Judge rules against Microsoft in email privacy case : The company is compelled to comply with a U.S. warrant for emails held on a server in Ireland, a judge rules

A U.S. district court judge has ruled against Microsoft in the company's effort to oppose a U.S. government search warrant for emails stored in Ireland.

On Thursday, Judge Loretta Preska of the U.S. District Court for the Southern District of New York rejected the company's appeal of an earlier ruling requiring it to turn over emails stored in the company's facility in Dublin. Preska ruled that Microsoft will not have to turn over the emails while it files an appeal.

Preska, in an oral ruling from the bench, sided with a magistrate judge's April ruling quashing Microsoft's opposition to the warrant, related to a criminal case, from the U.S. Department of Justice.
Microsoft will appeal Preska's ruling to the U.S. Court of Appeals for the 2nd Circuit, the company said. Microsoft has argued that the DOJ has no authority to issue warrants related to emails stored outside the U.S.

"The only issue that was certain this morning was that the district court's decision would not represent the final step in this process," Microsoft general counsel Brad Smith said in a statement. "We will appeal promptly and continue to advocate that people's email deserves strong privacy protection in the U.S. and around the world."

U.S. law has long required search warrants to name the specific location of the information they seek, instead of requiring a company receiving the warrant to search multiple locations for the information, as has happened in the Ireland case, Microsoft has argued. U.S. search warrants also haven't been able to reach overseas, just as U.S. residents wouldn't want foreign courts to be able to search domestic locations, Smith has said.

U.S. Attorney Preet Bharara of the Southern District of New York has opposed Microsoft's attempts to invalidate the warrant. If Microsoft's interpretation of the law is upheld, Web services providers could move content around the world in an effort to avoid law enforcement requests, Bharara wrote in a brief to the court.

Microsoft EMET 5.0 security tool puts a leash on plug-ins : Latest version of the free toolkit allows administrators to block third-party plug-ins -- a favored route for attackers

The latest release of a Microsoft security tool that's designed to stop exploits lets administrators control when third-party plugins are launched, a long favored route for attackers.

Microsoft has been steadily improving and adding more capabilities to the Enhanced Mitigation Experience Toolkit (EMET), a free tool that strengthens the security of non-Microsoft applications by using defenses built within Windows, such as ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention).

The latest 5.0 iteration, released Thursday, includes something called "Attack Surface Reduction," which can block some of an application's modules or plugins that might be abused, wrote Chris Betz, senior director of the Microsoft Security Response Center.

He wrote that Microsoft Word, for example, can be prevented from loading an Adobe Flash Player plugin or allow Java plugins to only run from intranet-zone sites rather than outside ones.

Third-party software is often favored by hackers as finding vulnerabilities in the Windows operating system has become more difficult. Java, an application framework for running applications, is often targeted, as well as applications from Adobe Systems.

EMET has been configured by default to block Adobe's Flash plugin from being loaded by Word, Excel and PowerPoint.

Another improvement to EMET deals with digital certificates, which are used to secure a SSL (Secure Socket Layer) connection, Betz wrote. EMET now has a blocking mode that will tell Internet Explorer to halt an SSL connection if an untrusted certificate is detected without sending session data.

Microsoft also hardened EMET in light of successful efforts at bypassing mitigations in its 4.0 version. Earlier this year, researchers from Bromium, which develops security technologies based on micro-virtualization, found that more technical hackers could bypass all of EMET's protections.

The company worked on hardening EMET against bypass techniques, which are possible "when a memory corruption within an EMET-protected application can be abused to overwrite selected memory areas and corrupt data belonging to EMET itself," according to a technical writeup.

Microsoft sues Samsung, says it stopped paying for patents : Samsung is requires it to pay licensing fees to Microsoft for the Android phones it sells

Microsoft filed suit against Samsung on Friday, claiming the device maker has backed out of an agreement that requires it to pay licensing fees to Microsoft for the Android phones it sells.
Samsung has not honored the agreement since at least last September, when Microsoft announced it was acquiring Nokia's devices and services business from Google, Microsoft alleged in the complaint.

"Samsung breached the license agreement last fall by refusing to make its Fiscal Year 2 royalty payment on time and then refusing to pay interest on its late payment, and is threatening to breach the License Agreement again with respect to its ongoing royalty payment obligations," says the complaint, which was filed Friday in federal court in New York.

