News: cloudcomputing congress Europe 2010
Well for quite some time I’ve been thinking about whether to attend the conference. As per the website the advantages of attending the conference are:
- Establish and Develop a strong partnership program
- Exchange information on innovative Cloud Technologies
- Hear what leading Cloud Computing Providers have to say
- How can Cloud Computing benefit your business, from a small start up to a leading brand
- Meet and network with End users, IT professionals, Leading IT providers and vendors
- What are the risks of entering ‘The Cloud’
- Leverage competitive advantage from our other conference stream: Social Media World Forum, Social TV, Mobile Social Media & Enterprise
- Listen and get an insight into the future of Cloud
I am quite interested in the “risks” and “perspective of users” about the cloud computing industry and its future. After attending SFDC’s CloudForce2 event in London I was quite impressed with their product but the security issues about the cloud industry were sadly not addressed by anyone. I hope that I might get to meet some people from security who know what and why (fingers crossed) they are switching to the cloud industry.
The congress has an impressive line-up of professionals from various domains, and I believe the event might be a fruitful one. Here is part of the list of the speakers as per the site:
- Jason Hart, Senior Vice President, CRYPTOCard
- Scott Dobson, Managing Director, Cloud Distribution Ltd
- Kenneth Verlage, CIO, DHL Express
- Adrian Steel, Head of Infrastructure Management, Royal Mail
News: Cloud Congress In London
I am looking forward to attending the cloudcomputing congress Europe event on the 15th & 16th of March at Olympia, London. The highlights of the show include:
- 2 days of free workshops and exhibitions over 15th/16th March, 1 day Cloud Conference on 16th March
- Building partnerships in the Cloud ecosystem: Free exhibition and workshops designed to build partnerships between systems integrators, application providers, OEM partners, distributors, and service providers.
- Designed for the CIO and IT manager, the Cloud Computing Congress event & conference examines SaaS, PaaS, software, the technical challenges, and how the applications outlined in Enterprise Social Media can be controlled and managed in the Cloud.
- A practical guide on cloud computing for your business - how your business can benefit, the value proposition, and the impact on the IT function
- Building and managing applications in the cloud - how to manage and control applications and resources in the cloud environment
- Learn from key cloud computing deployments - their successes and failures
News: Minister, one of "Big four" prey to latest scam
Cabinet minister Ed Miliband was left embarrassed after apparently sending saucy messages to thousands of people on social networking site Twitter. Mr Miliband's unusually personal message, which was delivered to around 7,000 of his followers at breakfast time yesterday, boasted: 'hhey, i've been having better sex and longer with this here'.
The 'tweet', which appeared alongside a picture of a smiling Mr Miliband, was followed by a link to another website. Followers are friends and other subscribers who have signed up to receive any messages sent by a certain user. The Energy Secretary later admitted that he had become prey to an internet sex scam sweeping Westminster. In a genuine tweet, he wrote: 'Oh dear, it seems like I have fallen victim to Twitter's latest "phishing scam".' Mr Miliband was not the only person at Westminster to be targeted by internet hijackers. Harriet Harman, leader of the Commons, also revealed that a tweet had been sent from her account without her knowledge to a surprised Alan Duncan, Tory prisons spokesman.
News: Cloud or No Cloud- UK Govt. evaluates its options
Whitehall IT chiefs have been warned by the intelligence agency GCHQ that security problems with cloud computing could foil their plans to use the technology to slash the cost of public services. The assessment forms part of the first report of the Cyber Security Operations Centre (CSOC), seen by The Register.
The new internet intelligence gathering unit, located at GCHQ's "concrete doughnut" in Cheltenham, will begin operations next month. "Cloud computing could form an important part of government cost-cutting exercises, but cloud computing hosts are likely to want to site their storage where it is cheapest for them to do so, which may mean that sensitive information or intellectual property is physically stored in another country, potentially one which might have an interest in using the information for its own purposes," CSOC says.
The report was prepared for the Cabinet Office, which sets overall government IT strategy. CIO John Suffolk recently promoted cloud computing technology and use of private providers as ways to cut costs. "You can't have hundreds of data centres and tens or even hundreds of networks. You have to ask 'Do we need to do all this ourselves?'," he said.
"I just don't think it's a suitable model for the next ten years."
However, CSOC sounds a more sceptical tone. It explains that while for some users cloud computing will bring security benefits, because malware protection will be managed by the service provider, the risks could be great.
News: Hacker exposes Government
To the horror of Latvia's political establishment, a mysterious group of computer hackers is threatening to expose the incomes of top officials after stealing millions of government tax records.
The group, calling itself the People's Army of the Fourth Awakening, claimed to have downloaded more than 7.5 million documents, including VAT receipts and income tax returns from the State Revenue Service after exploiting a security loophole on its website.
