Scientists at Sandia National Laboratories in Livermore have set up a supercomputing cluster of over 1 million Linux kernels as virtual machines. They did so in hopes of better understanding how botnets operate.
"The sheer size of the Internet makes it very difficult to understand in even a limited way," said Ron Minnich, one of the researchers. "Many phenomena occurring on the Internet are poorly understood, because we lack the ability to model it adequately. By running actual operating system instances to represent nodes on the Internet, we will be able not just to simulate the functioning of the Internet at the network level, but to emulate Internet functionality."
To make the project possible, Sandia used its Albuquerque-based 4,480-node Dell high-performance computer cluster, known as Thunderbird. It took 250 virtual machines coupled with the physical units in Thunderbird to run the more than one million Linux kernels. And this is just the beginning.
"It has been estimated that we will need 100 million CPUs by 2018 in order to build a computer that will run at the speeds we want," said Minnich.
Two security researchers warned on Saturday that if you use cPanel to administer your website, or use certain Linksys or Netgear routers, you're leaving yourself open to web-based attacks that could potentially take control of your systems.
The attacks are based on CSRF, or cross-site request forgery, which can be exploited simply by surfing to the 'wrong' website, say Russ McRee of HolisticInfoSec.org and Mike Bailey of Skeptikal.org.
"CSRF is bad stuff," Bailey said at the Defcon hacker conference in Las Vegas. "It's a very under-appreciated vulnerability, and it's all over the place. Because it usually gets rated as a pretty minimal issue, it almost never gets fixed, and that means we have these kinds of holes all over."
When a victim visits a malicious website while logged in to the program, the attack is able to trick cPanel into carrying out sensitive commands by duping the device into thinking they came from the victim. And it doesn't look like this will be fixed anytime soon.
"The response I got from cPanel was we can't fix this because it's a feature," Bailey said. "Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this."
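The request-forgery pattern described above, as an added Python example that is not code from the researchers or from cPanel: one handler trusts the session cookie alone, the other also checks the Origin header and a per-session token. The session store, the origin `https://panel.example`, the action name and both request dictionaries are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed)
SESSIONS = {"sess-abc123": "admin"}    # constructed session store: cookie -> user
PANEL_ORIGIN = "https://panel.example"  # hypothetical origin of the admin panel


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session; embedded only in forms the panel itself serves."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_vulnerable(request: dict) -> str:
    """Authorises on the session cookie alone. The browser attaches that cookie
    to every request for the panel, including ones another site triggered."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return "401 not logged in"
    return f"200 {request['action']} executed as {user}"


def handle_hardened(request: dict) -> str:
    """Also requires proof that the request was built by the panel's own page."""
    session_id = request["cookies"].get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 not logged in"
    # Browsers set Origin on cross-site POSTs; a foreign value is rejected.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != PANEL_ORIGIN:
        return "403 cross-origin request"
    # A foreign page cannot read the token, so it cannot supply it.
    supplied = request["form"].get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, issue_csrf_token(session_id).encode()):
        return "403 missing or invalid CSRF token"
    return f"200 {request['action']} executed as {user}"


# Constructed requests: the cookie is identical, only the originating page differs.
forged = {"cookies": {"session": "sess-abc123"}, "action": "change_password",
          "headers": {"Origin": "https://other-site.example"}, "form": {}}
genuine = {"cookies": {"session": "sess-abc123"}, "action": "change_password",
           "headers": {"Origin": PANEL_ORIGIN},
           "form": {"csrf_token": issue_csrf_token("sess-abc123")}}

if __name__ == "__main__":
    for name, req in (("forged", forged), ("genuine", genuine)):
        print(name, "|", handle_vulnerable(req), "|", handle_hardened(req))
```

The forged request succeeds against the first handler because nothing distinguishes it from the victim's own; the second handler rejects it while still accepting the genuine form submission.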
According to Apple, you should think twice before jailbreaking your iPhone to run software that hasn't been approved for distribution through the iPhone App Store. Should you decide to do it anyway, cellphone towers could come under "potentially catastrophic" cyberattacks, Apple says.
In a filing with the Copyright Office, which is considering a request by the Electronic Frontier Foundation to legalize the practice of jailbreaking, Apple wrote:
"A local or international hacker could potentially initiate commands (such as a denial of service attack) that could crash the tower software, rendering the tower entirely inoperable to process calls or transmit data. Taking control of the BBP software would be much the equivalent of getting inside the firewall of a corporate computer -- to potentially catastrophic result."
Apple went on to say that the technological protection measures in the iPhone were specifically designed to avoid such scenarios, and jailbreaking would undo all of that.
Fred von Lohmann, the EFF attorney who has requested that consumers have the legal right to jailbreak iPhones, isn't buying Apple's claims.
"As far as I know, nothing like that has ever happened," von Lohmann said in an interview. "This kind of theoretical threat is more FUD than truth."
The U.S. House Committee on Oversight and Government Reform is taking a hard stance against peer-to-peer file sharing, claiming the practice is "jeopardizing" national security.
"At any time your computer is connected to the Internet, other computer users with similar software could simply search your hard drive and copy unprotected files. Unfortunately, that is the sad reality for many unsuspecting computer users," said Chairman Edolphus Towns.
Towns went on to single out LimeWire, a popular P2P file sharing program, noting a startling amount of sensitive data made freely available by using the app. In addition to music and movies, Committee staff also unearthed federal tax returns, the Social Security numbers and family information for every master sergeant in the Army, medical records of about 24,000 patients of a Texas hospital, FBI files, and the safe house location for the First Family.
Naturally, Mark Gorton of the Lime Group saw things differently.
"I am confident that with LimeWire 5.2.8 any sharing is intentional sharing. LimeWire does not share any Documents by default," Gorton explained.
Two high-profile security professionals -- security researcher Dan Kaminsky and former hacker Kevin Mitnick -- were targeted by hackers this week in what appears to be an attempt to call into question the duo's credibility right on the eve of the Black Hat and DefCon security conferences.
"There are people who just live press release by press release," the hackers wrote in a note posted on Kaminsky's website. "And on top of it all, somehow you STILL have not got rid of Kevin Mitnick. The industry cares about virtualization one year and iPhones the next, every year forgetting the lessons it should have picked up in the last."
The hackers also stole personal data and posted it online, which included private emails between Kaminsky and other security researchers, very personal chat logs, and a list of files Kaminsky downloaded that pertain to dating and other topics, Wired reports.
After discovering a flaw in the DNS protocol, Kaminsky received the Pwnie award for the "Most overhyped security vulnerability" at Black Hat 2008. Mitnick was once considered "the most wanted computer criminal in United States history" by the government but has been accused by some in the hacking community of living off a dated reputation.
During the Black Hat conference in Las Vegas this week, Microsoft plans to provide a progress report on the security initiatives that it launched last summer, as well as release new security tools to better equip IT professionals and security researchers.
"There's a race between attackers and defenders and if we want to win, we have to share information," said Mike Reavey, director of the Microsoft Security Response Center.
One way the software maker plans to do this is by releasing the Microsoft Office Visualization Tool, a utility which provides a graphical overview of the Office binary file format. According to Microsoft, the software will make it easier for programmers to understand how attacks target Office files, noting that most malware attacks application vulnerabilities and not the OS itself.
"In order to build protections, you have to understand how a specific file format is meant to be used, so then you can understand how it's being misused," Reavey added.
During the conference, Microsoft also plans to release Project Quant, an online information resource designed to provide organizations with a framework for evaluating the cost of patch management processes. In addition, the company plans to release the Microsoft Security Update Guide, a publication that explains the entire Microsoft update process, and publish a report titled "Building a Safer, More Trusted Internet Through Information Sharing."
Thanks to Billy Hoffman and Matt Wood, a pair of researchers at Hewlett-Packard who recently created a browser-based darknet, businesses may soon rest easier knowing their confidential information is safe from prying eyes.
For the uninitiated, a darknet consists of an encrypted peer-to-peer network most often used to communicate files between private groups of people. Darknets are often difficult for the average user to set up and maintain, but the HP researchers say that won't be the case for "Veiled," the name they've given to their browser-based darknet project.
"This will really lower the barriers to participation," Wood told ZDNet UK. "If you want to create a darknet, you can send an encrypted email saying, 'Here's the URL.' When (the recipient visits) the website, the browser can just get (the darknet application) going."
Perhaps best of all, Wood said HP isn't interested in turning the project into a commercial product and has no desire to patent or copyright it. Instead, Wood and Hoffman plan to open source their idea (but not the source code), so that other security researchers can "pick up the baton."
Some Apple iTunes users who have AVG installed were in for a bit of a surprise last weekend when the antivirus app alerted them to the presence of a Trojan in their music software and blocked it from loading. If you're one of those users, rest assured it was a false positive.
"Unfortunately, a recent virus database update resulted in iTunes being detected as a Trojan by AVG security products," the company explained in a statement. "We can confirm that it was a false alarm. AVG immediately released a new virus database update (definition file 270.13.29/2260) that corrected this issue."
The update came just five hours after the false positive was first reported and was "automatically released to all users by 5:30AM CET," AVG says. Prior to the update, AVG had placed several iTunes DLL files in quarantine, which prevented the music service from working.
If for some reason iTunes still isn't working after applying the update, AVG suggests restoring the deleted iTunes files from the AVG Virus Vault. To do this:
Open the AVG user interface
Choose the "Virus Vault" option from the "History" menu
Locate the iTunes file that was incorrectly removed and select it (one click)
Forget about sophisticated attacks and increasingly complex malware schemes, the biggest threat to a company's security might be social networks and the employees who use them.
So says security firm Sophos, which reports that 63 percent of sysadmins worry about employees sharing too much information on Facebook, MySpace, and other social networking portals, ultimately putting their corporate infrastructure -- and the sensitive data on it -- at risk.
"Evidence shows that their worry is justified," Sophos wrote in the July 2009 update to its Security Threat Report. "In June 2009, the personal information belonging to the incoming head of MI6 was exposed to the entire Facebook network, when his spouse allowed members of the 'London' network to view her profile."
Sophos listed several other examples to back the claim, including a MySpace user losing over $210,000 in an email scam after his "Nigerian cyber-pal started asking for money to help her ailing mother."
But Sophos was quick to warn that completely denying access to social networking sites isn't the answer. Doing so runs the risk of driving employees to find a way around the ban, creating an even bigger risk and less oversight by the IT staff.
Think your browsing history is secure from prying eyes so long as you never leave your PC unattended? Think again. A new site, Web2.0collage.com, digs through your browser's history and then constructs a collage of the web2.0 websites that you've visited.
"Web2.0collage.com mixes art and technology to raise privacy concerns," the site states on its homepage. "Many of us consider our browser history to be private, but that is no longer the case. Any website you visit can determine your browser history by exploiting the very features designed to enhance your Internet experience, a fact many people are not aware of."