Dutch chipmaker NXP Semiconductors has sued a university in The Netherlands to block publication of research that details security flaws in NXP's Mifare Classic wireless smart cards, which are used in transit and building entry systems around the world.
NXP, formerly Philips Semiconductors, sued to prevent Radboud University Nijmegen from publishing a scientific paper on the technology in October. A hearing is scheduled for Thursday in the Dutch court, Rechtbank Arnhem.
"We feel the publication would not be responsible," NXP said in an e-mail statement when asked to comment for this article on Wednesday. "We cannot give further comments at this time, as it is in the hands of the court and the court has given a confidentiality order."
A court decision on the matter is expected next week, according to Karsten Nohl, a University of Virginia graduate student who worked with others to break the crypto algorithm last year and has been closely following the case.
The Dutch university's research builds upon Nohl's work. Nohl said he plans to publish his research in August and that NXP has not sued him to halt publication of his work.
"NXP spent most of this year defending the technology," Nohl told CNET News in a phone interview this week. "Only recently have they started admitting that the security is flawed, but they are still not ready for this to leak into the public domain."
"The only thing NXP would achieve if they win the lawsuit is prevent information from getting to other research groups that might very well be looking for solutions to this problem," Nohl said. Meanwhile, information on how to break the cryptography on the smart cards is already available to criminals who are willing to pay tens of thousands of dollars, he added.
A statement issued by the Dutch University in March says: "Because some cards can be cloned, it is in principle possible to access buildings and facilities with a stolen identity. This has been demonstrated on an actual system."
Dr. Bart Jacobs of Radboud University Nijmegen demonstrated last month how he could ride the London transit system for free. Once he had obtained the key used by the London transit system, he brushed up against passengers carrying Oyster transit cards, collected their card information on his laptop, and made clones of the cards.
In addition to the transit system in The Netherlands, the technology is used in the subway systems in London, Hong Kong and Boston, as well as in cards for accessing buildings and facilities. The Mifare technology is used in more than 80 percent of the market, Nohl said.
The university defended its plans to publish the research in a statement released Monday in Dutch, saying it has a duty to research and publish data on security technology flaws so that they can be fixed.
Open-source Web conferencing provider Dimdim has raised $6 million in Series B funding, the company is set to announce on Wednesday.
The funding round, which was led by current investors Index Ventures, Nexus India Capital, and Draper Richards, will enable Dimdim to introduce enhancements to the free service and expand its market reach.
Dimdim competes with fee-based services like Webex. Because it is open source, it could become a platform for real-time communications if it garners enough developer support, my CNET colleague Rafe Needleman predicts.
Since its private launch 10 months ago, Boston-based Dimdim has attracted more than 500,000 users in more than 180 countries, the company says.
Video surveillance firm VideoIQ is set to announce on Wednesday morning a $10 million Series B funding round.
Lehman Brothers Venture Partners is leading the round, and current investors Matrix Partners and Atlas Venture are participating.
The funding will be used to help VideoIQ expand to new markets and continue product development of its IP video surveillance and video analytics products, the company says.
Bedford, Mass.-based VideoIQ was spun out of GE Security in 2007 and is headed by Scott Schnell, a former RSA executive.
Google on Tuesday said it is now using an e-mail authentication technology to keep phishers from luring Gmail users to fake eBay and PayPal Web pages in order to steal usernames and passwords.
The technology, DomainKeys, uses cryptography to verify the domain of the sender of an e-mail. It allows e-mail providers to validate the domain from which an e-mail originates, and it enables easier detection of phishing attempts by helping identify abusive domains.
Last October, Yahoo announced that it was protecting Yahoo Mail users with eBay and PayPal accounts from phishing attempts using the same technology.
The DomainKeys technology is covered by a patent assigned to Yahoo. The company released it under a dual-license scheme that allows the companies to use it royalty-free under the GNU General Public License (GPL 2.0), which enabled the Internet Engineering Task Force to approve it as a proposed Internet standard.
Google's Orkut social network isn't just big in Brazil. It's also popular in India, especially among software developers, according to a new survey.
Despite Facebook's efforts to promote that social network as the platform of choice for third-party application developers, Orkut is used by twice as many software programmers in India as either Facebook or MySpace, according to an Evans Data survey of more than 300 developers in India. Software programmers in that country are heavy users of social networks in general.
Seventy-three percent of those surveyed said they had used Orkut, compared with 35 percent for Facebook and 32 percent for MySpace.
"Capturing mindshare with developers in fast-growing emerging development markets like India and Brazil gives them (Google) a strategic advantage going forward in further cultivating this very important community," Evans Data Chief Executive John Andrews said in a statement.
