Saturday, 24 December 2011

Watch out for fake virus alerts


Watch out for fake virus alerts

Example of a warning from a rogue security program known as AntivirusXP
Rogue security software, also known as "scareware," is software that appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions.


How does rogue security software get on my computer?

Rogue security software designers create legitimate looking pop-up windows that advertise security update software. These windows might appear on your screen while you surf the web.
The "updates" or "alerts" in the pop-up windows call for you to take some sort of action, such as clicking to install the software, accept recommended updates, or remove unwanted viruses or spyware. When you click, the rogue security software downloads to your computer.
Rogue security software might also appear in the list of search results when you are searching for trustworthy antispyware software, so it is important to protect your computer.

What does rogue security software do?

Rogue security software might report a virus, even though your computer is actually clean. The software might also fail to report viruses when your computer is infected. Inversely, sometimes, when you download rogue security software, it will install a virus or other malicious software on your computer so that the software has something to detect.
Some rogue security software might also:
  • Lure you into a fraudulent transaction (for example, upgrading to a non-existent paid version of a program).
  • Use social engineering to steal your personal information.
  • Install malware that can go undetected as it steals your data.
  • Launch pop-up windows with false or misleading alerts.
  • Slow your computer or corrupt files.
  • Disable Windows updates or disable updates to legitimate antivirus software.
  • Prevent you from visiting antivirus vendor websites.
Rogue security software might also attempt to spoof the Microsoft security update process. Here's an example of rogue security software that's disguised as a Microsoft alert but that doesn't come from Microsoft.

Example of a warning from a rogue security program known as AntivirusXP.
For more information about this threat, including analysis, prevention and recovery, see the Trojan:Win32/Antivirusxp entry in the Microsoft Malware Protection Center encyclopedia.
Here is the legitimate Microsoft Windows Security Center:
Screenshot of legitimate Microsoft Windows Security Center
Screenshot of legitimate Microsoft Windows Security Center.

To help protect yourself from rogue security software:

  • Install a firewall and keep it turned on.
  • Use automatic updating to keep your operating system and software up to date.
  • Install antivirus and antispyware software such as Microsoft Security Essentials and keep it updated. For links to other antivirus programs that work with Microsoft, see Microsoft Help and Support List of Antivirus Vendors.
  • If your antivirus software does not include antispyware software, you should install a separate antispyware program such asWindows Defender and keep it updated. (Windows Defender is available as a free download for Windows XP and is included in Windows Vista.)
  • Use caution when you click links in email or on social networking websites.
  • Use a standard user account instead of an administrator account.
  • Familiarize yourself with common phishing scams.

If you think you might have rogue security software on your computer:

Scan your computer. Use your antivirus software or do a free scan with the Microsoft Safety Scanner. The safety scanner checks for and removes viruses, eliminates junk on your hard drive, and improves your PC's performance.
Get help from a Microsoft partner. If you have trouble removing the software yourself, you can enter your zip code to find experts in your area

Thursday, 15 December 2011

Facebook virus alert


Facebook virus alert: Worm hidden in image of two blondes

By  | November 29, 2011, 1:55pm PST
Summary: A new worm is spreading on Facebook: once downloaded, it tempts the user into opening it by masquerading as a screensaver with a thumbnail image of two blonde women.
A new piece of malware is spreading across Facebook by leveraging either stolen account credentials or possibly a rogue app. This one is a worm that is being shared via malicious links on the social network, according to the Danish website CSIS, which listed the following domains as sources for the malware:
vinamost.net
ferry.coza
maximilian-adam.com
bacolodhouseandlot.com
servi ceuwant.com
centralimoveisbonitoms.com.br
weread.in.th
villamatildabb.com
fionagh-bennet-music.co.uk
ukseikatsu.com
bzoe-salzkammergut.at
delicescolres.com
dekieviten.nl
If one of your Facebook friends has had his or her account compromised, you may be tempted to click on a link seemingly posted by them. What appears to be a screensaver, with a thumbnail image of two blonde women, will be downloaded onto your computer.
This is in fact a worm: do not download it and do not open it. If you think you have been affected, please read Facebook virus or account hacked? Here’s how to fix it.
When the file is opened, it attempts to download further malware, including a popular Trojan called Zeus. This type of malware can take over your computer and/or attempt to steal your banking information.
The malware’s code is written in Visual Basic 6.0 and includes ways of tricking users on virtual machines. The source appears to be a compromised Israeli website, which is no longer hosting the file in question. Still, hackers can always use additional websites to continue spreading their malware.
As a general word of caution, don’t click on everything your Facebook friends share on the social network. I have contacted Facebook to learn if it has blocked any unusual activity related to this latest worm and if it has any more information to offer.
Update: “Almost all of the domains listed in the article were already blocked by our mitigation efforts, however, we are constantly monitoring the situation and are in the process of blocking domains as we discovered them,” a Facebook spokesperson said in a statement. “We have internal systems in place configured specifically to monitor for variations of the spam and are working with others across the industry to pursue both technical and legal avenues to fight the bug.

