Related Posts

• The Pirate Bay goes to the museum ...

Read the museum’s press release translated by Google:

PRESS RELEASE 090416

Technical Museum exhibits a data server from The Pirate Bay. The server started in 2004 and had the task of connecting different computers on the Internet in conjunction with file sharing. In May 2006 seized the server of the county crime in Stockholm. In January 2008 the server returned to The Pirate Bay, and in February 2009 was acquired by the Technical Museum.

- This technical gadget must go to a museum! It has great symbolic value because it demonstrated a major problem or a great opportunity, “says Nils Olander, quartermaster of the Technical Museum.

The server can from today be seen in Sweden’s Hall at the Technical Museum.

Technical Museum collects objects that reflect the technology of human life. The museum’s task is to study technical change, as well as the visibility of these and not to avoid controversial phenomena.

Related Posts

• The Pirate Bay found guilty ...

The police conducted a raid against two apartments in Skövde on Thursday and the men were detained.

The prosecutor’s office in Stockholm believes that the men are part of an international network of file sharers and have decoded a large number of films before uploading them to the internet.

Swedish police were acting in collaboration with officers from several other European countries and raids were also carried out in Britain, Belgium, the Netherlands and Spain.

If these guys are charged under the new law, it will be interesting to see how it plays out as the outcome of the first trial will set an important precedent.

Related Posts

• IP Law passed in Sweden - Internet traffic drops 30% ...
• The Pirate Bay goes to the museum ...
• New law forces the use of Anonymizers ...

Some anonymizing companies charging $55 a year are claiming their services are overloaded from the increased demand, according to The local

It will surprise no one to see a surge in the Anonymity Service Provision (ASP) and Privacy Enhancing Technologies (PETs) in Europe as IPRED spreads across Europe. Remember Polippix?

Related Posts

• IPRED law begins to bite - 2 arrested ...
• IP Law passed in Sweden - Internet traffic drops 30% ...

The law will allow courts to order ISPs to hand over information that identify suspected illegal file sharers.  The belief is that commercial infractions of intellectual property law within the EU will eventually be criminalised.

Proponents of the law are already excited because they believe the law is working - having no other explanation for the sudden drop in traffic.

On the same day that the law came into effect, five audio book publishers  applied to the courts to trace a suspected file sharer. They suspect the person behind a particular IP address has been distributing copyrighted material illegally.

It will be interesting to see how this law will operate but with this level of zeal by publishers of digital material it is probably not surprising to have such a drop in traffic

Related Posts

• IPRED law begins to bite - 2 arrested ...
• New law forces the use of Anonymizers ...

Related Posts

• Hypervisors benchmarked - VMware not happy ...
• IBM’s answer to the Endpoint Security problem ...

Information about Worm:Win32/Conficker.D (Info about conficker from Microsoft Malware Protection Center)

The 7 Most Important Things to Know About Conficker (From PCMAG’s Security Watch)

Know Your Enemy: Containing Conficker (From the Honeynet Project)

Detecting Conficker with Nessus (From Tenable)

Containing Conficker (Also published by the Honeynet Project)

No related posts.

The scammer, who is a “college student in Nigeria has been sentenced to 19 years in prison for scamming an Australian woman out of $47,000 online by pretending to be a widowed white businessman desperately in love with her”, CNN reports.

Nurudeen [the scammer] pretended to be a 57-year-old British engineer working with a multinational company in Nigeria. He told her his wife and only child had died in a road accident in Lagos, the former capital of the country.

“He sent the picture of a white man to the victim to foreclose any suspicions,” police said. The woman agreed to marry him.

A few weeks later, Nurudeen called the woman pretending to be a doctor. He told her that her fiance had been in an accident and needed money for treatment.

The woman obliged, the commission said.

Nurudeen let two weeks pass. He then called the woman again, thanking her profusely for her kindness and telling her that he would like to visit her in Australia. He asked her for airfare, cash for customs clearance and other incidentals, police said.