Google has released new domains specific to India and Brazil as a result of the popularity in those countries.
The independent survey was conducted in late May and early June.
Microsoft issued a security advisory on Monday warning about targeted attacks being launched that exploit a hole in the ActiveX control for the Snapshot Viewer in the Microsoft Access database management system.
Basically, an attacker would have to lure a victim, via a link in an e-mail or IM for instance, to a specially crafted Web page that could exploit the security hole to allow remote code execution. This would provide the attacker with as much access to and rights on the computer as the logged-in user has.
The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, 2002 and 2003.
The ActiveX control, which allows a user to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access, ships with the standalone Snapshot Viewer and with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007.
By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as Enhanced Security Configuration that sets the security level for the Internet zone to "high." This is a mitigating factor for Web sites that a user has not added to the Internet Explorer Trusted sites zone, according to Bill Sisk, security response communications manager for Microsoft.
In addition, a security feature in Internet Explorer can be set to prevent ActiveX controls from being loaded by the IE HTML-rendering engine, the advisory says.
Microsoft suggests that users adopt a workaround, such as configuring IE to disable Active Scripting or to prompt before running it, or setting Internet and local intranet security zone settings to "high" to prompt before running ActiveX Controls and Active Scripting.
Eventually, Microsoft may provide a security update for the vulnerability, according to the frequently-asked-questions section of the advisory.
"While the attack appears to be targeted, and not widespread, we are monitoring the issue and are working with our MSRA (Microsoft Security Response Alliance) partners to help protect customers," Sisk says.
We all worry about keeping our online passwords safe from prying eyes. But now our faith in ATM PIN codes is being shaken.
Three people face charges in federal court in New York for allegedly breaking into Citibank's ATM network inside 7-Eleven stores and stealing PIN codes, according to court filings reported on by The Associated Press on Tuesday.
The alleged thieves made off with about $2 million between October 2007 and March of this year. Officials believe they remotely broke into the back-end computers that approve cash withdrawals and grabbed the PINs as they were being transmitted from the ATMs to the transaction processing computers, which increasingly use Windows, the report says.
Wired News was the first to report on the ATM network breach.
Adobe announced late Monday night that it was providing optimized Adobe Flash Player technology to Google and Yahoo to help them better index dynamic Web content and rich Internet applications that include the Shockwave Flash file (SWF) format.
It sounds exciting, but what exactly does it mean for Web searchers, Webmasters, and Flash creators? CNET News.com asked Adobe, Google, and Yahoo and got some answers.
Q: What is Adobe doing?
A: Adobe is providing Google and Yahoo with optimized Adobe Flash Player technology so that their search engine spiders will be able to find and index SWF content, including Flash "gadgets" such as buttons or menus and self-contained Flash Web sites.
Q: How does this work?
A: When a search engine spider hits a normal HTML page and encounters Flash content it will load it in an optimized Flash player on the search engine server. Google has developed an algorithm that explores Flash files in the same way a person would, such as by clicking on buttons and entering input. The algorithm then indexes all the text it encounters through the navigation.
Q: How will the search experience change as a result?
A: The text that people see when they interact with Flash files, such as captions and introductions, will now be used when Google generates a snippet that appears below the URL on the search results page. The words that appear in the Flash files can now be used to match query terms in Google searches. In addition, the URLs that appear in Flash files will be fed into Google's crawling system and be indexed.
Overall, more content will be indexed and search engine result rankings will change to reflect the additional content and its relevance. The snippets will give better information about the page on the search results. You can also expect search engine optimizers to figure out ways to improve rankings of Flash-based Web sites just like they do with HTML-based sites.
Q: Why is this necessary?
A: More than 98 percent of Internet-connected desktops have Flash Player installed, and Flash is hugely popular. Until now, the search engines were able to index some static text and links within SWF files, but much of the content was not getting indexed because of the dynamic nature of the rich media files. All that content that was essentially invisible to the search engines will now appear in the search results. Currently, the small amount of content that does get indexed appears on the search results page as jumbled words and code that are of no use to the Web searcher.
"Now, you are losing all the context of what content was near each other and running at the same time," says Justin Everett-Church, a senior product manager for Adobe Flash Player. He likened the impact to the difference between reading the index of a book and reading the contents of the book.
This screen shot shows what results look like on Google for Flash content that is indexed without optimization with the new Adobe Flash Player Technology. (Credit: Google)
Q: Do Flash developers or Web masters have to do anything differently?
A: No. However, blog site Search Engine Land suggested that Flash developers should still spend time on search engine optimization and create distinct URLs for each piece of content.
