Information technology news, reviews and more

Bring more information technology news, product reviews, tips & tricks.

August 05, 2005

First potential virus risk for Windows Vista found

By Joris Evers, Staff Writer, CNET News.com

Virus writers are targeting a new Microsoft tool that will be part of Windows and is set to ship as part of the next Exchange e-mail server release.

A virus writer has published the first examples of malicious code that targets Microsoft's upcoming command-line shell, code-named Monad, according to Finnish antivirus maker F-Secure. If the technology is included in Windows Vista, these could be among the first viruses to target the new operating system formerly known as Longhorn, F-Secure said Thursday.

Monad, also known as MSH, is the replacement for the simple command shell in the current versions of Windows. A shell, also called a command line interface, allows a user to give a computer textual commands either from a keyboard or from a script. Monad has much more functionality, similar to shells in competing products such as Bash in Unix. However, by adding the ability to run more-complex scripts, Microsoft could possibly open another door to attackers.

Monad will support Windows Server 2003, Windows XP and Windows Vista, Microsoft representatives said in a Web chat late last year. However, the software maker has not disclosed how it will deliver the tool.

The examples that made it to the Web would cause little harm but could be modified, according to Mikko Hypponen, director of antivirus research at F-Secure.

Hypponen warned that if Microsoft ships Monad with Vista and it is enabled by default, this could lead to an "outbreak of scripting viruses." Microsoft may choose to ship the tool as an add-on or disable it by default to reduce the risk, he added.

Microsoft initially planned to include Monad in Vista, formerly known by its Longhorn code-name. However, company representatives have said the tool would first ship as a feature of Exchange 12, due in the second half of 2006. Monad will ship in Windows after that, they said.

Monad is available to testers but is not part of the first Windows Vista beta, which Microsoft released last week, a company representative said Thursday. The shell tool also is not included in the beta of Windows Server 2003 R2, an update to Windows Server due later this year, the representative said.

"At this time, these reports pose no risk for Microsoft customers," the Microsoft representative said.

Microsoft has yet to announce how it will deliver Monad in the Windows operating system. A source familiar with Microsoft's plans said it is too early to say whether the new shell will make it into later beta versions of Windows Vista or the final product. Windows Vista is due on store shelves by the end of 2006.

Microsoft also could offer Monad as a downloadable add-on for Windows.

In a December online chat session with developers, Microsoft representatives specifically addressed the topic of script attacks. The company is taking measures to prevent those. For example, Monad will run only scripts that are digitally signed by a trusted person. Additionally, it won't be possible to double-click on a script and have it run, according to a transcript of the session.

The possibility of viruses being aimed at Microsoft's new shell was discussed at the Virus Bulletin event last year. Eric Chien of Symantec said at the antivirus industry event that the new tool could allow the creation of both classic viruses as well as e-mail worms.


Phishers cash in on ATM cards

By Dawn Kawamoto, Staff Writer, CNET News.com

Phishing attacks have led to an estimated $2.75 billion in losses related to ATM and debit cards over the past 12 months, according to a new Gartner report.

The report, released Tuesday, includes a recent survey of 5,000 U.S. bank customers. From the survey, Gartner estimates that 3 million Americans have lost an average of more than $900 each due to online scams over the past year.

Scam artists are gleaning bank account numbers and personal identification numbers (PINs) through the use of phishing attacks and keystroke logging technology, according to the report. They are then creating fake ATM and debit cards and using the cards to steal money and make purchases.

Criminals "succeed when the card-issuing bank is not validating security codes on the magnetic strip of the card while authorizing transactions," Avivah Litan, Gartner research director, said in a statement.

Banks, as a result, have it within their control to minimize their losses, Litan noted.

On the magnetic strip of every ATM card, security codes are stored on Track 2. These codes tie the physical card with the customer's account number and add an additional layer of security beyond validating a customer's PIN.

But up to half of U.S. banks fail to validate Track 2 data and only rely on customer PINs to authorize ATM transactions, according to Litan, who based that estimate on conversations with banks and transaction processors.