Microsoft and Samsung have been meeting for months to resolve a disagreement over the contract, to no avail, Microsoft said Friday in an accompanying blog post.

"We don't take lightly filing a legal action, especially against a company with which we've enjoyed a long and productive partnership," wrote Microsoft corporate vice president and deputy general counsel David Howard.

"Unfortunately, even partners sometimes disagree," he wrote.

The companies entered into a patent cross-licensing agreement in 2011 under which Samsung would pay Microsoft to use its technology in the Android phones and tablets it sells.

But after Microsoft's Nokia acquisition was announced, Samsung decided to stop complying, Microsoft said Friday.

"Samsung began using the acquisition as an excuse to breach its contract," Microsoft's Howard wrote. Samsung did not ask the court whether the Nokia acquisition invalidated the contract, he wrote.
A Samsung spokeswoman said via email that the company would review the complaint in detail "and determine appropriate measures in response."

Since 2011, sales of Samsung-made smartphones running Google's Android operating system have grown substantially, according to industry research firm IDC. Samsung's smartphones, which include the Galaxy S5 and S4, now have a roughly 30 percent share of the global market, according to IDC.

How to protect personal, corporate information when you travel : Today's hotels are unfortunately vulnerable to types of attempted fraud. Here's how to keep data safe

Before flying from Rome to Philadelphia earlier this summer, I stopped in the hotel lobby to print my boarding pass. The hotel had one computer dedicated solely to this task. It was the only public computer available to guests. I could access only airline websites and input my name and confirmation number for the ticket. That was it.

I thought this was the hotel's way of trying to squeeze a few more Euros out of me -- but this setup may also stop fraud. It prevents someone from stealing whatever other information I could have typed into the computer, such as an email login and password.

In July, the U.S. Secret Service and Department of Homeland Security released an alert to the hospitality industry, warning it that business center computers had become a hacker target.
According to Kregs on Security, which posted the nonpublic advisory, the warning came from a task force in Texas that arrested individuals who allegedly targeted computers at hotel business centers in the Dallas/Forth Worth area.

This kind of fraud could be more than just about trying to steal a road tripper's credit card information, said Patrick Peterson, CEO of cybersecurity company Agari. If the hotel in question is near a major corporate headquarters -- where contractors, consultants and employees from other offices stay when visiting -- criminals could target them to steal and then sell company login information. Credit card theft thus becomes possible corporate espionage.

The hotels involved in this case haven't been revealed, but Peterson points out that they could be near the Dallas/Fort Worth-area headquarters for AT&T, Energy Transfer Equity, Southwest Airlines, Texas Instrument and Neiman Marcus.

"If you're in Russia, if you're in China, and you're about to bid on a multibillion-dollar oil field, knowing what your competing bidders know about that oil field is very valuable," he says. It's much easier to steal someone's login through an unsecured business center computer than to infiltrate a heavily protected company.

Travel industry security lags -- and hackers know it

The travel industry lags in its security efforts, Peterson says. Agari's TrustIndex report found a 400 percent increase in the level of threat to the travel industry in the past quarter. Out of 14 companies that Agari studied, only three hit acceptable security marks.

A large part of that threat came from email phishing scams that would either install malware on the victim's computer or let criminals encrypt a hard drive and then demand a ransom to unlock that hard drive, Peterson says.

Attacking business center computers is a different kind of scam. "It's low-tech, and there are so many different ways it can be done," says Bill Hargenrader, cyber security solutions architect at Booz Allen Hamilton, a strategy and technology consulting firm. It's also cheap, he adds: "I can go online right now and, for $60, get a USB keylogger and put it into someone's computer and record all those keystrokes."

On a business center computer, a keylogger stuck into the back of a machine can go undetected for months -- and that's assuming the person who finds it knows it shouldn't be there.

Another attack method: Installing software directly onto the machine, using general-purpose Trojan malware such as Zeus, which will "sit around and look for user names and passwords for people browsing online," Hargenrader says. The Trojan will also look to steal credentials, banking login, credit card information and company logins.

In the Dallas/Forth Worth case, the suspects allegedly used stolen credit cards to register as hotel guests, then logged on to install keylogging software onto those machines.

Security cameras, touchscreens can help hotels prevent data fraud.