Patch Tuesday December 2011


Patch Tuesday December 2011

Kurt Baumgartner
Kaspersky Lab Expert
Posted December 14, 13:10  GMT
Tags: Microsoft WindowsMicrosoft Internet ExplorerMicrosoft,Vulnerabilities and exploits
0.4
 

Microsoft finishes out this year of patching with a heavy release that's all over place. While techs were notified of an anticipated 14 bulletins, 13 were released for the month of December. Headline grabbing events and code are addressed in one of them, and while fewer are labelled "Critical", are they any less important?
Many speculative bits have been spilled on the group behind Stuxnet and its precursor Duqu, with our own researchers posting at least a half dozen Securelist writeups on Duqu findings alone. MS11-087 patches up the delivery vector for Duqu itself. This kernel mode vulnerability was publicly identified and confirmed at the beginning of November, but could well have been used quietly in attacks around the world for a year or more.
The targeted functionality provides TrueType font parsing capabilities for the OS, and the group abused these components by delivering exploits in the form of Word Documents attached to emails interesting to their individual victims, a technique known as spear-phishing. The flawed code has been known to impact only a very select set of systems throughout the world.
The other headline grabbing event and code that was anticipated to be released is known as the SSL BEAST vulnerability. We covered the potential hysteria surrounding the Ekoparty conference demo in Argentina a couple of months ago, where a researcher demonstrated SSL being cracked on a Windows system. There were no public reports whatsoever of this flaw being attacked, and Microsoft is delaying its release to ensure that its browser cannot be hacked in this way without compatibility issues, following the lead of Google Chrome and Firefox.
A slew of other patches were released this time around, with Internet Explorer, Powerpoint, and other components, including the Chinese font producing Pinyin IME component, all being updated. It's interesting that even Microsoft considers exploit code likely to be published for at least a dozen of them, but does not consider many of them critical for admins to patch. One that stands out as a candidate for "Critical" in my book is the Active Directory problem. Organizations that have been under persistent targeted attacks may consider this one to be very urgent, with Domain Controllers and Active Directory of high interest to their adversaries in past attacks.

Gulf Manorama | Gulf News | Latest News

Gulf Manorama | Gulf News | Latest News

Monday, 12 December 2011

Building Cities on the ocean


Building Cities on the ocean - Seastead

Seasteading: Libertarians dream of creating self-ruling floating cities. But can the many obstacles, not least the engineering ones, be overcome? 


THE Pilgrims who set out from England on the Mayflower to escape an intolerant, over-mighty government and build a new society were lucky to find plenty of land in the New World on which to build it. Some modern libertarians, such as Peter Thiel, one of the founders of PayPal, dream of setting sail once more to found colonies of like-minded souls. By now, however, all the land on Earth has been claimed by the governments they seek to escape. So, they conclude, they must build new cities on the high seas, known as seasteads.



It is not a completely crazy idea: large maritime structures that resemble seasteads already exist, after all. Giant cruise liners host thousands of guests on lengthy voyages in luxurious surroundings. Offshore oil platforms provide floating accommodation for hundreds of workers amid harsh weather and high waves. Then there is the Principality of Sealand, a concrete sea fort constructed off Britain’s coast during the second world war. It is now occupied by a family who have fought various lawsuits to try to get it recognised as a sovereign state.

Each of these examples, however, falls some way short of the permanent, self-governing and radically innovative ocean-based colonies imagined by the seasteaders. To realise their dream they must overcome some tricky technical, legal and cultural problems. They must work out how to build seasteads in the first place; find a way to escape the legal shackles of sovereign states; and give people sufficient reason to move in. With financing from Mr Thiel and others, a think-tank called the Seasteading Institute (TSI) has been sponsoring studies on possible plans for ocean-based structures and on the legal and financial questions they raise. And although true seasteads may still be a distant dream, the seasteading movement is producing some novel ideas for ocean-based businesses that could act as stepping stones towards their ultimate goal.