One hacker used the name Neo, in apparent tribute to the hero of The Matrix films, in which a vast system for enslaving humanity is exposed. "The purpose of the group is to unmask those who gutted the country," Neo told the Latvian television current affairs program Kas Notiek Latvija in an interview posted on its website. Neo has been hailed as a digital Robin Hood by disgruntled Latvians after posting details from the documents on the internet to contrast the earnings of top officials with cuts experienced by other workers. Latvia's economy shrank by almost a fifth last year and is the weakest in the EU.
The government slashed state salaries by up to 50 per cent and raised taxes in return for an EU-led bailout that saved the country from bankruptcy as revenues slumped and unemployment jumped to 23 per cent. Neo published the salaries of Latvian police chiefs and urged rank-and-file officers to "analyse the data and determine whether the salary reform is fair".
News: Cordless phone encryption broken
Cryptographers have broken the proprietary encryption used to prevent eavesdropping on more than 800 million cordless phones worldwide, demonstrating once again the risks of relying on obscure technologies to remain secure.
The attack is the first to crack the cipher at the heart of the DECT, or Digital Enhanced Cordless Telecommunications, standard, which encrypts radio signals as they travel between cordless phones in homes and businesses and corresponding base stations. A previous hack, by contrast, merely exploited weaknesses in the way the algorithm was implemented.
The fatal flaw in the DECT Standard Cipher is its insufficient amount of "pre-ciphering," which is the encryption equivalent of shaking a cup of dice to make sure they generate unpredictable results. Because the algorithm discards only the first 40 or 80 bits during the encryption process, it's possible to deduce the secret key after collecting and analyzing enough of the protected conversation.
"This standard, as with everything else we have broken, has been designed some 20 years ago, and it is proprietary encryption," said Karsten Nohl, one of the cryptographers who helped devise the attack. "It relied on the fact that the encryption was unknown and hence could not be broken. This is a case where something that has some potential for being strong is broken by just this one design decision that in any public review would have been spotted immediately."
Nohl, 28, is the same University of Virginia microscope-wielding reverse engineer who cracked the encryption in the world's most widely used smartcard. In December, he struck again after devising a practical attack for eavesdropping on cellphone calls.
He and fellow researchers Erik Tews of the Darmstadt University of Technology and Ralf-Philipp Weinmann of the University of Luxembourg, plan to present their findings Monday at the 2010 Fast Software Encryption workshop in Korea.
Like several of Nohl's previous hacks, it began with nitric acid and an electron optical microscope. After dissolving away the epoxy on the silicon chip and then shaving down and magnifying the section dedicated to the DECT encryption, he was able to glean key insights into the underlying algorithm. He then compared the findings against details selectively laid out in a patent and exposed during a debug process.
The results of all three probe methods revealed the fatally insufficient amount of pre-ciphering in the DECT Standard Cipher.
News: Beware of Fake MS Security Essentials
Microsoft has warned Windows users to be on their guard against a piece of rogue antivirus software passing itself off as Microsoft Security Essentials. Security essentials 2010 is a piece of software Microsoft said installs a fake virus scanner on your machine and monitors and blocks processes it doesn't like. The software will also block access to websites of antivirus and malware companies and flag up a warning message. You can see the list of blocked sites here.
Security essentials 2010 blocks access by downloading a Win32/Alureon component and another Layered Service Provider component, Microsoft's David Wood wrote on the company's Malware Protection Center blog. "This LSP monitors the TCP traffic sent by various Web browsers that the user might have installed, and blocks any traffic to certain domains," Wood said.
Adding insult to injury, Security essentials 2010 charges you to scan and remove files on your machine, claiming the version you will have initially downloaded is just a trial edition. Microsoft's Security Essentials is available without charge to PC users running a genuine copy of Windows.
News: Major vulnerability in Windows?
Claims made of a major vulnerability in the Microsoft Windows operating system have been refuted.
Jan Fry, head of PCI at ProCheckUp Labs, claimed that the findings by 2X Software, revealed exclusively by SC Magazine yesterday, were a 'little sensationalist'. Yesterday, 2X Software said that with a simple piece of code, an operating system from Windows 7/Server 2008 versions to Windows 2000/Server 2003 could be crashed with malicious applications installed.
However Fry refuted this, saying that the claims indicate that code needs to be run for the vulnerability to be exploited, so an attacker cannot just send some malicious traffic to a Microsoft server and crash it. Fry said: "First scenario, someone is emailed a malicious application. They run it once and their machine crashes. This person is particularly stupid, so after rebooting, they run the executable again and once again the machine crashes. By now, even a potato would see the correlation and would stop running the executable.
News: Cryptome will take actions to court.