Hotels have a few options on how to prevent this kind of theft. One low-tech but effective tactic is installing video surveillance, says Chris Poulin, IBM security strategist. "Cameras can be a pretty good deterrent." Just knowing that they're being recorded can stop hackers from trying to insert a USB keylogger -- not to mention identify perpetrators if they still try.

Hotels can also swap out standard screens with touchscreens and activate Windows 7 Touch features that come with the device, says Hargenrader. If there are no keys, there are no keystrokes to record.
Going a step further, hotels could replace PCs with tablets, says Poulin, especially as the demand for doing much more than printing boarding passes declines as travelers bring their own devices.

Hotels could also arrange for their computers to set up virtual desktop for every visitor, requiring a login to get into the system. "They get a fresh copy of a known operating system and operating system. When they logoff, it wipes everything out," Poulin says.

More immediately, though, Hargenrader says hotels should remind visitors that lobby and business center computers are public and that they shouldn't put their information at risk.

Another option: They can do what my hotel in Rome did and limit what kind of information customers can enter into the system. "When you put your boarding pass information in, you put in the flight locator code. It's limited information that's not personally identifiable but still gives you access," said Hargenrader. If malware captured that information, it would give criminals nothing in return.

Many antivirus products are riddled with security flaws : Antivirus products increase a computer's attack surface and may even lower an operating system's protections, a security researcher claims

It's generally accepted that antivirus programs provide a necessary protection layer, but organizations should audit such products before deploying them on their systems because many of them contain serious vulnerabilities, a researcher warned.

According to Joxean Koret, a researcher at Singapore security firm Coseinc, antivirus programs are as vulnerable to attacks as the applications they're trying to protect and expose a large attack surface that can make computers even more vulnerable.

Koret spent the last year analyzing antivirus products and their engines in his spare time and claims to have found dozens of remotely and locally exploitable vulnerabilities in 14 of them. The vulnerabilities ranged from denial-of-service issues to flaws that allow potential attackers to elevate their privileges on systems or to execute arbitrary code. Some bugs were located in antivirus engines -- the core parts of antivirus products -- and some in various other components.

Koret presented his findings at the SysScan 360 security conference earlier this month.
"Exploiting AV engines is not different to exploiting other client-side applications," the researcher said in his presentation slides. They don't use any special self-protections and rely on anti-exploitation technologies in the OS like ASLR (address space layout randomization) and DEP (data execution prevention); and sometimes they even disable those features, he said.

Because antivirus engines typically run with the highest system privileges possible, exploiting vulnerabilities in them will provide attackers with root or system access, Koret said. Their attack surface is very large, because they must support a long list of file formats and file format parsers typically have bugs, he said.

According to the researcher, another issue is that some antivirus products don't digitally sign their updates and don't use encrypted HTTPS connections to download them, which allows man-in-the-middle attackers to inject their own malicious files into the traffic that would get executed.

During his SysScan talk, Koret disclosed vulnerabilities and some other security issues, like the lack of ASLR protection for some components, in antivirus products from Panda Security, Bitdefender, Kaspersky Lab, Eset, Sophos, Comodo, AVG, Ikarus Security Software, Doctor Web, MicroWorld Technologies, BKAV, Fortinet and ClamAV. However, he also claimed to have found vulnerabilities in the Avira, Avast, F-Prot and F-Secure antivirus products.

Koret did not report the issues he found to all affected vendors, because he thinks that vendors should audit their own products and run bug bounty programs to attract independent research. Some of his other recommendations for vendors include using programming languages "safer" than C and C++, not using the highest privileges possible when parsing network packets and files because "file parsers written in C/C++ code are very dangerous," running potentially dangerous code in emulators or sandboxes, using SSL and digital signatures for updates and removing code for old very threats that hasn't been touched in years.

Independent of Koret's analysis, researchers from Offensive Security recently found three privilege escalation vulnerabilities in Symantec's Endpoint Protection product. The flaws can be exploited by a local user with limited privileges to gain full system access. Symantec is currently investigating the flaws.

"I won't go to the extent to say that AV software is pointless, since we do know that users still love clicking and installing stuff, and many networks are compromised this way," said Carsten Eiram, the chief research officer at security intelligence firm Risk Based Security and a long-time vulnerability researcher. "However, system administrators should carefully select which security products they buy as well as which features are enabled -- especially when it comes to content inspection. All those file format parsers have proven again and again over the years to be treasure troves to attackers."
Eiram said that while he didn't attend Koret's talk, he looked over the slides and the research appears to be solid.

