News

Google gives UK government “super flagger” status for YouTube

Google has granted the UK security services privileged 'super flagger' status over YouTube videos, enabling the government to demand instant screening of videos it deems threaten national security. The new powers are supposedly intended to help the go...

WhatsApp pooh-poohs report of security flaw

Claims of security hole involving SD cards don't paint an accurate picture, say the makers of the popular chat app. March 13, 2014 5:38 AM PDT The people behind WhatsApp are rebutting a report contendi...

Google to encrypt searches in response to NSA surveillance claims

Google has begun routinely encrypting web searches conducted in China as it rolls out a more robust and secure system for handling search traffic. The system is being implemented in response to revelations over widespread surveillance being conducted ...

Antivirus Software Not So Useless as People Say: Report

While companies continue to call out the antivirus industry for the malware it misses, NSS Labs says that most criticism is based on misconceptions.

Antivirus software has gotten a bad rap, even though the programs continue to help protect firms and raise the bar for attackers, according to a report released on March 11 by research firm NSS Labs. The report finds that antivirus software has largely been criticized based on two-decades-old misconceptions.

The software running on users' computers does far more than matching patterns, or signatures, for known threats. Instead, it uses a variety of technologies—from firewalls and host intrusion detection to behavioral heuristics and anomaly detection—to find what is likely to be malicious software, or malware, Randy Abrams, research director at NSS Labs, told eWEEK. Today's anti-malware software—the term "antivirus" is another holdover from the days of a less complicated threat—does the equivalent of the credit check required by a bank, looking at a variety of factors to assess risk, he said. "If you want a loan at a bank, you have to have a reputation that they call a credit score," Abrams said. "If you have a low credit score, it does not mean you wouldn't pay the bank back; it just means that you are a greater risk."

Despite increasingly nuanced detection strategies, the antivirus industry has become the punching bag of the security industry, mainly because it is the last line of defense against the compromise of a computer that could, and most often does, lead to a major breach. When a computer is infected with malware, users do not blame the firewall or the network intrusion-detection system—they criticize the software that protects the endpoint, Abrams said. When Chinese hackers infiltrated The New York Times, for example, the media latched onto the fact that only a single program used by the attackers was detected by the Symantec anti-malware. In fact, only 24 percent of the malware used in similar incidents has historically been detected by any endpoint-security solution, according to a Mandiant report. While Abrams may sound like an apologist for the endpoint-protection software industry, he is not.

The industry has evolved better defenses but still has not done enough, Abrams said. Because attackers have time to test against the major antivirus products and find ways to circumvent their defenses, no software program can protect the endpoint indefinitely. Yet, rather than resign themselves to that fact, anti-malware firms need to evolve and build a more holistic defense against attackers, not only detecting and blocking bad software, but detecting signs of a compromise, and helping users remediate it, before the breach gets worse, he said. "When some other companies detect a breach, the antivirus firms look bad, but when their software detects the breach, then they look like they are doing their job," Abrams said. "By taking on both tasks, they are creating a much better system of security."

Google fixes 7 Chrome security holes just before CanSecWest

The day before two annual Google-sponsored hacking contests kick off at a security conference in Vancouver, Google tidies up some of Chrome's loose ends. March 12, 2014 6:21 PM PDT Google has fixed seven security flaws in Chrome, just a day bef...

Honor the Web’s 25th Birthday by Upholding Its Founding Principles

NEWS ANALYSIS: Tim Berners-Lee urges net citizens to become activists who uphold the spirit of open collaboration that made the World Wide Web great.

Apple’s ludicrous demand in next trial: Samsung must pay $40 per...

New demand dwarfs licensing fees charged by Microsoft, and it will go to the jury.

WordPress Feature Leveraged to Launch DDoS Attacks

Core functionality in the open-source content management system is being abused to attack others.

Abusers are leveraging a feature in the popular WordPress open-source content management system to launch distributed denial-of-service (DDoS) attacks, according to multiple sources. Todd Redfoot, chief information security officer at GoDaddy, told eWEEK that he started to see an uptick in WordPress attacks in late February. The attacks leverage the XML-RPC (Remote Procedure Call) "pingback" functionality in WordPress. XML-RPC is legitimately used within WordPress as the mechanism by which one site notifies another that it has linked to one of its posts (a pingback).

The pingback allows content owners to track where their content is getting linked. Redfoot noted that GoDaddy put countermeasures in place in late February to mitigate the XML-RPC DDoS risk, but has seen another big spike in activity during the first two weeks of March. Security firm Sucuri is also seeing a large uptick in WordPress-related DDoS activity. Sucuri reported March 10 that it is aware of more than 162,000 WordPress sites participating in the DDoS activity. Security blogger Brian Krebs reported March 12 that his own site is being attacked by 41,000 WordPress blogs. Back in April 2013, Web security firm Incapsula warned about the WordPress DDoS risk. On March 11, Incapsula posted a visualization of the current WordPress DDoS attack hitting its network, fueled by 10,700 WordPress sites.

The current WordPress DDoS attack is particularly dangerous in that there is no patch that WordPress users can deploy to mitigate the risk. Daniel Cid, CTO of Sucuri, told eWEEK that his firm is seeing attacks from all versions of WordPress. "They patched a similar flaw recently, but not this one, which allows for a site to be misused for DDoS," Cid said. "It is actually one of these pingback features that can be misused to attack others. So, yes, 3.8.1 is still affected." WordPress 3.8.1 is the most recent update of WordPress and was released at the end of January.

Mitigation

From GoDaddy's perspective, the risk of the WordPress DDoS attack is twofold. GoDaddy hosts WordPress Websites from which attacks can originate, and, as a hosting provider, it is also a target of DDoS attacks. GoDaddy is employing both inbound and outbound measures to protect its customers and its own infrastructure, Redfoot said, explaining that GoDaddy has multiple layers of technology that are being used to monitor traffic and mitigate risk. A key challenge of this particular attack is that it leverages a legitimate feature that some users need.

"It's not a vulnerability in the WordPress platform; it's core functionality, and WordPress is reacting as it was designed to react," Redfoot said. The question is one of volume: the DDoS occurs when a large number of pingback requests overwhelms the targeted host. Redfoot suggested that setting the right threshold for normal pingback activity is one of many ways GoDaddy is dealing with the risk. Users who don't need pingback functionality can also disable it in their own WordPress installations, he said. "This attack won't go away because it works," Redfoot said. "So I hope, over time, we'll see more solutions and maybe a WordPress core tweak to try and distinguish good versus bad traffic."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
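The mechanism described in this article, as an added example (not code from WordPress, GoDaddy or Sucuri): the pingback.ping call an abuser sends to each reflecting site, the check a reflector can run on an incoming body before it makes any outbound fetch, a per-caller threshold of the kind Redfoot describes, and victim-side triage of an access log to count which WordPress sites are reflecting. The log lines are constructed for this example; the "WordPress/<version>; <site>" User-Agent used to attribute reflected requests, and the threshold of five calls per minute, are assumptions, not values from the article.

```python
"""Pingback reflection: request shape, reflector-side checks, victim-side triage.

Added example, not code from WordPress, GoDaddy or Sucuri. Log lines are
constructed; the User-Agent format used to identify reflectors and the
per-minute threshold are assumptions.
"""
import re
import xmlrpc.client
from collections import Counter


# --- 1. The abused call -----------------------------------------------------
# pingback.ping(sourceURI, targetURI) is POSTed to a reflector's /xmlrpc.php.
# The abuser sets sourceURI to the victim and targetURI to any post on the
# reflector; the reflector fetches sourceURI to verify the link, so the
# victim receives one request per reflector per call.
def build_pingback(victim_url: str, reflector_post_url: str) -> bytes:
    """Serialise the XML-RPC body an abuser would send to a reflector."""
    return xmlrpc.client.dumps(
        (victim_url, reflector_post_url), methodname="pingback.ping"
    ).encode()


def parse_pingback(body: bytes):
    """Reflector side: return (sourceURI, targetURI) if `body` is a well-formed
    pingback.ping call, else None. Runs before any outbound fetch is made."""
    try:
        params, method = xmlrpc.client.loads(body.decode("utf-8"))
    except Exception:  # malformed XML or non-UTF-8 body
        return None
    if method != "pingback.ping" or len(params) != 2:
        return None
    return params


# --- 2. Reflector side: threshold on pingback callers ------------------------
def noisy_pingback_clients(events, window_s=60, limit=5):
    """events: (unix_ts, client_ip) pairs for pingback.ping calls received.
    Returns the client IPs that issued more than `limit` calls inside any
    `window_s`-second span. `limit` stands in for the 'normal pingback
    activity' threshold; its value here is an arbitrary assumption."""
    by_ip = {}
    for ts, ip in events:
        by_ip.setdefault(ip, []).append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:  # slide window forward
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
                break
    return flagged


# --- 3. Victim side: which WordPress sites are reflecting at us? ------------
# Constructed combined-format access-log lines. Assumption: the verification
# fetch identifies itself as "WordPress/<version>; <reflector site>".
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2014:10:15:01 +0000] "GET /?1834=9921 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example"
203.0.113.7 - - [12/Mar/2014:10:15:02 +0000] "GET /?5530=1177 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example"
198.51.100.22 - - [12/Mar/2014:10:15:02 +0000] "GET /?7310=2086 HTTP/1.0" 200 5120 "-" "WordPress/3.7.1; http://blog-b.example"
192.0.2.33 - - [12/Mar/2014:10:15:03 +0000] "GET /about/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
203.0.113.7 - - [12/Mar/2014:10:15:04 +0000] "GET /?6402=3358 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
WP_UA_RE = re.compile(r"^WordPress/(?P<ver>[\d.]+); (?P<site>\S+)$")


def reflectors(log_text: str) -> Counter:
    """Count hits per reflecting site from WordPress-UA requests in the log."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ua = WP_UA_RE.match(m.group("ua"))
        if ua:
            hits[ua.group("site")] += 1
    return hits


if __name__ == "__main__":
    for site, n in reflectors(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {site}")
```

The reflector-side pieces are the ones a site owner controls: parse_pingback rejects anything that is not a two-argument pingback.ping before the site makes an outbound fetch, and noisy_pingback_clients is the kind of per-caller threshold Redfoot mentions. The victim-side count is what lets a target report which sites are reflecting, as Krebs and Incapsula did.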

Microsoft Pushes Privacy in Education

The company says that it protects kids from risks to their private information while taking a moment to bash Google. Data privacy is a touchy topic these days. When it affects kids, Microsoft is making its stanc...

Volunteers in metadata study called gun stores, strip clubs, and more

Stanford research shows even when offering up metadata, it's very revealing.

NSA’s automated hacking engine offers hands-free pwning of the world

With Turbine, no humans are required to exploit phones, PCs, routers, VPNs.

Feinstein Goes Public With CIA’s Dirty Practices, Snowden Rolls Eyes

Sen. Dianne Feinstein has accused the CIA of illegally tampering with an investigation into U.S. interrogation practices.

A day after National Security Agency (NSA) whistleblower Edward Snowden told South by Southwest (SXSW) attendees that U.S. government agencies' mass surveillance techniques are "setting fire to the future of the Internet," U.S. Sen. Dianne Feinstein, D-Calif., went public with what she said was a CIA Internet scandal that for months she had been trying to resolve in a "discreet and respectful way." "However, the increasing amount of inaccurate information circulating now cannot be allowed to stand unanswered," Feinstein said during a March 11 speech on the Senate floor.

Feinstein alleges that after the Senate Intelligence Committee received approval, in 2009, to conduct an "expansive and full review" of CIA detention and interrogation practices that went into effect in 2002, the CIA searched Senate committee computers, as well as a separate network drive containing committee members' work and internal notes, and removed hundreds of pages of documents while the investigation was underway.

Sen. Lindsey Graham, R-S.C., responded to Feinstein's speech by saying that if what Feinstein said is true, "this is Richard Nixon stuff. This is dangerous to a democracy. Heads should roll. People should go to jail, if it's true. The legislative branch should declare war on the CIA, if it's true," NPR reported March 11. Sen. John McCain, R-Ariz., the report added, called it "very disturbing," while according to the Wall Street Journal, former CIA General Counsel John Rizzo, who was involved in overseeing the interrogation program, dismissed Feinstein's account of events as a "pissing contest about committee access."

In her nearly 40-minute speech (the Guardian has posted a full transcript), Feinstein explained that after receiving approval to begin the investigation, the committee requested that it be sent the relevant documents. However, then-CIA Director Leon Panetta instead suggested providing "literally millions of pages of operational cables, internal emails, memos, and other documents pursuant to the committee's document requests at a secure location in Northern Virginia." Panetta, Feinstein and then-committee Vice Chairman Christopher Bond agreed that the CIA would provide the committee with a stand-alone computer system and a network drive that would be "segregated from CIA networks." Before handing over the sensitive documents—6.2 million pages—the CIA had them reviewed not only by a committee at a CIA facility but also, at great cost and loss of time, by outside consultants, said Feinstein. When the documents finally arrived, they weren't indexed and included no electronic search tools, but the committee ultimately developed practices for dealing with and setting aside notable materials.

In May 2010, committee staff realized that certain documents that had been provided were suddenly no longer accessible, and on two occasions Feinstein, heading the committee, learned that CIA personnel had electronically removed documents—in one instance a group of roughly 50 documents and in another, approximately 870 documents. Feinstein went to the White House to complain and received an apology and assurances that the CIA would stop removing documents.
Later, the committee came across drafts of what would later become known as the "Internal Panetta Review," a detailed account of what The New York Times would later call "particularly scorching" interrogation techniques, such as waterboarding. "What was unique and interesting about the internal documents was not their classification level, but rather their analysis and acknowledgement of significant CIA wrongdoing," said Feinstein.