Sunday, May 18, 2008

HP promises patch for Windows XP SP3 endless reboot troubles

HP Thursday confirmed that some users of its AMD-based desktops have had problems after installing Windows XP Service Pack 3 (SP3), and said it would issue a patch this week to prevent machines from spiraling into endless reboots. HP also told users to delay installing XP SP3 until that patch was released.
Microsoft, meanwhile, acknowledged Thursday that it's working on a hotfix of its own.

The confirmations were the latest additions to the weeklong saga of problems some users have encountered after upgrading Windows XP to SP3. Last week, reports began showing up on Microsoft's support forum of "endless reboots" crippling machines running Advanced Micro Devices (AMD) processors. Many of the users said that the out-of-control PCs were from HP.

Users, led by Jesper Johansson, a former program manager for security policy at Microsoft and currently an MVP (Microsoft Most Valuable Professional) who works at Amazon.com, identified several causes, including one limited to HP-branded systems. According to Johansson -- and later, Microsoft itself -- HP used a disk image created on an Intel-powered machine to factory-install Windows XP on AMD-based PCs. Microsoft had advised computer makers against doing that as long ago as 2004.

An errant reference in the Windows Registry to an unnecessary device driver -- "intelppm.sys," a power-management driver intended only for Intel-based PCs -- causes the XP SP3 upgrade to install that driver on AMD systems, said Johansson. The driver then fails when the PC restarts after the update. Because most XP machines are set by default to restart automatically after a system failure, the PC reboots repeatedly; some users have had trouble interrupting the cycle and regaining control of their computers.

HP did not explicitly admit the problem was its fault, but confirmed some details of Johansson's analysis. "The affected HP systems do not have an Intel driver loaded onto them, but there is a services registry entry that SP3 appears to be recognizing as an instruction to load the Intel driver, subsequently causing the failure," HP said in an e-mailed statement Thursday.
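The condition HP describes is a concrete registry check. The script below is an added example, not Johansson's tool or HP's patch: it reads the CPU vendor string and the intelppm service's start type from the standard XP registry locations, reports whether the machine is exposed, and with --fix sets the service's Start value to 4 (disabled) so the driver is never loaded. The decision logic is kept in a pure function so it can be checked without a Windows registry; the registry paths are the stock XP locations and are assumed to be unchanged.

```python
r"""Added example: check an XP system for the intelppm-on-AMD condition and, on request, disable the driver.

Registry locations (stock Windows locations, assumed unchanged from a default XP install):
  HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0  VendorIdentifier  "AuthenticAMD" / "GenuineIntel"
  HKLM\SYSTEM\CurrentControlSet\Services\intelppm       Start             service start type (4 = disabled)
  HKLM\SYSTEM\CurrentControlSet\Control\CrashControl    AutoReboot        1 = restart automatically after a STOP error
"""
import sys

SERVICE_DISABLED = 4
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
INTELPPM_KEY = r"SYSTEM\CurrentControlSet\Services\intelppm"
CRASH_KEY = r"SYSTEM\CurrentControlSet\Control\CrashControl"


def assess(vendor, intelppm_start, auto_reboot):
    """Pure decision logic, so it can be exercised without a registry.

    Returns a list of findings; an empty list means the machine is not exposed to this issue.
    intelppm_start is None when the service key does not exist at all (nothing for SP3 to act on).
    """
    findings = []
    if vendor == "AuthenticAMD" and intelppm_start is not None and intelppm_start != SERVICE_DISABLED:
        findings.append("intelppm service entry present and enabled on an AMD CPU: "
                        "set Start=4 (disabled) before installing SP3")
        if auto_reboot == 1:
            findings.append("CrashControl\\AutoReboot=1: a STOP error during boot will loop "
                            "instead of showing its code; set AutoReboot=0 while troubleshooting")
    return findings


def _query(path, name):
    """Read one HKLM value; None if the key or value is missing. Windows only (winreg)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def disable_intelppm():
    """Set the service start type to 4 so the driver is never loaded. Needs administrator rights."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INTELPPM_KEY, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "Start", 0, winreg.REG_DWORD, SERVICE_DISABLED)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows system being checked")
    vendor = _query(CPU_KEY, "VendorIdentifier")
    start = _query(INTELPPM_KEY, "Start")
    auto = _query(CRASH_KEY, "AutoReboot")
    findings = assess(vendor, start, auto)
    for f in findings:
        print("FINDING:", f)
    if findings and "--fix" in sys.argv:
        disable_intelppm()
        print("intelppm Start set to 4; the change takes effect at the next boot")
    elif not findings:
        print("no intelppm exposure detected (vendor=%s, intelppm Start=%s)" % (vendor, start))
```

Run it as an administrator before installing SP3. A machine already caught in the loop cannot run a script; the equivalent change from the XP Recovery Console is `disable intelppm`, and turning off automatic restart on system failure (AutoReboot=0) lets the STOP code be read instead of flashing past.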

"HP is working diligently with Microsoft on a software update and will be proactively distributing a patch this week through HP Update that will prevent this error from occurring," the company continued. "HP recommends consumers with AMD-based desktops wait until after HP's or Microsoft's updates have been deployed on their systems to install Service Pack 3." The patch will be posted on HP's support site when it's available.

"Microsoft is also developing a prerequisite fix that must be downloaded before SP3 will automatically install prior to its proactive distribution of SP3," HP's statement added.

The Microsoft update that HP referenced is in the works, a Microsoft spokeswoman confirmed Thursday. "Microsoft is developing a hotfix for this issue, and will be available after it has been rigorously tested and meets our quality bar for release," she said in an e-mail Thursday afternoon.

Neither HP nor Microsoft provided any details on what the Microsoft hotfix would do, but the "prerequisite fix" phrasing likely indicates the patch would be applied to either selected PCs or all XP machines before they are allowed to receive SP3 in the coming weeks, when Microsoft flips the switch for automatic downloading and installation via Windows Update.

Microsoft has had to release several similar prerequisite updates or filters this year to prevent some users from obtaining service packs through Windows Update (WU). Last month, for instance, it delayed XP SP3 from reaching WU until it could craft a filter to exclude machines running its retail point-of-sale software. Microsoft also blocked significant numbers of users from receiving Windows Vista SP1 from WU beginning in late March.

Users impatient with HP's or Microsoft's patch plans can instead download a free tool crafted by Johansson that detects and fixes PCs that may be susceptible to the endless reboot issue.

IE attack code released after 'treasure hunt'

One week after hiding Internet Explorer attack code on his Web site, security researcher Aviv Raff has posted details on how to launch the attack.
The bug lies in the "Print Table of Links" feature, which lets IE users print out a Web page along with a list of all the links on the page tacked onto the end. Raff discovered that if an attacker added special scripting code to a Web page, he could then run unauthorized software on the PCs of IE users who printed using this feature.
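Raff's technique is not reproduced here. The following is an added example that models the bug class the description implies, untrusted link text and URLs copied into a generated document without escaping, beside a hardened version. It is not IE's print-template code, the sample links are constructed, and how IE turned such an injection into running unauthorized software is not covered; the example shows only the injection and its fix.

```python
"""Added example: HTML injection into a generated "table of links", and the hardened version.

This models the bug class only; it is not IE's print-template code. Sample links are constructed.
"""
import html
from urllib.parse import urlsplit

# Constructed sample input: the links a page might contain, the last one crafted by an attacker.
SAMPLE_LINKS = [
    ("Home", "http://example.test/"),
    ("Contact us", "http://example.test/contact"),
    # Hostile entry: markup in the link text and a script URL in the href.
    ("<script>alert(document.domain)</script>", "javascript:alert(document.domain)"),
]

SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}


def links_table_unsafe(links):
    """Vulnerable: link text and href are copied straight into the generated markup."""
    rows = []
    for n, (text, href) in enumerate(links, 1):
        rows.append(f'<tr><td>{n}</td><td>{text}</td><td><a href="{href}">{href}</a></td></tr>')
    return "<table>" + "".join(rows) + "</table>"


def safe_href(href):
    """Keep only URLs with an expected scheme; anything else (javascript:, data:, vbscript:) becomes inert."""
    scheme = urlsplit(href).scheme.lower()
    return href if scheme in SAFE_SCHEMES else "#"


def links_table_safe(links):
    """Hardened: every untrusted value is HTML-escaped (including quotes) and hrefs are scheme-checked."""
    rows = []
    for n, (text, href) in enumerate(links, 1):
        t = html.escape(text, quote=True)
        h = html.escape(safe_href(href), quote=True)
        rows.append(f'<tr><td>{n}</td><td>{t}</td><td><a href="{h}">{h}</a></td></tr>')
    return "<table>" + "".join(rows) + "</table>"


def contains_live_script(markup):
    """Crude detector for the demonstration: an executable element or a script URL in the output."""
    lowered = markup.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    print("unsafe output executes attacker content:", contains_live_script(links_table_unsafe(SAMPLE_LINKS)))
    print("safe output executes attacker content:  ", contains_live_script(links_table_safe(SAMPLE_LINKS)))
    print(links_table_safe(SAMPLE_LINKS))
```

The two defences are independent: escaping stops the link text or URL from closing the attribute or opening a new element, and the scheme check stops a URL that is syntactically harmless but executes when followed. Either one alone leaves a hole.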

The flaw affects IE 7 and IE 8, Raff said. Security vendor Secunia said that the bug also affects IE 6.

Because the hack requires that the user be tricked into following so many steps -- not only visiting a Web page, but then printing the page with this feature selected -- Secunia has rated it "less critical."

Raff said that the flaw could be a more serious issue if hackers were to add the code to Web pages that were frequently printed out, such as those on Wikipedia.

The bug has not been patched by Microsoft, which was notified of the issue just last week.

Raff disclosed the flaw in an unusual way, embedding it in his own Web site and then inviting other hackers to come and find it. He called this a "treasure hunt."

The Israeli hacker said that the treasure hunt idea came from a local custom of playing such games during Israel's Independence Day. The contest was won Tuesday by someone calling himself "George the Greek."

Microsoft didn't get much time to fix the vulnerability, but Raff said he didn't feel that Microsoft would address the issue quickly unless he went public with the vulnerability.

When he has followed Microsoft's responsible disclosure guidelines in the past, the company has been too slow to fix bugs, he said.

Microsoft is thinking about putting a fix for the problem in an upcoming security update, the company said in a statement. It too downplayed the risk. "Our investigation has shown an attack would require significant user interaction," the company said. "An attacker would need to convince a user to select a non-default printing option and print a malicious web page in order for an attack to be successful."

Though Raff's attack code has been posted to the milw0rm Web site, Microsoft says it has not heard of any attacks that exploit this vulnerability.

Yahoo tells Icahn that its own board knows best

Yahoo has responded to investor Carl Icahn's threat to take control of Yahoo's board and force it back to the negotiating table with Microsoft. The search company said Icahn's proposal shows "a significant misunderstanding" of how it handled Microsoft's offer, and argued that Yahoo's current board remains "the best and most qualified group" to handle its affairs.
In a letter to Yahoo made public earlier Thursday, Icahn said he planned to nominate 10 candidates to replace the incumbent directors on Yahoo's board. He argued that Yahoo was wrong to reject Microsoft's offer to buy the company for $33 per share, and said he hopes to install a new board at Yahoo's shareholder meeting in July that will resume talks with Microsoft.

Later in the day Yahoo released its response to Icahn, signed by board chairman Roy Bostock.

"Unfortunately, your letter reflects a significant misunderstanding of the facts about the Microsoft proposal and the diligence with which our board evaluated and responded to that proposal," the company wrote. "A fair-minded review of the factual record leads to one conclusion: that Yahoo!'s ten-member board, comprised of nine independent directors along with Yahoo CEO Jerry Yang, remains the best and most qualified group to maximize value for all Yahoo stockholders."

The letter describes the negotiations with Microsoft in detail, in a bid to show that Yahoo took the offer seriously. It says it would not be in the best interests of Yahoo's shareholders for Icahn to nominate a slate of directors "for the express purpose of trying to force a sale of Yahoo to a formerly interested buyer who has publicly stated that they have moved on.

"Please may I remind you that there is currently no acquisition offer on the table from that company or any other party," the letter states. "That said, we have been crystal clear in our stance that we have been and remain willing to consider any proposal from any party including Microsoft if it offers our stockholders full and certain value."

Microsoft announced its $44.6 billion bid for Yahoo on Feb. 1, but it walked away from the deal on May 3 after the two companies failed to agree on a price. Microsoft eventually raised its offer to $33 per share, or by about $5 billion, but Yahoo's board wanted $37 per share.

Icahn, a billionaire investor who last year pressured Motorola to spin off its mobile-phone division, has bought up 59 million Yahoo shares since Microsoft walked away from the deal and hopes to buy a further $2.5 billion of Yahoo stock. He argued Thursday that Microsoft's offer of $33 per share is "obviously" superior to Yahoo's prospects as a stand-alone company, and said "a number of shareholders" have asked him to launch the battle for Yahoo's board.

"I am perplexed by the board's actions," he wrote. "It is irresponsible to hide behind management's more than overly optimistic financial forecasts."

Yahoo stuck to its guns and insisted again that Microsoft's offer undervalues the company. It said its board has met more than 20 times to discuss Microsoft's offer and other alternatives. It said it solicited input from shareholders, and that "the senior-most management" from both companies met seven times in person to discuss the deal.

On May 2, Yahoo's board instructed Yang to tell Microsoft that Yahoo was prepared to be sold for $37 per share, provided that Microsoft could show it was reasonably certain it could close the deal without running into regulatory issues.

"This was communicated to Microsoft in-person at a meeting in Seattle on May 3rd. With Microsoft's offer at $33 and Yahoo's counter-proposal at $37, Microsoft elected, within hours, to walk away from the negotiating table and informed us that they were 'moving on,' having never engaged further on price or any of the key non-price deal terms."

The letter concludes that Yahoo is open to a deal "with Microsoft or any other party" for the right price, and that its own board can best steer the company moving forward.

"We look forward to a productive dialogue," it concludes, anticipating a response from Icahn.

Facebook blocks Google's Friend Connect

The industry momentum for data portability brotherhood hit a bump on Thursday when Facebook blocked Google's Friend Connect service from accessing Facebook members' data.
Friend Connect violates Facebook's terms of service because it "redistributes user information from Facebook to other developers without users' knowledge," Facebook official Charlie Cheever wrote on the company's blog for developers.

"Just as we've been forced to do for other applications that redistribute data in a way users might not expect or understand, we've had to suspend Friend Connect's access to Facebook user information until it comes into compliance," Cheever wrote.

Facebook has already contacted Google "several times" about the issue and is looking forward to finding a resolution, according to Cheever.

For its part, Google doesn't fully understand what it needs to do in order to comply with Facebook's terms of service, said Google Engineering Director David Glazer in a phone interview.

"We think users should be in control of their data. When we built Friend Connect, we designed it very carefully to put users in control of their information at every step of the way. We're disappointed that Facebook chose to disable their users' ability to use Friend Connect with their Facebook friends," Glazer said.

Google shares Facebook's beliefs that users need to be in control of their data and that their privacy needs to be respected. "I agree strongly with the values they assert, and I believe the APIs they have released do a good job of honoring those values. I don't understand at this point why they've chosen to do something that doesn't align with those values," Glazer said.

Google held talks with Facebook before and after the announcement of Friend Connect on Monday around the issue in question, and conversations are ongoing, Glazer said.

Although Friend Connect is in a limited preview, there are four Web sites -- two built as demos and two real ones -- that had been accepting requests from users to grab their Facebook profile data, Glazer said. That functionality is now interrupted, he said.

Facebook didn't respond to a request for comment beyond Cheever's blog posting.

Friend Connect, Facebook Connect and MySpace Data Availability are separate initiatives announced in the past week designed to let people reuse the content from their social network profiles in other sites.

The main idea behind this data portability concept is to save people from having to reenter into multiple sites common profile information like their personal interests, list of friends, photos, video clips, blog postings and the like.

However, none of the three initiatives even comes close to providing a broad data portability solution, although MySpace, Google and Facebook have been commended by industry observers for at least taking some first steps to address the issue.

It's not a secret that data portability itself is a complicated matter to solve due to significant technical as well as commercial and operational challenges that surround it.

Thursday's move by Facebook highlights just one of the considerable obstacles for data portability: the different user-privacy policies and settings that exist among social networks and online service providers. These policies and settings need to be reconciled and harmonized in order for them to share and accept user data from each other.

Friend Connect is designed to let Web publishers add social-networking features to their sites in a simple, straightforward way, by inserting "snippets" of code, according to Google.

With Friend Connect, sites can add social features like user registration, friends invitations and message posting, and allow visitors to interact with their existing friends at social-networking sites like Google's Orkut, Plaxo, Hi5 and, until recently, Facebook.

U.S. online ad revenue hit $21.2 billion in 2007

U.S. online ad spending increased 26 percent in 2007 over 2006, as the Google-dominated search format not only remained the market's largest, but also increased its share of the overall pie.
Online ad spending in the U.S. reached US$21.2 billion last year. Search advertising accounted for 41 percent of the spending, one percentage point more than in 2006, the Interactive Advertising Bureau reported on Thursday. In 2007, spending in search advertising grew 30 percent over 2006, explaining the continued financial success of Google, which broadly dominates this format.

It also partly explains Microsoft's continued sense of urgency at trying to boost its underperforming Internet ad business, which hasn't been able to achieve its financial and usage goals, specifically in search advertising, despite heavy investments in recent years. Microsoft cited its desire to compete better against Google as a key incentive in its attempt to acquire Yahoo, an effort that Microsoft has, at least for now, given up on.

Display advertising, which includes formats like banners, sponsorships and video, accounted for 34 percent of the spending, according to the IAB. This is a category in which, according to IDC, Yahoo leads and Google has a minor position. The third-largest format was classifieds, with 16 percent.

A majority of the spending -- 55 percent -- came from companies advertising products and services for consumers, such as retail, automotive, leisure and entertainment companies. Providers of financial services made up the second-largest category with 15 percent of the spending.

In 2007's third quarter, spending reached almost $5.3 billion, and in the fourth quarter it almost hit $6 billion, according to the IAB.

The 10 largest online ad sellers racked up almost 70 percent of the spending, while the top 50 captured 89 percent.

EU raises privacy issue for Google Street View

Europe's data protection supervisor, Peter Hustinx, urged Google Thursday to respect local privacy rules as it prepares to launch its Street View function this side of the Atlantic.
Although he hasn't been in direct contact with the Internet search giant about Street View, Hustinx is very aware of it.

"Street View is only available in the U.S. still, but I understand that it will work differently when it's launched in Canada, so there is a capacity to deploy the service in different ways to suit different privacy laws," Hustinx said in a press conference, adding: "I'd encourage Google to work closely with European data-protection authorities too."

"Taking pictures on a street isn't in itself a problem but taking pictures anywhere can be. We have sent a very strong message to Google and other Internet search companies in our report on search engines about complying with European privacy laws," he said.

"The same applies here. Respecting data-protection laws is central to Google's business. Success or failure for them in Europe will depend on them respecting the laws. They are smart, I'm confident they won't ignore the laws," Hustinx added.

Last month, cars daubed with the Google logo, carrying what looked like sophisticated laser-scanning photographic equipment on their roofs, were spotted on the streets of Milan and Rome in Italy.

Earlier this month, similar vehicles were seen in some French cities too.

Google's global privacy counsel, Peter Fleischer, wrote in a blog that the company will respect local laws as it rolls out the Street View service in countries outside the U.S.

"In other parts of the world local laws and customs are more protective of individuals' right to privacy in public spaces, and therefore they have a more limited concept of the right to take and publish photographs of people in public places," he wrote.

The feature has already sparked some controversy in the U.S., where Street View is available for several cities including San Francisco. The photographic images of the streets often include pedestrians on sidewalks or in cafes, and car license-plate numbers are clearly visible.

In the U.S. Google will remove images of people if they ask it to do so. However, this retroactive action isn't likely to satisfy Europe's data-protection authorities.

For this reason Google is considering installing blurring technology that would make distinguishing features such as faces and number plates unrecognizable. "We would only consider such action if the process of blurring could be automated," Google's policy communications manager, Jon Steinback, said in a phone interview last month.

One alternative would be to reduce the resolution of the whole image to protect people's privacy, Steinback said, but this would compromise the quality of images for everyone and is seen as a last resort to placate local privacy authorities.

Speaking on the sidelines of a press conference to unveil his annual report on data protection in the E.U., Hustinx said that broadly, Google does take European data protection seriously. "I am encouraged, but compliance with our rules remains a challenge for Google and requires a commitment from the company," he said.

Rent-a-botnet makes cyber crime a breeze

Online fraudsters who aren't highly skilled in the arts of cyber crime can now rent a service that offers an all-in-one hosting server with a built-in Zeus trojan administration panel and infection tools, allowing them to create their own botnet.
EMC's security division, the RSA Anti-Fraud Command Centre (AFCC), cited an increase in the use of the Zeus trojan in attacks against financial institutions in its April online fraud report, claiming the trojan is "extremely user friendly and easy to operate".

"Fraudsters who execute Zeus attacks simply need to take control of a compromised server or have their own back-end servers; once they have a server in place, they merely need to install the Zeus administration panel, create a user name and password, and start launching their attacks," the report stated.

But the AFCC recently traced a new service that does all of the above for would-be botnet barons. The service offers access to a "bullet-proof hosting server with a built-in Zeus trojan administration panel and infection tools...the service includes all of the required stages in a single package, meaning that all the fraudster now has to do is pay for the service, access the newly-hired Zeus trojan server, create infection points and start collecting data".

RSA's banking and finance specialist, Geoff Noble, said that those offering the Zeus package are mirroring what legitimate security vendors are offering -- security-as-a-service -- but in their case they are slinging malware-as-a-service.

"Phase one of online threats was stealing credit card numbers, buying stuff on the internet and selling it somewhere else to make a profit. Phase two is this grabbing of user names and passwords online, phase two 'b' is productizing that solution, and phase 2 'c' is offering that solution as a service," Noble said.

"What Zeus means is that you are buying a service with traditional software support and maintenance, so you can go about your business without updating and patching."

RSA said that the exploit package allows fraudsters to easily infect users and grow a botnet of compromised machines, and boasts an easy to use Web hosting control panel that can be used by virtually anyone.

"The bottom line is that with such services, creating the infrastructure for Zeus attacks and actually implementing these attacks is now easier than ever before", the report said.

"It makes it markedly easier because you don't need to bring together the three components. The challenge still remains -- how to get the cash out -- and that will likely be the constriction point getting in the [fraudsters] way; it will be a lot easier to do on the attack front but the cash still needs to come out of the channel," Noble said.

E-mails sent to victims at home or work, offering amazing deals to become the local financial outpost of a multinational company, are just one of the ways the fraudsters get the cash out.

"People still get sucked into that, and that's one of the variants of getting the cash out. The fact that it's too good to be true doesn't always sink into everyone and people still become mules. And we're seeing a lot more specific approaches to people to become mules in tandem with the ease of use for non-tech spooks and fraudsters," he said.

The Zeus trojan is designed to perform advanced keylogging when infected users access specific Web pages. The information it collects is encrypted before it is sent to the collection point, and can also be sent over an SSL connection.

The monthly AFCC report found that US banks continued to be the dominant target of cyber criminals with 62 percent of attacks, followed by the UK with 11 percent. Australia and New Zealand made it into the list for the second month running as phishing in the Asia-Pacific region continues to grow.

The US also topped AFCC's April list of top hosting countries, with 51 percent of phishing attacks originating from there -- a 12 percent decrease from the previous month. China came in second position with 19 percent of attacks, while Australia was responsible for 2 percent of threats.

CBS to buy CNET Networks for $1.8 billion

CBS has agreed to pay US$1.8 billion in cash for online media company CNET Networks in a deal that has the backing of both companies' boards.
The acquisition will increase the total of unique monthly visitors to CBS Web sites to around 200 million worldwide, CBS said. CNET online brands include CNET, GameSpot, TV.com, BNET, CHOW, ZDNet and TechRepublic.

CNET was the target of a hostile bid from investment fund Jana Partners in January. The investment fund, CNET's largest shareholder, sought to nominate two members to the company's board.

The CBS statement announcing the deal described CNET as profitable, but the company had a net loss of $6.1 million on revenue of $91.4 million in the first quarter. That was less than the $9.1 million the company lost in the year-earlier quarter, but the company's operating loss widened from $7.7 million in the first quarter of 2007 to $18 million this year, including restructuring charges of $5.1 million.

For the full year 2007, CNET's net income totaled $176.8 million -- including a $184.2 million income tax benefit.

CBS expects to close the deal in the third quarter. Its offer price of $11.50 per CNET share represents a premium of 45 percent over Wednesday night's closing price of $7.95. CNET shares were trading at $11.33 a half hour before markets opened Thursday morning.

Hacker writes rootkit for Cisco's routers

A security researcher has developed malicious rootkit software for Cisco Systems' routers, a development that has placed increasing scrutiny on the routers that carry the majority of the Internet's traffic.
Sebastian Muniz, a researcher with Core Security Technologies, developed the software, which he will unveil on May 22 at the EuSecWest conference in London.

Rootkits are stealthy programs that cover up their tracks on a computer, making them extremely hard to detect. To date, the vast majority of rootkits have been written for the Windows operating system, but this will mark the first time that someone has discussed a rootkit written for IOS, the Internetwork Operating System used by Cisco's routers. "An IOS rootkit is able to perform the tasks that any other rootkit would do on desktop computer operating systems," Muniz said in an e-mail interview.

Rootkits are typically used to hide key-logging software as well as programs that allow attackers to remotely connect to the infected system. However, the most notorious rootkit of all, distributed by Sony BMG Music on audio CDs, was used to hide copy-protection software intended to stop unauthorized CD copying.

A Cisco rootkit is particularly worrisome because, like Microsoft's Windows, Cisco's routers are very widely used. Cisco owned nearly two-thirds of the router market in the fourth quarter of 2007, according to research firm IDC.

In the past, researchers have built malicious software, known as "IOS patching shellcode," that could compromise a Cisco router, but those programs are custom-written to work with one specific version of IOS.

Muniz's rootkit will be different. "It could work on several different versions of IOS," he said.

The software cannot by itself be used to break into a Cisco router -- an attacker would need some kind of attack code, or an administrative password on the router, to install the rootkit -- but once installed it can be used to silently monitor and control the device.

The rootkit runs in the router's flash memory, which contains the first commands that it uses to boot up, said EuSecWest conference organizer Dragos Ruiu.

Muniz said he has no plans to release the source code for his rootkit, but he wants to explain how he built it to counter the widespread perception that Cisco routers are somehow immune to this type of malware. "I've done this with the purpose of showing that IOS rootkits are real, and that appropriate security measures must be taken," he said.

Security researcher Mike Lynn offered a similar rationale for his controversial 2005 Black Hat presentation showing how to hack into a Cisco router and run a small "shellcode" program.

Lynn's presentation was "very shocking because, until then, nobody thought you could actually build exploits for Cisco," Ruiu said. "This rootkit is the next step."

Within hours of his 2005 Black Hat talk, Lynn was sued by Cisco, which claimed he had exposed trade secrets in violation of his Cisco end-user license agreement.

Cisco's suit was quickly settled, but Muniz and his employer clearly have Lynn's experience in mind as they ready for next week's conference. They declined to provide technical details on the presentation ahead of time. "We're still in the process of putting the whole presentation together, and we also need to work with Cisco before we talk to anybody," a Core spokesman said. "The big concern is making sure that everything is cool with Cisco."

Cisco declined to comment for this story.

Jennifer Granick, the Electronic Frontier Foundation lawyer who represented Lynn in 2005, said that Cisco could bring the same trade-secret claims against Muniz, but because the technical community reacted so negatively to the 2005 lawsuit, she believes that this may not happen. "Cisco thinks of itself as really researcher-friendly," she said. "I think they will be very careful before filing legal action."

Still, the rootkit comes at a sensitive time for Cisco. Last week, the New York Times reported that the U.S. Federal Bureau of Investigation considers the problem of fake Cisco gear a critical U.S. infrastructure threat.

In late February the FBI culminated a two-year investigation by breaking up a counterfeit Cisco distribution network and seizing an estimated US$3.5 million worth of components manufactured in China. According to an FBI presentation on Operation Cisco Raider, fake Cisco routers, switches and cards were sold to the U.S. Navy, the U.S. Marine Corps, the U.S. Air Force, the U.S. Federal Aviation Administration, and even the FBI itself.

The U.S. Department of Defense has expressed concerns that the lack of security in the microelectronics supply chain could threaten the country's defense systems, and the idea that an attacker could sneak a rootkit onto a counterfeit Cisco system has security experts worried.

Cisco routers are typically compromised by hackers who are able to guess their administrative passwords, said Johannes Ullrich, chief research officer with the SANS Institute. But there are few tools around to check these systems for signs of hacking. "How would you find out?" he said. "That's the big problem."
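Ullrich's point leaves a practical first step that needs no rootkit detector: audit the running configuration for credentials that are trivially recoverable or sent in the clear, since those are what a password-guessing attacker is after. The following is an added example, not a tool from Core, Cisco or SANS. Its type 7 routine reverses Cisco's "password 7" obfuscation, a fixed-key XOR that has long been public, and the configuration it scans is constructed for the example and describes no real device.

```python
"""Added example: first-pass audit of an IOS configuration for weak credential storage and cleartext management.

The type 7 routine reverses Cisco's 'password 7' obfuscation (fixed XOR key); it is not a Core or Cisco tool.
The configuration below is constructed for the example and does not describe any real device.
"""
import re

XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"  # fixed key used by every IOS image


def decode_type7(enc):
    """'password 7' format: two-digit decimal seed, then one hex byte per character XORed with XLAT[(seed+i) % len]."""
    if len(enc) < 4 or len(enc) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def encode_type7(plain, seed=2):
    """Inverse of decode_type7; exists only to show the scheme is reversible (there is no secret in it)."""
    return "%02d" % seed + "".join("%02X" % (ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, c in enumerate(plain))


PW7 = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)\b")
PW_PLAIN = re.compile(r"\bpassword (?:0 )?(?!7 )(\S+)$")   # 'password x' or 'password 0 x': stored as typed
INSECURE_TRANSPORT = re.compile(r"^transport input (telnet|all|rlogin)\b")

# Constructed sample running-config excerpt for a hypothetical router (not a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr
no service password-encryption
enable password 7 0822455D0A16
username admin password 0 letmein
line vty 0 4
 password cisco
 transport input telnet
 login
"""


def audit_config(text):
    """Return (line_number, message) findings; line 0 marks a finding about the whole config."""
    findings = []
    if not re.search(r"^service password-encryption\s*$", text, re.M):
        findings.append((0, "service password-encryption is off: type 0 passwords stay readable in the config"))
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = PW7.search(line)
        if m:
            findings.append((n, "type 7 password decodes to %r: reversible, treat as exposed" % decode_type7(m.group(1))))
        elif PW_PLAIN.search(line):
            findings.append((n, "plaintext password"))
        if line.startswith("enable password"):
            findings.append((n, "enable password in use: replace with 'enable secret' (salted MD5 hash)"))
        if INSECURE_TRANSPORT.match(line):
            findings.append((n, "cleartext management protocol on this line: use 'transport input ssh'"))
    return findings


if __name__ == "__main__":
    for line_no, msg in audit_config(SAMPLE_CONFIG):
        print("line %d: %s" % (line_no, msg))
```

Feed it the output of `show running-config`. Anything it decodes should be treated as already known to whoever has read the config, so `service password-encryption` is cosmetic against that threat; the real fixes are `enable secret` and `username ... secret`, and SSH rather than Telnet on the vty lines.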