Thursday, June 21, 2007

Beware: Harry Potter Spoilers From a Phishing Scam

An attacker named "Gabriel" claims to have stolen the text of the upcoming "Harry Potter and the Deathly Hallows" from Bloomsbury Publishing by use of a phishing scam.

He has published what he claims are all of the plot points—including main characters who get killed and the final outcome of the seven-book series.

Gabriel says he used "the usual milw0rm downloaded exploit." The exploit entailed sending a Bloomsbury employee an e-mail that invited the recipient to click on a link, open a browser and click on a maliciously crafted animated icon, which gave the attacker access to the victim's system.

"It's amazing to see how much [sic] people inside the company have copies and drafts of this book," Gabriel wrote in a posting on Insecure.org. "Curiosity killed the cat." (Ed. note: Spoiler alert: Do not click on the link to read Gabriel's posting if you don't want to have the plot spoiled.)

milw0rm is a group of politically motivated "hacktivists" whose most famous exploit was penetrating the computers of the Bhabha Atomic Research Centre (BARC) in Bombay, the primary nuclear research facility of India, on June 3, 1998. They have anti-nuclear and pro-peace agendas and, in this case, anti-Harry Potter and pro-Pope Benedict XVI.

"We did it by following the precious words of the great Pope Benedict XVI when he still was Cardinal Joseph Ratzinger," Gabriel said. "He explained why Harry Potter bring the youngs [sic] of our earth to Neo Paganism faith. So we make this spoiler to make reading of the upcoming book useless and boring."

Gabriel said he did it "to protect you and your families."

This week's hot offerings from Dell

Prices valid 6/21-6/27

Dimension C521 featured at $419.
AMD Athlon 64 X2 Dual-Core 3600+, 1GB Dual Channel DDR2, 19 inch Samsung 941BW Widescreen LCD Monitor and more!!

Inspiron 1501 featured at $549.
AMD Athlon 64 X2 Dual-Core Mobile Technology TK-53, 15.4 inch Wide Screen XGA Display, 1GB DDR2 and 80 gig hard drive and more

Inspiron™ 1501 $499
AMD Turion X2 Dual-core Processor, Windows Vista™ or Windows® XP, 15.4" Widescreen, 1GB Memory, 60GB Hard Drive, CD/DVD Burner and more

Up to $100 off select* Dell™ laser printers.

Tuesday, June 19, 2007

AT&T Launches $10 DSL

AT&T has quietly begun offering DSL service for $10 per month for new customers. Offered as part of the concessions made to the Federal Communications Commission in order to gain approval for its merger with BellSouth, the speed is nothing to get excited about: 768Kbps down and 128Kbps up. However, for the budget-minded or those in an area that will only allow these speeds, it's a great way to save $60/year.

AT&T is doing little to publicize the new offering. In fact, most people looking for the low-price service have only been able to find it by clicking on the Terms and Conditions link at the bottom of AT&T's residential high-speed Internet product page. A note on AT&T Yahoo! High-Speed Internet buried six paragraphs down says that the "basic speed ($10.00)" tier is available to new customers only, those who have not subscribed to AT&T or BellSouth DSL during the past 12 months, and the service requires a one-year contract.

Customers must also order phone service to get the budget-priced DSL service; those looking for cheap, naked DSL should look elsewhere. Those living in BellSouth's former territory can get naked DSL for the next two-and-a-half years, however. The terms of the merger state AT&T is only required to offer the $10 per month tier for the next two-and-a-half years. After that, the company is free to make whatever changes it wants to the service.

While this is not a top-notch deal, it is fairly good for those who haven't yet made the switch from dial-up, anyone on a tight budget, or those of you who only browse the net and check e-mail.

Monday, June 18, 2007

Hackers compromise 10k sites, launch 'phenomenal' attack

The large-scale attack is based on the multiexploit hacker kit dubbed 'Mpack'

Attackers armed with an exploit tool kit have launched massive attacks in Europe from a network of at least 10,000 hacked Web sites, with infections spreading worldwide, several security companies warned today.

As early as last Friday, analysts reported the opening salvos of a large-scale attack based on the multiexploit hacker kit dubbed "Mpack." The mechanics of the attacks are complex, but essentially attackers taint each compromised site with code that then redirects visitors to a server hosting the Mpack kit -- a professional, Russian-made collection of exploits that comes complete with a management console to detail which exploits are working and against what countries' domains.

Infected computers are fed a diet of malicious code, largely keyloggers that spy out usernames and passwords for valuable accounts such as online banking sites.
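Added example, not code from the article or from any of the vendors it quotes: a small Python scanner a site owner could run over their own pages to spot the kind of injected redirect described above. The article says only that compromised pages carry "code that then redirects visitors", so the patterns it looks for (a hidden iframe pointing off-site, a meta refresh to another host, a `document.write(unescape(...))` blob) and the two sample pages are assumptions constructed for the example.

```python
"""Flag injected redirects in a web page's HTML (added example; the heuristics
are assumptions about common injection patterns, not taken from the article)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# document.write(unescape('%3C...')) is a classic way to hide an injected tag
OBFUSCATED_WRITE = re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.IGNORECASE)


def _is_hidden(attrs):
    """True if an element is sized or styled so a visitor never sees it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = (attrs.get("width", "").strip() in ("0", "1")
            or attrs.get("height", "").strip() in ("0", "1"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def _is_external(url, site_host):
    """True if url points at a host other than the site being scanned."""
    host = urlparse(url).hostname
    return host is not None and host.lower() != site_host.lower()


class _RedirectScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []          # list of (kind, detail) tuples
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            if _is_hidden(a) and _is_external(src, self.site_host):
                self.findings.append(("hidden-iframe", src))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*([^\s;]+)", a.get("content", ""), re.IGNORECASE)
            if m and _is_external(m.group(1), self.site_host):
                self.findings.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # script bodies arrive here as raw text
        if self._in_script and OBFUSCATED_WRITE.search(data):
            self.findings.append(("obfuscated-script", data.strip()[:60]))


def find_injected_redirects(html, site_host):
    """Return [(kind, detail), ...] for suspicious redirects found in html."""
    scanner = _RedirectScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages for a fictitious site www.example-site.it.
# The visible, normally sized off-site iframe in CLEAN_PAGE is not flagged.
CLEAN_PAGE = """<html><head><title>Benvenuti</title></head><body>
<p>Orari di apertura</p>
<iframe src="http://video.example.net/embed/42" width="400" height="300"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Benvenuti</h1>
<iframe src="http://exploit-server.invalid/in.php" width="1" height="1"
        style="display:none"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//other.invalid/%22%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_injected_redirects(page, "www.example-site.it"))
```

Run it over a site's pages on a schedule and alert on any finding; the point is that a legitimate site can be serving exploits without its owner noticing, so the check has to be routine rather than reactive.
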
"The gang behind the attack has successfully compromised the homepages of hundreds of legitimate Italian Web sites," said Symantec Corp. researcher Elia Florio in a posting to the vendor's security response blog on Friday. "The list of compromised sites is huge and from Mpack statistics this attack is working efficiently."

Florio said that Symantec is uncertain how the sites were originally hacked but that she suspects a common vulnerability or configuration problem at the hosting level.

Paul Ferguson, a network architect at Trend Micro Inc., would only guess at how sites were hijacked but said that "how" is mostly a moot question. What's important, he said, is that "the hackers seem to be able to find a lot of sites to compromise no matter where they look."
By Friday night, Symantec had pegged the number of compromised sites feeding Mpack exploits at 6,000; by today, Websense Inc., a San Diego-based Web security company, said it had tracked more than 10,000. "That's a phenomenal number," argued Ferguson, who said that previous compromised-site attacks using hacker kits could be counted as "several hundred here, a couple hundred there."

Screenshots of the Mpack management console posted by Websense on Monday and Symantec on Friday illustrate the large numbers of computers that have surfed to the compromised sites and the high success rate of the Mpack-delivered exploits. Although the bulk of the victim PCs use Italian IP addresses, U.S.-based machines are not immune.
"The lion's share of the sites we're seeing are in Italy still," said Ferguson, "but we're seeing sites all over the world as well." For instance, Trend Micro has identified hacker-controlled sites hosted in California and Illinois. The California site is hosted by a company Ferguson called "notorious," but he wouldn't divulge the hosting vendor's name.

"The usual advice we give, 'Avoid the bad neighborhoods of the Web,' just doesn't hold water anymore," when legitimate sites have been hacked and are serving up exploits left and right, Ferguson said. "Everywhere could be a bad neighborhood now."

ComputerWorld's summer gadget guide

Whether your summer plans involve hiking, lounging by the pool, hitting the road or doing absolutely nothing, ComputerWorld has a list of gadgets to help your summer be as "cool" as possible.

Some of my personal favorites include:

EGO Waterproof iPod Case
IPod speaker docks and accessories abound. But how many let you take your iPod safely into the pool? Atlantic's EGO Waterproof Sound Case for iPod ($150) protects your iPod from water -- or even shock damage -- while blasting your tunes all over the backyard or boat through its built-in, waterproof speakers.

ATC2K Waterproof Action Camera
Oregon Scientific's underwater video camera is a perfect fit for today's record-everything society. Waterproof to a depth of 10 feet, the ATC2K captures moving images at 30 frames per second in VGA (640 by 480) resolution.

Hands-free digital recording options and several different mounting options allow the videographer to place, mount or strap on the half-pound ATC2K anywhere (within reason). It works seamlessly with most video-editing software suites, including Windows Movie Maker, iLife and Final Cut. What's best, however, is the price: At $130, it's an outright steal.

Throw this gadget into the swimming pool with your kids and they'll be occupied all summer. At the very least, it could give you some great blackmail material for later in life.

Friday, June 15, 2007

Sony to cut PS3 prices?

The chairman and chief executive of Sony, Sir Howard Stringer, has said the company is attempting to "refine" how much of a price cut it can afford on the PS3 console. Stringer has also been quoted as saying there was "no question" consumers wanted the price to be lower.

In an interview with the Financial Times, Stringer admitted rival console the Nintendo Wii -- which is far outselling the PS3 -- was based on a good business model.

Sony fell short of its PS3 target in the 12 months to 31 March 2007 by 500,000 units. Market analysts are predicting the games division to incur a loss of around $488 million in the current year, despite Sony's claim it has sold more than a million units in Europe and Australasia since the PS3's late March launch there.

Stringer said: "[Price cuts are] what we are studying at the moment. That's what we are trying to refine." He went on to say that he expected "energy [in PS3 sales] by Christmas, and then you will begin to see break-out games".

PS3 sales have been slow -- to be honest, the world over -- owing to its high price and slow, drip-feed supply of games, most of which have been PC game re-writes anyway. Apparently, the Japanese electronics giant has a target of shipping 11 million consoles this year, and with production costs falling many believe Sony will cut prices by USD100 before the crucial Christmas sales period.

Wireless network admins wising up

But drive-by surveys in New York, London and Paris still spot lots of unsecured hot spots

Owners of wireless hot spots are doing better at securing their networks, but about a fifth of corporate access points in London, Paris, and New York remain open to all comers, RSA Security Inc. reported Thursday.

Reprising past surveys, RSA personnel drove or walked through swaths of each city, logging each wireless access point detected by a specially equipped laptop, and recording data including the service set identifier (SSID), security protocol, signal strength, and operational mode. In New York, for example, the team covered Manhattan's Midtown and Downtown, and parts of Uptown as far north as 125th Street.

On average, survey results were encouraging, said Toffer Winslow, a vice president of product management at RSA. "Folks are securing their access points more, and more with advanced encryption such as WPA rather than plain old WEP," he said.

Wired Equivalent Privacy (WEP) is a 1999-era data encryption standard now considered inadequate, and has been supplanted by WPA, or Wi-Fi Protected Access, which requires stronger passwords and uses a 128-bit key rather than WEP's 40-bit key. However, WEP is still offered as the default security technique by most wireless hardware.

In all three cities, the percentage of hot spots that were secured by some kind of encryption was higher than last year. In London, the numbers improved from 76% to 81%, while New York climbed from 75% to 76%, and Paris moved from 78% to 80%. WPA use also grew, Winslow said, with 49% of the business wireless networks in New York locked down with tighter security. London and Paris came in second and third, with 48% and 41% WPA usage, respectively.

But a substantial percentage of business wireless networks still run without security. Eighteen percent of the detected corporate hot spots in both Paris and London were unsecured, while New York topped that at 21%. "This strikes me as very foolish," said Winslow.

Living almost as dangerously were significant minorities of hot spots that used default SSIDs and media access control (MAC) addresses. In London, 30% of the wireless networks relied on the manufacturer's SSID -- usually the name of the hardware maker, such as Linksys -- or preset MAC address. New York ranked slightly better, at 24%, but Paris beat both by a wide margin: Only 13% of the wireless access points sniffed by RSA in the City of Light used defaults.
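Added example, not RSA's survey tooling: a Python summary of a wardriving log that counts what the survey above counts (any encryption, WPA or better, open networks, and factory-default SSIDs) and lists the access points the findings apply to. The CSV layout, the ten sample records and the list of default SSIDs are constructed assumptions for the example.

```python
"""Summarise a wardriving log the way the RSA survey does (added example; the CSV
layout, the records and the default-SSID list are constructed assumptions)."""
import csv
import io

# Factory SSIDs that usually mean the owner never changed the default settings
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "belkin54g", "wireless"}
SECURED = {"WEP", "WPA", "WPA2"}
STRONG = {"WPA", "WPA2"}   # WEP counts as "secured" in the survey, but not as strong

# Constructed scan output: ssid, bssid, security, signal (dBm)
SAMPLE_SURVEY = """ssid,bssid,security,signal
linksys,00:11:22:33:44:01,OPEN,-60
ACME-CORP,00:11:22:33:44:02,WPA,-55
default,00:11:22:33:44:03,WEP,-70
NETGEAR,00:11:22:33:44:04,WPA2,-65
guest-cafe,00:11:22:33:44:05,OPEN,-50
ACME-LAB,00:11:22:33:44:06,WEP,-72
dlink,00:11:22:33:44:07,WPA,-68
ACME-HR,00:11:22:33:44:08,WPA2,-58
Belkin54g,00:11:22:33:44:09,OPEN,-75
ACME-OPS,00:11:22:33:44:10,WPA,-61
"""


def parse_survey(text):
    """Parse scan CSV into dicts with an upper-cased security field."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["security"] = row["security"].strip().upper()
    return rows


def _pct(part, total):
    return round(100 * part / total) if total else 0


def summarize(rows):
    """The percentages the RSA report quotes: any encryption, WPA or better, open, defaults."""
    total = len(rows)
    secured = sum(r["security"] in SECURED for r in rows)
    strong = sum(r["security"] in STRONG for r in rows)
    defaults = sum(r["ssid"].strip().lower() in DEFAULT_SSIDS for r in rows)
    return {
        "total": total,
        "secured_pct": _pct(secured, total),
        "wpa_pct": _pct(strong, total),
        "open_pct": _pct(total - secured, total),
        "default_ssid_pct": _pct(defaults, total),
    }


def weak_access_points(rows):
    """SSIDs running open or on WEP: the ones Winslow's advice applies to."""
    return [r["ssid"] for r in rows if r["security"] not in STRONG]


if __name__ == "__main__":
    rows = parse_survey(SAMPLE_SURVEY)
    print(summarize(rows))
    print("needs attention:", weak_access_points(rows))
```

Note that WEP is counted under "secured" only to match how the survey reports its headline figure; `weak_access_points` treats it as the article does, as inadequate.
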

"Change the default network settings, that's No. 1," said Winslow when asked to list recommendations for wireless users. "Use [encryption] protocols stronger than WEP, and when you're at a public hot spot, VPN is essential.

"I wouldn't even call these 'best practices' anymore," he said. "They're just the reasonable practices."

Wednesday, June 06, 2007

14 Great Multimedia Utilities from PcWorld.com

Need to record and clean up music, edit video or sound, burn DVDs, and handle other multimedia tasks? PcWorld has assembled some free and try-before-you-buy tools that you won't want to live without.

Your PC is an entertainment powerhouse, just waiting to be unleashed. Its talents include recording and playing music, supporting editing of audio and video files, and burning DVDs and CDs. Unfortunately, the software that came with your PC probably won't handle these tasks with maximum effectiveness. So to help you unlock your system's multimedia power, we've gathered a group of 15 downloads--most of them free, some of them try-before-you-buy--that all do great jobs.

We've chosen software in three categories: media players and burners, video software, and audio software. For working with media players, you'll find everything from Foxy Tunes (which lets you play media from within Firefox) to several superb players to Online Radio Tuner (which tunes in to Internet radio stations) to Express Burn (the best media burner you'll find anywhere).

Our video software selections include programs for saving YouTube videos to your local hard drive, for uploading YouTube videos, for editing video, for converting video to an iPod-friendly format, and for getting TV shows into your Zune.

Finally, our audio downloads offer unique tools for performing such tasks as recording music from vinyl and cassettes to your PC, and eliminating pops, hisses, and clicks.

So if you want to unlock the entertainment power of your PC, it's time to start downloading.


Tuesday, June 05, 2007

PcWorld's 100 Best Products of 2007

Each year the editors of PcWorld rank the best PCs, HDTVs, components, sites, and services. They also pick the products they are looking forward to next year and give insights as to which technologies are rising and falling.

Innovative Web applications, powerful processors, spectacular HDTVs, and creative game consoles--we asked you for your favorites and added lots of our own for our annual roundup of the best hardware, software, and services. Then we looked at each product, rating and debating its design, impact, performance, and value to create our ranking of the best tech products available, from 1 to 100.

Of course, no matter when we plan our best-products story, a few hot contenders--we're looking at you, iPhone--will end up just around the corner. So this year we took time out to run down our five most anticipated products, as well as several hot and not-so-hot technologies. Read on for all that plus slide shows, video, and more.

The Number 1 Product of the Year

1. Google Apps Premier Edition

(Web applications; $50 per user per year) Google is much more than just a search engine, and with its invaluable Google Apps suite, the company is well on its way to challenging Microsoft for productivity-suite supremacy. Google's Docs & Spreadsheets (soon to be joined by a PowerPoint-esque presentation application) already makes for an interesting alternative to Microsoft Office. Combine it with Gmail, Google Talk, and Google Calendar, and suddenly nearly all of your basic productivity programs and data can be available online.

For small businesses that need more than the free versions offer, Google Apps Premier Edition adds capacity, support services, and tools for integrating existing infrastructure so that all your employees can use Google's powerful Web apps--no matter where they are. Printouts may never die, but if Google has its way, the office-less office may become a reality long before the paperless one does.

Thursday, May 31, 2007

Firefox add-ons may open doors to hackers

The majority of Firefox extensions are hosted and updated from Mozilla's own SSL-secured site and are not vulnerable to this attack. However, a number of broadly used third-party extensions, including Google Toolbar, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, Netcraft Anti-Phishing Toolbar and PhishTank SiteChecker, are among the at-risk add-ons that update from their own unsecured servers.

Christopher Soghoian, a Ph.D. student at Indiana University, outlined how "man in the middle" attackers, especially in public wireless networks, could disguise malware as a Firefox extension and surreptitiously plant their code in lieu of a normal update to one of the vulnerable extensions.

"It's sort of a compounding of errors," Soghoian said. "Mozilla didn't tell developers that they should update from a secure link; they erred in assuming everyone would know to do that. But the add-on developers are at fault for not using a secure server."

"It was really frustrating. Firefox was fantastic, but some of the other firms, they either ignored my e-mails or didn't reply," Soghoian said. He fingered Google Inc. as especially uncooperative. Between April 16 and May 24, he sent Google's security team five e-mails but received only one reply, on May 25, that said the group was working on a fix that was to be deployed before today. As of today, however, Google Toolbar was being served from an unsecured URL.

"This was really eye-opening," said Soghoian, who interned with Google's Application Security Team last summer.

"Vendors should be doing everything possible to encourage researchers," he said. "They should be encouraging us to come to them rather than sell the vulnerabilities to iDefense or Tipping Point. Ignoring researchers isn't the best way to encourage an open dialog."

Soghoian recommended that until affected extension vendors release secure updates, users should either remove or disable all Firefox extensions and toolbars that have not been downloaded from the official Mozilla Add-Ons site.
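Added example, not code from Soghoian, Mozilla or the toolbar vendors: a Python audit of installed extensions' manifests that sorts each one into the three cases the article distinguishes. It assumes the Firefox 2-era `install.rdf` format, in which an `em:updateURL` entry names the server the extension polls for updates and its absence means the add-on updates through Mozilla's site; the manifests, extension ids and hosts below are constructed placeholders.

```python
"""Audit Firefox install.rdf manifests for insecure update channels (added example;
assumes the Firefox 2-era manifest format, with constructed sample manifests)."""
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"


def update_url_from_manifest(install_rdf):
    """Return the em:updateURL declared in install.rdf, or None if absent."""
    root = ET.fromstring(install_rdf)
    for desc in root.iter(f"{{{RDF_NS}}}Description"):
        # updateURL may be written as an attribute or as a child element
        url = desc.get(f"{{{EM_NS}}}updateURL")
        if url:
            return url.strip()
        child = desc.find(f"{{{EM_NS}}}updateURL")
        if child is not None and child.text:
            return child.text.strip()
    return None


def classify_update_channel(install_rdf):
    """'amo' (no updateURL: updates via Mozilla's SSL site), 'secure' (https) or 'insecure'."""
    url = update_url_from_manifest(install_rdf)
    if url is None:
        return "amo"
    return "secure" if url.lower().startswith("https://") else "insecure"


def audit_extensions(manifests):
    """Map extension id -> channel class for a dict of {id: install.rdf text}."""
    return {ext_id: classify_update_channel(rdf) for ext_id, rdf in manifests.items()}


def _manifest(ext_id, update_url=None):
    """Build a constructed install.rdf for the samples below."""
    update = f"<em:updateURL>{update_url}</em:updateURL>" if update_url else ""
    return f"""<?xml version="1.0"?>
<RDF xmlns="{RDF_NS}" xmlns:em="{EM_NS}">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{ext_id}</em:id>
    <em:version>1.0</em:version>
    {update}
  </Description>
</RDF>"""


# Constructed examples; the ids and hosts are placeholders, not real vendors' values
SAMPLE_MANIFESTS = {
    "hosted-on-amo@example.invalid": _manifest("hosted-on-amo@example.invalid"),
    "toolbar-https@example.invalid": _manifest(
        "toolbar-https@example.invalid", "https://updates.example.invalid/update.rdf"),
    "toolbar-http@example.invalid": _manifest(
        "toolbar-http@example.invalid", "http://updates.example.invalid/update.rdf"),
}

if __name__ == "__main__":
    for ext_id, channel in audit_extensions(SAMPLE_MANIFESTS).items():
        print(f"{channel:9} {ext_id}")
```

Anything that comes back `insecure` is exactly what Soghoian's recommendation above covers: on an untrusted network, its next update check is an opportunity for substitution, so disable it until the vendor moves to an SSL-secured update server.
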

In an e-mail today, Mozilla's director of ecosystem development, Mike Shaver, acknowledged the danger that insecurely hosted and updated add-ons pose, and he urged extension developers to fix the problem.

"We strongly encourage the providers of such add-ons to remedy their hosting situation promptly to minimize the exposure to the users of their software," Shaver said. "Users of add-ons hosted on AMO, including all of the ones we've been working on, are not at risk here."

On another note, Mozilla released six new patches for Firefox today. The updates bring the current browser to Version 2.0.0.4, and the 2005 edition to 1.5.0.12. Firefox 2.0.0.4 can be downloaded from the Mozilla Web site for Windows, Mac OS X and Linux; Firefox 1.5.0.12, meanwhile, is available from a different page. Current users can also update using the Check for Updates command in the Help menu.

Tuesday, May 29, 2007

Google Adds Street-Level Pictures to Google Maps

Initially, Street View images are available in Denver, Las Vegas, Miami, New York, and San Francisco. Additional cities will be covered in the future.

Google today launched Google Maps Street View, a new Google Maps feature that shows a 360-degree view from the streets of select cities.

"With Street View, you can virtually explore city neighborhoods by viewing and navigating within 360-degree scenes of street-level imagery," said Stephen Chau, product manager for Google Maps, in a blog post. "It feels as if you're walking down the street!"

At some point, these images may include live video feeds. While Google has other engineering priorities right now, Alan Eustace, senior VP of engineering & research, expressed interest in live video feeds while speaking with reporters at Google's recent Searchology event and noted that company co-founder Larry Page felt similarly.

Amazon's A9.com search engine pioneered the use of street images in its local search service back in January 2005. The company spent eight months compiling a database of 35 million images in 22 cities by sending drivers around the streets of major cities in vehicles equipped with GPS devices, cameras, and computers. Former A9.com CEO Udi Manber now works at Google as a VP of engineering.

Sony, Philips Unveil Flexible OLED Displays

Two of the world's biggest flat-panel display makers unveiled flexible full-color displays this week.

Two of the world's biggest flat-panel display makers, Sony Corp. and LG.Philips LCD Co. Ltd., unveiled flexible full-color displays at a display industry show in California this week.

Sony took the wraps off its prototype on Thursday and released an impressive video showing the display being bent to form a semi-circle while still displaying a moving video image. The 2.5-inch display has a resolution of 160 pixels by 120 pixels, making it a little larger than the typical cell phone screen and a little lower in resolution.

The screen from LG.Philips LCD is larger at 4 inches in diagonal width and has a higher resolution of 320 pixels by 240 pixels. In contrast to Sony's video, LG.Philips LCD released only a photo that showed the display curved at a slight angle.

Typically, flat-panel displays are built onto thin sheets of glass, but the Sony and LG.Philips screens are made on thin sheets of plastic and metal respectively. That allows them to be bent but also introduces a range of other problems, such as keeping everything aligned and working while the panel is flexed. Indeed, the video of Sony's prototype showed several bad pixels and other problems.

Neither company has said when it thinks the displays will be ready to go on sale but early customers might be attracted to them for reasons other than their flexibility, said Paul Semenza, an analyst with iSuppli Corp., who attended the Society for Information Display conference where they were announced.

"What tends to get forgotten is that these displays are also rugged and lightweight," he said. "Those are valuable properties."

Sony sees OLED technology as important for its future products and is putting a lot of research and development resources behind screens like that unveiled this week.

The screens are different from today's LCD (liquid crystal display) and PDP (plasma display panel) screens in that OLED pixels use an organic material that emits its own light, so no backlight is needed. That means the screens consume less power and can be made thinner. OLEDs also handle fast-moving images better and offer good color reproduction.

At the Consumer Electronics Show in Las Vegas in January the company showed off prototype televisions based on larger, non-flexible 11-inch and 27-inch OLED panels. Thanks to the lack of a backlight the 11-inch prototype was just 11 millimeters thick but displayed a vibrant, colorful image. Sony plans to have its first OLED TVs on sale in Japan this year.

Last week in Tokyo Sony unveiled its latest OLED TV prototypes, which appeared to be close to commercialization. The sets had an integrated digital TV tuner and could also accept a high-definition input via an HDMI (high definition multimedia interface) connector.

Michigan man dodges prison in theft of Wi-Fi

A Michigan man who used a coffee shop's unsecured Wi-Fi to check his e-mail from his car could have faced up to five years in prison, according to local TV station WOOD. But it seems few in the village of Sparta, Mich., were aware that using an unsecured Wi-Fi connection without the owner's permission--a practice known as piggybacking--was a felony.

Each day around lunchtime, Sam Peterson would drive to the Union Street Cafe, park his car and--without actually entering the coffee shop--check his e-mail and surf the Net. His ritual raised the suspicions of Police Chief Andrew Milanowski, who approached him and asked what he was doing. Peterson, probably not realizing that his actions constituted a crime, freely admitted what he was doing.

"I knew that the Union Street had Wi-Fi. I just went down and checked my e-mail and didn't see a problem with that," Peterson told a WOOD reporter.

Milanowski didn't immediately cite or arrest Peterson, mostly because he wasn't certain a crime had been committed. "I had a feeling a law was being broken," the chief said. Milanowski did some research and found Michigan's "Fraudulent access to computers, computer systems, and computer networks" law, a felony punishable by five years in prison and a $10,000 fine.

Milanowski, who eventually swore out a warrant for Peterson, doesn't believe Peterson knew he was breaking the law. "In my opinion, probably not. Most people probably don't."

Indeed, neither did Donna May, the owner of the Union Street Cafe. "I didn't know it was really illegal, either," she told the TV station. "If he would have come in (to the coffee shop), it would have been fine."

But apparently prosecutors were more than aware of the 1979 law, which was revised in 2000 to include protections for Wi-Fi networks.

"This is the first time that we've actually charged it," Kent County Assistant Prosecutor Lynn Hopkins said, adding that "we'd been hoping to dodge this bullet for a while."

However, Peterson won't be going to prison for piggybacking. Because he has no prior record, Peterson will have to pay a $400 fine, do 40 hours of community service and enroll in the county's diversion program.