Floating some ideas
Seastead designs tend to fall into one of three categories: ship-shaped structures, barge-like structures based on floating pontoons and platforms mounted on semi-submersible columns, like offshore oil installations. Over-ordering by cruise lines means there are plenty of big, second-hand liners going cheap. Ship-shaped structures can pack in more apartments and office space for a given cost than the other two types of design, but they have a big drawback: their tendency to roll in choppy seas. Cruise ships can sail around storms, but static seasteads need to be able to ride them out. And the stabilisers on big cruisers only work in moderate seas and when the ship is moving.




 Enthusiasts have proposed a wide range of designs for seasteads


Pontoon-type structures, or giant barges, are the cheapest of the three options, but they are even more vulnerable than ships to choppy seas. Shipbuilders like Mitsubishi Heavy Industries of Japan have proposed various designs for floating cities based on massive “mega-float” pontoons, with skyscrapers towering above the waterline. But these would only work in calm, shallow waters—and these tend to be within land-based governments’ territorial limits. George Petrie, a former professor of naval architecture at the Webb Institute in New York state who is writing a series of technical papers for TSI, has calculated that even in a relatively benign stretch of water off Hawaii, such structures would leave their residents pretty groggy much of the time.

As oil companies drilling in ever deeper waters have demonstrated, structures built on floating columns are the most rugged, though they are more expensive than ship- or pontoon-type vessels. The shipbuilding industry has plenty of experience in making them, but the expectations of comfort among the permanent residents of a seastead will be much greater than on an oil platform, where workers are paid well for short tours of duty in relative discomfort. Even in placid weather, floating-column structures bob up and down as the sea heaves beneath them, which can make people seasick. To prevent the vessel from drifting due to currents and winds, seasteads may need dynamic-positioning thrusters, but these would increase costs. In waters less than 1,800 metres deep, Mr Petrie calculates, a cheaper option would be to moor the platform to the seabed. As it happens, there are a number of barely submerged islands off the coast of California, the location of preference for early seasteaders. Alas, they tend to be volcanoes.

Even once a viable blueprint for the structure of a seastead is produced, the technical challenges are not over. The more it relies on land-based supplies of fuel and water, the harder it will be to achieve the libertarian dream of escaping the evil ways of existing governments. At sea there is plenty of wind and wave energy, and occasionally sunshine, but building renewable-energy systems that can survive harsh ocean conditions is even harder and more costly than designing land-based ones. Another problem is communication. Satellite-based connections are slow and expensive. Laying a fibre-optic cable would be difficult. A point-to-point laser or microwave link might work, suggests Michael Keenan, the president of TSI. But that would rely on a land-based transmitting station, again making the seastead reliant on landlubbers.

The long arm of the law
The technical challenges are daunting enough. The legal questions that seasteads would face are no less tricky, and call into question whether it would really be possible to create genuinely self-governing mini-states on the oceans. Until seasteaders are ready to cut their ties with the land altogether, they will want to build their colonies not much more than 12 nautical miles (22km) offshore—the limit of countries’ territorial waters—otherwise travelling to and from the seastead will take too long. But the laws of the sea give countries powers to enforce some criminal laws up to 24 nautical miles out and to regulate some economic activities in a 200-mile “exclusive economic zone”. Ships are granted exemptions, but a seastead tethered to the seabed would not qualify.

Some countries (notably America) assert the right to extend their jurisdictions, in matters affecting their citizens, across the entire planet. And like any other seagoing structure, a seastead would be obliged to register with a “flag state”, to whose maritime laws it would be subject. Some flag states are lax about enforcement but if, say, America disapproved of the goings-on aboard a seastead, it could lean on such states to get tough—and offer enforcement on their behalf. In the 1960s Britain’s government shut down pirate-radio ships not by sending the navy to attack them but by banning British suppliers and advertisers from doing business with them.

In all, the leaders of the seasteading movement concede that they will have to avoid getting into anything too provocative—drugs, pornography or money-laundering, for example. As for taxes, America already demands that its citizens pay income tax even when they are living abroad—and that would include living on a seastead. There is nothing to stop other countries following suit and indeed getting extraterritorial about other taxes too. Until seasteaders are able to bank their money with independent, ocean-going financial institutions, they may not be able to escape the taxman’s clutches.
“The ideal builders of seasteads may not be small groups of innovators, but giant engineering firms.”
And escaping the taxman may not, in any case, be enough of an incentive to lure residents to a seastead. Despite their stated preferences even libertarians, it seems, prefer to live in over-regulated, high-tax places like London and New York. Mr Keenan notes ruefully that the Free State Project, a scheme started ten years ago to get 20,000 people to move to New Hampshire and vote in a libertarian local government, has had little success so far. Unless a seastead were the size of Manhattan its citizens would have to forgo the cultural life, the parks and the wide choice of shopping and restaurants offered by large cities. The most realistic designs produced so far would reduce residents to living in cabins that, however sumptuously kitted out, would be little bigger than a typical millionaire libertarian’s bathroom.