Quite a harsh but clear message.

No related posts.

The aim?

When it comes to hypervisors, there are many choices now. That’s good news for consumers, who were much more limited even one year ago. Still, when admins go shopping, they look first at hypervisors from VMware Inc. (ESX), Microsoft (Hyper-V) and Citrix Systems Inc. (XenServer). Given that situation, we wanted to do a side-by-side, exact comparison under identical conditions to determine which of these is the best-performing product. After all, the hypervisor is still the engine that drives virtualization, even with all the management and third-party products built on top.

The test favoured Microsoft who had some nice things to say about the results and its publishers:

Rick Vanover and his editor, Keith Ward, deserve kudos for securing VMware approval for the performance comparison without jeopardizing journalistic integrity. Way to go! … We’re pleased to see Hyper-V won 4 of the 11 tests (the others going to XenServer by a less than a horse length).

Microsoft has linked the results to its official blog here

Citrix did not underperform; but it also did to outshine its competitors so it is silent - so far.

The results did not validate VMware’s position as the market leader and so not surprisingly, they are unhappy. VMware has challenged the methodology of the benchmark and has criticised Microsoft for being too quick to accept the results:

It was a benchmark unlike any we’d seen before and it left us scratching our heads because there were so few details and the results made no sense whatsoever. Of course, Microsoft didn’t let the benchmark’s flaws stop them from linking to the article claiming it as proof that Hyper-V performs better than other hypervisors.

You can read about their full reaction here

Of course for those of you considering a hypervisor for your company, you have enough information to begin your search.

Related Posts

• XenServer enterprise edition now available for free ...

They basically set up a small botnet and asked the zombied PCs to spam two email accounts they had set up on Gmail and Hotmail.

What caught my eye was the sheer number of spam that got through both Hotmail and Gmail. For their size, I would think both Google and Microsoft could do much better.

Either their spam filtering technology is  flawed or they have decided to “loosen up” to reduce false positives . I say this because as was explained in the clip, only the sender and subject of the spam changed. The body remained the same and yet 1,271 messages got through to the hotmail account (5,464 got caught)  and 888 got through Gmail (2,948 got caught).

I’m not sure what the final numbers were but the sneak peek was enough to convince me that  more could be done.

No related posts.

The IBM ISS solution delivers endpoint security management designed to address two major problems in the industry today: the escalating cost of security and the growing complexity of endpoint security management…

I think Big Blue is pretty serious about stamping its big blue feet on the security space as the release of this product partly demonstrates.

What is different about this approach to desktop security though is that it allows many small talented security vendors to plug and play thus allowing  customers to still have best-of-breed security. If the trend of such partnerships (between big and small security vendors) continues the whole security industry will benefit.

The product called Proventia Endpoint Secure Control will  allow companies to deploy ( and hopefully easily manage) best-of-breed endpoint products such as

• intrusion prevention systems
• firewalls
• network access control
• data protection devices
• data loss prevention software
• endpoint encryption
• security configuration and compliance
• patch management
• anti-virus/anti-malware

IBM appears to be in sync with the desire of many companies to reduce the number of security vendors they deal with, maintain best-of-breed security and have a simpler way of managing these products.

Companies today face a dilemma, they either have to choose between managing dozens of point security products separately to meet their needs or lock into one vendor who doesn’t. The single vendor suites in the marketplace today are often a result of multiple security acquisitions that haven’t been adequately integrated so that customers still need to manage separate point products.

IBM itself suffers from the same problem of “multiple security acquisitions that haven’t been adequately integrated” because over the past few years they have acquired Internet Security System (ISS), Consul Risk Management, Watchfire, Encentuate etc. If they’d have to wait to integrate the products from these acquisitions, they’ll be out of the market in no time.

Smart move by IBM I think.

Related Posts

• Will your security vendor go bankrupt? ...

“Hackers are rarely embraced as being friends, but in this instance it is important to thank the team at Hackersblog for bringing these issues to our attention,” he said.