"Adding a huge attack surface, which often happens when installing AV software or other security software, in an attempt to make systems/networks more secure does not increase overall security," Eiram said. "I agree that it often decreases it."

The fact that antivirus products have vulnerabilities might not be surprising to security researchers, but many regular users likely assume that security products are inherently secure. After all, it would be fair to expect good coding practices and solid secure development lifecycles from companies that are clearly familiar with the risks of vulnerable code and sell protection against attacks that exploit vulnerabilities in other software.

This problem, however, extends beyond antivirus programs. Ben Williams, a penetration tester with NCC Group, analyzed security appliances, including email and Web security gateways, firewalls, remote access servers and UTM (united threat management) systems, from leading vendors in 2012 and concluded that most of them are poorly maintained Linux systems running insecure Web applications.

"While we do everything possible to ensure that products are fault free, sadly no software is perfect," an Eset representative said via email in response to an inquiry about Koret's research. The company contacted Koret after the researcher tweeted some of his findings on March 1 and fixed the problem he identified in less than three days, the representative said. "Eset always welcomes researchers who follow responsible disclosure procedures of bugs and issues."

A Bitdefender representative said via email that the company also fixed the problems disclosed in Koret's presentation slides within days of their release. However, the company is not in possession of the entire list of bugs that the researcher claims to have found and can't be sure that it has fixed all of them, or if they're even reproducible.

"Since the announcement, we have also conducted an internal code audit, fixed a number of other bugs and made changes to our build and QA [quality assurance] processes which should result in far sturdier code and prevent similar situations in the future," the Bitdefender representative said.
The issues in Kaspersky Lab's antivirus products that were outlined in Koret's presentation, namely the absence of ASLR in some components and a potential denial-of-service issue when scanning nested archives, are not critical to the security protection of the company's customers, a Kaspersky representative said via email. Software that is written without ASLR is not implicitly more vulnerable to exploits, but Kaspersky Lab added ASLR to the product components that were lacking it -- vlns.kdl and avzkrnl.dll -- after Koret's presentation, he said.

The archive issue where scanning of a 3MB 7-Zip file can allegedly produce a 32GB dump file could not be verified or refuted because the company has not received a detailed description of the methodology used by the researcher.

The researcher confirmed in his presentation slides that some of the vulnerabilities he found had been fixed.

Incredible Softwares : Website Designing & SEO/SMO

Security skills shortage is real, and it's not going away anytime soon

There's good news and bad on the cybersecurity skills availability front.

On the positive side, the current shortage of cybersecurity professionals in the U.S will likely resolve itself over the next several years as the result of recent efforts involving education, training and security awareness.

But for the time being, organizations will find it disturbingly difficult to find the skilled workers they need to defend themselves from internal and external threats, the RAND Corp. warned this week.

Not only will cybersecurity skills become increasingly costly, they will also become very hard to come by in the near future, said Martin Libicki, one of the authors of a 125-page report from RAND.

"There's plenty of evidence that there is a shortage" of cybersecurity professionals -- especially within government organizations, Libicki said. "The problem cannot be solved overnight. It will take a long time to get the right people into this profession."

The RAND report examines the nature and the source of the cybersecurity skills shortage in the U.S. and how the private sector and the government have responded to the crisis.

Demand for security professionals has skyrocketed since 2007 as the result of increased connectivity, raised awareness, more vulnerabilities and ever more hacker activity. The sudden and rapid rise in demand has led to substantial increases in compensation packages for security professionals in recent years, but that has done little to attract new cybersecurity professionals, RAND said.

"In the longer term, as long as demand does not continue to rise, higher compensation packages and increased efforts to train and educate people in cybersecurity should increase the number of workers in the field" -- putting downward pressure on salaries, it noted.

Some of the increased demand may also run counter to the underlying realities. Because of the heightened attention paid to cybersecurity, it's possible that some companies think they're at greater risk than they were a few years ago and assume they need more people.

As organizations come to better understand their true security needs, demand for cybersecurity workers may fall in the longer term, RAND said.

