Archive for December, 2008

Microsoft plans quick fix for IE

Microsoft is due to issue a patch to fix a security flaw believed to have affected as many as 10,000 websites.

The emergency patch should be available from 1800 GMT on 17 December, Microsoft has said.

The flaw in Microsoft’s Internet Explorer browser could allow criminals to take control of people’s computers and steal passwords.

Internet Explorer is used by the vast majority of computer users and the flaw could affect all versions of it.

So far the vulnerability has affected only machines running Internet Explorer 7.

According to Rick Ferguson, a senior security adviser at security firm Trend Micro, the flaw has so far been used to steal gaming passwords but more sensitive data could be at risk until the security update is installed.


Change IE security settings to high (Look under Tools/Internet Options)
Switch to a Windows user account with limited rights to change a PC’s settings
With IE7 or 8 on Vista turn on Protected Mode
Ensure your PC is updated
Keep anti-virus and anti-spyware software up to date

“It is inevitable that it will be adapted by criminals. It’s just a question of modifying the payload the trojan installs,” he said.

It is relatively unusual for Microsoft to issue what it calls an “out-of-band” security bulletin and experts are reading the decision to rush out a patch as evidence of the potential danger of the flaw.

Some experts have suggested that users switch browsers until the flaw is fixed.

Firefox, Opera, Chrome and Apple’s Safari system are not vulnerable to this current flaw.

But Graham Cluley, senior consultant with security firm Sophos, said no browser is exempt from problems.

“Firefox has issued patches and Apple has too. Whichever browser you are using you have to keep it up to date,” he said.

“People have to be prepared and willing to install security updates. That nagging screen asking if you want to update should not be ignored,” he said.

Facebook users hit by virus

Facebook’s 120 million users are being targeted by a virus designed to get hold of sensitive information like credit card details.

‘Koobface’ spreads by sending a message to people’s inboxes, pretending to be from a Facebook friend.

It says “you look funny in this new video” or “you look just awesome in this new video”.

By clicking on the link provided they’re then asked to watch a “secret video by Tom”.

When users try and play the video they’re asked to download the latest version of Adobe Flash Player.

If they do, that’s when the virus takes hold and attacks the computer.

Guy Bunker works for Norton AntiVirus and says there are two ways Koobface gets people’s credit card details.

“It can either wait for you to buy something online and just remember the details you type in on your keyboard.

“Otherwise it can search your computer for any cookies you might have from when you’ve bought something in the past, and take them from there.”

The Facebook case is the latest example of hackers using social networking sites to try to cash in.

MySpace was targeted by Koobface in August.

Security experts say people are far less suspicious about viruses on sites like Facebook because you need to be a member to log in.

Facebook won’t give any specifics on how many users have been hit by the virus, only saying it’s a small percentage.

But they have posted some advice on the site about what to do if you come across it.

“We’re currently helping our users with the recently discovered ‘Koobface’ worm and phishing sites.

“If your account has recently been used to send spam, please visit one of the online antivirus scanners from the Helpful Links list, and reset your password.”

Source: BBC News

Microsoft Office to debut online

The web versions of Microsoft software are due to debut in 2009

Microsoft is preparing web versions of some of its most popular programs.

In 2009 web versions of Word, Excel and other programs in the Microsoft Office suite plus Exchange and Sharepoint will go online.

Users will be able to get at the programs via a web browser rather than install them on a PC.

Some versions of the programs are expected to be free to use provided users are happy to view adverts alongside the software.

“We expect fully that the full range of Office utilities, from the most advanced to simpler lightweight versions, will be available with a range of options: ad-funded, subscriptions-based, traditional licensing fees, and so forth,” Stephen Elop, head of Microsoft’s business division, told the Reuters newswire.

The decision by Microsoft marks a significant change by the software giant which, before now, has only dabbled in web-based versions of its programs.

It has offered an ad-supported version of its Works suite that is available pre-loaded on some new PCs.

By contrast many others, such as Google and Adobe, have been pushing web-based versions of word processors and other programs for some time.

The move to web-based versions is also seen as a belated move by Microsoft to bolster its credentials in the move to so-called “cloud computing” in which applications only live online.

Microsoft pledged that the web-based versions would also work with rival browsers, such as Firefox, and would not require users to install its Silverlight software.

So far no date has been given for when the web-based versions will be available – though they are expected to be put online in 2009.

Mr Elop said Microsoft had seen strong interest from many existing customers in the web versions. Using such software would free many from maintaining their own hardware and software to support locally-installed versions.

The economic downturn and need to cut costs could boost the attractiveness of web-based software, said Mr Elop.

“What we think is in five years, 50% of the use of Exchange and Sharepoint could be serviced from the cloud,” he said.