I may be wrong about this but it just feels especially strange after  appearing to deflect responsibility for the exposure

the hack had exposed a weakness only in partner site search.property.telegraph.co.uk … the problem being highlighted does not affect the main telegraph.co.uk site … the affected site was closed down  immediately to revise the two-year-old third-party code to eliminate the issues that Hackersblog identified.

Is it really so that he was totally unaware of vulnerabilities in his web applications when the Telegraph has been reporting breaches for years? ( here, here, here, and even as recently as last week, etc)

BTW the site - search.property.telegraph.co.uk - is still undergoing maintenance

No related posts.

In response to this changing market dynamic the big boys (IBM, Cisco, EMC etc) are repositioning their products to be attractive to smaller budgets. That puts start-ups and smaller security vendors in a tough spot.

An article here discusses  interesting pros and cons of sticking with big security vendors in these tough times.

Will you stick with a small security vendor or move to the big vendors.

Related Posts

• IBM’s answer to the Endpoint Security problem ...
• XenServer enterprise edition now available for free ...

In 1982 Johnson & Johnson the company making Tylenol had to contend with a major financial and image problem when contaminated Tylenol capsules caused the deaths of 7 people. Investigators discovered that someone had filled Tylenol capsules with solid cyanide compound and replaced the original Tylenol bottles with poisoned ones in some supermarkets and drug stores.

What is noteworthy is the series of actions taken by Johnson & Johnson. It distributed warnings to hospitals and distributors and stopped Tylenol production and advertising, issued a nationwide recall of Tylenol products with an estimated retail value of over US$100 million. The company also asked the public not to consume any products containing Tylenol. “When it was determined that only capsules were tampered with, they offered to exchange all Tylenol capsules already purchased by the public with solid tablets.” In the middle of the scare, the market share of Tylenol shrunk from “35% to 8% but it rebounded in less than a year a move credited to J&J’s prompt and aggressive reaction”.

What is the lesson?

I think most service providers can learn a lot from the approach of being proactive about breach disclosure, being open and honest with the public and actually doing something about the vulnerability that caused the breach in the first place.
This is especially true for companies in the EU which are not mandated to notify users of compromised data.

Granted the Tylenol case involved human life so the public/media reaction will always be bigger but the principle is the same.

Spotify is adopting a similar strategy keeping track of concerned users comments on their blog and addressing them. From the user comments, it is clear that many are understandably not happy but I also read quite a number that were pleased with effort being made to address their concerns. For a small company and the nature of the breach, they have done what many credit-card-number-storing companies failed to do.

Notes:
1. Dont store more information than NECESSARY
2. Notify users early and have mitigating plans before crises boils over
3. Be open and honest with the public
4. Encourage users to use strong passwords
5. Actually DO something about the vulnerability

No related posts.

This is a mail I received from Spotify this evening

Dear Spotify user,

Last week we were alerted to a group that managed to compromise
our protocols. After investigating we concluded that this group
had gained access to information that could allow testing of a
very large number of passwords, possibly finding the right one.
The information was exposed due to a bug that we discovered and
fixed on December 19th, 2008. Until last week we were unaware
that anyone had had access to our protocols to exploit it.

Along with passwords, registration information such as your email
address,birth date, gender, postal code and billing receipt
details were potentially exposed. Credit card numbers are not
stored by us and were not at risk. All payment data is handled
by a secure 3rd party provider.

If you have an account that was created on or before December 19th 2008,
we strongly suggest that you change your password and strongly
encourage you to change your passwords for any other services
where you use the same password.

When choosing your password we provide you with an indicator of
the password strength to help you choose a good one. To change
your password please visit your profile page on our website.

https://www.spotify.com/en/account/profile/

For the technically minded amongst you, the information that may
have been exposed when our protocols were compromised is the
password hashes. As stated, we never store passwords, and they
have never been sent over the Internet unencrypted, but the
combination of the bug and the group’s reverse-engineering of
our encrypted streaming protocol may have given outsiders access
to individual hashes.