Some seasteaders think the way forward is to build less ambitious offshore communities to demonstrate the potential of the idea. By basing themselves just outside countries’ territorial waters to avoid some of their laws, floating habitats could show land-based governments how such things as low taxes, light regulation and free access for foreign workers can produce wealth without ill effects. Such ocean-based businesses could be a step on the way to true seasteads.

Stepping stones to a seastead
In 2010 a group of marine engineers produced a detailed design study for the ClubStead—a floating resort city which would sit perhaps 100 nautical miles off the Californian coast, with 70 staff and 200 guests. It would combine the comforts of a cruise ship with the resistance to wind and waves of an oil platform, which its design closely resembles. Seven storeys of buildings would be cantilevered off the columns and, in an idea borrowed from bridge design, its extensive open decks are slung from cables. There would be solar panels (and gardens) on the roofs of these buildings, but the ClubStead would also rely on diesel power. It would make its own fresh water from seawater and have two helipads and a dock for boats.

 
How the ClubStead might look

The ClubStead design study includes a lot of detailed work on wind and wave resistance, construction methods, and so on. But its authors admit that much more would need to be done to produce a full blueprint ready for a shipyard to start building it. Nigel Barltrop, professor of naval architecture at Strathclyde University in Scotland, says he has “little doubt that you can do something like this and make it work”. But he thinks the structure may need further reinforcement to prevent fatigue—think of all of those metal joints constantly creaking in the waves. Otherwise the result could be a disaster like the collapse in 1980 of the Alexander Kielland, a floating accommodation block for North Sea oil workers, which broke apart and capsized, killing 123 people.

Besides its moderately spacious apartments, the ClubStead would have room for either a casino resort or a “medical tourism” centre. Many of the staff could be non-Americans who would otherwise struggle to get visas. They could spend most of the time aboard, taking occasional shore leave on tourist visas. The designers reckon it would cost $114m—less than some land-based luxury hotels—of which the biggest item is constructing and kitting out the apartments, at just under $50m. Running costs would be $3.4m a year.

A breakaway group from TSI is working on a simpler and cheaper idea called Blueseed. The idea is to convert a cruise liner into an offshore “incubator” for small, high-tech start-ups and position it just outside American territorial waters off California. The attraction for the start-ups is that they would be able to hire foreign engineers and scientists without the hassle of getting work visas for them.

Dario Mutabdzija of Blueseed says chartering and adapting a cruise ship should cost $15m-50m, depending on its size, and the combined rent for a tenant’s living quarters and office space might be around $2,000 a month, comparable with costs in Silicon Valley. So far the project is at the seed-capital stage, working to overcome venture capitalists’ doubts about getting involved in something subject to maritime law, an unfamiliar matter. Another problem, Mr Mutabdzija admits, is that it is unclear how American officials will choose to interpret the complex and vaguely worded immigration laws. He hopes that they will “just leave us alone for a while and see how it goes”.

If the sort of “just-offshoring” approach of the ClubStead and Blueseed projects can prove itself, it might be attractive for several industries in which large revenues are generated by relatively small numbers of skilled people, and which are subject to onerous taxes or regulation. Financial trading, gambling and cosmetic surgery are obvious candidates. Private hospitals could provide new treatments that have been approved by other countries but not by America’s sluggish regulators.

Rather than deciding in advance which line of business will be a seastead’s livelihood, Mr Petrie has a more Darwinian idea, one that libertarians should warm to: create a large expanse of floating “land” in mid-ocean and rent it out to whoever wants it. Individual homes and business premises would be winched aboard on cranes and bolted down. If their owners don’t pay the rent, they could be lifted out and replaced. The seastead thus “evolves and finds its way”, says Mr Petrie. He has set himself the objective of making the cost of living on a seastead not much more than the average for upper-middle-income housing in a typical American city.

Linguists quip that a dialect is a language without an army and a navy to enforce its status. Theologians likewise say that a cult is simply a church that lacks political clout. Seasteads may end up as wannabe sovereign states without the means to defend their autonomy against land-based governments. The first ones to overcome the many technical challenges, raise the money to construct their vessels and set out for the open seas will be quite dependent on terrestrial authorities’ goodwill. But countries short of available land, or whose leaders are struggling to pass liberalising reforms against resistance from vested interests, may tolerate limited experiments in low-tax, rule-free self-government. So the seasteaders may be in with a chance.