Source: BBC News

Putting Armageddon on hold

How would our government react to a terrorist attack in the age of social networking? Mumbai and other atrocities have led to draconian plans, says Michael Cross

It’s July 2012, and despite all the precautions – including the most intrusive surveillance exercise ever mounted and the detention of hundreds of suspects under draconian emergency powers – London is under terrorist attack. Social networks are buzzing with rumours and video clips of military units clad in chemical warfare suits gathering outside the Bank of England, where hostages are being held.

In the Cobra emergency room under Whitehall, officials from the Cabinet Office, the Ministry of Defence and the Metropolitan Police ponder their options. Someone mentions Mumbai 2008, when Twitter became the uncontrolled but main source of news, flooding in at the rate of 12 Tweets a second. A decision is taken to seize control of the flow of information from anywhere near the scene of the attack.

Transmission ends

The UK government already has the legal power and technical ability to do it, and contingency plans for filling the information vacuum from official sources.

Step one is to shut down all unofficial mobile communications in the capital. The plan, drawn up by the Directorate of Civil Contingencies and drawing on the lessons of the 2004 Madrid bombings, as well as the July 7 2005 attacks in London, is for a carefully tiered approach, to avoid public panic and political flak.

Close to the hostage sites, the security forces have already deployed jammers to render the terrorists’ GSM and 3G phones – and other wireless devices – unusable. To extend control over the whole network, the Cabinet Office instructs licensed phone operators to restrict calls to numbers registered in advance. Under the telephone preference scheme, a condition of operating licences, this can be done at the flick of a switch. No public announcement is made; frustrated Londoners trapped behind security cordons and trying desperately to phone home assume that the network is simply overloaded.

Step two is to tackle “unhelpful” information on the web. With no time to issue legal takedown notices, the Cobra committee authorises GCHQ to begin denial-of-service attacks. The British public, suddenly bereft of its favourite channels of communication, reverts to the time-honoured technologies of broadcast radio and television – and newspapers.

This isn’t fantasy. Whitehall sources acknowledge that such plans to shut down Britain’s electronic information infrastructure exist, though no one is prepared to go into details. However, one clue is the extent of measures being put in place to ensure that official communications operate separately from civilian networks.

The principal communications system, used by the military and security services as well as police, fire and ambulance crews, is the Airwave digital radio. The system, based on the Tetra standard (similar to GPRS), was sold as being secure and resilient. The network’s 3,500 transmission stations across the UK operate independently of civilian mobile networks, the operator says. For example, all have backup power batteries, and one third have on-site generators to keep them running for seven days. Likewise, the network switches (the number is secret) have duplicates on hot-standby, the operator says. And if the worst came to the worst and the whole network went down, handsets would still function as mobile radios, capable of talking to each other for as long as their batteries held out.

Network capacity

However, Airwave’s limited ability to handle data – while some police forces use it to transmit images, it is painfully slow – raises questions about its suitability as the sole operational carrier in a national emergency.

Last month, the Home Affairs Select Committee’s report Policing in the 21st century concluded: “The Airwave radio network can struggle to cope where a very large number of users are concentrated in the same area. We are concerned about the potential for the network to fail during the 2012 Olympic Games, given the number of officers who will be deployed. The Home Office should address this as a matter of urgency, including consideration of expanding the radio band assigned to Airwave.” The report quoted evidence by the Academy of Engineering that: “The amount of voice traffic is now reaching the limits of the current system’s spectrum resources in some areas (particularly in London). This suggests that the Airwave system will be inadequate for the future needs of the police forces, particularly in densely populated areas where information needs are likely to exceed the Tetra network’s capacity.”

Airwave executives agree with the need for more bandwidth, but vigorously deny that the network would fall over from excess demand. “We’ve never got anywhere near getting to such levels,” a senior executive said this week. If the network did become overloaded, it would automatically ration calls in a pre-programmed priority rather than shutting down, he said.

Contingency plans to fill the gap left by the blocking of non-official websites appear to be less well prepared. Under the scheme of website rationalisation, two central “supersites” have a role to play.

The main one is the central government site, which the Cabinet Office says will be “the place people turn to in a national emergency”. However, Whitehall sources say that the site’s operators, based at the Central Office of Information but reporting to the Department for Work and Pensions (which hosts the site), are still working on how the information feed from the government’s emergency response teams will work in practice.

Signing off

Meanwhile, in the event of an epidemic or chemical, biological or nuclear attack, the new NHS portal has plans to clear its home page to provide graphic-only information about what to do.

Finally, when all else shuts down, the government can fall back on the tried and tested radio – meaning conventional analogue broadcast. In the event of a major national catastrophe, we can assume that Radio 4 will be the last to go off air. According to Whitehall historian Peter Hennessy, captains of Trident missile submarines are instructed that if they lose all communication with the UK, and Radio 4’s Today programme is not broadcast for three days, they may assume the home country has been wiped out and open their instructions for Armageddon.

In which case, it probably won’t matter whether Twitter is working – or not.

Source: Guardian