"Criminals are seeking out customers of banks that are not validating ATM cards' Track 2 magnetic stripe security data," Litan said. "Hackers call these banks 'cashable.'"

Banks could curtail this type of attack by modifying their ATM host systems, which would require the systems to review Track 2 security data, Litan noted.

Because customers are not aware of the Track 2 data housed on their ATM card's magnetic strip, phishers cannot dupe them into providing this sensitive information, the report said. And unless a hacker were familiar with a bank's algorithms and security codes, Track 2 data generally could not be duplicated, according to the Gartner report.

Phishing is on a steep rise, according to a report released Tuesday by security software company Postini. The company found nearly 19.3 million phishing attempts in the month of July as it processed customers' email--marking a 16 percent increase over June.

The July phishing attempts marked the highest levels the company has seen to date.


Key bugs in core Linux code squashed

By Joris Evers, Staff Writer, CNET News.com

Serious security bugs in key parts of the latest Linux code have been fixed, but some small glitches have been introduced, according to a recent scan.

In December, Coverity looked at version 2.6.9 of the Linux kernel, the heart of the open-source operating system, and found six critical defects in the core file system and networking code. In July, the code analysis company scanned the latest version of the Linux kernel, version 2.6.12, and found no such programming errors, Coverity CEO Seth Hallem said.

However, 1,008 defects were discovered in other parts of version 2.6.12. These coding problems, which could indicate security flaws, rest mainly in drivers, Hallem said. That's a slight increase compared with the earlier analysis, when 985 total defects were found, according to San Francisco-based Coverity.

"The bugs that we reported that were in critical pieces of the kernel were fixed," Hallem said. "At the same time, people still write buggy code. As new code gets introduced, there are new bugs."

As a result, the overall bug density--the number of bugs per thousand lines of code--only decreased from 0.17 defects to 0.16 defects, according to Coverity's scan.

The results of the analysis are a sign that Linux is maturing as an operating system and in the security of its core code. That could make it a more attractive option for users, corporate ones especially, as rival OS maker Microsoft works to bolster the security in its own software.

Coverity's code analysis tools look for common mistakes in writing C and C++ programming code. The company did not give details on the scope of the flaws it found. It rated faults in the file system and networking code as more serious because those pieces will be used by all Linux users, Hallem said. The other coding mistakes are considered less critical because bugs in drivers, for example, will only put users at risk if they use those drivers.

The analysis can't be used to measure the security of Linux next to that of Microsoft's Windows operating system. The Windows kernel source code is not available for scanning by Coverity, making an equal comparison impossible.

Microsoft does use analysis tools similar to those in Coverity's study to vet its Windows code. One tool, known as Prefast, runs on each developer's workstation to check code for simple problems. The other tool, Prefix, is run every night on the Windows source code to catch more complex issues.

Like last time, Coverity plans to make the results of its analysis available to Linux developers so the bugs it found can be fixed, Hallem said.


August 04, 2005

CA plugs serious hole in backup software

By Joris Evers, CNET News.com

A serious security flaw in Computer Associates backup products could put corporate systems at risk of cyberattack, security companies have warned.

The vulnerability lies in CA's BrightStor ARCserve Backup Agents and BrightStor Enterprise Backup Agents, according to an alert from the French Security Incident Response Team released Wednesday. The software handles backups of critical systems, FrSirt said.

CA issued software patches to fix the problem on Tuesday.

With the flaw, an intruder could gain full control over the system that runs the backup software by sending a specially crafted request to the agent, said FrSirt, which rates the issue "critical." Code that exploits the flaws is available on the Internet, the French research organization noted.

Data backup tools have become easy targets for attackers, the SANS Institute said in its most recent quarterly security update. Serious security vulnerabilities have been disclosed in products from CA and Veritas in recent months, SANS said.

The BrightStor problem is in a remote buffer overflow error in the CA software, according to an advisory from iDefense, which is credited with the discovery of the flaw. Users should apply the fixes or, as a work-around, restrict access to the backup agents from remote networks, iDefense said.


