Archive for June, 2011

Botclouds: a cyberattacker’s dream

OFFLOADING your software and data to a cloud computing service has never been easier.

Apple last week became the latest tech company – after Google and Amazon – to offer cheap online storage, with its new iCloud service allowing users to access music, documents and other files from any Apple device. But cloud services could also be used to launch attacks, send spam and commit fraud.

“Right now it’s just a few attacks, most aren’t well publicised and a lot can go undetected,” says Kassidy Clark of the Delft University of Technology in the Netherlands.

“As long as cloud service providers are not taking proactive steps to prevent these things, I think this trend will increase.”

As well as basic online storage, firms such as Amazon, which provides the largest cloud service, also offer virtual computing.

This allows people to rent as many “virtual computers” as they need.

Now Clark and colleagues have investigated how the cloud could be used to build a botnet, a network of infected computers under an attacker’s control.

Traditional botnets are built over time by taking control of ordinary people’s computers without their knowledge, but a cloud botnet – or botcloud – can be put together in a couple of minutes just by purchasing space in the cloud with stolen credit card details.

“It makes deployment much faster,” says Clark, who presented his findings at the CLOSER cloud computing conference in Noordwijkerhout, the Netherlands, last month.

“You don’t have to wait months for millions of machines around the world to get infected.”

To find out just how easy it is to construct a botcloud, Clark and colleagues hired 20 virtual computers from a leading cloud service provider for around €100 and used them to carry out attacks on their own web server.

They first attempted a distributed denial of service (DDoS) attack, which floods a target with massive amounts of traffic.

The botcloud pumped out 20,000 page requests per second and brought the server down in just 10 seconds.

Clark also built a larger botcloud and used it to simulate “click fraud” – clicking links in pay-per-click adverts in order to generate fraudulent revenue.

Advertising companies normally stop this by tracking the internet protocol (IP) address of each individual computer and blocking one if it clicks a link too many times.

The researchers circumvented this defence by setting up a botcloud of 1000 virtual computers, each with its own address.

Neither botcloud attack was detected or shut down by the cloud provider.
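The per-IP limit described above fails against a botcloud because every rented machine stays under the threshold on its own. The following is an added defender-side illustration, not code from the article or from Clark's group, of how an ad network could aggregate the same click log by network prefix and by per-ad source diversity so that many low-rate addresses from one provider range still add up. The click records, the IP ranges (RFC 5737 documentation addresses) and the thresholds are constructed assumptions for the example.

```python
"""
Why per-IP click limits miss a botcloud, and two aggregate views that do not.
All data below is constructed for illustration; thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

BASE = datetime(2011, 6, 1, 12, 0, 0)  # constructed start time for the sample log


def build_sample_clicks():
    """Constructed click stream: 50 cloud hosts in 203.0.113.0/24 each click ad-42
    twice (well under any per-IP limit), plus a few ordinary clicks from elsewhere.
    Each record is (timestamp, client_ip, ad_id)."""
    clicks = []
    for host in range(10, 60):  # 50 distinct source addresses
        ip = f"203.0.113.{host}"
        for k in range(2):
            clicks.append((BASE + timedelta(seconds=host + 30 * k), ip, "ad-42"))
    clicks += [
        (BASE + timedelta(seconds=5), "198.51.100.7", "ad-42"),
        (BASE + timedelta(seconds=9), "192.0.2.33", "ad-17"),
        (BASE + timedelta(seconds=70), "198.51.100.7", "ad-17"),
    ]
    return sorted(clicks)


def per_ip_offenders(clicks, limit):
    """The classic defence from the article: count clicks per source IP and
    flag any address that exceeds `limit`. A botcloud spreads its clicks thinly,
    so nothing is flagged."""
    counts = Counter(ip for _, ip, _ in clicks)
    return {ip: n for ip, n in counts.items() if n > limit}


def per_prefix_offenders(clicks, prefix_len, limit):
    """Aggregate clicks by network prefix (e.g. /24) so that many low-rate
    addresses from one provider range are counted together."""
    counts = Counter()
    for _, ip, _ in clicks:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return {net: n for net, n in counts.items() if n > limit}


def ad_source_diversity(clicks, window_seconds, min_distinct):
    """Flag an ad that receives clicks from an unusually large number of distinct
    source IPs inside one sliding time window. Returns {ad_id: max distinct IPs
    seen in any window}. An organic campaign rarely gets dozens of fresh
    addresses within a minute."""
    window = timedelta(seconds=window_seconds)
    per_ad = defaultdict(list)
    for ts, ip, ad in clicks:
        per_ad[ad].append((ts, ip))
    flagged = {}
    for ad, events in per_ad.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({ip for _, ip in events[start:end + 1]})
            if distinct >= min_distinct:
                flagged[ad] = max(flagged.get(ad, 0), distinct)
    return flagged


if __name__ == "__main__":
    log = build_sample_clicks()
    print("per-IP (>5 clicks):      ", per_ip_offenders(log, 5))
    print("per-/24 (>20 clicks):    ", per_prefix_offenders(log, 24, 20))
    print("source diversity (>=25): ", ad_source_diversity(log, 60, 25))
```

Running it shows the per-IP check returning nothing while the /24 aggregate and the diversity check both single out the cloud range and the targeted ad. Both aggregate signals are heuristics rather than block rules: a provider's address block also carries legitimate NAT and proxy traffic, so a flagged prefix is a candidate for review or for withholding payout, not for automatic blacklisting.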

So are botclouds being used? There were certainly rumours that the recent attack on Sony’s PlayStation Network was carried out via Amazon servers rented using stolen credit cards, but these have not been substantiated.

“We have seen spam coming from some of these environments, but not on a massive scale,” says Paul Wood, a senior analyst at Symantec.cloud, which provides cloud-based security services.

He says that it is even possible for a virtual computer in the cloud to become infected by an ordinary botnet, because cloud users don’t normally run anti-virus software.

Thomas Roth, a security researcher in Cologne, Germany, who recently showed how to use Amazon’s servers to crack Wi-Fi passwords, agrees the lack of anti-virus protection in the cloud is a problem.

“I think that Amazon should provide infrastructure for doing vulnerability assessments and virus scans,” he says.

“Amazon Web Services employs a number of mitigation techniques, both manual and automated, to prevent the misuse of the services,” Amazon told New Scientist.

“We have automatic systems in place that detect and block many attacks before they leave our infrastructure.”

But Wood warns that attacks from the cloud could easily take off in countries with more lax web policing.

“It’s only a matter of time before a Russian or Chinese equivalent of Amazon offers similar services,” agrees Clark.

“You put malicious or illegal software there, it doesn’t matter, they will never take you offline.”


Mozilla move spotlights PDF’s ascent on the Web

PDF files have long been an awkward fit with the Web, but a new project from the developers of Firefox shows how online PDFs are changing for the better.

For years, the only way to view them was with viewer software from Adobe Systems, which created the Portable Document Format in the 1990s.

Clicking a link to a PDF often meant a wait as the software loaded, followed by an alien interface, framed within the browser window, that meant actions like searching and printing were different.

It’s faster today, but PDFs still don’t feel like native Web documents.

But PDF has become an international standard, and now PDFs are becoming less obstreperous.

Google started indexing PDF content and showing PDFs in search results years ago, helping to ensure their utility on the Internet.

And browsers have begun handling them better, too.

Google’s Chrome, for example, added a PDF reader directly into the browser so that Adobe Reader, Mac OS X’s Preview, or other third-party applications aren’t required.

(Well, except in cases where Chrome’s plug-in isn’t up to snuff; happily, it now sometimes warns you when a PDF has elements it can’t handle.)

Chrome is tackling the performance issue, too, making a PDF reader plug-in that uses the Native Client software technology.

Now Mozilla has begun a project of its own called pdf.js: a PDF reader that uses Web technology, not native software, to render PDFs in the browser.

Eventually it will be built directly into Firefox, said programmer Andreas Gal in a blog post last week.

Thus, while Google is working on native-code PDF abilities – software tailored for a specific processor – Mozilla is working on an approach that uses the browser’s engine instead.

Indeed, security has been a problem for PDF reading on the Web.

Adobe’s widely used free Reader software needs regular attention as new security vulnerabilities are uncovered, some of them zero-day problems that emerge before a patch is ready.

Browser technology is by no means immune to security problems, but Web applications don’t get the same privileges granted to native software, so that makes attacks harder.

The project uses JavaScript, the programming language of Web pages and Web applications, to interpret the PDF coding.

It should be noted that Gal has been involved for years in improving Firefox’s JavaScript execution speed.

Another Web standard in use is the HTML5 Canvas technology for two-dimensional drawing.

For a look at how well the project compares to other PDF rendering software, check out the screenshots below.

Canvas is fast, something Mozilla likes given the sour sentiments that often arise at the prospect of loading a PDF.

But it’s got drawbacks, too, said Chris Jones in a blog post. For one thing, it’s a low-level interface that doesn’t easily let people select text.

For another, high-quality printing is hard.

To get around those drawbacks, Mozilla also might use a PDF renderer using another Web technology, Scalable Vector Graphics (SVG).

The idea is to render a quick version using Canvas, then swap in a more elaborate SVG-based version after it’s been created, Jones said, mentioning that other approaches are possible, too.

To gauge progress, people can open a Web-based version of pdf.js showing a 2009 research paper about JavaScript that Gal and others wrote.

Ordinarily I’d include a parenthetical warning to readers that the link leads to a PDF, but in this case, it leads to an ordinary Web page that shows a PDF.

Mozilla hopes pdf.js will improve people’s experience with PDFs, but ultimately help phase out the technology, too.

“It’s important to note that we’re not trying to promote PDF to a first-class web citizen like HTML5 is,” Gal said.

“Instead we hope that a browser-native PDF renderer written on the Web platform allows Web technologies to subsume PDF.”

Perhaps the work will make PDF fade into the background.

But people use PDFs for their advantages in formatting flexibility, archiving information in a standard file format, and sharing documents across a variety of operating systems and programs.

It seems possible to me, therefore, that Mozilla’s work to make PDFs easier and safer to use on the Web might actually strengthen the technology’s position.


FTC, Senate ratchet up Google antitrust probes

The Federal Trade Commission and the U.S. Senate appear to be stepping up their antitrust investigations of Google, a development that could prove perilous for the Mountain View, Calif.-based company, which is already fending off a formal investigation in Europe.

The FTC is planning to serve Google with civil subpoenas as part of an examination of market power in Google’s search advertising business, according to a report this morning in The Wall Street Journal.

A Google representative declined to comment on any discussions with the FTC or the possibility of a broad antitrust investigation.

Google has shed market share to Microsoft over the past year, according to data released last week by research firm Compete.

It’s dropped from 73.9 percent to 63.6 percent, while Microsoft’s Bing has increased its market share to 17 percent.

So far, at least, Google has managed to avoid experiencing what happened to Microsoft at the hands of an ungentle Justice Department, which filed a broad antitrust suit in the late 1990s that eventually included a demand that the Redmond, Wash., company be split into halves.

In 2001, a federal appeals court rejected a breakup but allowed the rest of the case to proceed.

Microsoft was not exactly eager to compromise with Washington, D.C., regulators and bureaucrats. Chief Executive Steve Ballmer once said “to heck with Janet Reno,” the attorney general during the Clinton administration.

For a while, it sounded like Microsoft founder Bill Gates was channeling capitalist doyenne Ayn Rand, saying in 1998 that the technology industry’s successes were due to lack of interference from Uncle Sam, and claiming that “the government is still trying to slow Microsoft down.”

It even launched a Web site, FreeToInnovate.com, which let like-minded souls send a pointed note to their member of Congress.

Google, by contrast, has shown more of a willingness to compromise: In March, it settled an FTC investigation into Google Buzz by agreeing to 20 years of privacy oversight.

A few days later, it inked a deal with the Justice Department, including non-discrimination terms, that let it buy ITA Software for $700 million.

Most prominently, Google abandoned a proposed advertising partnership with Yahoo at the last minute, a move that avoided a near-certain DOJ antitrust lawsuit.

Also this week, a U.S. Senate committee probing antitrust and Internet search topics is threatening to subpoena Google CEO Larry Page or Chairman Eric Schmidt to testify at a hearing that will be held before the August recess.

These types of tussles over witness lists are commonplace: politicians know that a CEO’s appearance will draw more press attention, so they tend to ask for it.

But when Apple was pressed for details about location privacy by a Senate committee last month, it sent a vice president, not CEO Steve Jobs.

Google has been reluctant to provide either Page or Schmidt for the Senate antitrust subcommittee’s hearing, saying other executives would be more appropriate.

Utah Sen. Mike Lee, the senior Republican on the panel, said yesterday he was “very disappointed in Google’s response.”

“We’re in talks with the subcommittee and will send an executive who can best answer their questions,” a Google spokesman said this morning.

Google has proposed David Drummond, its senior vice president and chief legal officer, who also heads its business development and acquisition teams, as the executive best able to address the committee’s concerns.

In 2007, Drummond testified before the Senate antitrust subcommittee about the antitrust implications of the Google-DoubleClick merger.

A year later, he returned to the same panel to discuss the proposed advertising relationship with Yahoo.

A June 10 letter to Google from Lee and Wisconsin Sen. Herb Kohl, the Democratic chair of the subcommittee, said: “A hearing on this important topic would be incomplete without the direct perspective and views from one of Google’s top two executives, each of whom has played a prominent role at the company throughout the last decade.”


LulzSec claims attack on US police website

The hacking collective LulzSec says it has hacked into the website and database of the Arizona Department of Public Safety (DPS) and released details of staff, emails and correspondence on public file-sharing sites.

A number of DPS officers told the Associated Press that they had been inundated with calls to their home and mobile phones from strangers on Thursday night, and that they were trying to change their numbers.

A DPS spokesman confirmed that the agency’s computer system had been breached and was taking additional security safeguards that he wouldn’t disclose.

The hackers said they had specifically targeted the department in that state because of its tough immigration law “and the racial profiling anti-immigrant police state that is Arizona”.

Arizona has introduced tough identification laws which have been criticised by President Obama and others.

However, they have been frozen due to legal challenges.

But even as the details were being released, pressure was growing on the group from rival hackers unhappy about what they see as a lack of discretion in the choices of its targets.

LulzSec has taken credit for hacking into Sony Pictures Europe, a number of games sites including Eve Online and Sega, defacing the PBS website and attacking the CIA website, the US Senate computer systems and the UK’s Serious Organised Crime Agency.

The collective said on its website that it was releasing “hundreds of private intelligence bulletins, training manuals, personal email correspondence, names, phone numbers, addresses and passwords belonging to Arizona law enforcement.”

The LulzSec group also said it planned to release “more classified documents and embarrassing personal details of military and law enforcement” every week but it was unclear whether other Arizona agencies were targeted.

Meanwhile rival hackers, including one called The Jester – an ex-US military member – have been concentrating on tracking down the group’s website and identifying its members.

The Jester said on Twitter on Thursday that he had traced the Lulz Security website to an ISP in Malaysia, and provided a program for people to help track it down.

Other hackers are also trying to gather data about the group, which the Guardian understands was weakened earlier this month after some members worried about the outcome of attacking US government sites.

In the UK one man, Ryan Cleary, has been arrested by the police and charged with offences under the Computer Misuse Act relating to attacks on a number of sites including Soca’s.

The Maricopa County Sheriff’s Office in Arizona was taking unspecified countermeasures to protect its computer system, officials there said on Thursday night.

Manuel Johnson, a spokesman for the FBI’s Phoenix division, said the agency was aware of the situation but couldn’t comment on whether the FBI was investigating it.

The Arizona Republic reported that experts worked Thursday evening to close external access to DPS’ system.


Winklevoss twins end legal row with Facebook

The Winklevoss brothers, Harvard contemporaries of Facebook founder Mark Zuckerberg, have ended their legal battle with the social network.

They reached a $65m ($41m) settlement in 2008, after claiming that Mr Zuckerberg stole their idea.

The legal spat was immortalised in the film “The Social Network”.

In January they attempted to reopen the case, claiming that they should have received more shares.

They sought to undo the settlement of $20m in cash and $45m in stock – now worth more than $100m.

A US appeals court ruled in April that they could not back out of the deal.

The pair had threatened to go to US Supreme Court to overturn the decision but have now said they will not pursue it.

They offered no statement on what had prompted their decision to abandon the suit.

The twins originally argued that Mr Zuckerberg had stolen their idea after he was hired by them to code their ConnectU site in 2003.

Facebook has always rejected the claims but agreed to the 2008 settlement to end what it called “rancorous litigation”.


FBI targets cyber security scammers

A gang that made more than $72m (£45m) peddling fake security software has been shut down in a series of raids.

Co-ordinated by the FBI, the raids were carried out in the US, UK and six other countries.

The money was made by selling software that claimed to find security risks on PCs and then asked for cash to fix the non-existent problems.

The raids seized 40 computers used to do fake scans and host webpages that tricked people into using the software.

Account closed

About one million people are thought to have installed the fake security software, also known as scareware, and handed over up to $129 for their copy.

Anyone who did not pay but had downloaded the code was bombarded with pop-ups warning them about the supposed security issues.

Raids conducted in Latvia as part of the attack on the gang allowed police to gain control of five bank accounts used to funnel cash to the group’s ringleaders.

Although no arrests are believed to have been made during the raids, the FBI said the computers seized would be analysed and its investigation would continue.

The raids on the gang were part of an international effort dubbed Operation Trident Tribunal.

In total, raids in 12 nations were carried out to thwart two separate gangs peddling scareware.

The second gang used booby-trapped adverts to trick victims.

Raids by Latvian police on this gang led to the arrest of Peteris Sahurovs and Marina Maslobojeva who are alleged to be its operators.

According to the FBI, the pair worked their scam by pretending to be an advertising agency that wanted to put ads on the website of the Minneapolis Star Tribune newspaper.

Once the ads started running, the pair are alleged to have changed them to install fake security software on victims’ machines that mimicked infection by a virus.

On payment of a fee the so-called infection was cured. Those that did not pay found their machine was unusable until they handed over cash.

This ruse is believed to have generated a return of about $2m.

“Scareware is just another tactic that cyber criminals are using to take money from citizens and businesses around the world,” said assistant director Gordon Snow of the FBI’s Cyber Division in a statement.


LulzSec takes down Brazil government sites

Hacker group LulzSec said it has taken two Brazilian government Web sites offline.

The sites Brasil.gov.br and Presidencia.gov.br were both unavailable as of the time this story was written, ZDNet UK can confirm.

“TANGO DOWN brasil.gov.br & presidencia.gov.br LulzSecBrazil”, LulzSecBrazil tweeted in the early hours of Wednesday morning.

The outage, which probably stemmed from a distributed denial-of-service (DDoS) attack, follows the arrest yesterday by the Metropolitan Police’s Central e-Crime Unit of a 19-year-old man who they suspect is involved with the group.

LulzSec has denied that the individual, who it names as Ryan Cleary, is part of the group.

“Ryan Cleary is not part of LulzSec; we house one of our many legitimate chatrooms on his IRC server, but that’s it,” the group tweeted last night.


Google reaches 1 billion users

Google and the various websites it owns were used by more than a billion people for the first time in May.

The landmark figure, revealed in new data from ComScore, shows an 8.4 per cent rise year on year.

Microsoft remained the second most popular destination with 905 million unique visitors in May.

This was up approximately 15 per cent over the year, but Facebook rose by 30 per cent to 714 million unique users.

Yahoo, which was overtaken by Facebook in October, saw an 11 per cent yearly rise to 689 million users.

A “global measurement panel” of 2 million users helps ComScore to compile its estimates, and the data is then refined with page-view data it receives from more than 90 of the 100 publishers of web content.

Google is one of the few publishers that does not contribute. The company declined to comment.

When ComScore first measured traffic, in 2006, Google had slightly fewer than 500 million unique users per month, with Microsoft taking the top spot with 539 million.

The addition of users to Gmail and Google has also been helped by the company’s purchase of video site YouTube.


BMW Crash-Severity Algorithm Tells Emergency Room Where it Hurts

BMW has raised automatic crash notification to a new level.

The on-board BMW Assist telematics system already calls 911 after a crash, just as many other brands do.

But BMWs can also report to the 911 call center the likely severity of occupant injuries, and now BMW says it can transmit the injury information to a nearby hospital trauma center.

BMW’s enhanced automatic collision notification (enhanced ACN or EACN) uses a sophisticated set of algorithms to instantly read the car’s crash sensor data and make an informed estimate of how to respond to the accident – police car? ambulance? helicopter? – and what injuries to look for when the victims get to the hospital or trauma center.

That quick response has the potential to save thousands of lives.

You’re in luck if you have your car crash in Miami, in a BMW.

It’s where BMW and the University of Miami’s William Lehman Injury Research Center have a cooperative project to wring out enhanced ACN.

BMW has worked with the Lehman Center since 2001 and now they’re midway through a three-year project that began in October 2009 to gather data on crashes and the value of quick, appropriate response and treatment during the golden hour, or the first hour after the crash.

If you can get the victim stabilized and to a trauma center within an hour of a bad crash, the odds of survival and recovery are highest.

The most recent announcement, this week at the Enhanced Safety of Vehicles Conference in National Harbor, Md., extends BMW’s ability to transmit extensive crash information not just to the 911 system but also directly to hospital trauma centers, starting with Miami’s Ryder Trauma Center.

With the current automatic crash notification that’s on most telematics-equipped cars (meaning they have integrated on-board cellphones for data as well as voice, such as GM’s OnStar), here’s what happens in a crash: The car senses the severity of impact, the angle of impact, multiple impacts (crash and rollover), which airbags deployed, and whether the occupants are belted, says Peter Baur, manager of product analysis at BMW of North America.

But there’s no interpretation of the data beyond: airbags-went-bang-send-help-to-this-geographic-coordinate.

Police would respond (often just a patrol car), check out the crash, then call for an ambulance or occasionally a medical helicopter, then, says Baur, “EMS would drop off the trauma patient, but not necessarily describe what the accident looked like.” Meanwhile, in the most severe cases, the clock is running down on that golden hour.

With enhanced ACN, Baur says, “We collect the sensor data, massage it, evaluate it,” and then draw conclusions as to the likely severity of the accident, the odds of severe injury, even the chances of serious hidden injuries.

That enhanced ACN information is what BMW and sibling Rolls-Royce transmit via the BMW call center to the nation’s 6,100 public safety answering points (PSAPs, or 911 call centers) and now to Miami’s Ryder Trauma Center for a Miami-area accident.

Other automakers also have just as many sensors on their cars, incidentally — but they don’t yet analyze and make recommendations based on the crash data.


British Library agrees digital deal with Google

The British Library has struck a deal with Google to make a portion of its enviable collection of 17th and 18th century texts available to search and view online.
Despite its stuffy connotations, the British Library has not shied away from the brave new digital world, with smartphone apps, Kindle deals and newspaper digitisation among its digital arsenal.
250,000 texts written between 1700 and 1870 are included in the Google deal, with the out of copyright books and manuscripts available to be read, searched and copied for free either on the British Library’s website or through Google Books.
The texts will be selected by the British Library, while Google will carry out and pay for all the digitising.

Education, education, education

Dame Lynne Brindley, chief executive of the British Library, stressed the Library’s focus on access to all:
“Through this partnership we believe that we are building on this proud tradition of giving access to anyone, anywhere and at any time. Our aim is to provide perpetual access to this historical material, and we hope that our collections coupled with Google’s know-how will enable us to achieve this aim.”
Meanwhile, Peter Barron at Google said that the project would bring old works to life in new ways:
“What’s powerful about the technology available to us today isn’t just its ability to preserve history and culture for posterity, but also its ability to bring it to life in new ways.
“This public domain material is an important part of the world’s heritage and we’re proud to be working with the British Library to open it up to millions of people in the UK and abroad.”
The deal also gives Google Books a leg up in the ebook catalogue stakes, setting it apart from competitors like the Amazon Kindle library and Apple’s iBooks.
It’s only really a bonus if you’re after 18th century texts, like an account of a stuffed Hippopotamus owned by the Prince of Orange, though.
If 19th century philosophy, history, poetry and literature are more your thing, you’d better head to the Kindle.