Here are four other takeaways from the report

Government organizations are hurting the most
The increased demand for cybersecurity professionals has pushed compensation packages to levels that government organizations have a hard time matching. This is especially true for their ability to attract or retain top-level security professionals, Libicki said.

Government compensation is often constrained by rigid pay scales and grade levels that restrict the ability of agencies to hire the skills they need in a supply-constrained labor market. The problem is less acute for lower to mid-tier IT security pros.

"However, once professionals can command more than $250,000 a year, the competitiveness of the U.S. government as an employer suffers correspondingly," the report noted. Though special rates are often available to senior level IT specialists, the long recruitment processes, vetting and security clearance delays can discourage candidates.

Companies can pay all they want and still not find enough people
In the short term, the supply side of the manpower equation will not be responsive to higher salaries because there simply aren't enough professionals to go around. Since training and educating a new generation of cybersecurity workers can take years, organizations that need security skills will be hard pressed to find them.

On a positive note, the higher compensation packages offered to security professionals could begin to attract would-be hires from other areas such as engineering.

Organizations should look at alternate approaches
Companies and government entities should consider adopting more secure system architectures and best practices to reduce their dependence on manpower. Organizations spend close to $70 billion on cybersecurity annually around the world, Libicki said. If even a 10th that amount was invested in making software more secure, there would be less of need for so many cybersecurity professionals.

"We have a model that basically says 'I accept the world of software as is and I am going to patch everything at a systemic level,'" he said. It is an approach that is basically unsustainable in the long term. A company that has 600 security professionals today might require 1,000 in a few years -- and still not be secure.

Twitter keeps sending texts to recycled phone numbers, lawsuit says

Promotional texts and other messages from Twitter are fine if you consent to them, but some are going out to old phone numbers that have been around the block, according to a new lawsuit.

A Massachusetts woman alleges that the social network is sending unsolicited texts via SMS (Short Message Service) to recycled phone numbers. People who have never used Twitter or have not opted into receiving texts from the company are getting messages just because their number was previously used by someone who may have consented. She wants to turn her lawsuit into a class action for other consumers like her.

Around the time that Beverly Nunes, of Taunton, Massachusetts, got a new phone last November, she started getting promotional texts several times per day from "40404," a Twitter SMS short code, according to the complaint. "There's a new Swagcode out!" one message read, referring to virtual currency that could be redeemed for retail items or gift cards.

Nunes never had a Twitter account, according to the filing.

The suit, filed Thursday in federal court in San Francisco, may point to a larger issue as Internet companies try to grow their businesses using mobile messaging. Twitter makes the bulk of its advertising revenue from mobile devices, and the company is pushing hard to get more mobile users.

The suit claims Twitter automatically sends unsolicited messages to people without verifying that they have actually opted into the messages. "Twitter simply treats the new recycled cellular telephone number owner as if he or she were the previous owner," it says.

The suit also alleges that Twitter sends SMS texts to people who have expressly opted out of receiving them.

Those practices, the suit alleges, violate the U.S. Telephone Consumer Protection Act, which prohibits companies from sending automated texts to mobile phones without first receiving permission. Depending on what data plan they have, consumers may have to pay for those unwanted texts.

The suit seeks US$500 in damages for each violation of the TCPA.

John Jacobs, the lead attorney for Nunes, said the claims laid out in the suit are a substantial problem within the tech industry that would not be hard to fix. Companies such as Infutor and NextMark can identify disconnected telephone numbers before they're recycled, but Twitter does not use their services, according to the filing.

Nunes, the plaintiff, could not be immediately reached for comment. Twitter did not immediately respond to comment.

But Mike Mothner, founder and CEO at Wpromote, a digital marketing agency, said the blame belongs to both the carrier and the Internet company. "The carrier shouldn't sell consumers' numbers -- that's an issue of privacy and customer service," he said.

Twitter can capture people's cellphone numbers under a variety of circumstances. People can sign up for the service via SMS, and tweet via text message. Twitter also offers two-factor login using cellphone numbers.

In 2010 Twitter acquired Cloudhopper to scale its SMS service by connecting directly to mobile carrier networks.

Nunes may not have a case against Twitter. Yahoo was hit with a similar suit last year, but a judge recently threw it out on the grounds that Yahoo didn't use an automated redialer to transmit its text messages.

Incredible Softwares

OUR PROCESS