Microsoft Corp. today withdrew its demand that Cryptome.org yank the "Microsoft Global Criminal Spy Guide" document from its site and said it had never intended for the whistleblower's domain to be knocked off the Web. "In this case, we did not ask that this site be taken down, only that Microsoft copyrighted content be removed," said a Microsoft spokeswoman in an e-mailed statement early today. "We are requesting to have the site restored and are no longer seeking the document's removal."
The document, a 17-page guide that Microsoft prepared to show law enforcement how to obtain information about users of its online services -- including Windows Live Hotmail, the Xbox Live gaming network and the Windows Live SkyDrive storage service -- was published by John Young, who runs Cryptome.org, on Feb. 20.
Earlier this week, Microsoft demanded that Young remove the document from his site, citing the Digital Millennium Copyright Act (DMCA). When Young refused, his Internet provider shut down the site, and Network Solutions LLC, the registrar of Young's domain, put a "legal lock" on the domain name. That last move prevented him from transferring the URL to another Internet service provider.
Originally, Young had been told he had until today to remove the document from his site or face the consequences. Instead, his ISP pulled the plug and Network Solutions locked the domain name a day early, forcing him to scramble Wednesday to find a temporary home for his site.
Today, Network Solutions unlocked the domain and restored the site. Cryptome.org returned to the Web shortly before 3 p.m. Eastern time.
News: Divided opinion on Microsoft action
Security experts are split over the effectiveness of Microsoft's efforts to shut down a network of computers that spewed out 1.5 billion spam messages.
The firm persuaded a US judge to issue a court order to cripple 277 internet domains used by the Waledac botnet.
Botnets are armies of infected computers that send spam or malware.
"We aim to be more proactive in going after botnets to help protect the internet," said Richard Boscovich, the head of Microsoft's digital crime unit.
"We will do whatever it takes to look out for our customers and our brand. We hope it will spur similar actions," Mr Boscovich told the BBC.
The impact of Waledac was seen as devastating. Microsoft cited one 18-day period from 3-12 December when the botnet sent more than 650 million spam e-mails to Hotmail accounts for everything from online pharmacies to fake designer goods, jobs and more.
News: Intel admits it was attacked
Intel was targeted by "sophisticated" attacks last month, about the same time that Google reported its network had been breached, allegedly by Chinese hackers. In its annual report filed Monday with the U.S. Securities and Exchange Commission (SEC), Intel confirmed that it had been hit in January.
"We regularly face attempts by others to gain unauthorized access through the Internet to our information technology systems by, for example, masquerading as authorized users or surreptitious introduction of software," read the 10-K filing.
"These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful. One recent and sophisticated incident occurred in January 2010 around the same time as the recently publicized security incident reported by Google."
Intel did not reveal whether the attacks had accessed or stolen confidential company information, an admission that Google made last month when it broke the news that it, and other major Western corporations, had been struck with what it called "highly sophisticated and targeted" attacks.
News: Another Critical Hole in Adobe - Patched
Adobe today shipped a patch for a critical vulnerability in its Download Manager utility, warning that hackers could exploit the issue to take full control of Windows computers. The vulnerability, discovered by Aviv Raff, could potentially allow an attacker to download and install unauthorized software onto a user's system, Adobe said in an advisory. The vulnerability affects Adobe Download Manager on Windows (prior to February 23, 2010).
The Adobe Download Manager, which is used to push security patches to Windows computers, is intended for one-time use and is designed to remove itself from the computer after use at the next computer restart. However, Adobe is recommending that users verify that a potentially vulnerable version of the Adobe Download Manager is no longer installed on their machine. Here are the instructions from Adobe's security advisory
News: Google "Attack" Hacker Identified
U.S. authorities have tracked down the man who wrote the code used in the hacker attack on Google. He's a "freelance security consultant" in China, and his participation makes it even harder for the Chinese government to deny involvement. The man's role was an oblique one: while he wrote the code that took advantage of a security hole in Internet Explorer, he himself didn't do any actual hacking.
But according to the Financial Times, the Chinese government has "special access" to his work:
"If he wants to do the research he's good at, he has to toe the line now and again," the US analyst said. "He would rather not have uniformed guys looking over his shoulder, but there is no way anyone of his skill level can get away from that kind of thing. The state has privileged access to these researchers' work."
The "research he's good at," apparently, being breaking into computers and inserting spyware on them.
News: Twitter phishing, beware of new attack
Twitter users are being warned of a new phishing scam that has emerged in the last 24 hours. The official Twitter Trust and Safety account issued the warning yesterday that read "If you receive a DM asking "LOL is this you," it's not. It's phishing. Don't enter your password!" A follow-up tweet directed Twitterers who think their account might have been phished to its support website bit.ly/SecureMyAccount, which contains tips on how to determine if your account has been compromised.