The hashes are salted, making attacks using rainbow tables unfeasible.
Short or otherwise bad passwords could still be vulnerable to
offline targeted brute-force or dictionary attacks on individual
users, but you could not run attacks in parallel. Also, there
has been no known breach of our internal systems. A complete user
database has not been leaked, but until December 19th, 2008 it was
possible to access the password hashes of individual users had
you reverse-engineered the Spotify protocol and knew the
username.

We are really sorry about this and hope you accept our apologies.
We’re doubling our efforts to keep the systems secure in order
to prevent anything like this from happening again.

Regards,
The Spotify Team

Its definitely better than not being informed even though I wish Spotify had discovered it much earlier.

Related Posts

• Companies can learn from the Tylenol-Cyanide case ...
• Telegraph CIO thanks folks at Hackersblog ...

In the latest case a national database called “the Emergency Care Summary system, which holds the details of 2.5million people in Scotland” was breached. The millions include the Prime Minister - Gordon Brown - other high politicians and a BBC journalist.

The report added that “everyone affected has been informed by letter. There does not appear to be any suggestion of the information being used for anyone’s financial or personal gain”

Well there’s hardly an accidental data breach especially by external entities, I’d venture. There’s always a reason why a breach occurred and the reasons are usually not very innocent.

I’m not familiar with the data breach notification law in the UK but one wonders whether any one would have been notified had the breached occured on database of ‘ordinary’ persons.

If the UK draws its data privacy laws from the EU then I’m sure they are still waiting for the EU whip which will someday be cracked.

No related posts.

I think the concept is very good because it addresses an important security gap in virtual environments.

Virtualization will no doubt leap frog as corporate downsizing increases (and hypervisors become free). We will soon see a host of network security vendors flooding the virtual firewall market as significant traction is shown in this area.

What I find lacking is platform coverage. The Virtual firewall from Altor Networks works only for VMware and so are others I have heard about being planned for release. Are we going to see something for Hyper-V and XenServer?

Does anyone know of a commercial/open source virtual firewall for Xenserver and/or Hyper-V?

Related Posts

• Hypervisors benchmarked - VMware not happy ...
• XenServer enterprise edition now available for free ...
• Will your security vendor go bankrupt? ...

**********************************

The life of tech support is hard! If you don’t believe me see here

No related posts.

Features packed into the 64-bit XenServer Enterprise edition include an enterprise management software called XenCenter, VM live migration technology, resource sharing  and the enterprise storage management.

This offer makes VMware’s offering (VMware ESXi) look like child’s play.

Time for small data centers to think green and virtualize whiles saving on electric bills and hardware costs. Yes you can eat your cake and have it!

But you’ll have to wait until end of March 2009 to download the free copy.

Related Posts

• XenServer enterprise edition now available for free ...
• Hypervisors benchmarked - VMware not happy ...
• IBM’s answer to the Endpoint Security problem ...

The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer’s debit card to generate one-time codes for both login and transaction authentication …. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous weaknesses that are due to design errors such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses.

The paper discusses vulnerabilities in the protocol but also highlights some policy implications such as shifting liability to customers. Probably the one worrying weakness with the design is the personal harm it can bring to the customer:

Previously, muggers marched a victim to an ATM to ensure he gave them the right PIN. Now, with CAP, criminals have a portable device that will tell them if their victim is lying. While the EMV protocol always permitted such a device to be built, that requires technical skill, and wasn’t in practice done. CAP has made the capability ubiquitous. It reduces the risk to muggers, as now they can keep their victims in a quiet place, and not risk being caught or seen by CCTV by going near an ATM. It would have been easy enough for the banks to design CAP without revealing the result of the PIN verification, but they failed to foresee the risk.

Good thing Ross Anderson and group keep higlighting these dangers to the public.

No related posts.