Apple's Georgia laptop deal hits snag

By Ina Fried, Staff Writer, CNET News.com

One of Apple Computer's largest ever education deals--a tentative pact to sell 63,000 iBooks to an Atlanta-area school district--has suffered a serious setback following an adverse ruling by a Georgia court.

Apple announced in February that it was on the verge of striking a deal with the Cobb County School District that would eventually equip each of the district's teachers, middle- and high-school students with a laptop. The district's board gave initial approval for a first round of laptop purchases for teachers and four pilot high schools.

However, opponents of the plan took the school district to court, alleging that voters weren't sufficiently informed that a 1 percent sales tax approved in 2003 would be used to start the program.

A judge agreed last week and ordered a halt to the rollout, prompting the school district to rethink its plans at a special meeting on Monday night.

After the meeting, the board reportedly decided not to proceed with the Apple program, though it may appeal the judge's ruling. The effort to equip all students with laptops "is no longer an option," board President Kathie Johnstone is quoted as saying in an Atlanta Journal-Constitution article. The article said the district may still go ahead with plans to give laptops to teachers since school officials already had promised them a "computing device" in the materials they distributed before the sales tax passed in 2003.

An Apple representative was not immediately able to comment on the recent events. Apple had issued a press release in May touting the importance of the win.

Prior to Monday's meeting, the school board had issued a statement saying, "The Cobb County Board of Education is disappointed in Friday's court decision regarding the use of SPLOST funds for technology improvements in the school district."


Big storage on the cheap

By Michael Kanellos, Staff Writer, CNET News.com

Enthusiasts learned to build their own PCs decades ago. Now you can assemble a storage system in your living room that could make the Pentagon jealous.

San Francisco-based Capricorn Technologies has crafted blueprints, available from the Internet Archive on an open-source basis, which effectively let people build multi-terabyte and multi-petabyte storage systems fairly inexpensively. The company also builds its own line of storage systems, called the PetaBox, and has landed deals with several universities and research departments with its low-budget approach.


What's new:
Capricorn Technologies has developed blueprints that allow users to build multi-terabyte and multi-petabyte storage systems. The company also builds high-capacity storage systems for the relatively low price of $2 a gigabyte.

Bottom line:
Universities and research departments have purchased Capricorn's storage systems, although competitors and industry observers say that those clients tend not to require the higher-performance (and much more expensive) storage systems needed by mainstream businesses. Still, Capricorn says it plans to become a major player in the storage market.


How cheap are they? Capricorn's storage systems cost about $2 a gigabyte, said the company's chief executive, C.R. Saikley. At that price, the cost breakdown would be about 65 cents for the gigabyte of storage and $1.35 for racks, software, networking, management tools and other components.

That means that a Capricorn 1-terabyte system (which consists of 1,000 gigabytes) would sell for about $2,000, while a 1-petabyte system (1,000 terabytes) would cost about $2 million.

By contrast, a petabyte-class storage system from EMC might cost $20 a gigabyte, while similar systems from smaller companies might cost $10 a gigabyte, said Arun Taneja, an analyst with Taneja Group. A petabyte-class storage system will run into the millions, said an EMC spokesman.

"We're a fraction of the price of those guys," Saikley said. "Our goal is to become the low-cost leader in storage."

The growth of the Internet and services such as Google's Gmail and Apple Computer's iTunes have caused a corresponding explosion in the amount of data that needs to be archived. A petabyte is a vast amount of storage space. It represents around 450,000 hours' worth of TV programming, or all the e-mail produced in the world on a single day, according to storage makers.

Mushrooming amounts of data have in turn fueled demand for large storage systems. Luckily, the drive industry has continued to improve its technology, doubling the density of hard drives every two years or so while dropping the price. While drive makers regularly lose money, consumers and others benefit.

Supersize me

The higher price of commercial storage systems comes with significant performance advantages, said an EMC spokesman. The systems that EMC specializes in are geared toward handling thousands of transactions simultaneously for hours on end without failure. A lot of university labs don't need that sort of horsepower.

"The challenge is providing the performance that scales with capacity," the spokesman said.

A Taneja analyst added that the low price raises red flags about Capricorn's commercial viability and performance of the systems, particularly for mainstream business users. Still, "two dollars is a miserably low price for disk-based storage," the analyst said. "The price they are talking about is about the price of the hardware."