It recommends that "it's best to take action as soon as possible if updates are appearing in your account that you did not intend to have posted or approve". This was closely followed by a third warning: "In general, if you see any msg, DM or no, asking "LOL is this you" or some variant, it's usually a scam/spam. Be aware of phishing attempts!"
Phishing scams try to trick web users into clicking on a link that directs them to a bogus website. The website is designed to look like an official service or institution, but has been setup to capture login and password details from unsuspecting users.
News: Facebook Gold Scam
Attention: there is no Facebook Gold account. A new scam has been released; do not fall for it. This is the attackers' way of seeking a quick profit.
Facebook pages have been set up with names like “GET YOUR UPGRADE WHILE THEIR FREE!!” The scam promises simple use of the account and freedom from advertisements. The bogus Facebook Gold page looks like a real one, but the spelling error in the page title is a clue that it is a fake. What is more, the comments are not real at all: they are just an image file which itself links to the scam web page.
Scammers make money from the quick quizzes users fill in. If you follow all the instructions, you first invite all your friends to come and check out this Gold account. If you are credulous enough, you can then click the button for the one free survey. The main goal of a survey like that is to make the user enter a mobile phone number and agree to pay an amount of money. From that moment you are signed up to a fee, starting with your first payment and recurring every week until you cancel your membership via SMS.
News: Schools hacked Google? Strange!
Two Chinese schools with links to the armed forces have become implicated as suspects in the ongoing Operation Aurora attacks against Google and at least 33 other western conglomerates last December.
Security experts, including investigators from the National Security Agency, now reckon the attacks date from April last year, far earlier than previously suspected, the New York Times reports. Although the attacks originated from China, it's by no means clear that they were orchestrated by the Chinese government. It's even possible that hackers from outside China ran, or had an involvement in, at least some of the attacks.
However one prominent strand in the ongoing investigation is focusing on two Chinese computer science facilities - Shanghai Jiaotong University and the Lanxiang Vocational School - according to unnamed investigators, the NYT reports. Lanxiang is a vocational school involved in training some military computer scientists. Jiaotong is a top flight university that runs well-regarded computer science courses.
Officials at the two schools said they are yet to hear from US investigators. An unnamed professor at Jiaotong's school of information security engineering told the NYT that students sometimes hack western websites while also noting that hijacking of its IP addresses by external hackers is commonplace. Staff at Lanxiang told The Guardian that its students were middle-school students learning skills such as Photoshop.
News: Change Your Router Default Passwords Now!
If you haven't changed the default password on your home router, you may be in for an unwanted visit from Chuck Norris -- the Chuck Norris botnet, that is.
Discovered by Czech researchers, the botnet has been spreading by taking advantage of poorly configured routers and DSL modems, according to Jan Vykopal, the head of the network security department with Masaryk University's Institute of Computer Science in Brno, Czech Republic.
The malware got the Chuck Norris moniker from a programmer's Italian comment in its source code: "in nome di Chuck Norris," which means "in the name of Chuck Norris." Norris is a U.S. actor best known for his martial arts films such as "The Way of the Dragon" and "Missing in Action."
Security experts say that various types of botnets have infected millions of computers worldwide to date, but Chuck Norris is unusual in that it infects DSL modems and routers rather than PCs.
It installs itself on routers and modems by guessing default administrative passwords and taking advantage of the fact that many devices are configured to allow remote access. It also exploits a known vulnerability in D-Link Systems devices, Vykopal said in an e-mail interview.
News: The Browser Ballot!
Over the next few weeks, Microsoft will begin offering a “Web browser choice screen” to Internet Explorer users in Europe, as required by the European Commission.
Internal testing of the choice screen is underway now. We’ll begin a limited roll-out externally next week, and expect that a full scale roll-out will begin around March 1, a couple of weeks ahead of schedule. If you are an Internet Explorer user in Europe, here is what to expect.
First, a little background. In December, the European Commission and Microsoft arrived at a resolution of a number of long-standing competition law issues. Microsoft made a legally binding commitment that PC manufacturers and users will continue to be able to install any browser on Windows, to make any browser the default browser, and to turn access to Internet Explorer on or off.
In addition, Microsoft agreed to use Windows Update to provide a browser choice screen to Windows users in Europe who are running Internet Explorer as their default browser. This browser choice screen will present a list of browsers, with links to learn more about them and install them. The design and operation of this choice screen was worked out in the course of extensive discussions with the Commission and is reflected in the commitment that Microsoft made. Users who get the choice screen will be free to choose any browser or stick with the browser they have, as they prefer.
External testing of the choice screen will begin next week in three countries: the United Kingdom, Belgium and France. Anyone in those countries who wishes to test it can download the browser choice screen software update from Windows Update. We plan to begin a phased roll-out of the update across Europe the week of March 1.