Who will jump in first?
Given the huge costs and risks involved, perhaps the ideal builders of seasteads will not be small groups of innovators like the Blueseed team, but giant engineering firms such as Mitsubishi, India’s Tata group or Samsung of South Korea. Indeed, as Mr Keenan notes, the most viable political model for a seastead may not be a libertarian democracy but an enlightened corporate dictatorship.
Sceptics will say that floating pies in the sky are more likely to materialise than floating cities on the oceans. But the seasteaders are undeterred. Nobody anticipated the immense variety of uses that would be dreamed up for the internet, Mr Keenan observes, and the same may apply to the idea of creating colonies on the high seas. As Mr Petrie puts it: “All that is lacking is for the first one to go into the water and say, ‘Hey, come on in, the water’s fine.’”

Saturday, 10 December 2011

Google Chrome is the Most Secured Browser


Chrome is the most secured browser - new study

Firefox finishes last in 3 browser security race
Free whitepaper – IBM System Networking RackSwitch and IBM System Networking solutions


Google Chrome offers more protection against online attacks than any other mainstream browser, according to an evaluation that compares exploit mitigations, malicious link detection, and other safety features offered in Chrome, Internet Explorer, and Firefox.
The 102-page report, prepared by researchers from security firm Accuvant, started with the premise that buffer overflow bugs and other security vulnerabilities were inevitable in any complex piece of software. Rather than relying on metrics such as the number of flaws fixed or the amount of time it took to release updates, the authors examined the practical effect protections included by default in each browser had on a wide class of exploits.
Their conclusion: Chrome is the most secured browser, followed closely by Microsoft IE. Mozilla's open-source Firefox came in third, largely because of its omission of a security sandbox that shields vital parts of the Windows operating system from functions that parse JavaScript, images and other web content.
"We found that Google Chrome did the most sandboxing," Chris Valasek, who is a senior research scientist for Accuvant, told The Register. "It restricted the movements more than any other browser. Internet Explorer came up a close second because it implemented a sandbox where you could do certain things but you were allowed to do more things than you could in Chrome. Lastly, Firefox came in last because it didn't implement a sandbox yet."
The report was commissioned by Google, but the authors insist they had complete autonomy in deciding what metrics to use and what conclusions they made. The researchers have released more than 20MB worth of data, software tools, and methodologyso peers may review or build upon the research. The study focused solely on the security offered by Chrome, IE, and Firefox, which when combined account for more than 93 percent of web users, according to the report. All three browsers tested were run on Windows 7.
Their finding is backed up by anecdotal evidence, as well. Chrome has emerged unscathed during the annual Pwn2Own hacker contest for three years in a row, something no other browser entered has done. Reports of in-the-wild exploits that target the browser are also extremely rare.

Not all sandboxes are equal

In much the way traditional sandboxes prevent sand from mixing with grass on a playground, security sandboxes isolate application code inside a perimeter that's confined from sensitive OS functions. By placing severe restrictions on an application's ability to read and write to the hard drive and interact with other peripheral resources, sandboxes are designed to lessen the damage attackers can do when they successfully exploit a vulnerability in the underlying code base.
The so-called token in the Chrome sandbox, for instance, doesn't allow browser processes to access files outside of an extremely limited set of directories. It also forbids them from creating connections known as network sockets to communicate directly with servers over the internet. The sandbox in IE, by contrast, allows browser resources to read almost all parts of a hard drive and puts few restrictions on the creation of network sockets, the researchers said.
As a result, attackers who exploit a vulnerability in the Microsoft browser will have an easier time accessing contacts, documents, and other data stored on the hard drive of a targeted computer and uploading it to a command and control server.
"The Google Chrome token is far more restrictive," said Accuvant Chief Research Scientist Ryan Smith, who compared tokens to a driver's license that spells out what vehicles a holder is permitted to drive and other conditions, such as whether eyeglasses are required. "It's more like a learner's permit, whereas the Internet Explorer token is more like a Class C regular driver's license."
The researchers analyzed each browser's ability to read files, write files, and perform 13 other actions. As indicated in the graphic below, Chrome blocked all but two of them. Of those, one known as "system parameters" was partially blocked. IE, meanwhile, completely blocked only two actions, and partially blocked seven more actions. Seven additional actions, including the ability to read files, access networks, and create processes, were completely unrestricted.
In last place was Firefox, which allowed nine actions and partially blocked the remaining six actions