Archive for the ‘Google’ Category
Tuesday, May 1st, 2012
As the head of a bandwidth assessment group at the IEEE (Institute of Electrical and Electronics Engineers) and past chairman of the IEEE’s task force on 40 Gigabit and 100 Gigabit per second Ethernet, John D’Ambrosia is among the people who will help guide the world toward 400 Gigabit and even Terabit per second speeds. But will our capacity to deliver bandwidth keep up with the human race’s ability to consume it?
“That’s the question that keeps me up at night,” said D’Ambrosia, who is also chairman of the Ethernet Alliance industry group and an engineering executive at Dell. “When we were doing the 100 Gigabit project, people were saying as soon as you get 100 Gigabit done, you need to start working on the next speed. We’re past that knee of the curve and we’re getting into real exponential growth.”
An estimated one-third of the world’s population is online now, a proportion that is sure to grow. More users, more devices that connect to networks, and more data-heavy services to ride over the pipes are causing a “bandwidth explosion,” D’Ambrosia said. The data reviewed by his IEEE committees over the past few years indicates that bandwidth demand is growing faster than our capacity to deliver it.
But plenty of organizations are at work on the next generation of Internet and networking technologies, and they provide reason for optimism. The data explosion may not become a giant bottleneck thanks to continued research of the kind profiled below, which has already led to big advances in undersea cables, software-defined networking, and the research-oriented Internet 2 network.
How much bandwidth do we need?
Some of the best numbers we have on bandwidth usage come from Cisco’s Visual Networking Index, which shows that worldwide IP (Internet protocol) traffic hit 20.2 exabytes per month in 2010, and 242 exabytes per year.
An exabyte is, well, really huge, comprising 1,000 petabytes, while a single petabyte is 1,000 terabytes… and one terabyte is 1,000 gigabytes.
According to Cisco, global IP traffic increased eightfold over the five years leading up to 2010 and will quadruple by 2015, hitting 966 exabytes (nearly one zettabyte) for the full year. That will be the equivalent of all movies ever made crossing IP networks every four minutes.
As more users enter the Internet age, the amount of data gobbled up by the busiest ones increases as well. By 2015, the top one percent of households worldwide are on pace to need one terabyte of data each per month, four times the amount generated by the top one percent in 2010.
Global IP traffic by type, in petabytes per month (Cisco)
Lots of applications are driving this growth, but most notable is video. Video surpassed peer-to-peer file sharing as the largest type of Internet traffic in 2010. It’s expected to account for more than 50 percent of consumer Internet traffic by sometime this year. By 2015, on-demand video traffic will be the equivalent of three billion DVDs per month, and one million minutes’ worth of video will cross global IP networks every second.
It’s not all for consumers, either; videoconferencing is “growing at pretty much the fastest rate from a traffic perspective, more than any other business application,” Thomas Barnett, a service provider marketing manager for Cisco, told Ars.
Of course, traffic to smartphones and tablets is also soaring (with carriers trying to restrict usage with monthly data caps). Cisco has found that mobile Internet devices (including laptops) are on the verge of outnumbering the people of Earth, reaching 10 billion by 2016.
Serving up the necessary bandwidth will be a challenge, of course, but it’s a challenge that tech companies and research groups alike are racing to beat. One of the key technologies in this bandwidth arms race is also one of the oldest: underwater cables.
Submarine cables
With the proliferation of mobile devices, it’s easy to think we’re living in an all-wireless world. But the haphazard jumble of cables in my house proves otherwise, and that’s only the tip of the iceberg when it comes to physical network infrastructure.
“So many people think the Internet is mobile, it’s wireless,” said Alan Mauldin, a research director at telecom market research firm TeleGeography. “Yeah, it’s wireless until it goes to the cell tower or to the WiFi base station. From there it’s all physical. There are cables underground, cables in the ocean, that all link together to give us a global Internet. It’s really just the edges of the network where you’re able to see wireless and mobile technologies.”
Mauldin studies trends in undersea cables, and he has good news about the growth in capacity on this front. While the cables running under the world’s oceans don’t address the issue of bringing Internet capacity to far-flung urban regions, they’re crucial for carrying traffic between countries and continents.
“We focus on undersea cables because that’s the primary way that international communications happen,” Mauldin said. “Satellites haven’t been a real big part of the picture for intercontinental connectivity in quite some time.”
As you can see in the chart below, international bandwidth availability has soared (“used bandwidth” refers to the capacity deployed by providers, rather than bandwidth consumed by end users). From 1.4 terabits per second in 2002, it steadily climbed to 6.7 terabits in 2006 and has now reached 92.1 terabits per second. TeleGeography expects that number to hit 606.6 terabits per second in 2018 and 1,103.3 terabits per second in 2020.
Used international bandwidth (TeleGeography)
The terabits per second shown above represent the total international capacity in IP backbones, private networks, research and educational networks, etc. These numbers show the available capacity for data to travel from one country to another, both through undersea cables connecting nations separated by water and by the terrestrial links between countries with land borders. So links from New York to Washington, DC are not counted, while links from New York to Europe, and from one European country to another, are reflected in the data.
Regional connectivity numbers reveal huge disparities. While Europe in 2011 had 49.8 terabits per second of bandwidth available to flow between countries, and the US and Canada had 20.8 terabits per second, Africa had less than a terabit per second—700 gigabits. (These numbers, you may have noticed, add up to a higher total than the worldwide connectivity—that’s because of some overlap. For example, trans-Atlantic capacity counts toward both the European and US/Canada totals.)
More undersea cables are being built. Consider one $1.5 billion project to reduce latency between London and Tokyo by 60 milliseconds with what’s described as the “first ever trans-Arctic Ocean submarine fiber optic cables.”
Undersea cables connecting the world’s networks (TeleGeography)
Reducing latency is hugely important for certain applications, like those used in high-frequency stock trading. But that particular cable project, actually, isn’t crucial in the grand scheme of providing greater Internet access to more and more people, Mauldin believes.
“It’s not a huge issue, really, I don’t think. Most of the capacity between Asia and Europe now can go across Russia terrestrially anyways, or it can go across the US between those two points,” he said. “And there’s already high-capacity systems that serve and provide capacity between Europe and Asia as it is. There’s no lack of capacity.”
Several companies are looking at stretching cables across the Arctic, and this will benefit remote parts of Alaska and Canada, or even research stations near the North Pole, he said. New submarine cables are being deployed off the west coast of Africa, in the Middle East, South America, and from Singapore to Japan to meet regional demand.
Luckily, the cables under the ocean now don’t all need to be replaced in order to provide huge increases in bandwidth capacity.
Undersea cables are built to last roughly 25 years, yet most don’t stay in service that long because they become economically obsolete by increased speed requirements, Mauldin explains. What’s happening now is the development of so-called “coherent detection” technology, which is widely used in terrestrial networks and is now being applied to submarine cables to improve their speed.
Of course, construction of new cables won’t stop. But cables that were designed to move data at 10 gigabits per second can now be upgraded to 40 gigabits, and perhaps even 100 gigabits, Mauldin said. Equipment has to be replaced on shore to get the speed boost, but crucially the underseas cables themselves can still be used.
“We’re definitely seeing major advances in submarine cable technology that will allow existing cables that have been in service for a decade to have their capacity increased dramatically,” Mauldin said. “That’s one of the biggest changes we’ve seen in the past year or so.”
Software helps define networking
As Mauldin notes, pushing more data to more people isn’t just about having more infrastructure. It’s also about using it smarter. When it comes to using software to improve networking, little is getting more hype these days than OpenFlow, an implementation of software-defined networking. OpenFlow is being used in data centers by Google. It’s also being examined for the Worldwide LHC Computing Grid, the network that moves the massive amount of data produced by particle collisions at the Large Hadron Collider run by CERN, the European Organization for Nuclear Research.
“We’re able to use it at a small scale,” said Phil DeMar, network architect at Fermilab in Illinois. Fermilab is a “Tier 1” site on the LHC network, meaning it’s one of the first 11 research labs in the world to receive CERN data. Data then moves to about 160 Tier 2 sites and on to many Tier 3 sites. OpenFlow makes the movement of scientific data more efficient by dynamically allocating network resources without slowing down the general purpose Internet traffic that ordinary users rely upon, DeMar said.
While OpenFlow helps move data from CERN to the Tier 1 sites, it hasn’t yet scaled across the entire LHC grid, DeMar said. OpenFlow alone won’t be enough to maximize network efficiency, but DeMar says it’s a good start.
“In terms of just getting bandwidth, it’s a question of economics. How much can you afford to do?” DeMar said. Fermilab has two 10Gbps connections to CERN, and another two connecting Fermilab to Tier 2 sites. But it turns out “it’s a bigger challenge to be able to move data at that rate using the layers of software that have to exist than it is to have to provision 10 to 20 or 30 gigabits, whatever you need, underneath it,” he said. “It’s more a challenge of software, and middleware, actually.”
The second Internet
OK, there is no “second Internet,” but there is an “Internet2.” This is a networking consortium composed of hundreds of universities, government agencies, labs, and research and education networks. Internet2 has been building out its network infrastructure since 1998. Now in its fourth iteration, Internet2 boasts “the first transcontinental 100 Gigabit per second network in the world.”
Internet2’s goal is to be roughly one generation ahead of what’s available in commercial Internet networks, said Rob Vietzke, the consortium’s VP of network services.
Vietzke thinks OpenFlow will be critical for the next generation of the Internet because, he says, the technology lets techies program and configure the network in the same way they can program any other piece of hardware. “In every discipline of computer science right now, except for networking, you can program your hardware,” he said.
There are still scientists shipping disk drives across the country for lack of high-speed network access, Vietzke said. In a future where “bandwidth is no longer a restriction or a constraint,” Vietzke hopes to see all kinds of innovations—perhaps entirely new security models, or newfangled visualizations of scientific data drawing from distributed databases.
Keeping up?
The key question, of course, is whether these bandwidth innovations—along with many others—can exceed demand over the next decade.
Andrew Odlyzko started tracking bandwidth in 1997 at AT&T Labs, and continued tracking Internet traffic as a professor at the University of Minnesota, setting up Minnesota Internet Traffic Studies (MINTS).
Odlyzko is wary of making predictions about bandwidth because, he says, “I sort of got burned back in the late ’90s” when he forecast a doubling of traffic every year and growth ended up slowing. Still, he wouldn’t be surprised if Cisco’s projections turn out to be too low—Cisco is predicting 32 percent compound annual growth in total worldwide IP traffic through 2015.
“I’m skeptical because when I look at the growth of computing power and in storage, those are still doubling each year,” Odlyzko said. (Moore’s law predicts a doubling every 18 months to two years.) “I can see potential sources of such traffic.”
But he also sees plenty of unused current capacity, although it’s hard to measure. That’s in part because of “dark fiber,” cables that have been installed but not yet “lit” or activated by a network provider.
Everyone we spoke with had real reasons for optimism about the ability of all these solutions to collectively provide the bandwidth we need. “Networking technology seems to be staying ahead of the requirements,” said Fermilab’s DeMar. “Certainly the networking requirements for large-scale science are increasing, but similarly we’re getting an evolution in network technologies.”
TeleGeography’s Mauldin notes that even current technology should be able to keep up with undersea cable demand for the next few years.
“The same 10 Gigabit technology that was developed a while back has served us well,” Mauldin said. “Just to be clear: the cables in service now, they are nowhere near having their capacity exhausted. It’s not like there’s a shortage happening. It’s just that going to 40 and 100 gigabits is going to be more favorable, it’s going to help meet demand in the future and it will also help to lower costs. That’s the whole key here as to why bandwidth demand is able to keep soaring. The cost of bandwidth on a per-unit basis keeps going down every year.”
And John D’Ambrosia is looking even further down the road. While Gigabit Ethernet is still widely used, 10 Gigabit and faster products are starting to make headway. And even faster 40 and 100 Gigabit Ethernet standards were ratified by the IEEE in June 2010, though D’Ambrosia is already relishing the technical debate that will take place around moving forward to 400 Gigabit Ethernet or even Terabit Ethernet.
“If we look at this from a technology perspective, you will have a lot of people pointing to 400 Gigabit, because there are ways of making a solution that are believed to be in our reach,” he said. “When you start talking about Terabit, it’s not as clean. There are very wide interfaces, both electrically and optically, that for Ethernet links are going to be problematic. I think that’s going to be an industry debate.”
But that’s the sort of debate he enjoys having—and for the last few decades, the engineers who engage in such work have kept ahead of the looming bandwidth monster. Here’s hoping that all their innovations give us another decade of big bandwidth. Now if we could just get more of that core capacity to home and business users at the network’s edge…
Source: arstechnica.com
Tags: Bandwidth, Internet. Posted in: Cloud, Electronics, Google, Hardware, Mobile, Network, Software, Web, Wireless.
Friday, March 30th, 2012
The formal process of speeding up Hypertext Transfer Protocol is under way with proposals from Google, Microsoft, and others. There are differences — but common ground, too.
PARIS – Engineers have begun taking the first big steps in overhauling Hypertext Transfer Protocol, a seminal standard at the most foundational level of the Web.
At a meeting of the Internet Engineering Task Force (IETF) here yesterday, the working group overseeing HTTP formally opened a discussion about how to make the technology faster. That discussion included presentations about four specific proposals for HTTP 2.0, including SPDY, developed at Google and already used in the real world, and HTTP Speed+Mobility, developed at Microsoft and revealed Wednesday.
There are some differences in the HTTP 2.0 proposals that have emerged so far — for example, Google’s preference for required encryption contrasting with Microsoft’s preference for it to be optional — and there’s another two-and-a-half months for people to submit new proposals. But notably, there also are similarities, in particular Microsoft’s support for some SPDY features.
“There’s a lot of overlap,” said Greenbytes consultant Julian Reschke, who attended the meeting and is involved in Web standards matters. “There’s a lot of agreement about what needs to be fixed.”
SPDY has a big head start in the market. It’s built into two browsers, Google Chrome and Amazon Silk, with Firefox adopting it in coming weeks. On the other side of the Internet connection, Google, Amazon, and Twitter are among those using SPDY on their servers. And Google has hard data showing the technology’s speed benefits.
Mark Nottingham, chairman of the HTTP Working Group, acknowledged SPDY’s position with a presentation slide titled “Elephant, meet Room.” But he was careful to note that SPDY hasn’t carried the day.
“We’ll discuss SPDY because it’s here, but other proposals will be discussed too,” Nottingham said in his presentation, and added, “If we do choose SPDY as a starting point, that doesn’t mean it won’t change.”
Why change HTTP?
Rebuilding standards that touch every device on the Web is complicated, but there’s one simple word at the heart of the work: speed.
Web pages that respond faster are of course nice for anybody using the Web, but there are business reasons that matter, too. Better performance turns out to lead to more time spent on pages, more e-commerce transactions, more searches, more participation.
HTTP was the product of Tim Berners-Lee and fellow developers of the earliest incarnation of the World Wide Web more than 20 years ago. Its job is simple: a browser uses HTTP to request a Web page, and a Web server answers that request by transmitting the data to the browser. That data consists of the actual Web page, constructed using technologies such as HTML (Hypertext Markup Language) for describing the page, CSS (Cascading Style Sheets) for formatting and some visual effects, and the JavaScript programming language.
Web developers can do a lot to improve performance by carefully optimizing their Web page code. But improving HTTP itself gives a free speed boost to everybody on top of that.
It’s no coincidence, therefore, that the first item on the HTTP working group’s new charter is “improved perceived performance.”
SPDY’s technologies for faster HTTP include “multiplexing,” in which multiple streams of data can be sent over a single network connection; the ability to assign high or low priorities to Web page resources being requested from a server; and compression of “header” information that accompanies communications for resource requests and responses.
New proposals
Gabriel Montenegro, who presented and helped develop Microsoft’s proposal, pointed out in an interview that two of his proposal’s four points adopted SPDY’s approach.
Added SPDY co-creator Mike Belshe, “The Microsoft and Google proposals are almost the same.” Belshe helped develop SPDY at Google but now works at the startup Twist, where he continues to work on the technology for mobile apps.
One difference between the Google and Microsoft proposals is in syntax, but, Belshe said, SPDY developers are flexible on that point and the choice of compression technology.
A bigger difference is that SPDY calls for encrypted connections all the way from a Web server to the browser it’s communicating with. Microsoft believes otherwise. According to its proposal:
Encryption must be optional to allow HTTP 2.0 to meet certain scenarios and regulations. HTTP 2.0 is a universal replacement for HTTP 1.X, and there are some instances in which imposing TLS is not required (or allowed). For example, a “random thought of the day” Web service has very little need for it, nor does a sensor spewing out a temperature reading every few seconds.
Belshe, though, said users care about encryption, and the fact that modern mobile phones can handle encryption means that it’s feasible for other devices to use it, too. And although an encrypted channel all the way from a browser to a Web server can damage the businesses of content delivery networks, which cache data on intermediate servers to speed up Web performance, the user should come first, he said.
“Users care about privacy and security more than whether some guy can cache something in the middle,” Belshe said. “Security is not free, but we can make it so it’s free to users.”
A third proposal, called Network-Friendly HTTP Upgrade and presented by Willy Tarreau, is designed with those intermediate network devices in mind. But that proposal, too, calls for network connection multiplexing.
It’s possible the group could implement the elements where there is agreement and leave other areas aside, Reschke said. “Deploying new HTTP is expensive, but incremental improvements are better than no improvements.”
And improvements will come, he expects.
“We want to standardize this,” Reschke said. “It’s time. It needs to happen.”
Source: CNET
Tags: HTTP 2.0, HTTP Speed+Mobility, SPDY. Posted in: Google, Microsoft, Web.
Tuesday, March 27th, 2012
Google Web Toolkit, Apache Xerces among most downloaded vulnerable libraries, study says
A study of how 31 popular open-source code libraries were downloaded over the past 12 months found that more than a third of the 1,261 versions of these libraries had a known vulnerability and about a quarter of the downloads were tainted.
The study was undertaken by Aspect Security, which evaluates software for vulnerabilities, with Sonatype, a firm that provides a Central Repository housing more than 300,000 libraries for downloading open-source components and gets 4 billion requests per year.
“Increasingly over the past few years, applications are being constructed out of libraries,” says Jeff Williams, CEO of Aspect Security, referring to “The Unfortunate Reality of Insecure Libraries” study. Open-source communities have done little to provide a clear way to spotlight code found to have vulnerabilities or identify how to remedy it when a fix is even made available, he says.
“There’s no notification infrastructure at all,” says Williams. “We want to shed light on this problem.”
He adds that Aspect and Sonatype are mulling how it might be possible to improve the situation overall.
According to the study, researchers at Aspect analyzed 113 million software downloads made over 12 months from the Central Repository of 31 popular Java frameworks and security libraries (Aspect says one basis for the selection of libraries were those being used by its customers). Researchers found:
- 19.8 million (26%) of the library downloads have known vulnerabilities.
- The most downloaded vulnerable libraries were Google Web Toolkit (GWT); Apache Xerces; Spring MVC; and Struts 1.x. (The other libraries examined were: Apache CXF; Hibernate; Java Servlet; Log4j; Apache Velocity; Spring Security; Apache Axis; BouncyCastle; Apache Commons; Tiles; Struts2; Wicket; Java Server Pages; Lift; Hibernate Validator; Java Server Faces; Tapestry; Apache Santuario; JAX-WS; Grails; Jasypt; Apache Shiro; Stripes; AntiSamy; ESAPI; HDIV and JBoss Seam.)
Security libraries are slightly more likely to have a known vulnerability than frameworks, the study says. “Today’s applications commonly use 30 or more libraries, which can compromise up to 80% of the code in an application,” according to the study.
The types of vulnerabilities found in open source code libraries vary widely.
“While some vulnerabilities allow the complete takeover of the host using them, others might result in data loss or corruption, and still others might provide a bit of useful information to attackers,” the study says. “In most cases, the impact of a vulnerability depends greatly on how the library is used by the application.”
The study noted some known well-publicized vulnerabilities.
- Spring, the popular application development framework for Java, was downloaded more than 18 million times by over 43,000 organizations in the last year. However, a discovery last year revealed a new class of vulnerabilities in Spring’s use of Expression Language that could be exploited through HTTP parameter submissions, allowing attackers to obtain sensitive system data as well as application and user cookies.
- In 2010, Google’s research team discovered a weakness in Struts2 that allowed attackers to execute arbitrary code on any Struts2 Web application.
- In Apache CXF, a framework for Web services that was downloaded 4.2 million times by more than 16,000 organizations in the last 12 months, two major vulnerabilities have been discovered since 2010 (CVE-2010-2076 and CVE-2012-0803) that allowed attackers to trick any service using CXF into downloading arbitrary system files and bypassing authentication.
Discoveries of vulnerabilities are made by researchers, who disclose them as they choose; some disclosures are coordinated, while “others simply write blog posts or emails in mailing lists,” the study notes. “Currently, developers have no way to know that the library versions they are using have known vulnerabilities. They would have to monitor dozens of mailing lists, blogs, and forums to stay abreast of information. Further, development teams are unlikely to find their own vulnerabilities, as it requires extensive security experience and automated tools are largely ineffective at analyzing libraries.”
Although some open source groups, such as OpenBSD, are “quite good” in how they manage vulnerability disclosures, says Williams, the vast majority handle these kinds of security issues in haphazard fashion and with uncertain disclosure methods. Organizations should strengthen their security processes and OpenBSD can be considered an encouraging model in that respect, the study says.
Williams adds that use of open source libraries also raises the question of “dependency management.” This is the security process that developers would use to identify what libraries their project really directly depends on. Often, developers end up using code that goes beyond the functionality that’s really needed, pulling in libraries that may in turn depend on other libraries. This sweeps in a lot of out-of-date code that brings risk without adding value, and swells the application in size. “Find out what libraries you’re using and which are out of date,” says Williams. “We suggest minimizing the use of libraries.”
The report points out, “While organizations typically have strong patch management processes for software products, open source libraries are typically not part of these processes. In virtually all development organizations, updates to libraries are handled on an ad hoc basis, by development teams.”
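The dependency audit Williams describes, as an added Python example (not code from Aspect Security, Sonatype or the study): it parses a constructed pom.xml, compares each declared version against a small advisory table, and reports versions it cannot resolve rather than guessing. The CVE ids are the two the article names for Apache CXF; the version bounds, the POM contents and the artifact names are constructed placeholders.

```python
"""Flag declared Maven dependencies whose version falls in a known-vulnerable range.

Added illustration, not code from Aspect Security or Sonatype. The CVE ids are
the two the article names for Apache CXF; the affected version bounds below are
PLACEHOLDERS chosen for the demo, not real advisory data.
"""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed pom.xml for a hypothetical project: four dependencies, one of which
# uses an unresolved Maven property for its version (a common real-world wrinkle).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-rt-frontend-jaxws</artifactId>
      <version>2.2.0</version>
    </dependency>
    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-rt-ws-security</artifactId>
      <version>2.5.99</version>
    </dependency>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# (groupId, artifactId prefix, first vulnerable, first fixed, advisory id).
# Version bounds are placeholders; a real tool would load them from an advisory feed.
ADVISORIES = [
    ("org.apache.cxf", "cxf-", "0.0.0", "2.3.0", "CVE-2010-2076"),
    ("org.apache.cxf", "cxf-", "0.0.0", "2.6.0", "CVE-2012-0803"),
]


def parse_version(text):
    """'2.5.1' -> (2, 5, 1). Only the leading digits of each component count, so
    '1-SNAPSHOT' becomes 1; missing components are padded with 0 so that tuple
    comparison is always defined."""
    parts = []
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def declared_dependencies(pom_xml):
    """Return [(groupId, artifactId, version)] for every <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.iter(MAVEN_NS + "dependency"):
        group = dep.findtext(MAVEN_NS + "groupId")
        artifact = dep.findtext(MAVEN_NS + "artifactId")
        version = dep.findtext(MAVEN_NS + "version")
        if group and artifact and version:
            deps.append((group, artifact, version))
    return deps


def audit(deps, advisories=ADVISORIES):
    """Return {'hits': [(group, artifact, version, advisory)], 'unresolved': [...]}.

    A version written as a Maven property (${...}) cannot be compared without
    resolving the POM hierarchy, so it is reported rather than silently skipped
    (or, worse, parsed as 0.0.0 and wrongly matched against every range)."""
    hits, unresolved = [], []
    for group, artifact, version in deps:
        if version.startswith("${"):
            unresolved.append((group, artifact, version))
            continue
        v = parse_version(version)
        for adv_group, prefix, first_vuln, first_fixed, adv_id in advisories:
            if group != adv_group or not artifact.startswith(prefix):
                continue
            if parse_version(first_vuln) <= v < parse_version(first_fixed):
                hits.append((group, artifact, version, adv_id))
    return {"hits": hits, "unresolved": unresolved}


if __name__ == "__main__":
    result = audit(declared_dependencies(SAMPLE_POM))
    for group, artifact, version, adv_id in result["hits"]:
        print("VULNERABLE %s:%s:%s -> %s" % (group, artifact, version, adv_id))
    for group, artifact, version in result["unresolved"]:
        print("UNRESOLVED %s:%s version %s (resolve the property first)" % (group, artifact, version))
```

Transitive dependencies are not in the POM at all, so a production check runs over the resolved dependency tree rather than the declared list alone.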
Source: networkworld.com
Tags: Code libraries. Posted in: Apps, Google, Programming, Software.
Tuesday, January 3rd, 2012
These cutting-edge programming languages provide unique insights on the future of software development
Do we really need another programming language? There is certainly no shortage of choices already. Between imperative languages, functional languages, object-oriented languages, dynamic languages, compiled languages, interpreted languages, and scripting languages, no developer could ever learn all of the options available today.
And yet, new languages emerge with surprising frequency. Some are designed by students or hobbyists as personal projects. Others are the products of large IT vendors. Even small and midsize companies are getting in on the action, creating languages to serve the needs of their industries. Why do people keep reinventing the wheel?
The answer is that, as powerful and versatile as the current crop of languages may be, no single syntax is ideally suited for every purpose. What’s more, programming itself is constantly evolving. The rise of multicore CPUs, cloud computing, mobility, and distributed architectures have created new challenges for developers. Adding support for the latest features, paradigms, and patterns to existing languages — especially popular ones — can be prohibitively difficult. Sometimes the best answer is to start from scratch.
Here, then, is a look at 10 cutting-edge programming languages, each of which approaches the art of software development from a fresh perspective, tackling a specific problem or a unique shortcoming of today’s more popular languages. Some are mature projects, while others are in the early stages of development. Some are likely to remain obscure, but any one of them could become the breakthrough tool that changes programming for years to come — at least, until the next batch of new languages arrives.
Experimental programming language No. 1: Dart
JavaScript is fine for adding basic interactivity to Web pages, but when your Web applications swell to thousands of lines of code, its weaknesses quickly become apparent. That’s why Google created Dart, a language it hopes will become the new vernacular of Web programming.
Like JavaScript, Dart uses C-like syntax and keywords. One significant difference, however, is that while JavaScript is a prototype-based language, objects in Dart are defined using classes and interfaces, as in C++ or Java. Dart also allows programmers to optionally declare variables with static types. The idea is that Dart should be as familiar, dynamic, and fluid as JavaScript, yet allow developers to write code that is faster, easier to maintain, and less susceptible to subtle bugs.
You can’t do much with Dart today. It’s designed to run on either the client or the server (a la Node.js), but the only way to run client-side Dart code so far is to cross-compile it to JavaScript. Even then it doesn’t work with every browser. But because Dart is released under a BSD-style open source license, any vendor that buys Google’s vision is free to build the language into its products. Google only has an entire industry to convince.
Experimental programming language No. 2: Ceylon
Gavin King denies that Ceylon, the language he’s developing at Red Hat, is meant to be a “Java killer.” King is best known as the creator of the Hibernate object-relational mapping framework for Java. He likes Java, but he thinks it leaves lots of room for improvement.
Among King’s gripes are Java’s verbose syntax, its lack of first-class and higher-order functions, and its poor support for meta-programming. In particular, he’s frustrated with the absence of a declarative syntax for structured data definition, which he says leaves Java “joined at the hip to XML.” Ceylon aims to solve all these problems.
King and his team don’t plan to reinvent the wheel completely. There will be no Ceylon virtual machine; the Ceylon compiler will output Java bytecode that runs on the JVM. But Ceylon will be more than just a compiler, too. A big goal of the project is to create a new Ceylon SDK to replace the Java SDK, which King says is bloated and clumsy, and it’s never been “properly modernized.”
That’s a tall order, and Red Hat has released no Ceylon tools yet. King says to expect a compiler this year. Just don’t expect software written in “100 percent pure Ceylon” any time soon.
Experimental programming language No. 3: Go
Interpreters, virtual machines, and managed code are all the rage these days. Do we really need another old-fashioned language that compiles to native binaries? A team of Google engineers — led by Robert Griesemer and Bell Labs legends Ken Thompson and Rob Pike — says yes.
Go is a general-purpose programming language suitable for everything from application development to systems programming. In that sense, it’s more like C or C++ than Java or C#. But like the latter languages, Go includes modern features such as garbage collection, runtime reflection, and support for concurrency.
Equally important, Go is meant to be easy to program in. Its basic syntax is C-like, but it eliminates redundant syntax and boilerplate while streamlining operations such as object definition. The Go team’s goal was to create a language that’s as pleasant to code in as a dynamic scripting language yet offers the power of a compiled language.
Go is still a work in progress, and the language specification may change. That said, you can start working with it today. Google has made tools and compilers available along with copious documentation; for example, the Effective Go tutorial is a good place to learn how Go differs from earlier languages.
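The goroutine-and-channel concurrency that the paragraphs above refer to, in an added example that is not from Google’s Go documentation (the names and the SHA-256 workload are my choice): a fixed pool of goroutines digests a set of constructed inputs and returns the results keyed by name, the kind of loop an integrity checker runs over a directory of files. There is no thread API to import; `go`, `chan` and `select`-free channel ranging are part of the language, and the garbage collector reclaims everything when the pool drains.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sync"
)

// result is what a worker hands back over the results channel.
type result struct {
	name string
	sum  string
}

// hashAll digests every input on a fixed pool of worker goroutines and returns
// name -> hex SHA-256. Completion order does not matter because results are
// keyed, not positional.
func hashAll(inputs map[string][]byte, workers int) map[string]string {
	type job struct {
		name string
		data []byte
	}
	jobs := make(chan job)
	results := make(chan result)
	var wg sync.WaitGroup

	// Workers: each ranges over the jobs channel until it is closed.
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for j := range jobs {
				s := sha256.Sum256(j.data)
				results <- result{j.name, hex.EncodeToString(s[:])}
			}
		}()
	}
	// Producer: feed the jobs, then close so the workers' loops end.
	go func() {
		for name, data := range inputs {
			jobs <- job{name, data}
		}
		close(jobs)
	}()
	// Closer: once every worker has exited, nobody will send again.
	go func() {
		wg.Wait()
		close(results)
	}()

	out := make(map[string]string, len(inputs))
	for r := range results {
		out[r.name] = r.sum
	}
	return out
}

func main() {
	// Constructed sample inputs.
	in := map[string][]byte{"empty": {}, "abc": []byte("abc")}
	for name, sum := range hashAll(in, 4) {
		fmt.Printf("%-6s %s\n", name, sum)
	}
}
```

The three goroutine roles (workers, producer, closer) are the usual way to avoid both a deadlock and a send on a closed channel: only the closer, which waits on the WaitGroup, may close `results`.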
Experimental programming language No. 4: F#
Functional programming has long been popular with computer scientists and academia, but functional languages like Lisp and Haskell are often considered unworkable for real-world software development. One common complaint is that functional-style code can be difficult to integrate with code and libraries written in imperative languages like C++ and Java.
Enter F# (pronounced “F-sharp”), a Microsoft language designed to be both functional and practical. Because F# is a first-class language on the .Net Common Language Runtime (CLR), it can access all of the same libraries and features as other CLR languages, such as C# and Visual Basic.
F# code resembles OCaml somewhat, but it adds interesting syntax of its own. For example, numeric data types in F# can be assigned units of measure to aid scientific computation. F# also offers constructs to aid asynchronous I/O, CPU parallelization, and off-loading processing to the GPU.
After a long gestation period at Microsoft Research, F# now ships with Visual Studio 2010. Better still, in an unusual move, Microsoft has made the F# compiler and core library available under the Apache open source license; you can start working with it for free and even use it on Mac and Linux systems (via the Mono runtime).
Experimental programming language No. 5: Opa
Web development is too complicated. Even the simplest Web app requires countless lines of code in multiple languages: HTML and JavaScript on the client, Java or PHP on the server, SQL in the database, and so on.
Opa doesn’t replace any of these languages individually. Rather, it seeks to eliminate them all at once, by proposing an entirely new paradigm for Web programming. In an Opa application, the client-side UI, server-side logic, and database I/O are all implemented in a single language, Opa.
Opa accomplishes this through a combination of client- and server-side frameworks. The Opa compiler decides whether a given routine should run on the client, server, or both, and it outputs code accordingly. For client-side routines, it translates Opa into the appropriate JavaScript code, including AJAX calls.
Naturally, a system this integrated requires some back-end magic. Opa’s runtime environment bundles its own Web server and database management system, which can’t be replaced with stand-alone alternatives. That may be a small price to pay, however, for the ability to prototype sophisticated, data-driven Web applications in just a few dozen lines of code. Opa is open source and available now for 64-bit Linux and Mac OS X platforms, with further ports in the works.
Experimental programming language No. 6: Fantom
Should you develop your applications for Java or .Net? If you code in Fantom, you can take your pick and even switch platforms midstream. That’s because Fantom is designed from the ground up for cross-platform portability. The Fantom project includes not just a compiler that can output bytecode for either the JVM or the .Net CLI, but also a set of APIs that abstract away the Java and .Net APIs, creating an additional portability layer.
There are plans to extend Fantom’s portability even further. A Fantom-to-JavaScript compiler is already available, and future targets might include the LLVM compiler project, the Parrot VM, and Objective-C for iOS.
But portability is not Fantom’s sole raison d’être. While it remains inherently C-like, it is also meant to improve on the languages that inspired it. It tries to strike a middle ground in some of the more contentious syntax debates, such as static versus dynamic typing, or interfaces versus classes. It adds easy syntax for declaring data structures and serializing objects. And it includes support for functional programming and concurrency built into the language.
Fantom is open source under the Academic Free License 3.0 and is available for Windows and Unix-like platforms (including Mac OS X).
Experimental programming language No. 7: Zimbu
Most programming languages borrow features and syntax from an earlier language. Zimbu takes bits and pieces from almost all of them. The brainchild of Bram Moolenaar, creator of the Vim text editor, Zimbu aims to be a fast, concise, portable, and easy-to-read language that can be used to code anything from a GUI application to an OS kernel.
Owing to its mongrel nature, Zimbu’s syntax is unique and idiosyncratic, yet feature-rich. It uses C-like expressions and operators, but its own keywords, data types, and block structures. It supports memory management, threads, and pipes.
Portability is a key concern. Although Zimbu is a compiled language, the Zimbu compiler outputs ANSI C code, so binaries can be built on any platform that has a native C compiler.
Unfortunately, the Zimbu project is in its infancy. The compiler can build itself and some example programs, but not all valid Zimbu code will compile and run properly. Not all proposed features are implemented yet, and some are implemented in clumsy ways. The language specification is also expected to change over time, adding keywords, types, and syntax as necessary. Thus, documentation is spotty, too. Still, if you would like to experiment, preliminary tools are available under the Apache license.
Experimental programming language No. 8: X10
Parallel processing was once a specialized niche of software development, but with the rise of multicore CPUs and distributed computing, parallelism is going mainstream. Unfortunately, today’s programming languages aren’t keeping pace with the trend. That’s why IBM Research is developing X10, a language designed specifically for modern parallel architectures, with the goal of increasing developer productivity “times 10.”
X10 handles concurrency using the partitioned global address space (PGAS) programming model. Code and data are separated into units and distributed across one or more “places,” making it easy to scale a program from a single-threaded prototype (a single place) to multiple threads running on one or more multicore processors (multiple places) in a high-performance cluster.
X10 code most resembles Java; in fact, the X10 runtime is available as a native executable and as class files for the JVM. The X10 compiler can output C++ or Java source code. Direct interoperability with Java is a future goal of the project.
For now, the language is evolving, yet fairly mature. The compiler and runtime are available for various platforms, including Linux, Mac OS X, and Windows. Additional tools include an Eclipse-based IDE and a debugger, all distributed under the Eclipse Public License.
Experimental programming language No. 9: haXe
Lots of languages can be used to write portable code. C compilers are available for virtually every CPU architecture, and Java bytecode will run wherever there’s a JVM. But haXe (pronounced “hex”) is more than just portable. It’s a multiplatform language that can target diverse operating environments, ranging from native binaries to interpreters and virtual machines.
Developers can write programs in haXe, then compile them into object code, JavaScript, PHP, Flash/ActionScript, or NekoVM bytecode today; additional modules for outputting C# and Java are in the works. Complementing the core language is the haXe standard library, which functions identically on every target, plus target-specific libraries to expose the unique features of each platform.
The haXe syntax is C-like, with a rich feature set. Its chief advantage is that it negates problems inherent in each of the platforms it targets. For example, haXe has static typing where JavaScript does not; it adds generics and type inference to ActionScript; and it obviates the poorly designed, haphazard syntax of PHP entirely.
Although still under development, haXe is used commercially by its creator, the gaming studio Motion Twin, so it’s no toy. It’s available for Linux, Mac OS X, and Windows under a combination of open source licenses.
Experimental programming language No. 10: Chapel
In the world of high-performance computing, few names loom larger than Cray. It should come as no surprise, then, that Chapel, Cray’s first original programming language, was designed with supercomputing and clustering in mind.
Chapel is part of Cray’s Cascade Program, an ambitious high-performance computing initiative funded in part by the U.S. Defense Advanced Research Projects Agency (DARPA). Among its goals are abstracting parallel algorithms from the underlying hardware, improving their performance across architectures, and making parallel programs more portable.
Chapel’s syntax draws from numerous sources. In addition to the usual suspects (C, C++, Java), it borrows concepts from scientific programming languages such as Fortran and Matlab. Its parallel-processing features are influenced by ZPL and High-Performance Fortran, as well as earlier Cray projects.
One of Chapel’s more compelling features is its support for “multi-resolution programming,” which allows developers to prototype applications with highly abstract code and fill in details as the implementation becomes more fully defined.
Work on Chapel is ongoing. At present, it can run on Cray supercomputers and various high-performance clusters, but it’s portable to most Unix-style systems (including Mac OS X and Windows with Cygwin). The source code is available under a BSD-style open source license.
Source: infoworld.com
Tags: Code Posted in Apps, Database, Google, Microsoft, Programming, Software
Tuesday, October 4th, 2011
Watch out for whaling, smartphone worms, social media scams, not to mention attacks targeting your car and house
Personal information belonging to a full third of Massachusetts residents has been compromised in one way or another, according to the state’s attorney general, citing statistics gleaned from a tough new data breach reporting law.
RSA recently announced that the security of its two-factor SecurID tokens could be at risk following a sophisticated cyber-attack on the company. And Sony suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts. The cost to Sony and credit card issuers could hit $2 billion.
Of course, that’s just a sampling of recent breaches, and if you think it’s bad now, just wait. It’s only going to get worse as more information gets dumped online by mischievous hacker groups like Anonymous, and as for-profit hackers widen their horizons to include smartphones and social media.
For example, in August AntiSec (a collaboration between Anonymous and the disbanded LulzSec group) released more than 10GB of information from 70 U.S. law enforcement agencies.
According to Todd Feinman, CEO of DLP vendor Identity Finder, AntiSec wasn’t motivated by money.
“Apparently, they don’t like how various law enforcement agencies operate and they’re trying to embarrass and discredit them,” he said.
But, he adds, what they don’t realize is that when they publish sensitive personal information, they are helping low-skilled cyber-criminals commit identity theft. Every week, another university, government agency or business has records breached. Feinman estimates that 250,000 to 500,000 records are breached each year. Few details from those breaches are published on the Internet for everyone to see, however.
While certain high-profile attacks, like the one on Sony, may be intended to embarrass and spark change, the U.S. law enforcement breach could represent a shift in hacker thinking. AntiSec’s motivations appear to have a key difference, with the attackers consciously considering collateral damage a strategic weapon.
“In one online post, AntiSec came right out and said ‘we don’t care about collateral damage. It will happen and so be it,’” Feinman says.
Social networking
Experts say the future of malware isn’t so much about how malware itself will be engineered as about how potential victims will be targeted. And collateral damage won’t be limited to innocents compromised through no fault of their own.
Have you ever accepted a friend invite on Facebook or connected to someone on LinkedIn you didn’t know? Maybe, you thought this was someone from high school you had forgotten about or a former business partner whose name had slipped your mind. Not wanting to seem like an arrogant jerk, you accept this friend and quickly forget about it.
“When people make trust decisions with social networks, they don’t always understand the ramifications. Today, you are far more knowable by someone who doesn’t know you than ever before in the past,” says Dr. Hugh Thompson, program chair of RSA Conferences.
We all know people who discuss every single thing they do on social networks and blogs – from their breakfast choices to their ingrown toenails. While most of us simply consider these people nuisances, cyber-criminals love them.
“Password reset questions are so easy to guess now, and tools like Ancestry.com, while not created for this purpose, provide hackers with a war chest of useful information,” Thompson says.
Thompson believes there are two areas the IT security industry desperately needs to innovate around: 1) security for social media, along with ways to manage the information shared about you on social networks and 2) better methods for measuring evolving risks in a more concrete way.
Thar she blows
Chris Larsen, head of Blue Coat Systems’ research lab, says the most common social engineering attack its lab catches is one peddling fake security products. He also explained that social networks aren’t just being used to target individuals.
Larsen outlined a recent attack attempt where the bad guys targeted executives of a major corporation through their spouses. The logic was that at least one executive would have a poorly secured PC at home shared with a non-tech savvy spouse, which would then provide the backdoor needed to compromise the executive and gain access into the target company.
“Whaling is definitely on the rise,” says Paul Wood, senior intelligence analyst for Symantec.cloud. “Just a couple years ago, we saw one or two of these sorts of attacks per day. Today, we catch as many as 80 daily.”
According to Wood, social engineering is by far the most potent weapon in the cyber-criminal’s toolbox (automated, widely available malware and hacking toolkits are No.2). Combine that with the fact that many senior executives circumvent IT security because they want the latest and trendiest devices, and cyber-crooks have many valuable, easy-to-hit targets in their sights.
Fortune 500 companies aren’t the only ripe targets. “Attacks on SMBs are increasing dramatically because they are usually the weakest link in a larger supply chain,” Wood says.
Today, there’s no sure way to defend against this. Until Fortune 500 companies start scrutinizing the cyber-security of their partners and suppliers, they can’t say with any certainty whether or not they themselves are secure. While it’s common for, say, General Electric to run parts suppliers through the wringer with factory visits that result in the implementation of an array of best practices, companies aren’t doing this when it comes to cyber-security.
Watch your e-wallet
While smartphone threats are clearly on the rise, we’ve yet to see a major incident. Part of the reason is platform fragmentation. Malware creators still get more bang for their buck by targeting Windows PCs or websites.
Larsen of Blue Coat believes that platform-agnostic, web-based worms represent the new frontier of malware. Platform-agnostic malware lets legitimate developers do some of the heavy lifting for malware writers. As developers re-engineer websites and apps to work on a variety of devices, hackers can then target the commonalities, such as HTML, XML, JPEGs, etc., that render on any device, anywhere.
Smartphones are also poised to become e-wallets, and if there’s one trait you can count on in cyber-criminals, it’s that they’re eager to follow the money.
“The forthcoming ubiquity of near-field communication payment technology in smartphones is especially worrisome,” says Marc Maiffret, CTO of eEye Digital Security. Europe and Asia are already deep into the shift to m-commerce, but the U.S. isn’t far behind. “Once the U.S. adopts mobile payments in significant numbers, more hackers will focus on these targets,” he adds.
Over time, smartphones might replace other forms of identification. Your driver’s license and passport could be on your phone instead of in your pocket. In the business world, this shift is already occurring.
Mobile phones are serving as a second identity factor for all sorts of corporate authentication schemes. Businesses that used to rely on hard tokens, such as RSA SecurID, are moving to soft tokens, which can reside on mobile phones roaming beyond the corporation as easily as on PCs ensconced within corporate walls.
“Two-factor authentication originally emerged because people couldn’t trust computers. Using mobile phones as an identity factor defeats two-factor authentication,” Maiffret says.
For consumers, mobile payments aren’t necessarily all that troubling, especially if m-commerce is tied to credit card accounts and surrounded with the same consumer protections. Banks have been aggressively pushing consumers towards e-banking for years. Obviously, even with the risks involved, e-banking generates better ROI than traditional banking. Otherwise, they wouldn’t do it.
Moreover, m-commerce should have all of the behind-the-scenes security benefits wrapped around it, such as advanced fraud detection. You can’t say that for cash.
Today, Android is the big smartphone target, but don’t be surprised if attackers turn their attention to the iPhone, especially if third-party antivirus programs become more or less standard on Androids. iPhone demographics are appealing to attackers, and when you talk to security pros, they’ll tell you that Apple products are notoriously insecure.
Apple is extremely reluctant to provide third-party security entities with the kind of platform access they need to improve the security of iPhones, iPads, MacBook Airs, etc. “Apple is very much on its own with security,” Maiffret says. “It almost mirrors late-’90s Microsoft, and it’ll probably take a major incident or two to incite change.”
If we’ve learned anything about digital security in the last 20 years, it’s that another major incident is always looming just over the horizon. And then there are the new threats to cars and homes.
During the Black Hat and Defcon conferences in early August, researchers demonstrated a number of disturbing attack scenarios. One particularly scary hack showcased the possibility of hijacking a car. Hackers could disable the alarm, unlock its doors and remotely start it through text messages sent over cell phone links to wireless devices in the vehicle.
Other at-risk embedded devices include airbags, radios, power seats, anti-lock braking systems, electronic stability controls, autonomous cruise controls and communication systems. Another type of attack could compromise a driver’s privacy by tracking RFID tags used to monitor tire pressure via powerful long-distance readers.
“As more and more functions get embedded in the digital technology of automobiles, the threat of attack and malicious manipulation increases,” says Stuart McClure, senior vice president and general manager, McAfee. “Many examples of research-based hacks show the potential threats and depth of compromise that expose the consumer. It’s one thing to have your email or laptop compromised but having your car hacked could translate to dire risks to your personal safety.”
Of course, cars represent just one example of hackable embedded systems. With the number of IP-connected devices climbing to anywhere from 50 billion to a trillion in the next five to 10 years, according to the likes of IBM, Ericsson and Cisco, tomorrow’s hackers could target anything from home alarm systems to air traffic control systems to flood control in dams.
Source: networkworld.com
Tags: malware Posted in Anti-Virus, Google, Mac, Microsoft, Mobile, Network, Security, Software, Web
Tuesday, October 4th, 2011
Google has released a new version of Chrome after Microsoft’s antivirus software flagged the browser as malware and removed it from about 3,000 people’s computers on Friday.
Microsoft apologized for the problem and updated its virus definition file to correct the false-positive problem, according to a post from Ryan Naraine at ZDNet.
But not before the damage was done. Even though the problem directly affected only a relatively tiny fraction of Chrome users, Google decided to spin up and distribute updated beta and stable versions of Chrome.
“Earlier today, we learned that the Microsoft Security Essentials tool began falsely identifying Google Chrome as a piece of malware (“PWS:Win32/Zbot”) and removing it from people’s computers,” said Mark Larson, Chrome engineering manager, in a blog post Friday. “We are releasing an update that will automatically repair Chrome for affected users over the course of the next 24 hours.”
Win32/Zbot is a Trojan horse that lets an attacker steal passwords and gain access to a victim’s computer–not the sort of product anyone would want associated with their Web browser.
Microsoft had this statement about the mistake:
Information about incorrect detection of Google Chrome as PWS:Win32/Zbot
On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified and as a result, Google Chrome was inadvertently blocked and in some cases removed. Within a few hours, Microsoft released an update that addresses the issue. Signature versions 1.113.672.0 and higher include this update. Affected customers should manually update Microsoft Security Essentials with the latest signatures. After updating the definitions, reinstall Google Chrome. We apologize for the inconvenience this may have caused our customers.
To get the latest definitions, simply launch Microsoft Security Essentials, go to the update tab and click the Update button. The definitions can be updated manually by visiting the following Microsoft Knowledge Base article:
http://support.microsoft.com/kb/971606
PWS:Win32/Zbot is a password-stealing trojan that monitors for visits to certain websites. It allows limited backdoor access and control and may terminate certain security-related processes.
Google also provided detailed instructions on how to update the Microsoft Security Essentials virus definition file and to reinstall Chrome. It’s good that both companies worked to tidy this problem up swiftly, but perhaps Microsoft should have included Google, not just its customers, in its apology.
Source: CNET
Tags: Chrome, Microsoft Security Essentials Posted in Anti-Virus, Google, Microsoft, Security, Software, Web
Friday, September 30th, 2011
Browser makers are devising ways to protect people from a security protocol weakness that could let an attacker eavesdrop on or hijack protected Internet sessions. Potential solutions include a Mozilla option to disable Java in Firefox.
The problem–considered theoretical until a demonstration by researchers Juliano Rizzo and Thai Duong at a security conference in Argentina last week–is a vulnerability in SSL (Secure Sockets Layer) and TLS (Transport Layer Security) 1.0, the encryption protocols used to secure Web sites that are accessed over HTTPS (HTTP carried over SSL/TLS).
The researchers created software called BEAST (Browser Exploit Against SSL/TLS) that can decrypt parts of an encrypted data stream. It is a chosen-plaintext attack on CBC-mode ciphers in TLS 1.0, which uses the last ciphertext block of one record as the initialization vector of the next, so the IV is predictable. An attacker in a “man-in-the-middle” (MITM) position who can watch the traffic, and who can also make the browser send plaintext of their choosing over the same connection via JavaScript running in the browser, can test guesses for a secret byte by byte. That is enough to recover the session cookie data used to authenticate a Web surfer with a site, and so to impersonate that user. More details and a video of the demo are on Duong’s blog.
Here are responses from representatives of the major browsers:
Firefox
“We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so,” a Mozilla Security blog post says. “Firefox itself is not vulnerable to this attack. While Firefox does use TLS 1.0 (the version of TLS with this weakness), the technical details of the attack require the ability to completely control the content of connections originating in the browser, which Firefox does not allow. The attackers have, however, found weaknesses in Java plugins that permit this attack. We recommend that users disable Java from the Firefox Add-ons Manager as a precaution.”
Internet Explorer
“We consider this to be a low risk issue for customers, but we released Security Advisory (2588513) to provide guidance and protection for customers with concerns,” Jerry Bryant, group manager of Response Communications at Microsoft Trustworthy Computing, said in an e-mail. “To be clear, Internet Explorer depends on the Windows implementation of these protocols, so our mitigations and workarounds apply to the operating system and not the browser. We are looking at other ways to address the issue both in our products and within the industry and will update our guidance as it becomes available.”
Chrome
A Google representative referred CNET to a blog post from late last week written by Adam Langley, a member of the Chrome team, that said the company was preparing and testing a workaround. “The attack is still a difficult one; the attacker has to have high-bandwidth MITM access to the victim. This is typically achieved by being on the same wireless network as the victim,” the post says. “Nonetheless, it’s a much less serious issue than a problem which can be exploited by having the victim merely visit a Web page. (Incidentally, we pushed out a fix to all Chrome users for such a Flash bug only a few days ago.)”
Opera
Opera developed a fix and tried shipping it in Opera 11.51 but found that changes made to how the browser connects to servers were “incomprehensible to thousands of servers around the world,” Opera’s Sigbjorn Vik wrote in a blog post. “This issue will have to be solved in close cooperation between browser vendors and Webmasters. Since this cannot be directly exploited in Opera, we decided to wait until we have an industry agreement on how to move forward. We have test systems in place which can connect to millions of secure sites around the world and detect how these sites will react to changes to the protocol. We will be sharing our results from these test runs with other browser vendors and affected parties, to give us a good basis for finding the best solution to the issue.”
Safari
Apple representatives did not respond to e-mail or telephone requests for comment about the Safari browser.
Just upgrading to TLS 1.1, which is not vulnerable because it gives every record its own explicit, unpredictable IV, won’t work because nearly all SSL connections still use TLS 1.0, according to a Qualys study reported on by Dan Goodin at The Register, which broke the BEAST story. In addition, “upgrading TLS is proving surprisingly difficult, mostly because almost every fix breaks widely used applications or technologies,” he wrote.
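The mechanism behind BEAST described above, and the reason TLS 1.1 is immune, as an added example that is not the researchers’ code: a toy CBC record layer in Go (standard-library crypto/aes) that either chains IVs the way TLS 1.0 does or draws a fresh IV per record the way TLS 1.1 does, plus the byte-at-a-time guess check the attack relies on. Everything beyond the protocol behaviour is my assumption: the victim appends a fixed secret (a constructed cookie) to every request and the attacker controls the length of what precedes it; the attacker can push one chosen plaintext block through the same session, modelled here by calling `encrypt` directly in place of the plugin channel the Mozilla post mentions; and padding is reduced to zero bytes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const bs = aes.BlockSize

// cbcSession is a toy TLS record layer in CBC mode. With chainedIV set, each
// record's IV is the last ciphertext block of the previous record (TLS 1.0);
// otherwise every record gets a fresh random IV (TLS 1.1). lastBlock is on the
// wire, so an eavesdropper always knows it.
type cbcSession struct {
	block     cipher.Block
	lastBlock []byte
	chainedIV bool
}

func randBlock() []byte {
	b := make([]byte, bs)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newSession(key []byte, chainedIV bool) *cbcSession {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return &cbcSession{block: b, lastBlock: randBlock(), chainedIV: chainedIV}
}

// encrypt pads pt with one to bs zero bytes up to a block boundary (TLS padding
// always adds at least one byte; its format is not modelled) and returns the IV
// used and the ciphertext.
func (s *cbcSession) encrypt(pt []byte) (iv, ct []byte) {
	padded := make([]byte, (len(pt)/bs+1)*bs)
	copy(padded, pt)
	if s.chainedIV {
		iv = s.lastBlock
	} else {
		iv = randBlock()
	}
	ct = make([]byte, len(padded))
	cipher.NewCBCEncrypter(s.block, iv).CryptBlocks(ct, padded)
	s.lastBlock = append([]byte(nil), ct[len(ct)-bs:]...)
	return iv, ct
}

func xor3(a, b, c []byte) []byte {
	out := make([]byte, bs)
	for i := range out {
		out[i] = a[i] ^ b[i] ^ c[i]
	}
	return out
}

// beast recovers secretLen bytes of a secret the victim appends to every
// request. victim(prefix) encrypts "prefix || secret" with an attacker-chosen
// prefix (script in the browser); s.encrypt stands in for the attacker's own
// chosen-plaintext channel on the same session (the plugin in the real attack).
func beast(s *cbcSession, victim func(prefix []byte) (iv, ct []byte), secretLen int) ([]byte, bool) {
	var recovered []byte
	for k := 0; k < secretLen; k++ {
		// Pick the prefix length so that secret[k] is the last byte of a block
		// whose other 15 bytes (prefix plus recovered bytes) are already known.
		prefix := bytes.Repeat([]byte{'A'}, 15-k%bs)
		iv, ct := victim(prefix)
		b := (len(prefix) + k) / bs
		chain := append(append([]byte{}, iv...), ct...) // the IV is "block -1"
		prev, target := chain[b*bs:(b+1)*bs], chain[(b+1)*bs:(b+2)*bs]
		known := append(append([]byte{}, prefix...), recovered...)[b*bs : b*bs+15]
		g := 0
		for ; g < 256; g++ {
			guess := append(append([]byte{}, known...), byte(g))
			// Predicted IV of the next record: the last ciphertext block seen.
			// Right under TLS 1.0, wrong under TLS 1.1, so the probe only matches
			// target when the guess is correct AND the IV was predictable.
			_, probe := s.encrypt(xor3(guess, prev, s.lastBlock))
			if bytes.Equal(probe[:bs], target) {
				break
			}
		}
		if g == 256 {
			return recovered, false
		}
		recovered = append(recovered, byte(g))
	}
	return recovered, true
}

func main() {
	secret := []byte("SID=s3cr3t") // constructed sample session cookie
	for _, chained := range []bool{true, false} {
		s := newSession(randBlock(), chained) // random AES-128 key
		victim := func(p []byte) ([]byte, []byte) { return s.encrypt(append(append([]byte{}, p...), secret...)) }
		got, ok := beast(s, victim, len(secret))
		fmt.Printf("chained IV=%v: recovered %q, ok=%v\n", chained, got, ok)
	}
}
```

With the chained IV the loop recovers the cookie in at most 256 probes per byte, because a probe block equals the target block exactly when the guessed plaintext equals the victim’s (AES is a permutation, so there are no false positives). With a random per-record IV the attacker’s prediction is wrong for every probe and nothing ever matches, which is why the remedy is a protocol change (TLS 1.1’s explicit IVs, or record splitting as a stopgap) rather than a browser patch.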
Source: CNET
Tags: browser, HTTPS, SSL, TLS Posted in Anti-Virus, Google, Mac, Microsoft, Network, Security, Server, Software, Web, Wireless
Tuesday, August 23rd, 2011
FTP server on which data was stored became searchable by Google in September
Yale University has notified about 43,000 faculty, staff, students and alumni that their names and Social Security numbers were publicly available via Google search for about 10 months.
All of the victims were affiliated with Yale in 1999, and are being offered identity theft insurance and free credit monitoring services for two years, the university said in a statement last week.
The breach resulted when a File Transfer Protocol (FTP) server on which the data was stored became searchable via Google as the result of a change the search engine giant made last September, the Yale Daily News reported.
The online publication reported that Yale IT Services Director Len Peters said the FTP server holding the compromised information was used mainly for open-source materials.
In September 2010, Google made a change that allowed its search engine to index and find FTP servers. But university IT officials were unaware of the change, Peters told the Daily News.
When Yale discovered the breach in June, it immediately took the server offline, deleted the sensitive data and evaluated whether there were any other files containing similar data on the FTP server, Peters said.
In a statement to Computerworld, Yale officials made no mention of how the data was compromised. But the school said it has “secured” the file and Google has confirmed that its search engine no longer stores any information from it.
The statement doesn’t say how Yale discovered the breach, nor whether any of the data available via Google was accessed by anyone. Peters told the campus publication that the file and the directory in which the exposed information was stored had innocuous sounding names that are unlikely to have tipped off others about the contents.
This is the second publicly known breach in the last two months involving the inadvertent exposure of sensitive data on the Web. In June, Southern California Medical-Legal Consultants Inc. (SCMLC) said that the names and Social Security numbers of about 300,000 people who had filed for California workers compensation had been potentially compromised. That breach resulted when an internal server on which the data was stored became exposed to web searches.
SCMLC learned of the breach from security firm Identity Finder. In a statement, Identity Finder said that its security researchers had uncovered 3,875 uncompressed files containing several gigabytes of personal data on an SCMLC server that was exposed to the Web.
“The files were neither encrypted nor password-protected and some were cached by at least one major search engine,” Identity Finder said. The company subsequently worked with Google to clear search engine caches, a spokesman for the company said. As of today, Google caches are clear of sensitive personal information from SCMLC, the spokesman said.
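Both incidents, Yale’s FTP directory and the SCMLC server, came down to files full of Social Security numbers sitting under a Web-reachable root that nobody had inspected. The check that would have found them before a crawler did, as an added example (my code, not Identity Finder’s product or anything Yale or SCMLC ran): walk a directory tree, match the dashed SSN layout, drop the values the Social Security Administration never issues so the report is not padded with false positives, and list the offending files. The sample files and numbers in `main` are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strconv"
)

// ssnRe matches the dashed SSN layout only; bare 9-digit runs also appear in
// phone numbers, hashes and record IDs and would flood the report.
var ssnRe = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)

// plausibleSSN rejects values the Social Security Administration never issues:
// area 000, 666 or 900-999, group 00, serial 0000.
func plausibleSSN(area, group, serial string) bool {
	a, _ := strconv.Atoi(area)
	if a == 0 || a == 666 || a >= 900 {
		return false
	}
	return group != "00" && serial != "0000"
}

// countSSNs returns how many plausible SSNs one file contains.
func countSSNs(path string) (int, error) {
	f, err := os.Open(path)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	sc.Buffer(make([]byte, 1<<20), 1<<20) // CSV exports can have very long lines
	n := 0
	for sc.Scan() {
		for _, m := range ssnRe.FindAllStringSubmatch(sc.Text(), -1) {
			if plausibleSSN(m[1], m[2], m[3]) {
				n++
			}
		}
	}
	return n, sc.Err()
}

// scanTree walks root and reports every regular file holding at least one
// plausible SSN, keyed by path relative to root. Any read error stops the walk
// and is returned, so a silently skipped file cannot hide a finding.
func scanTree(root string) (map[string]int, error) {
	hits := map[string]int{}
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err
		}
		n, err := countSSNs(p)
		if n > 0 {
			rel, _ := filepath.Rel(root, p)
			hits[rel] = n
		}
		return err
	})
	return hits, err
}

func main() {
	root, err := os.MkdirTemp("", "ftproot")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	// Constructed sample files standing in for a public FTP root; the numbers are made up.
	os.WriteFile(filepath.Join(root, "misc_1999.txt"), []byte("Smith,J,123-45-6789\nDoe,A,321-54-9876\nTest,T,000-12-3456\n"), 0o600)
	os.WriteFile(filepath.Join(root, "README"), []byte("open-source materials; helpdesk 555-123-4567\n"), 0o600)
	hits, err := scanTree(root)
	if err != nil {
		panic(err)
	}
	for rel, n := range hits {
		fmt.Printf("%s: %d plausible SSNs\n", rel, n)
	}
}
```

Point it at the document root of anything that answers anonymous requests (an FTP root, a Web root, a shared bucket) and treat every hit as a file that has to move or be encrypted; the innocuous file and directory names Yale mentions are no protection once a crawler indexes the contents.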
Source: computerworld.com
Tags: Personally identifiable information Posted in Cloud, Database, Google, Network, Security, Server, Web
Wednesday, August 3rd, 2011
The governments of the United States, Canada, and South Korea, as well as the UN, the International Olympic Committee, and 12 US defense contractors were among those hacked in a five-year hacking campaign dubbed “Operation Shady RAT” by security firm McAfee, which revealed the attacks. Many of the penetrations were long-term, with 19 intrusions lasting more than a year, and five lasting more than two. Targets were found in 14 different countries, across North America, Europe, India, and East Asia.
McAfee discovered the infiltration during an investigation of break-ins at defense contractors, when it came across a command-and-control server used by the attackers to direct the remote administration tools—“RATs,” hence the name “Operation Shady RAT”—installed in the victim organizations. The server was originally detected in 2009; McAfee began its analysis of it in March this year. On the machine the company found extensive logs of the attacks that had been performed. Seventy-two organizations were positively identified from this information; the company warns that there were likely other victims, but there was not sufficient information to determine who they were.
The attacks themselves used spear-phishing techniques that are by now standard: apparently legitimate e-mails with attachments are sent to employees of the target organization, and the attachments carry exploit code that compromises the employee’s system. These exploits are typically zero-day attacks. With a PC compromised, the attackers install RAT software on it, allowing long-term monitoring, collection of credentials, network probing, and data exfiltration.
Many other attacks have followed the same pattern. The same technique was used to break into security company RSA, the French and Canadian Finance Ministries, and many oil and gas companies this year. It was also used in the Operation Aurora attacks against Google and other companies discovered in late 2009.
The first organization to be hacked in this campaign was a South Korean construction company, first broken into in July 2006. Break-ins continued until September 2010, when an Indian government agency was compromised. Data theft continued beyond that date, with both an American think tank and the Hong Kong office of an American news agency—reported by Vanity Fair to be the Associated Press—being pillaged until May of this year.
McAfee says that the total data stolen through these attacks amounted to petabytes. Where it has gone and who has used it remains unknown. The targets were a mix of governments, technology and defense companies, and nonprofit sports bodies and think tanks. Due to this latter category, McAfee argues that the attacks were most likely performed by a state actor as the commercial value of these sporting organizations was low. The firm didn’t specify which country it believed to be responsible, but Jim Lewis of the Center for Strategic and International Studies accused China of being the perpetrator, after being briefed by McAfee. China has been accused of such attacks before; Lewis said that the presence of the International Olympic Committee and the Taiwan government on the list of victims further pointed to China.
The security company is working with US government agencies to try to shut down the command-and-control server. The firm has also worked with the victims to inform them of the attacks and offer assistance with their response. These offers have not always been warmly received, with some victims denying that they had been compromised, even when presented with overwhelming evidence that they had.
For all the press that Anonymous and LulzSec have received, McAfee warns that these long-term, targeted attacks are a far more serious threat both to corporations and governments. The damage—loss of intellectual property and secrets—is far greater, and the attackers, motivated not by a desire to get rich quick or a quest for lulz but rather by a long-term desire to steal massive amounts of data, are far more measured and tenacious. So widespread are the attacks that Dmitri Alperovitch, McAfee Vice President of Threat Research, said that the only companies not at risk are those who have nothing worth taking, and that of the world’s biggest firms, there are just two kinds: those that know they’ve been compromised, and those that still haven’t realized they’ve been compromised.
Source: arstechnica.com
Tags: McAfee, Operation Shady RAT. Posted in: Anti-Virus, Google, Network, Security, Web
Monday, August 1st, 2011
National Cyber Alert System
Cyber Security Bulletin SB11-213
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:
- High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
- Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
- Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
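As an added example (not part of the bulletin or any US-CERT tooling), the following Python audit parses rows in this bulletin's flattened `|`-delimited layout, assigns each one the High/Medium/Low label from the CVSS bands above, and flags entries filed under the wrong heading or carrying a malformed CVE reference. The `example —` rows and the `CVE-0000-*` ids in the sample are constructed placeholders.

```python
import re
from dataclasses import dataclass

# CVSS v2 base-score bands exactly as the US-CERT bulletin states them.
SEVERITY_BANDS = (("High", 7.0, 10.0), ("Medium", 4.0, 6.9), ("Low", 0.0, 3.9))
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

@dataclass
class Entry:
    vendor_product: str
    description: str
    published: str
    score: float
    source: str  # normally the CVE id

def severity_for(score: float) -> str:
    """Map a CVSS v2 base score to the bulletin's High/Medium/Low label.
    Scores are published to one decimal, so round first: an unrounded 6.95
    would otherwise fall between Medium's 6.9 ceiling and High's 7.0 floor."""
    s = round(score, 1)
    if not 0.0 <= s <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for label, low, high in SEVERITY_BANDS:
        if low <= s <= high:
            return label
    raise AssertionError("bands cover 0.0-10.0 in 0.1 steps; unreachable")

def parse_entries(text: str) -> list[Entry]:
    """Parse rows in the bulletin's flattened '|'-delimited layout: five cells
    per entry (vendor/product, description, published, CVSS score, source)."""
    cells = [c.strip() for c in text.split("|") if c.strip()]
    if len(cells) % 5:
        raise ValueError(f"expected 5 cells per entry, got {len(cells)} cells")
    return [Entry(cells[i], cells[i + 1], cells[i + 2], float(cells[i + 3]), cells[i + 4])
            for i in range(0, len(cells), 5)]

def audit_section(section_label: str, text: str) -> list[str]:
    """One finding per entry that is filed under the wrong severity heading or
    whose source cell is not a well-formed CVE id; an empty list means clean."""
    findings = []
    for e in parse_entries(text):
        actual = severity_for(e.score)
        if actual != section_label:
            findings.append(f"{e.source}: score {e.score} is {actual}, filed under {section_label}")
        if not CVE_ID.match(e.source):
            findings.append(f"{e.vendor_product}: malformed source id {e.source!r}")
    return findings

# Constructed sample in the bulletin's layout: row 1 is the first SB11-213 High
# entry (description shortened); rows 2 and 3 are made up, with placeholder ids,
# to exercise the two checks.
HIGH_SAMPLE = """
| azeotech — daqfactory | AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals. | 2011-07-28 | 7.8 | CVE-2011-2956 |
| example — misfiled_product | Constructed: Medium-band score filed under High. | 2011-07-28 | 6.9 | CVE-0000-0001 |
| example — bad_reference | Constructed: source cell is not a CVE id. | 2011-07-28 | 7.5 | CVE-0000-0002.5 |
"""

if __name__ == "__main__":
    for finding in audit_section("High", HIGH_SAMPLE):
        print(finding)
```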
High Vulnerabilities

| Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| azeotech — daqfactory | AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal. | 2011-07-28 | 7.8 | CVE-2011-2956 |
| ca — gateway_security | Icihttp.exe in CA Gateway Security for HTTP, as used in CA Gateway Security 8.1 before 8.1.0.69 and CA Total Defense r12, does not properly parse URLs, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and daemon crash) via a malformed request. | 2011-07-28 | 10.0 | CVE-2011-2667 |
| cisco — sa500_software | The web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote authenticated users to execute arbitrary commands via crafted parameters to web forms, aka Bug ID CSCtq65681. | 2011-07-28 | 9.0 | CVE-2011-2547 |
| cisco — asr_9006_router | Unspecified vulnerability in Cisco IOS XR 4.1.x before 4.1.1 on Cisco Aggregation Services Routers (ASR) 9000 series devices allows remote attackers to cause a denial of service (line-card reload) via an IPv4 packet, aka Bug ID CSCtr26695. | 2011-07-28 | 7.8 | CVE-2011-2549 |
| drupal — drupal | Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table. | 2011-07-26 | 7.5 | CVE-2011-2687 |
| gimp — gimp | Heap-based buffer overflow in the read_channel_data function in file-psp.c in the Paint Shop Pro (PSP) plugin in GIMP 2.6.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a PSP_COMP_RLE (aka RLE compression) image file that begins a long run count at the end of the image. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4543. | 2011-07-26 | 7.5 | CVE-2011-1782 |
| google — picasa | Google Picasa before 3.6 Build 105.67 does not properly handle invalid properties in JPEG images, which allows remote attackers to execute arbitrary code via a crafted image file. | 2011-07-28 | 9.3 | CVE-2011-2747 |
| ibm — lotus_symphony | Multiple unspecified vulnerabilities in IBM Lotus Symphony 3 before FP3 have unknown impact and attack vectors, related to “critical security vulnerability issues.” | 2011-07-27 | 10.0 | CVE-2011-2884 |
| jan_wolter — mod_authnz_external | SQL injection vulnerability in mysql/mysql-auth.pl in the mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the user field. | 2011-07-28 | 7.5 | CVE-2011-2688 |
| nrl — opie | Multiple off-by-one errors in opiesu.c in opiesu in OPIE 2.4.1-test1 and earlier might allow local users to gain privileges via a crafted command line. | 2011-07-26 | 7.2 | CVE-2011-2489 |
| nrl — opie | opielogin.c in opielogin in OPIE 2.4.1-test1 and earlier does not check the return value of the setuid system call, which allows local users to gain privileges by arranging for an account to already be running its maximum number of processes. | 2011-07-26 | 7.2 | CVE-2011-2490 |
Medium Vulnerabilities

| Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| chyrp — chyrp | upload_handler.php in the swfupload extension in Chyrp 2.0 and earlier relies on client-side JavaScript code to restrict the file extensions of uploaded files, which allows remote authenticated users to upload a .php file, and consequently execute arbitrary PHP code, via a write_post action to the default URI under admin/. | 2011-07-26 | 6.5 | CVE-2011-2745 |
| cisco — sa500_software | SQL injection vulnerability in the web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCtq65669. | 2011-07-28 | 5.0 | CVE-2011-2546 |
| debian — apt | APT before 0.8.15.2 does not properly validate inline GPG signatures, which allows man-in-the-middle attackers to install modified packages via vectors involving lack of an initial clearsigned message. | 2011-07-26 | 4.3 | CVE-2011-1829 |
| ecava — integraxor | Multiple cross-site scripting (XSS) vulnerabilities in Ecava IntegraXor before 3.60 (Build 4080) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2011-07-28 | 4.3 | CVE-2011-2958 |
| fabfile — fabric | Fabric before 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on (1) a /tmp/fab.*.tar file or (2) certain other files in the top level of /tmp/. | 2011-07-26 | 4.4 | CVE-2011-2185 |
| google — search_appliance | Cross-site scripting (XSS) vulnerability in Google Search Appliance before 5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2011-07-28 | 4.3 | CVE-2011-1339 |
| ibm — lotus_symphony | IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via the sample .doc document that incorporates a user-defined toolbar. | 2011-07-27 | 4.3 | CVE-2011-2885 |
| ibm — lotus_symphony | IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via a .docx document with empty bullet styles for parent bullets. | 2011-07-27 | 4.3 | CVE-2011-2886 |
| ibm — lotus_symphony | IBM Lotus Symphony 3 before FP3 on Linux allows remote attackers to cause a denial of service (application crash) via a certain sample document. | 2011-07-27 | 4.3 | CVE-2011-2887 |
| ibm — lotus_symphony | IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application hang) via complex graphics in a presentation. | 2011-07-27 | 4.3 | CVE-2011-2888 |
| ibm — lotus_symphony | The DataPilot feature in IBM Lotus Symphony 3 before FP3 allows user-assisted remote attackers to cause a denial of service (application crash) via a large .xls spreadsheet with an invalid Value reference. | 2011-07-27 | 4.3 | CVE-2011-2893 |
| joomla — joomla! | Joomla! before 1.5.23 does not properly check for errors, which allows remote attackers to obtain sensitive information via unspecified vectors. | 2011-07-27 | 5.0 | CVE-2011-2488 |
| joomla — joomla! | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the com_contact component, as demonstrated by the Itemid parameter to index.php; (2) the query string to the com_content component, as demonstrated by the filter_order parameter to index.php; (3) the query string to the com_newsfeeds component, as demonstrated by an arbitrary parameter to index.php; or (4) the option parameter in a reset.request action to index.php; and, when Internet Explorer or Konqueror is used, (5) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component. | 2011-07-27 | 4.3 | CVE-2011-2509 |
| joomla — joomla! | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via (1) the URI to includes/application.php, reachable through index.php; and, when Internet Explorer or Konqueror is used, (2) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component. NOTE: vector 2 exists because of an incomplete fix for CVE-2011-2509.5. | 2011-07-27 | 4.3 | CVE-2011-2710 |
| joomla — joomla! | templates/system/error.php in Joomla! before 1.5.23 might allow remote attackers to obtain sensitive information via unspecified vectors that trigger an undefined value of a certain error field, leading to disclosure of the installation path. NOTE: this might overlap CVE-2011-2488. | 2011-07-27 | 5.0 | CVE-2011-2889 |
| joomla — joomla! | The MediaViewMedia class in administrator/components/com_media/views/media/view.html.php in Joomla! 1.5.23 and earlier allows remote attackers to obtain sensitive information via vectors involving the base variable, leading to disclosure of the installation path, a different vulnerability than CVE-2011-2488. | 2011-07-27 | 5.0 | CVE-2011-2890 |
| joomla — joomla! | Joomla! 1.6.x before 1.6.2 allows remote attackers to obtain sensitive information via an empty Itemid array parameter to index.php, which reveals the installation path in an error message, a different vulnerability than CVE-2011-2488. | 2011-07-27 | 5.0 | CVE-2011-2891 |
| joomla — joomla! | Joomla! 1.6.x before 1.6.2 does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. | 2011-07-27 | 4.3 | CVE-2011-2892 |
| likewise — likewise_open | SQL injection vulnerability in lsassd in Lsass in the Likewise Security Authority in Likewise Open 5.4 through 6.1, and Likewise Enterprise 6.0, allows local users to execute arbitrary SQL commands via unspecified vectors. | 2011-07-26 | 5.8 | CVE-2011-2467 |
| linux — kernel | The gfs2_fallocate function in fs/gfs2/file.c in the Linux kernel before 3.0-rc1 does not ensure that the size of a chunk allocation is a multiple of the block size, which allows local users to cause a denial of service (BUG and system crash) by arranging for all resource groups to have too little free space. | 2011-07-28 | 4.9 | CVE-2011-2689 |
| linux — kernel | Multiple off-by-one errors in the ext4 subsystem in the Linux kernel before 3.0-rc5 allow local users to cause a denial of service (BUG_ON and system crash) by accessing a sparse file in extent format with a write operation involving a block number corresponding to the largest possible 32-bit unsigned integer. | 2011-07-28 | 4.9 | CVE-2011-2695 |
| mega-nerd — libsndfile | Integer overflow in libsndfile before 1.0.25 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PARIS Audio Format (PAF) file that triggers a heap-based buffer overflow. | 2011-07-26 | 6.8 | CVE-2011-2696 |
| redhat — network_satellite_server | Cross-site request forgery (CSRF) vulnerability in the Spacewalk Java site packages (aka spacewalk-java) 1.2.39 in Spacewalk, as used in the server in Red Hat Network Satellite 5.3.0 through 5.4.1 and other products, allows remote attackers to hijack the authentication of arbitrary users for requests that (1) disable the current user account, (2) add user accounts, or (3) modify user accounts to have administrator privileges. | 2011-07-26 | 6.8 | CVE-2009-4139 |
| redhat — jboss_enterprise_application_platform | jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. | 2011-07-26 | 6.8 | CVE-2011-1484 |
| redhat — jboss_enterprise_application_platform | jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1484. | 2011-07-26 | 6.8 | CVE-2011-2196 |
| rockwellautomation — factorytalk_diagnostics_viewer | Unspecified vulnerability in Rockwell Automation FactoryTalk Diagnostics Viewer before V2.30.00 (CPR9 SR3) allows local users to execute arbitrary code via a crafted FactoryTalk Diagnostics Viewer (.ftd) configuration file, which triggers memory corruption. | 2011-07-28 | 6.9 | CVE-2011-2957 |
| videolan — vlc_media_player | Heap-based buffer overflow in the DemuxAudioSipr function in real.c in the RealMedia demuxer in VideoLAN VLC media player 1.1.x before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Real Media file. | 2011-07-26 | 6.8 | CVE-2011-2587 |
| videolan — vlc_media_player | Heap-based buffer overflow in the AVI_ChunkRead_strf function in libavi.c in the AVI demuxer in VideoLAN VLC media player before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted AVI media file. | 2011-07-26 | 6.8 | CVE-2011-2588 |
Low Vulnerabilities

| Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| linux — kernel | The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. | 2011-07-28 | 1.9 | CVE-2011-2492 |

Source: CERT.org
Tags: IBM, Java. Posted in: Anti-Virus, Cisco, Google, Network, OS, Security, Server, Software, SQL, Web