02.01.08
Posted in Cyber Security at 2:15 am by Administrator
Found via yahoo news / Techweb
Five Most Overlooked Open Source Vulnerabilities Found By Audits
By Charles Babcock
InformationWeek Tue Jan 22, 5:45 PM ET
After reviewing 300 million lines of code in 2007, Palamida, a vulnerability audit and software risk management company, says it’s identified the five vulnerabilities most frequently overlooked by users in their open source code.
The five are listed in alphabetical order. Palamida did not attempt to assign a frequency ranking to the five, CEO Mark Tolliver said. Also, the Palamida list reflects known vulnerabilities that have been aired and fixed by their parent projects but are still encountered in the user base, such as businesses and government agencies. The projects named are not frequent offenders when it comes to security vulnerabilities, but their code is so widely used that unpatched vulnerabilities show up in Palamida’s enterprise and nonprofit agency software scans. In all cases, a patch is available to fix the vulnerability.
Open source code is “not any more vulnerable than commercial software” and in some cases, less so, said Tolliver. Open source projects tend to acknowledge their vulnerabilities and fix them promptly, he added.
The company conducts audits on enterprise software, spotting uses of open source and identifying origins of code. It both sells products to conduct audits and offers audit services and risk management consulting.
Palamida’s list of five frequently overlooked vulnerabilities is as follows:
Geronimo 2.0, the application server from the Apache Software Foundation, contains a vulnerability in its login module that allows remote attackers to bypass authentication requirements, deploy a substitute malware code module, and gain administrative access to the application server. The access is gained by “sending a blank user name and password with the command line deployer in [Geronimo's] deployment module,” the Palamida report said. A blank user name and password should trigger a “FailedLoginException” response in Geronimo 2.0 but doesn’t.
A patch for the vulnerability exists at https://issues.apache.org/jira/secure/attachment/12363723/GERONIMO-3404.patch.
Geronimo competes with Red Hat’s JBoss and other open source application servers.
The JBoss Application Server has a “directory traversal vulnerability in its DeploymentFileRepository class in releases 3.2.4 through 4.0.5. It allows remote authenticated users to read or modify arbitrary files and possibly execute arbitrary code,” the Dec. 7 report concluded.
A patch is available at http://jira.jboss.com/jira/browse/ASPATCH-126.
The third frequently encountered vulnerability on the list is the LibTiff open source library for reading and writing Tagged Image File Format, or TIFF, files. The LibTiff library before release 3.8.2 contains command-line tools for manipulating TIFF images on Linux and Unix systems and is found in several Linux distributions.
Using the LibTiff library in a version before 3.8.2 allows “context-dependent attackers to pass numeric range checks and possibly execute code via large offset values in a TIFF directory,” the Palamida report states. The large values may lead to an integer overflow or other unanticipated result and constitutes an “unchecked arithmetic operation,” the report said.
A patch is available at http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz.
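The LibTiff item above describes an "unchecked arithmetic operation": a numeric range check that large offset values can pass because the intermediate sum or product wraps in 32-bit arithmetic. As an added illustration (not code from the article or from LibTiff), the C below validates TIFF directory entries two ways: a naive check whose arithmetic wraps, and a hardened check that refuses any count or offset before the overflow can happen. The 64-byte file, tags and entry values are constructed sample data.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Byte size of each TIFF 6.0 data type, indexed by type code 1..12. */
static const uint32_t tiff_type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

typedef struct {
    uint16_t tag;
    uint16_t type;
    uint32_t count;
    uint32_t offset;   /* file offset of the value when it does not fit inline */
} tiff_dir_entry;

/* Naive range check: count*size and offset+bytes are computed in 32 bits,
   so a large count or offset wraps and the bogus entry passes. */
bool entry_in_bounds_unchecked(const tiff_dir_entry *e, uint32_t file_size)
{
    if (e->type == 0 || e->type > 12) return false;
    uint32_t bytes = e->count * tiff_type_size[e->type];  /* may wrap to 0 */
    uint32_t end = e->offset + bytes;                      /* may wrap */
    return end <= file_size;
}

/* Hardened range check: reject before any multiplication or addition can wrap. */
bool entry_in_bounds_checked(const tiff_dir_entry *e, uint32_t file_size)
{
    if (e->type == 0 || e->type > 12) return false;
    uint32_t size = tiff_type_size[e->type];
    if (e->count > UINT32_MAX / size) return false;   /* count*size would overflow */
    uint32_t bytes = e->count * size;
    if (e->offset > file_size) return false;          /* offset already past EOF */
    return bytes <= file_size - e->offset;            /* no wrap possible here */
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk a little-endian IFD at ifd_off, validating each entry with `check`.
   Returns the number of accepted entries, or -1 if the IFD itself is truncated. */
int parse_ifd(const uint8_t *file, uint32_t file_size, uint32_t ifd_off,
              bool (*check)(const tiff_dir_entry *, uint32_t))
{
    if (ifd_off > file_size || file_size - ifd_off < 2) return -1;
    uint16_t n = rd16(file + ifd_off);
    if (file_size - ifd_off - 2 < (uint32_t)n * 12u) return -1;  /* n <= 65535: no wrap */
    int accepted = 0;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *p = file + ifd_off + 2 + (uint32_t)i * 12u;
        tiff_dir_entry e = { rd16(p), rd16(p + 2), rd32(p + 4), rd32(p + 8) };
        uint32_t size = (e.type >= 1 && e.type <= 12) ? tiff_type_size[e.type] : 0;
        /* Values of 4 bytes or less live inline in the offset field: nothing to range-check. */
        if (size && e.count && e.count <= 4 / size) { accepted++; continue; }
        if (check(&e, file_size)) accepted++;
    }
    return accepted;
}

/* Constructed sample (not a real file): 64-byte little-endian TIFF, one IFD of two entries.
   Entry 1: ImageWidth (tag 256), SHORT, count 1, inline value 4 -- legitimate.
   Entry 2: StripOffsets (tag 273), LONG, count 0x40000000, offset 40 -- count*4 wraps to 0. */
static const uint8_t sample_file[64] = {
    'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00,            /* header, first IFD at 8 */
    0x02, 0x00,                                              /* two entries */
    0x00, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    0x11, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x40, 0x28, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00                                   /* no next IFD */
};

/* Entries accepted from the sample by the naive (2) or hardened (1) check. */
int entries_accepted(bool hardened)
{
    return parse_ifd(sample_file, sizeof sample_file, 8,
                     hardened ? entry_in_bounds_checked : entry_in_bounds_unchecked);
}

int main(void)
{
    printf("naive check accepts %d entries, hardened check accepts %d\n",
           entries_accepted(false), entries_accepted(true));
    return 0;
}
```

The second entry claims a billion LONG values starting at offset 40; the naive check multiplies that out to zero bytes and lets it through, while the hardened check rejects it before the multiplication.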
The fourth vulnerability on the list is found in Net-SNMP, or the programs that deploy the SNMP protocol. It’s found in version 1.0, version 2c and version 3.0. When certain versions of Net-SNMP are running in master agentx mode, the software allows “remote attackers to cause a denial of service (crash) by causing a particular TCP disconnect, which triggers a freeing of an incorrect variable,” the report said.
A patch is available at http://downloads.sourceforge.net/net-snmp/net-snmp-5.4.1.zip?modtime=1185535864&big_mirror=1.
The fifth overlooked vulnerability is found in Zlib, a software library used for data compression. Zlib 1.2 and later versions allow a remote attacker to cause a denial-of-service attack. The attack designs a compressed stream with an incomplete code description of a length greater than 1, causing a buffer overflow.
The patch consists of upgrading zlib to version 1.2.3 at www.zlib.net/zlib-1.2.3.tar.gz.
The fact that the vulnerabilities exist doesn’t mean that anyone should stop using open source code. But users should adopt vulnerability patches or update to the latest, stable version of the code, said Theresa Bui, VP of marketing at Palamida. A complete description of the five vulnerabilities, along with their Common Vulnerability and Exposure number, can be found at Palamida’s Dec. 7 Web site listing. The CVE is a project of the Mitre Corp. that gives vulnerabilities a shared definition and reference number across security vendors.
See original article on InformationWeek.com
01.27.08
Posted in Cyber Security at 8:57 am by Administrator
Hopefully if they are reporting this it means that we have fixed all the potential problems in this area. Just another reminder that as our society becomes more and more dependent upon technology, we also become more vulnerable to problems - be it intentional maliciousness or just breaking down.
Story found via PcWorld:
CIA Says Hackers Have Cut Power Grid
Several cities outside the U.S. have sustained attacks on utility systems and extortion demands.
Robert McMillan, IDG News Service
Saturday, January 19, 2008 6:00 AM PST
Criminals have been able to hack into computer systems via the Internet and cut power to several cities, a U.S. Central Intelligence Agency analyst said this week.
Speaking at a conference of security professionals on Wednesday, CIA analyst Tom Donahue disclosed the recently declassified attacks while offering few specifics on what actually went wrong.
Criminals have launched online attacks that disrupted power equipment in several regions outside of the U.S., he said, without identifying the countries affected. The goal of the attacks was extortion, he said.
“We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands,” he said in a statement posted to the Web on Friday by the conference’s organizers, the SANS Institute. “In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.”
“According to Mr. Donahue, the CIA actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure,” SANS said in the statement.
One conference attendee said the disclosure came as news to many of the government and industry security professionals in attendance. “It appeared that there were a lot of people who didn’t know this already,” said the attendee, who asked not to be identified because he is not authorized to speak with the press.
He confirmed SANS’ report of the talk. “There were apparently a couple of incidents where extortionists cut off power to several cities using some sort of attack on the power grid, and it does not appear to be a physical attack,” he said.
Hacking the power grid made front-page headlines in September when CNN aired a video showing an Idaho National Laboratory demonstration of a software attack on the computer system used to control a power generator. In the demonstration, the smoking generator was rendered inoperable.
The U.S. is taking steps to lock down the computers that manage its power systems, however.
On Thursday, the Federal Energy Regulatory Commission (FERC) approved new mandatory standards designed to improve cybersecurity.
CIA representatives could not be reached immediately for comment.
01.01.08
Posted in Internet Users at 8:41 pm by Administrator
Americans more wired, new-media survey finds
From yahoo news / Reuters
By Gail Schiller
NEW YORK (Hollywood Reporter) - About 38 percent of U.S. consumers are watching TV shows online, 36 percent use their cell phones as entertainment devices and 45 percent are creating online content like Web sites, music, videos and blogs for others, according to a new-media survey from Deloitte & Touche.
The findings of the online survey of 2,081 Americans, conducted October 25-31, were provided to The Hollywood Reporter before their official release next month.
The “State of the Media Democracy” notes that in Deloitte’s first edition of the survey just eight months earlier, 24 percent of consumers used their cell phones as entertainment devices, meaning that usage has soared 50 percent.
About 62 percent of “millennials” (consumers 13-to-24-years-old) are using their cell phones as entertainment devices, up from 46 percent in the previous study conducted February 23-March 6, 2007. And among Generation X consumers (25-to-41-year-olds), the number grew to 47 percent from 29 percent in the earlier survey.
About 20 percent of consumers said they are viewing video content on their cell phones daily or almost daily.
The percentage of consumers watching TV online jumped from the 23 percent figure reported in the previous study. Roughly 54 percent of those surveyed said they are making their own entertainment content through editing photos, videos or music, 45 percent said they are producing that content for others to see, and 32 percent said they consider themselves to be “broadcasters” of their own media.
“I think for advertisers one of the conclusions is you don’t make decisions to advertise either on television or the Internet when you want to hit all the demographics, but rather you need to have a multiplatform strategy,” said Ken August, vice chairman and national sector leader for Deloitte & Touche’s media and entertainment practice, which commissioned the study. “It shouldn’t be an either or proposition.”
Among the study’s other findings:
– 54 percent of consumers said they socialize via social networking sites, chat rooms or message boards, and 45 percent said they maintain a profile on a social networking site.
– 85 percent of consumers still find TV advertising to have the most impact on their buying habits, but online ads are second best, with 65 percent of consumers saying they have the most impact, beating out magazines at 63 percent.
Reuters/Hollywood Reporter
More and more Americans are getting hooked on electronics. There are many good and bad things I see with this news. We can share information and entertainment quicker, and I enjoy this new era of information sharing. I believe we will see more problems with technology compatibility in several areas as well. We already have competing formats with everything from software and operating systems, to different cell phone companies having various accepted formats for multimedia messages and such. There will certainly be much more confusion among people as to what works with what, but let's hope the barriers come down in those areas in the future as well. More on this in another post later.
12.10.07
Posted in Internet Business, Software and Web Apps at 1:32 am by Administrator
from yahoo news / reuters
Pluck hooking up media outlets with social networks
By Robert MacMillan 30 minutes ago
NEW YORK (Reuters) - Online media syndication company Pluck Corp said on Wednesday it would give traditional media companies the ability to link their Web sites to online social networks like MySpace and Facebook.
The move would allow people to leave comments on news Web sites that then show up on their social network profiles, allowing the traditional media outlets to reach people where they are spending increasing amounts of time on the Internet, said Pluck Chief Executive Dave Panos.
This is important to media companies that are trying to build up their online audiences as they lose readers and advertising revenue for their print editions.
“If I comment on a story about the presidential primary, the story itself is going to be noted on my Facebook profile, and so is the comment I made,” he said.
Companies using Pluck’s technology include USA Today publisher Gannett Co Inc (GCI.N), Discovery Communications, the Canadian Broadcasting Corp, Runner’s World publisher Rodale and Better Homes & Gardens publisher Meredith Corp (MDP.N).
“People are interested in sharing experiences around news,” said Jim Brady, executive editor of The Washington Post Co’s (WPO.N) Web site, washingtonpost.com, which also is participating.
Brady said that could build up more loyal readers for the Web site while exposing the Post’s news to many of Facebook’s 55 million users worldwide. MySpace, owned by News Corp (NWSa.N), has about 110 million users worldwide.
“We’re not trying to be Facebook or MySpace,” he said. “By giving ourselves a hook into the bigger social networks, it allows us to get more pollination.”
The move allows traditional media companies to associate themselves with popular social networks whose members — typically younger than the average newspaper reader — are considered the most valuable to advertisers on- and offline.
“If you’re a media company, you’re now attracting more users to your site,” Panos said. “For them, I think it’s about reaching a broader audience, and maybe a younger demographic.”
Reuters Group (RTR.L) (RTRSY.O) which made a $7 million investment in Pluck last year and has an undisclosed ownership stake, also is a participant.
Media companies will be able to link up with Facebook starting in the first quarter of 2008, Pluck said. Networks that are part of Google Inc’s (GOOG.O) OpenSocial technology for independent software developers — which includes MySpace as a member — will be able to use Pluck’s technology by mid-2008.
(Editing by Carol Bishopric)
I am glad to see so many social network deployments these days. Competition keeps things healthy. Hopefully we will all benefit from multiple companies pushing various software for social networks and they will all keep getting better and better. We are currently testing a few social network platforms for various clients of different sizes with different needs. There is also much talk around the shop about sharing information among the social networks. You can see this similar goal being developed with Google's OpenSocial, and the OpenID platform. Of course avoiding end user privacy issues is always a concern, but making things easier for end users to log into and use the various social sites and choosing which information to share or keep private and semi-private is going to be of paramount importance.
12.09.07
Posted in Internet Business at 9:15 pm by Administrator
We love to see more niche markets getting creative with public relations, and using newer media to get an unusual message out is just the kind of thing that colleges should be doing. It’s a young hip demographic, certainly viral videos will be more effective online than any amount spent on print advertising. The social aspect of college should be a focus and getting viral videos spread through social networks may get groups of students interested.
From the wired campus blog:
These days colleges’ PR offices are creating more and more videos to promote campus events and get their institution’s name out. And some have tried to adopt the lighthearted or edgy tone that seems most popular on YouTube.
The collegewebeditor blog has been tracking such efforts, and today they point out an unusual holiday video created by the University of Maryland at College Park.
Connie Chung, an alumnus of the university, makes a cameo appearance, but the star is the college’s mascot, Testudo, leading students and staff members from across campus to gather for a holiday photo. The overall feel seems something out of a Disney film, and somehow it seems long, even though it’s only two minutes. It’s too soon to tell whether it will be the next big viral video — so far the version on YouTube has only been viewed a couple hundred times.
Last month, the blog featured a roundup of quirky promotional videos featuring college presidents, highlighting various presidents jumping out of planes, answering questions on a late-night TV show, or riding a motorcycle. None of those have been blockbusters either, though.
12.07.07
Posted in Internet Users at 9:18 pm by Administrator
From yahoo news / reuters
For college students, if it’s Facebook, it’s love
By Joanne Kenen Tue Dec 4, 7:20 PM ET
WASHINGTON (Reuters) - For the Facebook generation, love now comes with a drop-down menu.
With profiles on the Facebook social networking site (http://www.facebook.com/) almost de rigueur on college campuses, students can define their relationship status with menu choices ranging from “married” to that perennial favorite, “It’s complicated.”
“It’s complicated” could also describe the emotional calculations people in their late teens and early 20s make as they decide whether their relationships are what they call “Facebook-worthy.”
For Stephanie Endicott and Marcus Smallegan, first year students at George Washington University, announcing to the world that they had found love in a college dorm was a no-brainer.
“It was important for me to share this with my friends since I’m so far away,” Endicott, attending school 3,000 miles away from her home in Maple Valley, Washington, said as she clasped Smallegan’s hand on a park bench on the campus.
“Neither of us had been in a really good relationship before and ours turned really good really fast,” added Smallegan, who had posted a relationship on Facebook once before, only to have that girl move out of state and break up with him via a text message on his cell phone.
Some of their friends, however, have had less harmonious Facebook experiences. Both Endicott and Smallegan know of other college students who thought they were in a relationship — only to have it all blow up when they tried to link their two Facebook profiles as a couple, an option that requires the consent of both parties.
“It was this major emotional crisis breakdown,” Smallegan said of a close friend at a Midwestern university who was heartbroken when her cyberlink was rebuffed by a young man who thought they were “just friends.”
Not all students post their relationship status. For some, it’s a matter of privacy. For others, it’s all about marketability.
“I have NEVER changed my Facebook status — it has always been single, even when I started to get involved with girls. I think it’s better this way, until you are VERY serious, because people look, people talk, etc., and unless it is super-serious it can ruin any chance with any other girl!” one young man, who asked that his name be withheld to avoid alienating his current and many ex-girlfriends, wrote in an e-mail.
But for many couples, being “Facebook-worthy” confers a status on a relationship.
When a couple was “going steady” in the 1950s, the young man might have let his girlfriend wear his Varsity team sweater or given her his fraternity pin. But the 1960s swept aside those rituals. Now the Facebook link has become a publicly-recognized symbol of a reasonably serious intent short of being engaged or moving in together.
“For those in a relationship, the theme that kept echoing was that Facebook made it official,” said Nicole Ellison, an assistant professor of telecommunication and information studies at Michigan State University who has studied social networking sites. “That was the term they used. And when the relationship fell apart, when you broke up on Facebook, that’s when the breakup was official.”
Facebook even produces a little red broken heart icon when a couple splits up.
Duke University student Adam Zell concurred. “Putting it on Facebook made it official,” said Zell, who had a “serious sit-down relationship talk” with his girlfriend last year after two or three months together. They made a joint decision to put “in a relationship” on Facebook, and link profiles.
Dave Berkman, who does mental health counseling at the University of Wisconsin clinic, finds that some students feel compelled to define themselves on a Facebook page, or to compulsively update their status over and over again.
“People are beginning to use it more than phones, more than text messages, more than instant messaging, even more than talking in person,” he said. “It speeds things up. People are prone to define where they are so they can show other people (online).”
If Facebook can certify a relationship, it can also destroy one. Ellison in her research learned of one young couple in a “Facebook-worthy” relationship. But he cheated with a young woman who naturally looked up his Facebook profile. When she saw he had an “official” Facebook girlfriend, she contacted the other woman.
“Then the two of them were in cahoots to make this guy’s life miserable,” Ellison said. “So if you are in a relationship and it’s listed on Facebook, don’t cheat.”
(Reporting by Joanne Kenen; Editing by Eddie Evans)
I know there have been many other social network dramas played out on Myspace and other social networks for similar reasons stated above. For a while there was even an internet service that would alert you to changes in a person’s relationship status. I have seen many a drama started up by comments from friends and people who change or don’t change their relationship status to single, or dating, etc. on Myspace and other social networks myself.
Posted in Marketing at 12:58 am by Administrator
From the Tennessean Newspaper in Nashville, TN:
Sunday, 10/14/07
What sort of ad agency does an entrepreneur need?
Answer: One willing to take a few chances to help an owner score big
By RANDY MCCLAIN
Business Editor
Jeffrey Buntin Jr., the 34-year-old president of The Buntin Group, has seen the Nashville advertising agency started by his dad in the 1970s guide the accounts of some of this area’s and the nation’s most entrepreneurial companies.
The Buntin Group, marking 35 years in business this fall, has worked with Cracker Barrel, John Deere, Dollar General, golf pro Jack Nicklaus and others.
Buntin, who now heads the agency, said start-up companies in search of advertising help should look for advisers that can provide more than just flashy slogans or clever commercials.
“We say to potential clients, select someone who wants to be your business partner, not just your ad agency.”
Buntin’s take is that it makes sense to pick an agency that can weigh in on long-term strategy and help an entrepreneur better define his or her target customer.
“The idea is to establish intimacy with your audience, to understand what they want, not just to sell them a product,” Buntin said.
It’s easier to think big early: “In the early stages of a business, there’s an opportunity to think of a new company as a brand, not just as a means of delivering a product. We ask clients to think of the brand, ‘why.’
“There’s a purpose or a mission behind every brand. It’s alive and authentic and it helps when you’re able to put it into words,” Buntin said. “For an entrepreneur, the ‘why’ is what they wake up every morning thinking about as they’re brushing their teeth,” what drives them in the business world.
Companies can get it right from the outset or they can evolve.
Servpro, a clean-up and restoration franchisor, has been based in Gallatin, Tenn., since relocating there from the West Coast in the late 1980s. It started years before that as a painting company and morphed into a maintenance firm that worked with insurers to clean up after fire and water damage.
But in more recent years, the Buntin Group client evolved to work directly with homeowners in addition to the commercial insurers. Servpro now targets individual consumers who need big clean-up jobs after storms or other mishaps.
The brand — reflected in Servpro’s identifying slogan — is: “Like it never even happened.”
Reaching out to homeowners was a big change in strategy, but it helped Servpro keep growing, Buntin said. The common thread all along was “about restoring control,” he said. “That thought process allowed them to diversify and accelerate overall growth. It provided brand clarity.”
Trust your intuition or partner with someone whose intuition you trust: Entrepreneurs generally have a sixth sense about the direction their business should take, but “they’re also more willing to embrace risk,” Buntin said.
Don’t fret about starting small. You can still clobber larger competitors with deeper pockets and bigger budgets.
“Being a challenger brand is more about mindset than the dollars in someone’s budget,” Buntin said. “The key is to know your audience deeply, and to know them as people.
“It’s not enough to have a megaphone and talk loud. You want to build a three-way dialogue,” something that lets the customer talk back to the brand, while also spreading the word about the product or service to others who think, behave and spend like they do.
It’s a new world of delivering messages, Buntin said, and even more-established companies can benefit by thinking of customers differently.
One example: Goodyear hired Buntin’s agency some time ago to study women as tire buyers. Goodyear wanted to learn how to market to a customer that its brand at one time hadn’t truly embraced.
“Even established businesses can launch into a new entrepreneurial era,” Buntin said.
Business and marketing are all about thinking to win and outside the humdrum box in our opinion. Glad to see there are others out there following a similar path.
12.06.07
Posted in Internet Users at 8:59 pm by Administrator
Google Making Street View Anonymous
from yahoo news / PcWorld
Robert McMillan, IDG News Service Fri Nov 30, 2:50 PM ET
In the face of ethical concerns, Google is considering changes to its Street View Google Maps feature that would protect the privacy of those it photographs.
When Street View is rolled out in Europe, Google will alter Street View photos to make sure that faces and license plate numbers are no longer visible, and the company is also thinking about doing the same with the U.S. version of the product, said Jane Horvath, senior privacy counsel with Google.
Developed by Immersive Media, Street View lets users click on a city street and then see a panoramic photograph of the area. The pictures are taken by special 360-degree cameras roof-mounted on Volkswagen Beetles that cruise around town, constantly snapping photographs. The photos are often so clear that people on the street can be identified.
Soon after its May launch, photographs of scantily clad women and men apparently entering adult book stores or strip clubs appeared, and privacy advocates complained that the Street View was invasive. Electronic Frontier Foundation attorney Kevin Bankston was photographed by the service and was among those who complained.
Google responded by creating a way for people to remove their photos, but in many other countries the company will have to take the more aggressive privacy measures. “In other jurisdictions… like Canada and the E.U., when we launch our product there, we’ll be under an obligation to ensure that faces are not recognizable, nor are license tags,” Horvath said at a Thursday discussion at the Commonwealth Club in San Francisco. “As we launch those products we will be thinking within our product teams whether this is something that we’d like to do within the U.S. also.”
Street View maps are available for 15 U.S. cities, including San Francisco, Los Angeles, New York and Miami.
In the U.S., Google can legally publish photographs taken in public places without securing permission from people who happen to pop up in the shots, but this practice violates privacy laws in many other countries.
And even if it’s legal, some may still be uncomfortable with the photographs, Horvath admitted.
“It’s sort of that ‘ick’ feeling that something makes you feel uncomfortable,” she said. “Our products are not static and we’re always open to changing them to make sure our users feel comfortable and trust us with their information.”
“I think this calls into question the whole idea of whether privacy is something that needs to be regulated by law or if there’s this other concept of privacy that we need to look at, which is the right to autonomy.”
Glad to see that Google is making some changes to account for privacy with people. There has been much debate about Google’s (and other search engines and internet sites) disregarding privacy for users in many ways. Something positive with internet user privacy is always good to read.