly if the government already buys services from that company, officials said.

Raytheon, which has built up a large cyber-security practice through acquisitions in recent years, is expected to subcontract out some of the work to smaller specialty companies, according to a person familiar with the project.

Source

To Achieve Innovation from IT Outsourcing, Ditch Old Vendor Selection Processes

Sunday, May 23rd, 2010

There are countless obstacles to achieving anything resembling innovation when outsourcing IT, but the biggest barrier is inertia. To combat the status quo, customers and suppliers have to shake things up, especially the traditional process for procuring IT services.

IT departments say they want innovation from their outsourcing vendors, and the vendors say they want to provide it. So why is innovation in outsourcing so rare?

There are countless obstacles to achieving anything resembling innovation when outsourcing IT, including ineffective change management, toothless governance, inadequate skills, perverse incentives and powerless managers. But the biggest barrier is inertia. When it comes time to draw up an outsourcing contract, everyone reverts to the safety of the status quo.

“One of the root causes behind lack of innovation in outsourced environments is an overemphasis on stability from buyers and service providers,” says Phil Fersht, founder of outsourcing analyst firm Horses for Sources. “After the contract is signed, buyer executives don’t want noise because they want to avoid second-guessing. The provider’s delivery executive wants all their dashboards to have green indicator lights. Every action taken by both parties promotes stability, but hinders—even suppresses—innovation.”

To achieve innovation in IT outsourcing, customers and suppliers have to shake things up. And that starts with the traditional IT service procurement process of gathering requirements, issuing an RFP, selecting a vendor and signing a contract—that Holy Writ of the outsourcing relationship.

Ironically, contracting for innovation has precious little to do with the contract itself, say outsourcing experts and attorneys. While the contract codifies deal doctrine, in the most successful and innovative IT outsourcing relationships, it quietly gathers dust after the ink is dry. The contract is a consequence of a much more important negotiation—one that establishes a relationship between IT outsourcing customer and provider that will produce innovation while the legal documents sit on a shelf. To achieve that ideal relationship, all parties need to throw out the old notions that govern the traditional IT services procurement process and instead take the following approach.

1. Delay the RFP

In today’s world of urgent cost cutting and speed sourcing, there’s a rush to get the RFP out the door. But IT outsourcing customers need to decide upon innovation goals before even thinking about soliciting proposals or structuring the vendor selection process.

“If the enterprise wants any innovation, they should understand that the cookie-cutter RFP with the price-driven negotiation is not an effective vehicle,” says Bill Bierce, co-founder of technology law firm Bierce & Kenerson.

2. Define Innovation

It’s easier to agree on what innovation isn’t than what it is. “Innovation is not the service provider meeting or exceeding service level commitments,” says Fersht. “Those service levels are a component of the contractual agreement between the provider and the buyer, and thus should be met, plain and simple.”

True innovation might mean continuous process improvement, emerging technology implementation, new best practices, IT transformation or competitive advantage. A clear definition of innovation is required so that the contract will reflect the appropriate financial and other terms associated with it, says Daniel Masur, a partner in the Washington, D.C. office of law firm Mayer Brown.

The sad fact is, many IT departments have grown so consumed with keeping the lights on over the past few years that they “have lost touch with the innovative spirit and the knowledge of what innovation means to their firm and industry,” says Fersht.

Consequently, they rely on the outsourcer to define innovation for them, which puts the vendor in a difficult position, Fersht adds. A service provider can’t be expected to deliver significant innovation without knowing what types of innovation would help its client attain and maintain its strategic objectives, he says.

Fersht recommends drawing up a strategic innovation plan and a process for updating it. It should outline the outsourced environment and those activities retained internally, and how to innovate within the new framework.

3. Use Outsourcers as Consultants

Attorney Bierce recommends to his clients that they approach IT service innovation as a consulting project and solicit recommendations for change from potential providers. “This poses some challenges for outsourcers who claim to have trade secret processes for industry verticals, and that they would be exposed by putting out their trade secrets into an environment where the enterprise customer would then just bid out the work to a third party on a commodity pricing basis,” says Bierce. “But this risk is small compared to the business opportunities.”

Indeed, IT service providers from IBM (IBM) and Infosys (INFY) to Accenture and CapGemini emphasize their consulting business as a complement to traditional IT outsourcing to take deals to a higher level.

“I think the best [IT service providers] start by seeking to understand the complex and sometimes unique needs of IT and business professionals,” says Forrester Research Senior Analyst Chris Andrews. “More and more, I see companies pointing to strategy sessions and methodologies to bring IT and business together to talk about the tactical and strategic role of technology.”

Michael S. Mensik, partner in the Chicago office of Baker & McKenzie, believes IT departments could better ensure true innovation by spending more time with vendors up front, before the contract is signed, examining and modeling precisely how innovation will be achieved. He says both parties should discuss the processes that will need to be put in place to further innovation, the investments that each party will need to make and the change management measures that will be required.

While suppliers may be willing to put in a little extra work up front to get your business, much of this consultation will come at a price. “Whatever the competitive pressures, there is just so much that the vendors will do as part of an RFP process,” Mensik says. “But I think in many cases the ROI on such an investment will be considerable. Coming up with a more detailed blueprint before committing to a vendor is, I think, one way of better ensuring success.”

4. Lock Everyone in a Room

When it comes to the quest for innovation in IT outsourcing, the phrase “too many cooks spoil the broth” doesn’t apply. Invite all key business and IT stakeholders and vendor executives to a conference room, advises Forrester Vice President and Principal Analyst John McCarthy. Then lock the door and hash out the laws that will govern the outsourcing relationship.

This approach ensures commitment from key internal stakeholders, which is important for outsourcing success, particularly transformational deals. “Any organization needing change has constituencies that will resist change,” says Bierce. “This is not the outsourcer’s problem but becomes its problem by default if the groundwork is not in place.”

Arguing over—and ultimately agreeing on—details of the deal establishes a framework for the conflicts destined to come up over the course of the relationship, says McCarthy.

“I asked a CIO from a Fortune 500 company who had just led his company through a huge transformation project with a leading services firm what he would have done differently, and he said, ‘I would have involved business decision makers in the process much, much earlier. I needed their insight and support to make this project work,’” says Forrester’s Andrews.

5. Loosen the Purse Strings

The average outsourcing selection and negotiation process focuses on one point above all else—price. But if you want innovation, you’re going to have to pay for it.

“Innovation costs the local account team money in terms of leveraging experts, process advancements or new technologies,” says Fersht. “But buyers are often reluctant to spend adequate funds on these efforts.”

Everyone wants value from outsourcers, particularly when times are tough, but stingy clients will get what they pay for, particularly if they haven’t been able to clearly define innovation pre-contract. “The interests of the parties must be aligned,” says Masur. “It is not realistic to expect a service provider to deliver the lowest possible price and still fund innovation initiatives and pass the resulting savings to the customer.”

Even if you think you’re paying a premium for innovation, it pays to verify the employee incentives put in place by the vendor. “Often the account team is very motivated to achieve a profit target and innovation is fluff that cuts into their discretionary funding,” says Fersht. Talk to the provider about unique compensation plans that encourage innovation on your account.

6. Share the Wealth

Of course, the provider as a whole needs some inspiration to innovate, too, particularly of the profit-boosting variety.

The concept of gain-sharing—rewarding the vendor when the client benefits from lower costs, increased revenue or improved efficiency—has always been a controversial one among outsourcing customers. But if there were ever a time to consider it, it’s when you’re seeking something above and beyond from outsourcing.

“I know how hard it is to consider gain-sharing. The discussion becomes a mini-joint venture, with issues of risk, reward, decisional authority, institutional impediments and shifting roles,” says Bierce. “But this kind of discussion can be valuable.”

You might set up a jointly funded pool to pay for agreed upon innovation initiatives or sharing of savings generated by particular innovation projects, says Masur. And the client doesn’t necessarily have to take a financial hit. The IT outsourcing customer might allow the provider to use the resulting products or systems to deliver services to other customers or waive its right to benchmark if a vendor consistently achieves high innovation scores in 360-degree performance reviews.

To discuss an innovative IT solution for your high powered organization, call Percento Technologies: 800.614.7886

Source

Google Opens Wave to Public, Previews Chrome Web Store

Thursday, May 20th, 2010

Google kicked off the first day of its I/O developer conference Wednesday by opening up Wave to the general public, providing a preview of a Chrome Web store, introducing Google Apps Engine for Business, and unveiling a few new APIs.

Executives also talked up the benefits of HTML5.

Wave, which Google debuted at last year’s I/O conference, is a collaboration tool that has been in invite-only public beta mode since September. Invites are now open to everyone at wave.google.com, and Google Apps administrators can now enable Wave for all users at no extra cost, said Lars Rasmussen, Google’s software engineering manager.

Rasmussen acknowledged that early adopters of Wave might have found that it was not ready for primetime, but said Wednesday that “now is the time to come back.” Google has “put a lot of work into basic usability things,” he said, like e-mail notifications, navigating to unread pieces of a Wave, as well as tutorials and templates for new users.

Sundar Pichai, Google’s vice president of product management, also provided a sneak peek at a Chrome Web Store, a Web-based app store.

When live, the Web Store will appear as a new tab within Chrome, Pichai said. The store will feature a gallery of apps, which can then be added to a customized tab. Pichai demoed an HTML5-based version of Twitter client TweetDeck that utilizes Google’s notification and geo-location APIs. He also showed off a Flash-based version of the popular mobile game Plants vs. Zombies for the Chrome Web Store.

“Apps in the Chrome Web Store can be built on standard Web technologies like Flash and we will support all of them in the Chrome Web Store,” Pichai said.

Google is expected to release a Google Chrome OS-based netbook later this year.

On that front, Google also announced WebM, an open Web media format project. As part of the effort, “we are fully open sourcing VP8, [a video codec], under a royalty-free license,” Pichai said. “Video is one of the most important forms of communication on the Web, [and] we think video should have a great, free, open alternative as well.”

WebM also includes Vorbis, an already open-source audio codec, and a container format based on a subset of the Matroska media container. Supporters include Mozilla, Opera, and Adobe, which appeared Wednesday to announce Adobe HTML5 for Dreamweaver. A developer preview can be found at www.webmproject.org.

The effort is part of Google’s August 2009 acquisition of On2 Technologies, a creator of high-quality video compression technology, Pichai said.

On the API front, Google also announced several updates: the Google Maps API v3 is now enterprise-ready and part of the Google Maps API Premier, and the company introduced new ways to optimize AdSense on your Web site, a new version of the Feed API, and a new Google Font API.

Google also launched Google App Engine for businesses.

Google designed its App Engine for Business for enterprise customers, building the service on top of a 99.9 percent uptime service-level agreement, centralized administration tools, and security. But the pricing is set at an SMB level: $8 per user, per application, per month – capped at $1,000 per application per month. It is still in preview, and will be available later this year.

Google also announced an agreement with VMware to connect its developer tools with the VMware SpringSource tool suite to quickly build Java applications.

Source

How I’d Hack Your Weak Passwords

Thursday, April 29th, 2010


If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things: the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

[Image: table of estimated brute-force times by password length and character set]

Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.
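The figures above come from simple arithmetic: the size of the character set raised to the password length, divided by the guessing rate. The following estimator, added here and not part of the original post, reproduces them and lets you evaluate a password policy the same way. The guessing rate of 1,000,000 guesses per second is an assumption chosen because it yields the post’s “2.4 days” for eight lowercase letters and “2.1 centuries” for eight characters drawn from the 95 printable ASCII characters; the character classes and the example passwords are constructed for illustration. The estimate only holds for passwords chosen at random from the full set: anything built from a dictionary word or a name, even with substitutions, is covered by a far smaller wordlist search, which is exactly the caveat the post makes.

```python
import math
import string

# Assumed guessing rate (not from the original post); see lead-in.
GUESSES_PER_SECOND = 1_000_000

# Character classes as used in the post's table; the four together are the
# 95 printable ASCII characters (space counted with the specials).
CLASSES = {
    "lower": string.ascii_lowercase,        # 26
    "upper": string.ascii_uppercase,        # 26
    "digits": string.digits,                # 10
    "special": string.punctuation + " ",    # 33
}


def alphabet_size(password: str) -> int:
    """Size of the union of every class the password draws from; an attacker who
    enumerates exhaustively must cover at least this alphabet."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate strings of the given length over the alphabet."""
    return alphabet ** length


def seconds_to_exhaust(alphabet: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace(alphabet, length) / rate


def human_duration(seconds: float) -> str:
    """Render seconds in the largest fitting unit, one decimal place."""
    units = [
        ("centuries", 100 * 365.25 * 86400),
        ("years", 365.25 * 86400),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def estimate(password: str, rate: int = GUESSES_PER_SECOND) -> dict:
    """Exhaustive-search estimate for a password, assuming random choice over
    the classes it uses (dictionary-derived passwords fall much faster)."""
    alpha = alphabet_size(password)
    length = len(password)
    return {
        "alphabet": alpha,
        "length": length,
        "entropy_bits": round(length * math.log2(alpha), 1) if alpha else 0.0,
        "time": human_duration(seconds_to_exhaust(alpha, length, rate)),
    }


if __name__ == "__main__":
    # Constructed sample passwords: one from the post's top-10 list, two from its tips.
    for pw in ["password", "m0d3ltf0rd", "Mod3lTF0rd", "Mod3lTF0rd!!"]:
        print(pw, estimate(pw))
```

Running it shows the jump the post describes: eight lowercase letters exhaust in about 2.4 days at the assumed rate, while eight characters from all 95 printable characters take about 2.1 centuries, and each added character multiplies the time by the alphabet size again.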

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.

Here are some password tips:

  1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0′, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
  2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
  3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
  4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
  5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link. (Ed. note: Lifehacker readers love the free, open-source KeePass for this duty, while others swear by the cross-platform, browser-based LastPass.)
  7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
  8. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

By request I also created a short RoboForm Demonstration video. Hope it helps…

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Oftentimes people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network — after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.

I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.

Please, be safe. It’s a jungle out there.

Source

Facebook Beefs up Site Against Hackers

Wednesday, April 28th, 2010

Facebook is employing aggressive legal means in combination with technical measures in order to stop hackers from abusing its social-networking site, according to its chief security officer, Max Kelly.

The company is constantly under fire from hackers trying to spam its 400 million registered users, harvest their data or run other scams.

Facebook’s security team started off with just a few people, said Kelly, who began working at Facebook in 2005 after a stint as a computer forensic analyst for the U.S. Federal Bureau of Investigation. He gave a keynote presentation at the Black Hat security conference on Tuesday.

Now, as many as 10 percent of Facebook’s 1,200 employees are involved in security-related functions for the site, Kelly said. Its core security team consists of 20 people; there is also a site integrity team of around 15 people and 200 others on a user operations team that monitors illegal activity.

With the right data, it is relatively easy to identify where the attacks are coming from, even if a specific individual can’t be identified. If an attack is under way, it’s important to understand the person’s motivation, Kelly said.

“We diligently go after attackers on this site,” Kelly said. “We want to know what people are attacking us and why.”

Facebook has integrated its security incident response team with its law enforcement team, which allows both groups to use some of the same tools in order to respond to a security incident, Kelly said.

On the technical side, Facebook has automated systems that detect when someone is using the site in a way that is different from the normal user. Those systems can then employ countermeasures, such as limiting the number of messages a user can send, employing CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) and disabling accounts, Kelly said.

Facebook’s security team tends to worry less about vulnerabilities, focusing instead on the actual attacks, Kelly said. That lets Facebook concentrate on the individuals behind the attacks and on frustrating them.

The site is also rewarding individuals who responsibly disclose security problems by giving them credit on its security page. “If it’s a really good hack, we’ll probably end up hiring you,” Kelly said.

Facebook has pursued a variety of criminal and civil penalties against those who abuse the site, using laws such as the U.S. CAN-SPAM act, which levies penalties of as much as $100 per spam message, Kelly said. Facebook has “dozens” of lawsuits in the works, he said.

The company has had some notable successes with this strategy.

In November 2008, it was awarded one of the largest judgments ever, winning statutory damages of US$1.3 billion (later reduced to $873 million). That suit charged Adam Guerbuez of Canada, Atlantis Blue Capital and 25 other unnamed people with falsely obtaining login information for Facebook users and then sending spam to those users’ friends. Although the individuals charged are in Canada, Facebook could still pursue the money. Even if it doesn’t, the judgment still has an impact, Kelly said.

“It means that any asset that goes through the United States, we have a claim,” Kelly said. “It makes the cost of doing business in the U.S. much more prohibitive.”

Source

Energizer Duo battery charger hides a Trojan

Tuesday, March 9th, 2010

The Energizer Duo USB battery charger has been hiding a backdoor Trojan in its software that affects computers using Windows. According to Symantec the Trojan has probably been there since 10th May 2007.

Energizer has now taken the software for the model CHUSB charger off the market and removed the site from which it could be downloaded, and the company is asking customers who downloaded the Windows version to uninstall it. There are easy steps to fight the Trojan in affected machines, and Macintosh users are not affected.

Symantec’s Director of Global Intelligence, Dean Turner, said it’s impossible to be certain the Trojan has always been in the software that monitors the Duo USB charger, but the Trojan’s binary header states it was created in May 2007. It is not known how the Trojan came to be in the software, but malware has previously been found to be hidden inside products. Energizer is working with the US Computer Emergency Readiness Team (US-CERT) and the US government to try to find out how the code found its way into the software.

The Trojan allows an attacker to operate with the same privileges as the user who is logged in, and to remotely control the system via connections on 7777/tcp to send and receive files, run programs, and list the contents of directories.

US-CERT advises that to fix the problem, users can delete the Arucer.dll file from the Windows system32 directory, and then restart the system. An alternative fix is to remove the USB charger software. The Trojan Arucer.dll file will still be present but the code cannot be executed in the absence of the charger software. It is also advisable to block access to port 7777 using a firewall or via network perimeter devices.
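The two indicators named above (a listener on 7777/tcp and Arucer.dll in system32) can be checked together. The following is an added example, not code from the advisory or from Energizer, US-CERT or Symantec; it parses `netstat -ano`-style text and a directory listing so that it runs offline. The sample netstat output is constructed, and the "active" / "dormant" verdict labels are this example's own naming, reflecting the advisory's point that the DLL can remain on disk without being executable once the charger software is removed.

```python
"""Check a Windows host for the Arucer.dll indicators described in the advisory."""
import re
from pathlib import Path

ARUCER_DLL = "arucer.dll"   # file name from the advisory (compared case-insensitively)
ARUCER_PORT = 7777          # TCP port from the advisory

# Matches lines of `netstat -ano` such as
# "  TCP    0.0.0.0:7777    0.0.0.0:0    LISTENING    2468"
_NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+)\s+(\w+)\s+(\d+)\s*$", re.M)


def listening_on_port(netstat_output, port=ARUCER_PORT):
    """Return the PIDs of TCP listeners on `port`, parsed from `netstat -ano` text."""
    pids = []
    for _local, local_port, _remote, state, pid in _NETSTAT_RE.findall(netstat_output):
        if int(local_port) == port and state.upper() == "LISTENING":
            pids.append(int(pid))
    return pids


def dll_present(file_names):
    """True if Arucer.dll appears in an iterable of file names (case-insensitive)."""
    return any(name.lower() == ARUCER_DLL for name in file_names)


def list_system32(system32_dir=r"C:\Windows\system32"):
    """Names of the files in the system32 directory (empty list if it does not exist)."""
    p = Path(system32_dir)
    return [f.name for f in p.iterdir()] if p.is_dir() else []


def assess(netstat_output, file_names):
    """Combine both indicators into a verdict (labels are this example's own)."""
    pids = listening_on_port(netstat_output)
    dll = dll_present(file_names)
    if dll and pids:
        verdict = "active"      # DLL on disk and something listening on 7777/tcp
    elif dll:
        verdict = "dormant"     # DLL remains, e.g. after only the charger software was removed
    elif pids:
        verdict = "port-only"   # another program owns 7777/tcp; investigate the PID
    else:
        verdict = "clean"
    return {"listening_pids": pids, "dll_present": dll, "verdict": verdict}


# Constructed sample output, not captured from a real machine.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2468
  TCP    192.0.2.10:49152       192.0.2.20:443         ESTABLISHED     1100
"""

if __name__ == "__main__":
    # On a real host: assess(subprocess.check_output(["netstat", "-ano"], text=True), list_system32())
    print(assess(SAMPLE_NETSTAT, ["kernel32.dll", "Arucer.dll"]))
```

A "port-only" result is not proof of infection; whichever process holds the PID should be examined, and the firewall block on port 7777 that the advisory recommends applies in any case.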

Energizer’s Duo USB battery chargers have been available in the US, Europe, Asia, and Latin America since 2007. They allow computer users to recharge Nickel Metal Hydride (NiMH) batteries either from a wall outlet or a USB connection, and the accompanying software let the user monitor charging status on the PC.

Source

If Your Password Is 123456, Just Make It HackMe

Friday, January 22nd, 2010

Back at the dawn of the Web, the most popular account password was “12345.”

Today, it’s one digit longer but hardly safer: “123456.”

Despite all the reports of Internet security breaches over the years, including the recent attacks on Google’s e-mail service, many people have reacted to the break-ins with a shrug.

According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.

“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”

Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the Web, and hackers and security researchers downloaded it. (RockYou, which had already been widely criticized for lax privacy practices, has advised its customers to change their passwords, as the hacker gained information about their e-mail accounts as well.)

The trove provided an unusually detailed window into computer users’ password habits. Typically, only government agencies like the F.B.I. or the National Security Agency have had access to such a large password list.

“This was the mother lode,” said Matt Weir, a doctoral candidate in the e-crimes and investigation technology lab at Florida State University, where researchers are also examining the data.

Imperva found that nearly 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.”

More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.

That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.

“We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations,” Mr. Shulman said. “The reality is that you can be very effective by choosing a small number of common passwords.”

Some Web sites try to thwart the attackers by freezing an account for a certain period of time if too many incorrect passwords are typed. But experts say that the hackers simply learn to trick the system, by making guesses at an acceptable rate, for instance.
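The limitation described in the last two paragraphs is that a per-account lockout only sees failures against one account, while guessing a few common passwords against many accounts keeps every account under the threshold. The following added example (not from the article or from Imperva) contrasts the two views over a constructed authentication log: a per-account counter and a per-source count of distinct accounts failed within a time window. Log format, thresholds and the window length are assumptions for the example.

```python
"""Per-account lockout versus per-source detection over a constructed auth log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not from a real system): timestamp, result, user, source IP.
# Source 198.51.100.7 fails once against each of five accounts and then succeeds on a sixth;
# source 203.0.113.9 is one user mistyping a password twice before logging in.
SAMPLE_LOG = """\
2010-01-22T10:00:01 FAIL alice 198.51.100.7
2010-01-22T10:00:05 FAIL bob 198.51.100.7
2010-01-22T10:00:09 FAIL carol 198.51.100.7
2010-01-22T10:00:14 FAIL dave 198.51.100.7
2010-01-22T10:00:20 FAIL erin 198.51.100.7
2010-01-22T10:00:25 OK frank 198.51.100.7
2010-01-22T10:01:00 FAIL alice 203.0.113.9
2010-01-22T10:01:30 FAIL alice 203.0.113.9
2010-01-22T10:02:00 OK alice 203.0.113.9
"""


def parse(log_text):
    """Turn the log text into (timestamp, result, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def per_account_lockout(events, threshold=5):
    """The control the article describes: lock an account after `threshold`
    consecutive failures. Returns the set of accounts that would be locked."""
    fails = defaultdict(int)
    locked = set()
    for _ts, result, user, _ip in events:
        if result == "FAIL":
            fails[user] += 1
            if fails[user] >= threshold:
                locked.add(user)
        else:
            fails[user] = 0
    return locked


def spray_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failures touch at least `min_accounts` distinct
    accounts within `window`, however few attempts each account received.
    Returns {ip: number_of_distinct_accounts}."""
    fails_by_ip = defaultdict(list)  # ip -> [(timestamp, user)]
    for ts, result, user, ip in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, items in fails_by_ip.items():
        items.sort()
        for i, (start, _user) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = len(users)
                break
    return flagged


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("locked accounts:", per_account_lockout(evts))   # empty: no account hit the threshold
    print("spraying sources:", spray_sources(evts))        # {'198.51.100.7': 5}
```

The per-source rule is what a login service needs in addition to the lockout, and it is also why the lockout alone can be tuned down (to limit the auction-freezing abuse mentioned below) without leaving the spray pattern unseen.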

To improve security, some Web sites are forcing users to mix letters, numbers and even symbols in their passwords. Others, like Twitter, prevent people from picking common passwords.

Still, researchers say, social networking and entertainment Web sites often try to make life simpler for their users and are reluctant to put too many controls in place.

Even commercial sites like eBay must weigh the consequences of freezing accounts, since a hacker could, say, try to win an auction by freezing the accounts of other bidders.

Overusing simple passwords is not a new phenomenon. A similar survey examined computer passwords used in the mid-1990s and found that the most popular ones at that time were “12345,” “abc123” and “password.”

Why do so many people continue to choose easy-to-guess passwords, despite so many warnings about the risks?

Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age.

“Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council. “Voice mail passwords, A.T.M. PINs and Internet passwords — it’s so hard to keep track of.”

In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.

But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords — a complex one for Web sites where security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.

Mr. Moss relies on passwords at least 12 characters long, figuring that those make him a more difficult target than the millions of people who choose five- and six-character passwords.

“It’s like the joke where the hikers run into a bear in the forest, and the hiker that survives is the one who outruns his buddy,” Mr. Moss said. “You just want to run that bit faster.”

Source

Antivirus makers applaud, mock Microsoft Security Essentials

Saturday, January 9th, 2010

Four antivirus makers have weighed in on the release of Microsoft Security Essentials, and their opinions are all over the place. We asked various security companies for their opinion on MSE, which launched yesterday, and Symantec, ESET, Avast, and AVG responded with their thoughts.

Microsoft claims it is targeting consumers who currently don’t have any protection on their Windows PC, but of course MSE will end up on many computers that already have third-party security software installed. Since MSE is free, the software security market is going to get a serious shake-up, and here’s what Microsoft’s new competitors think about what’s about to happen.

Symantec, maker of the Norton line of products, says MSE doesn’t stand a chance in today’s market: “While we applaud any vendor that heightens consumer awareness of the need for computer security, it’s clear that the threat landscape has moved on from the product Microsoft is launching,” a Symantec spokesperson told Ars. “Microsoft Security Essentials (MSE) is a stripped down version of their old OneCare product which was poorly rated by industry experts and users alike. From a security perspective, this Microsoft tool offers reduced defenses at a critical point in the battle against cybercrime. Unique malware and social engineering tricks fly under the radar of traditional signature-based technology alone—which is what is employed by free security tools such as Microsoft’s.”

ESET, maker of the NOD32 line of products, is unfazed by the product’s launch: “Certainly basic, but free, protection is better than no protection,” Christopher Dale, Public Relations Manager of ESET, told Ars. “For those whose primary concern is price, we would imagine MSE will hold great appeal while making the freeware market more competitive. The product doesn’t directly impact ESET as we offer a full-featured security solution w/ more configuration choices and free phone support.”

Avast is perfectly fine with Microsoft entering the market: “We are glad to see Microsoft joining us in offering free anti-virus/security protection to users,” Vince Steckler, CEO of Avast, told Ars. “We have long believed that top notch security protection should be freely available—that is why nearly 100 million users around the world protect their computers and data with our free avast! antivirus. Around the world there are about 500 million home computer users that need [to be] protected while using the Internet. We believe only around 20 percent of these users are using a traditional paid security product while 250 million are using avast! or one of the other high-quality free products. Users have already decided that security should be free—there are more users of free avast! than users of all paid products combined. But, free users should not be subjected to inferior or ‘basic’ protection.”

AVG, on the other hand, thinks Microsoft will push its product via as many anticompetitive ways as possible: “Microsoft will likely push MSE out via every automated channel available to them—which in and of itself poses all sorts of interesting anti-trust questions,” Siobhan MacDermott, VP Head of Public Policy, Corporate Communications, and Investor Relations for AVG Technologies, told Ars. “They will focus on gaining consumers through the simplicity of installing the product via routine channels of connection. On paper it makes sense, but in reality, we believe this will force consumers to unwittingly enter into a situation that makes them more vulnerable. Experts agree that the biggest nemesis to Windows was not the vulnerability of its code but rather the popularity of the operating system. It is a law of numbers; large communities create large pools of opportunities for thieves. If Microsoft leverages the power of its OS market to rapidly create a large community of MSE users, we believe those customers will be doubly vulnerable.”

There you have it; two antivirus makers are fine with Microsoft Security Essentials and the other two aren’t. We’re more surprised by the ones that are fine with it, since MSE can potentially steal customers away from them (in fact, many of our readers and users on other forums have already declared they are switching). In our first look at MSE yesterday, we were impressed with what Microsoft was offering as a free download for Windows XP, Windows Vista, and Windows 7. For those who have had a chance to install it, how do your thoughts compare to the above statements?

Source