Q: Will searchers be able to see more Flash-based content composed only of images and video as a result of this optimization?
A: Not at this time. Only text and hyperlinks will be indexed. However, Everett-Church said "there is no reason why images and video can't be supported in the future. It's up to our search partners if and when they choose to do that, but it is a possibility." A Google representative declined to comment on any future plans.
Q: Any other limitations?
A: Yes. Google doesn't crawl all types of JavaScript, which is used to execute most of the Flash content on the Internet. Google won't specify which types of JavaScript are executed, but said the company was working on executing all types. Adobe's Everett-Church says: "This is our initial implementation... I think there will be some areas to expand on there, as well."
In addition, text in all languages is supported with the Flash optimization, except for bi-directional languages such as Hebrew and Arabic.
Q: When will Web searchers see the impact of these changes?
A: Google has already started rolling out the changes. Yahoo expects to offer improved Web search capabilities for SWF content in a future Yahoo Search update, but could not specify when that might come.
Q: Will this optimization mean Web surfers will see more Flash pages?
A: "This will change the way sites are designed," Everett-Church says. "It will allow more creative ways of interacting with the browser...and sites won't have to sacrifice searchability."
Q: Can Google users disable the optimization if they don't want to see more Flash results?
A: Sort of. Google users can go into Advanced Search Features and put a minus sign in front of "filetype:swf." But this will only eliminate pages that have the SWF extension, not necessarily all pages with Flash embedded in them.
Q: Will Adobe be providing the technology to Microsoft for use on Live Search?
A: An Adobe spokesman said the company couldn't comment on its work with other vendors, but said it is exploring ways to make the technology more broadly available. Microsoft has a competing technology to Flash, called Silverlight. A Microsoft spokesman was attempting to get comment about the company's plans on Tuesday.
More information about the effort is available on Adobe's Web site and through Google's Webmaster Central Blog.
Updated Tuesday at 9:10 a.m. with Google comment.
A few months ago, spam came to Google Calendar. Now phishing has arrived.
Intrepid Google watcher Philipp Lenssen wrote late last week about being the target of a phishing attempt via Google Calendar.
He received an e-mail to his Gmail account with a reference to a legitimate event from his calendar. The sender was listed as "customer care," and it asked him to verify his account by supplying his username and password.
"We are having congestions (sic) due to the anonymous registration of Gmail accounts, so we are shutting down some Gmail accounts, and your account was among those to be deleted. We are sending you this email to so that you can verify and let us know if you still want to use this account," the e-mail said, complete with grammatical and spelling mistakes that can tip people off to phishing attempts.
On May 28, a Google Talk Guide addressed the issue in a Google Groups thread, urging users to click the "Report Phishing" link if they receive suspicious e-mails and not to click on links within the e-mails or open attachments.
Late on Monday, a Google representative e-mailed this statement: "Spam is an issue for all Internet users, and we work very hard to fight it. Using Google Calendar, or any Google product, to send spam is a violation of our product policies. We are actively identifying Calendar accounts that send spam and disabling them."
Google has more information on how to protect against e-mail fraud on its Official Google Blog Web site.
Philipp Lenssen of Google Blogoscoped writes about how phishers targeted him via Google Calendar. This is a screenshot of the e-mail he received. (Credit: Blogoscoped)
The makers of World of Warcraft are offering players of the online role-playing game an optional layer of security in the form of an electronic token device called Blizzard Authenticator designed to prevent unauthorized access to an account.
The lightweight device, which fits on a keyring, provides a unique, one-time six-digit numeric code that the account holder includes when logging in. It is used in addition to a password and account name.
It was offered to attendees at the 2008 Blizzard Entertainment Worldwide invitational in Paris over the weekend and will be available for $6.50 through Blizzard's online store soon, according to the company.
"It's important to us that World of Warcraft offers a safe and enjoyable game environment," Mike Morhaime, CEO and co-founder of Blizzard Entertainment, said in a news release distributed last week. "One aspect of that is helping players avoid account compromise, so we're pleased to make this additional layer of security available to them."
World of Warcraft users have had their share of security issues. Last year, hackers were luring players to Web sites and surreptitiously downloading keylogging software onto their Windows computers through vulnerabilities in Internet Explorer. The software allowed the hackers to hijack the victims' WoW accounts and sell off valuable in-game assets.
WoW players also have been targeted by a password-stealing Trojan sent via e-mail and peer-to-peer file-sharing sites.
It's unclear exactly what prompted the company to release Blizzard Authenticator. A company spokesman said on Monday that representatives were still in Paris where it was late at night and could not immediately be reached for comment.