The company emerged out of a collaboration between Brewster Kahle, founder of the Internet Archive, and Saikley. The archive, which strives to preserve books, Internet pages, music, TV shows and other digitized information, needed to expand its storage capacity but was constrained by its budget. The archive also wanted to keep power consumption down.

"We were unable to find what we knew was possible," said Saikley, who added, "I've been a personal friend of Brewster's since the Carter administration."

In 2004, Saikley devised a 100-terabyte storage system that consumed approximately 60 watts per terabyte.

Subsequently, he formed Capricorn and continued to tweak the technology. The company's flagship product is now the PetaBox TB64, a 64-terabyte storage system that consists of several 1U (1.75 inches high) modules slotted into a rack measuring approximately 2 by 2 by 6 feet. It consumes 50 watts per terabyte. The modules come with 400GB drives from Hitachi and processors from Via Technologies. Versions using Intel chips are also available.

In June, Capricorn shipped a petabyte's worth of PetaBoxes to the Internet Archive. The petabyte system occupies about 16 racks and contains a few thousand hard drives.

The Internet Archive submits all of its intellectual property to the open-source community. Since the storage system was designed on a commission from the organization, the organization owns the designs to the system and hence opened them to the public. Still, because customers don't necessarily want to assemble storage systems themselves, Capricorn is landing contracts. The company is also looking at ways to enhance its portfolio.

"I see us expanding our market presence and adding features and services," Saikley said.


Novell seeks outside help with Linux

By Stephen Shankland, Staff Writer, CNET News.com

Novell plans to begin opening up development of one of its Linux products to outside programmers in a project called OpenSuse, a strategy similar to that taken by rival Red Hat. The company is expected to announce the project next week.

Novell is launching the project in an attempt to attract more outside developers, new users and, ultimately, market share, said Greg Mancusi-Ungaro, director of marketing for Linux and open source. Novell is the No. 2 seller of Linux after Red Hat.

Novell and Red Hat each have two versions of Linux: a slow-changing, higher-priced product intended for conservative customers and a fast-changing version for enthusiasts and developers. For Red Hat, the products are Red Hat Enterprise Linux and Fedora, respectively, and for Novell, they are Suse Linux Enterprise Server and Suse Linux Professional.

Novell is paring down this latter product's name to Suse Linux and plans to invite outsiders to help build it, Mancusi-Ungaro said.

In the past, "We've made (Suse Linux) not widely available--just retail stores or a packaged download from an FTP. It's not the easiest way to gain a large user community," he said. The company is trying to turn that around through the invitation for outside involvement and an effort to distribute more copies of the software, a push called the lizard blizzard, a reference to the company's Geeko mascot.

Novell isn't the only one trying a more open approach. Sun Microsystems has begun opening its Solaris source code in an effort to regain the relevance the Unix version has lost to Linux. Attracting users is key for Novell: Wall Street analysts see Novell's Linux effort as a key factor in the company's financial health as revenue from its older NetWare operating system declines.

But creating a collaboration with the broad community of open-source programmers is a difficult task. Red Hat has tried for more than two years to get its Fedora project fully off the ground, most recently taking the step of creating the Fedora Foundation to try to give the project more independence.

The first stage of Novell's effort will begin next week with the first public beta test release, Mancusi-Ungaro said. Next, Novell will accept bug fixes and suggestions from outsiders, and, eventually, more active development. By the spring of 2006, Novell will make the product's underlying source code available and will provide publicly accessible servers that can be used to build the software, he said.

"We're trying to make it easier for application developers to come to Suse, create forks (variations on Novell's product), create packages and build the software," Mancusi-Ungaro said.

Along with the greater openness will come an effort to spread the software as widely as possible--an effort Novell hopes will distinguish Suse Linux from Fedora.

Where Fedora is available chiefly by downloading multiple large CD images, Novell plans to distribute Suse Linux CDs in magazines, at trade shows and meetings, and possibly by sending them to those who just ask.

"We will give away thousands at user group events," he said.
