STE WILLIAMS

Organised drug gangs increasingly hooking up with hackers, warns Europol

Organised crime is becoming increasingly entwined with hacking, creating a “service-orientated industry” and making the internet “the single most important” factor facilitating major organised crime and drug trafficking, according to the head of Europol.

Speaking to the BBC, Europol director Rob Wainwright highlighted a case from this summer where a gang of drug smugglers were found to have hacked into computer systems at shipping companies operating out of Antwerp, one of Europe’s busiest ports with upwards of 20,000 containers passing through each day.

First using social engineering to trick staff into installing malware which compromised container management systems, and later, when that scheme was blocked, breaking into port premises to install hardware snooping devices, the crooks were able to access data on the whereabouts of shipments and the security codes needed to pick them up.

In the past, when the likes of Howard Marks or Proposition Joe wanted to make sure their shipments made it through customs, they needed inside men in the ports to keep them informed.

Now it seems like they can just cut out the middle man and get the information they need direct from the port computers.

The Antwerp scheme was thought to have been running for two years before it was finally shut down, with a tonne each of cocaine and heroin seized, along with weapons and €1.3 million (around £1.1 million, $1.75 million) in cash.

It seems like a pretty safe bet that similar techniques have been used at other ports around the world, doubtless with at least occasional success.

Port companies in Antwerp claim to have improved their IT security, and hopefully other port operators will have paid attention to the warning given by their experiences, but we can be pretty sure that similar blags will keep being tried, with ever more sophisticated malware, social engineering and digital intrusion techniques. So let’s hope their security measures can keep up.

It sounds like some more effort may need to be made on physical security too, ensuring that simply knowing where a container is sitting is not enough to let gangs stroll in and pick it up.

In line with this week’s National Cyber Security Awareness Month theme of hiring cyber-security savvy staff, they might also do well to spend some time training up their people, to help them avoid being tricked into opening up their systems to the bad guys.

Wainwright’s warnings suggest hacking techniques are spreading into other criminal areas too, with hacking collectives acting as subcontractors to assist with all manner of crimes.

To combat this, he recommends police forces should “change the way they operate, to become much more tech-savvy”, and also advocates more input from parliaments, making sure laws keep up with the ways criminals are exploiting the internet.

Those of you lucky enough to have access to the BBC’s iPlayer service can hear the full interview with Wainwright on the Today programme, for the time being at least – starting at about the 2h 20m mark.


Image of drugs and money courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dw-rXIEx2m0/

Two girls arrested after one allegedly brags on Facebook about cyber bullying suicide victim

Rebecca Ann Sedwick, a 12-year-old Florida girl, leapt to her death from an abandoned cement factory silo on 10 September.

That did not stop the bullies.

One month after her suicide, the offline and online bullying that tormented Rebecca for over a year was still a sickening miasma thriving in venues such as Facebook.

And now, two girls – ages 12 and 14 – have been arrested and charged in connection with the bullying, after the 14-year-old allegedly bragged on Facebook about her part in Rebecca’s death, signing the post with a little red heart.

The bullying was reportedly started over a boyfriend.

According to the New York Times, the sheriff’s office of Polk County, in the US state of Florida, which has been investigating the suicide, was alerted to the Facebook post over the weekend.

The poster said that she knows, and does not care, that her bullying led to Sedwick’s suicide.

The post, in internet shorthand:

Yes ik [I know] I bullied Rebecca nd she killed her self but IDGAF

Polk County deputies had been investigating around 12 girls for allegedly harassing Rebecca by calling her ugly and worthless, telling her that she deserved to die, and urging her to drink bleach, the Orlando Sentinel reports.

On Monday, police arrested the alleged author of the post along with another 12-year-old girl.

In a news conference on Tuesday, Polk Sheriff Grady Judd said that the poster of the hateful comment did not get the enormity of this tragedy.

An excerpt from Sheriff Judd’s remarks, which can also be heard in this myFox Tampa Bay video clip:

‘Yes, I bullied Rebecca, and she killed herself, but I don’t give a …’ You tell me there’s not major league problems here? You tell me there’s not parents who, instead of taking that device and smashing it into a thousand pieces in front of her child, she says, ‘Oh, her account was hacked?’ We see where the problem is.

Sheriff Judd said that the detectives hadn’t anticipated making arrests so quickly, but that they were goaded by the online remark, the NYT reports:

We learned this over the weekend, and we decided that, look, we can’t leave [the older girl] out there. Who else is she going to torment? Who else is she going to harass? Who is the next person she verbally abuses and attacks?

The girls, neither of whom had a prior arrest record, were charged with aggravated stalking, a third-degree felony.

The older girl was taken into custody in the juvenile wing of the county jail. Police said the younger girl expressed remorse and therefore was released to her parents under house arrest.

I can appreciate Sheriff Judd’s anger, amazement and frustration as he and his deputies, and, of course, Rebecca’s family, have been faced with this horrible situation, which has continued to spread ripples even beyond her death.

Smashing devices in front of children may sound like a decisive and satisfying way to stop the hateful environment that can engulf a cyber bullying victim.

But it won’t stop the harassment, whether you smash the victim’s smartphone or you take a hammer to the bully’s laptop.

In fact, Rebecca’s mother told news outlets that she didn’t take away her daughter’s smartphone because of the fear of alienating her in this way.

As for the bullies, they’ll find a way, device or no device, virtually or in the real world. As Rebecca’s story points out, the abuse spills out in both arenas.

There are many other resources out there to help fight cyber bullying, short of pulverizing kids’ phones.

As Sophos’s John Shier pointed out recently, it’s up to all of us to give children the tools they need to both be good online citizens – see Wheaton’s Law, if all else fails – and to recognize, and report, harmful behaviour.

In the wake of other cyber bullying-related suicides, including those of Amanda Todd, Rehtaeh Parsons and Audrie Pott, their grieving families, concerned legislators and cyber security groups have been working to give parents, caregivers, teens and children those tools and to build awareness around the effects of cyber bullying.

Some of the resources parents, as well as others who have the power to influence children, can turn to:

  • National Cyber Security Alliance’s Stay Safe Online campaign provides a comprehensive set of resources for our own personal online safety and for teaching others to be safer online.
  • Sophos’s Top 10 tips to keep kids and teens safe online.
  • A provincial program named ERASE, rolled out by British Columbia after Amanda’s death, which addresses bullying and harmful behaviour in schools and provides children and parents with an online resource for discussing and reporting cyber bullying.

Please feel free to share resources and your own tips for keeping teens and children safe in the comments below.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Lo0s4O83lLs/

Conservationists fear hacking of GPS collar data to cyberpoach rare tigers

How much is a tiger worth?

For a poacher, these extremely endangered animals are enormously profitable.

According to the World Wildlife Fund, parts from a single tiger can fetch as much as $50,000 on the black market.

I can’t verify these claims, so take them with a grain of salt, but for what it’s worth, one site, TigersInCrisis.com, says that in Taiwan, a bowl of tiger penis soup (to boost virility) goes for $320, and a pair of tiger eyes (to fight epilepsy and malaria) for $170. Powdered tiger humerus bone (for treating ulcers, rheumatism and typhoid) brings up to $1,450 per lb. in Seoul, the site claims.

The internet, unfortunately, has facilitated this enormously profitable wildlife trafficking.

Special agents with the US Fish and Wildlife Service, for example, began spotting online sale postings for frozen tiger cubs in the late 1990s.

The wildlife-trade monitoring network TRAFFIC found, as of July 2012, 33 tiger products on Chinese online auction websites, including bracelets, pendants, and tiger-bone glue. According to National Geographic, ads even promoted “blood being visible in items.”

Such online sales are part of a much larger wildlife-trafficking industry, which WWF estimates to be worth $7.8 to $10 billion per year.

The WWF estimates that there are now as few as 3,200 tigers left in the wild, while TRAFFIC puts it at 2,500 breeding adult tigers, with the number on the decline.

Those precious few are watched over with considerable anxiety by conservationists.

Therefore, it is understandable that when the head of the monitoring program at Panna Tiger Reserve in central India was alerted in July to an attempt to break into his professional email account – the inbox of which contains the encrypted geographic location of a GPS-collared, endangered Bengal tiger – a frightening new term for a very specific form of internet crime came into being.

The term: cyber poaching.

The head of the monitoring program, Krishnamurthy Ramesh, told National Geographic that the attempted break-in was promptly prevented by the organisation’s server.

National Geographic reports that even if the GPS data had been obtained, it was encrypted and could only be decoded with two data sets: “specialized data-converter software” and specific information from the radio-collar product worn by the tiger in question.

He said:

“They couldn’t even see the data—it would look like unusual numbers or symbols.”

I hope he’s right. After all, as Paul Ducklin said when Adobe was breached earlier this month, when it comes to cryptography the devil’s in the details – for stored passwords, for example, whether and how they are salted, hashed and stretched. (See Paul’s article for an explanation of those intricacies.)

Does that even come into play when you’re talking about “specialized data-converter software” and specific information from the collar itself?

I hope, for the tiger’s sake, that Ramesh is right, and that the creature’s whereabouts is in data that’s safely tucked away.

That tiger, designated Panna-211, is a 2.5-year-old male who in February 2013 was fitted with a nearly $5,000 collar outfitted with both satellite and ground-tracking capabilities.

The collar, which lasts about eight months, was configured to provide GPS data every hour for the first three months and every 4 hours for the next 5 months.

Computerworld’s Darlene Storm, in her coverage of the story, linked to Telemetry Solutions, a vendor of GPS collars and pods for tracking large mammals.

Telemetry Solutions’s large GPS collar is advertised as providing accuracy within 2.5 meters, or about 8.2 feet.

That sounds like it’s plenty close enough to suit a poacher.

National Geographic reports that the battery for the tiger’s collar expired in July, and the satellite feedback in the collar stopped working.

Around the same time, Ramesh was alerted that someone in Pune—more than 620 miles (1,000 kilometers) away from his office in Dehradun—had tried to access his email.

Was it a poacher with hacking skills, trying to access the GPS location data for a very valuable target? Or was it merely an innocent mistake?

It’s unknown.

But the mere possibility of online data about endangered species falling into the wrong hands was enough for the forest department of the state that contains the reserve to start an inquiry, in collaboration with police.

Whether or not the incident points to the emergence of so-called cyber poachers, experts say that wildlife criminals are growing increasingly tech-savvy.

Wildlife-governance specialist Andrew Zakharenka, of the US-based Global Tiger Initiative, told National Geographic that as internet connectivity and wealth has increased in developing countries, so too has demand increased for the perceived luxury goods of wildlife products.

That demand coincides with criminals using cell phones, SIM cards, and email, as well as online black markets for wildlife goods.

We’ve previously seen GPS spoofed in controlled demonstrations, such as in July, when University of Texas/Cockrell School of Engineering graduate students steered an $80 million yacht off course by spoofing GPS signals.

Students from the engineering school did the same thing to a drone in June 2012.

Criminals may also have tracked a burglary victim by sticking GPS devices on her car so they could determine when her house would likely be empty and they might best break in.

Is one isolated attempt to break into an inbox containing encrypted GPS data for a rare, profitable target – an endangered Bengal tiger – enough to warrant the coining of a new term for an exotic new type of cyber criminal that could well be entirely hypothetical?

I don’t know.

But, given the facts – criminals are increasingly tech-literate, the wildlife market is extremely profitable, and civilian GPS receivers have proved to be spoofable – I would refrain from saying that conservationists are overreacting.

With as few as 2,500 tigers left, and numbers dwindling, the stakes are too high not to take even the most unlikely threats very seriously.

National Geographic reports that since the possible hacking attempt, the collared tiger has been seen more than three times and photographed twice.

A dedicated team now stays within 1,600 feet (500 meters) of the tiger at all times to deter poachers.

In January, the conservationists at the reserve will deploy surveillance drones and wireless sensors to detect human intrusions into the forest.

As Ramesh told National Geographic, if conservationists’ worst fears about technology-enhanced poaching do come to pass, the cyber poachers will be, in turn, battling technology-enhanced warriors, fighting on behalf of tigers.

Let’s hope the cyber conservationists win.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gdtu-ROGixM/

Don’t panic, Windows XP users: Google Chrome loves you … UNTIL 2015


Updated In a rather shrewd move, Google has said it will provide Chrome updates for Windows XP users for at least a year after Microsoft stops supporting the elderly OS next April.

“We recognize that hundreds of millions of users, including a good chunk of current Chrome users, still rely on XP,” said Mark Larson, superintendent of public safety (yes, really) at Google Chrome in a blog post.


“Moreover, many organizations still run dozens or even hundreds of applications on XP and may have trouble migrating. Our goal is to support Chrome for XP users during this transition process. Most importantly, Chrome on XP will still be automatically updated with the latest security fixes to protect against malware and phishing attacks.”

Of course, running Chrome on an outdated Windows XP system doesn’t protect against attacks on Microsoft’s operating system itself or on any other installed applications. In August Redmond warned that Patch Tuesday fixes for newer Windows versions could be reverse-engineered to reveal the same, unfixed flaws in XP, which attackers could then exploit.

Microsoft has told its resellers that the shift from XP is a “$12bn opportunity” for them to upgrade to Windows 7 or 8, but there are going to be a lot of holdouts.

According to research from Gartner 15 per cent of midsize and large enterprises will still have Windows XP running on at least 10 per cent of their PCs by the time Redmond cuts off vital support, and a lot of consumers around the world show no signs of abandoning the OS.

Google may think its show of largesse will help it grow Chrome’s audience still further, but the firm’s not telling El Reg. The Chocolate Factory may also believe that when XP users finally get sick of their 2001-era machines they’ll consider a Chrome OS device as a replacement.

Aside from the ludicrously high-priced Chrome Pixel, Chrome OS systems inhabit the lowest end of the cost scale for laptops, and Google has made security a big selling point of such systems. Getting XP users used to the Chrome interface might rub off on them, and Google could maybe snaffle a bit of that $12bn upgrade market for itself. ®

Update

“Third parties may provide ongoing support for their applications, but it’s important to recognize that support will not address fixes and security patches in the core Windows kernel so new vulnerabilities can still be exploited even though applications might be updated,” Microsoft told El Reg in an emailed statement.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/16/google_extends_chrome_support_for_windows_xp_users_into_2015/

Indonesia becomes MOST DANGEROUS place on the internet


Indonesia has had the dubious honour of supplanting China as the number one source of attack traffic globally in the second quarter, according to the latest stats from content delivery and security firm Akamai.

The vendor’s State of the Internet report for Q2 found Indonesia accounted for 38 per cent of the world’s attack traffic, almost double the previous quarter’s 21 per cent.


China’s share of naughtiness actually dropped by one point, to 33 per cent for Q2, while the US showed another decline – from 8.3 per cent to 6.9 per cent.

However, before we all start training our guns on Indonesia, Akamai admitted in the report that attribution remains problematic. That is, online criminals hiding out in Eastern Europe may simply be using compromised machines in Indonesia through which to route attacks.

If nothing else, the stats suggest that the country – the world’s fourth most populous – has a major challenge in cleaning up its IP address space, as does China. By the same measure, the US seems to be doing pretty well of late.

That’s not to say that Indonesia hasn’t had its fair share of home-grown hacking incidents. Back in January the president’s web site was defaced, and after the arrest of a suspect, his supporters began defacing several government sites in protest.

The Asia-Pacific is by far the world’s worst offender, now accounting for a mammoth 79 per cent of observed attacks compared to around 10 per cent each for Europe and the Americas.

As for where the attacks are targeting, the majority were against Port 80 (HTTP traffic) and Port 443 (HTTPS/SSL) which accounted for 24 per cent and 17 per cent respectively.

DDoS attacks also continue to increase globally, by 54 per cent over the first quarter to 318 reported cases. While the Americas were by far the biggest target, accounting for 202 of these, attacks against APAC customers tripled to 79 in Q2.

However, Akamai noted that this statistic is “primarily driven by a continuing series of attacks on a small number of companies within the region, and as such may not indicate a long-term change to the distribution of attacks worldwide”.

Elsewhere in the report, Akamai noted that global average connection speeds climbed 5.2 per cent to 3.3Mbps, while adoption of “high broadband” (10Mbps+) grew an impressive 13 per cent on the previous quarter to account for 14 per cent of connections.

South Korea remains the home of the world’s speediest average connections at 13Mbps, while Hong Kong comes top for highest average peak connection speed (65.1Mbps).

Mobile data grew 14 per cent from the previous quarter while voice traffic saw much slower growth, edging up only 5 per cent since Q2 2012, the report found. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/17/indonesia_number_one_attack_source/

Leaky security could scuttle global ship-tracking system


Security researchers have found a major flaw in the Automatic Identification System (AIS), a mandatory tracking system for ships, which could leave the 400,000 vessels currently using it globally wide open to terrorists or pirates.

Trend Micro’s Kyle Wilhoit and Marco Balduzzi and independent researcher Alessandro Pasta presented their findings at the HITB security conference in Kuala Lumpur this week.


They claimed that AIS has been designed “with seemingly zero security considerations”, potentially allowing hackers to create fake vessels, disable tracking or create false SOS or collision alerts.

Given that the system is mandatory for commercial ships of 300 gross tonnage and above on international voyages, and for all passenger ships regardless of size, the security flaws highlighted in the research are nasty.

AIS works by taking GPS data on a ship’s position, course and other details and broadcasting it, unencrypted over VHF radio, to nearby ships and to AIS base stations along the coastline.

However, in a blog post, Wilhoit and Balduzzi explained that they’d found vulnerabilities not only in the AIS protocol but also within service providers such as Marine Traffic which use AIS info on their public-facing sites.

They claimed some of the main providers have vulnerabilities which would allow a hacker to “tamper with valid AIS data and inject invalid AIS data”, leading to a variety of possible outcomes.

These include changing vital ship details such as position, course, speed, cargo or unique MMSI (Maritime Mobile Service Identity).

It could also allow the creation of fake vessels – they gave the example of an Iranian ship filled with nuclear cargo turning up off the US coast.

Hackers could force shipwrecks by “creating and modifying Aids to Navigation (AtoN) entries, such as buoys and lighthouses”, and even spoof the take-off and flight of search and rescue aircraft.

Wilhoit and Balduzzi also found flaws in the AIS protocol used in hardware transceivers installed in all vessels using the system.

This could lead to the following scenarios, they claimed:

Impersonate marine authorities to permanently disable the AIS system on a vessel, both forcing the ship to stop communicating its position, and stop getting AIS notifications from all nearby vessels (essentially a denial of service attack). This can also be tagged to a geographical area e.g. as soon as a ship enters Somali sea space it vanishes off AIS, but the pirates who carried out the attack can still see it.

Fake a “man-in-the-water” distress beacon at any location that will also trigger alarms on all vessels within approximately 50 km.

Fake a CPA alert (Closest Point of Approach) and trigger a collision warning alert. In some cases this can even cause software on the vessel to recalculate a course to avoid collision, allowing an attacker to physically nudge a boat in a certain direction.

Send false weather information to a vessel, e.g. approaching storms to route around.

Cause all ships to send AIS traffic much more frequently than normal, resulting in a flooding attack on all vessels and marine authorities in range.

The problem, the duo claimed, is that AIS was “designed in a world before the Internet or software-defined radio”.

This means it lacks basic security measures such as geographical validity checks to ensure the accuracy of AIS messages; time-stamping of messages; authentication of message senders; and encryption to prevent message interception/modification.
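To make that last point concrete, here is an added example, not from the Trend Micro research or the original article, that builds and parses a Type 1 position report in the !AIVDM sentence format AIS receivers consume. The field layout follows ITU-R M.1371 as the editor recalls it; the MMSI, coordinates and receiver position used are constructed for illustration. The point it demonstrates is the one Wilhoit and Balduzzi make: the only check a receiver performs is a keyless XOR checksum, so a sentence assembled in software for any MMSI and any position is accepted exactly like one from a real transponder. The final function is the kind of geographic plausibility check the protocol itself does not provide.

```python
"""Build and decode AIS Type 1 position reports as !AIVDM sentences.
Nothing in a sentence proves who sent it: the MMSI is self-declared, the
checksum is a keyless XOR, and there is no timestamp or signature, so a
report assembled here is indistinguishable from one sent by a real transponder."""
import math
from dataclasses import dataclass

MSG_TYPE_POSITION_REPORT = 1  # ITU-R M.1371 message type 1, 168 bits

@dataclass
class PositionReport:
    mmsi: int         # 30-bit vessel identity, asserted by the transmitter
    lat: float        # decimal degrees, north positive
    lon: float        # decimal degrees, east positive
    sog_knots: float  # speed over ground
    cog_deg: float    # course over ground

def _put(bits, value, width, signed=False):
    """Append a fixed-width big-endian field (two's complement if signed)."""
    if signed and value < 0:
        value &= (1 << width) - 1
    if not 0 <= value < (1 << width):
        raise ValueError(f"{value} does not fit in {width} bits")
    bits.append(format(value, f"0{width}b"))

def _get(bitstr, start, width, signed=False):
    v = int(bitstr[start:start + width], 2)
    if signed and v >= 1 << (width - 1):
        v -= 1 << width
    return v

def _armour(bitstr):
    """Pack bits into the 6-bit ASCII alphabet used for AIVDM payloads."""
    fill = (-len(bitstr)) % 6
    bitstr += "0" * fill
    vals = [int(bitstr[i:i + 6], 2) for i in range(0, len(bitstr), 6)]
    return "".join(chr(v + 48) if v < 40 else chr(v + 56) for v in vals), fill

def _dearmour(payload):
    vals = [ord(c) - 48 - (8 if ord(c) - 48 > 40 else 0) for c in payload]
    return "".join(format(v, "06b") for v in vals)

def nmea_checksum(body):
    """XOR of every character between '!' and '*': integrity only, no secret."""
    x = 0
    for ch in body:
        x ^= ord(ch)
    return f"{x:02X}"

def encode_position_report(r):
    bits = []
    _put(bits, MSG_TYPE_POSITION_REPORT, 6)
    _put(bits, 0, 2)                                    # repeat indicator
    _put(bits, r.mmsi, 30)                              # nobody verifies this
    _put(bits, 0, 4)                                    # nav status: under way using engine
    _put(bits, -128, 8, signed=True)                    # rate of turn: not available
    _put(bits, round(r.sog_knots * 10), 10)             # 0.1 knot units
    _put(bits, 1, 1)                                    # position accuracy: high
    _put(bits, round(r.lon * 600000), 28, signed=True)  # 1/10000 minute units
    _put(bits, round(r.lat * 600000), 27, signed=True)
    _put(bits, round(r.cog_deg * 10), 12)               # 0.1 degree units
    _put(bits, 511, 9)                                  # true heading: not available
    _put(bits, 60, 6)                                   # UTC second: not available
    _put(bits, 0, 2 + 3 + 1 + 19)                       # manoeuvre, spare, RAIM, radio status
    payload, fill = _armour("".join(bits))
    body = f"AIVDM,1,1,,A,{payload},{fill}"
    return f"!{body}*{nmea_checksum(body)}"

def decode_position_report(sentence):
    body, _, cksum = sentence[1:].partition("*")
    if nmea_checksum(body) != cksum.strip().upper():
        raise ValueError("checksum mismatch")
    fields = body.split(",")
    if fields[0] not in ("AIVDM", "AIVDO"):
        raise ValueError("not an AIS sentence")
    bits = _dearmour(fields[5])
    if _get(bits, 0, 6) != MSG_TYPE_POSITION_REPORT:
        raise ValueError("not a Type 1 position report")
    return PositionReport(
        mmsi=_get(bits, 8, 30),
        lat=_get(bits, 89, 27, signed=True) / 600000,
        lon=_get(bits, 61, 28, signed=True) / 600000,
        sog_knots=_get(bits, 50, 10) / 10,
        cog_deg=_get(bits, 116, 12) / 10,
    )

def within_vhf_range(rx_lat, rx_lon, report, max_km=75.0):
    """Receiver-side plausibility check the protocol lacks: a report heard over
    VHF should place the vessel within radio range of the receiving station."""
    p1, p2 = math.radians(rx_lat), math.radians(report.lat)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(report.lon - rx_lon) / 2) ** 2)
    return 6371.0 * 2 * math.asin(math.sqrt(a)) <= max_km
```

decode_position_report will reject a sentence corrupted in transit, but it has no way to reject a forged one: the checksum catches radio noise, not attackers. The range check is only a heuristic (AIS data is also relayed through base stations and satellites, so a distant report is not necessarily bogus), which is one reason the missing sender authentication matters more than any filter a receiver can bolt on afterwards.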

Trend Micro said it will be releasing a white paper around the findings in due course and has already disclosed its research to all major AIS standards bodies and online AIS tracking info providers. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/17/ais_hacked_trend_micro_ships_wrecked/

Send dosh (insecurely) via email, Jack Dorsey’s Square tells punters


Not content with revolutionising shopping as we know it, uber-cool money-transfer outfit Square has launched a peer-to-peer payment system – secured only by an SMTP password.

Square – the payment firm developed by Twitter founder Jack Dorsey – has debuted a new service, Square Cash, which authorises transactions with an email. You just email the recipient, CCing Square’s dedicated payment address, and specify the amount of cash to be moved in the subject line.


The money is deducted from the sender’s debit or credit card (which must be registered with the service – either in advance, or Square sends instructions for doing so) and credited to the recipient, who’ll be asked to provide a card if not already registered. The catch is that the security of the whole transaction rests on the difficulty of forging an email message.

Looks genuine to me

Square apparently wanted to simplify the process of sending and receiving money and, having decided that proper credentials are a bit of a faff, thought email should be sufficiently secure to authorise payments totalling up to $2,500 a week. As an SMS is sent to the cardholder every time money is deducted, they have plenty of time to dispute a payment during the 1-2 business days it takes to process.

Forging emails isn’t as trivial as it was some years ago, when one could telnet into an SMTP server and spit out a mail from anyone. These days outbound servers commonly require a username and password and use Transport Layer Security, but that protects only the sending side; whether a forged From: address is caught depends on the receiving service checking SPF, DKIM and DMARC on arrival, and you might not wish to bet your bank account on it.
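The check the preceding paragraphs leave implicit, as an added example that is not Square’s code and is not from the original article: the sender’s SMTP credentials protect only the sender’s own outbound server, so a service that accepts payment instructions by email has to verify on arrival that the From: address was authenticated (SPF pass, plus a DKIM pass whose signing domain matches the From: domain, which is the alignment DMARC enforces). The payment address, the way the $2,500 figure is applied and the two sample messages are constructed for illustration, and the Authentication-Results header is assumed to have been stamped by the receiving operator’s own mail server.

```python
"""Receiving-side gate for an email-authorised payment instruction (illustrative).
Models a service that accepts 'CC our payment address, amount in the subject'.
The sender's SMTP password protects only the sender's own outbound server; what
the receiving service can check is whether the From: domain was authenticated
on arrival, read here from the Authentication-Results header its own MTA adds."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

PAYMENT_ADDRESS = "cash@payments.example"  # placeholder, not Square's real address
PER_INSTRUCTION_CAP_USD = 2500.0           # the $2,500 weekly figure from the article,
                                           # applied per instruction here for simplicity

def parse_amount(subject):
    """Accept '20', '$20' or '20.50'; refuse anything else rather than guess."""
    m = re.fullmatch(r"\s*\$?(\d+(?:\.\d{1,2})?)\s*", subject or "")
    if not m:
        raise ValueError("subject does not contain a plain amount")
    return float(m.group(1))

def sender_authenticated(msg):
    """True only if SPF passed and DKIM passed for the exact From: domain
    (the alignment DMARC enforces), as reported by our own MTA."""
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not from_domain:
        return False
    dkim_ok = spf_ok = False
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:     # clause 0 is the authserv-id
            clause = " ".join(clause.split())     # unfold continuation lines
            if clause.startswith("dkim=pass"):
                d = re.search(r"header\.d=([^\s;]+)", clause)
                if d and d.group(1).lower() == from_domain:
                    dkim_ok = True
            elif clause.startswith("spf=pass"):
                spf_ok = True
    return dkim_ok and spf_ok

def payment_instruction(raw_message):
    """Return {'payer', 'payee', 'amount'} for an acceptable instruction, None if
    the mail is not addressed to the service, or raise if it must be refused."""
    msg = message_from_string(raw_message)
    rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if PAYMENT_ADDRESS not in rcpts:
        return None
    if not sender_authenticated(msg):
        raise PermissionError("From: address not authenticated; refusing to debit")
    amount = parse_amount(msg.get("Subject"))
    if amount > PER_INSTRUCTION_CAP_USD:
        raise ValueError("amount exceeds cap")
    payees = [a for a in rcpts if a != PAYMENT_ADDRESS]
    if len(payees) != 1:
        raise ValueError("exactly one payee expected")
    return {"payer": parseaddr(msg["From"])[1].lower(), "payee": payees[0], "amount": amount}

# Constructed sample messages, not real traffic.
AUTHENTICATED = """\
Authentication-Results: mx.payments.example;
 dkim=pass header.d=example.com; spf=pass smtp.mailfrom=alice@example.com
From: Alice <alice@example.com>
To: bob@example.net
Cc: cash@payments.example
Subject: $20

Lunch money.
"""

SPOOFED = """\
Authentication-Results: mx.payments.example; dkim=none; spf=fail smtp.mailfrom=alice@example.com
From: Alice <alice@example.com>
To: mallory@example.org
Cc: cash@payments.example
Subject: 2000

Pay me.
"""
```

Two caveats for anyone building on this: the gate is only as trustworthy as the header it reads, so the receiving mail server must strip any Authentication-Results headers that arrive from outside before adding its own (RFC 8601 requires exactly that), and passing SPF and DKIM proves the mail came from the domain’s authorised infrastructure, not that the account holder typed it, which is why a compromised webmail account would still sail through.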

Square has a history of playing fast and loose with security, touting an iPhone-based magnetic-stripe card reader without any obvious security features, but if the company can get away with it in most cases, then the security is probably good enough.

Square Cash transactions will be free, but the showstopper may be those two business days it takes for transactions to be credited to the recipient’s account, while services such as PingIt can do the same thing in less than 24 hours. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/17/square_launches_payments/

Twitter introducing new direct message options

News has been spreading that Twitter is slowly introducing changes to how it handles direct messages (DMs) and controlling the types of links that can be sent through DMs from non-verified accounts.

These changes could have far-reaching implications for Twitter users’ security and privacy.

My first thought when reading this news was “Wow, what an odd way of admitting defeat in the fight against spam.”

Twitter has not rolled out these changes to all users, but it would appear that links in DMs to URLs other than Facebook, Twitter and Instagram will be blocked.

I might strongly recommend against clicking links in email, but Google, Yahoo!, Microsoft and AOL don’t remove links from email messages.

A frighteningly high number of blogs might be compromised by cybercriminals, but I wouldn’t suggest Chrome, Firefox, Safari and Internet Explorer render links unclickable.

Restricting the ability to send private links, rather than filtering out spammy or malicious ones, could push users to share content through other private messaging services like SMS, Facebook Chat or MSN Messenger rather than on Twitter.

I wouldn’t normally object to policy changes that could prevent users from being exposed to unwanted messages or malicious content, but this seems to be an extreme response to a largely solvable problem.

The second change appears to be the ability for users to receive direct messages from users they do not themselves follow. This is being rolled out slowly through a new account setting.

This might be particularly useful for organizations that provide customer service and technical support via Twitter and want to have private communications with customers without already having had to follow those users.

At the time of this writing, none of these changes are available on my accounts, but some are writing about the changes being implemented on their accounts.

This is likely a very bad idea for regular everyday Twitter users though. It is a bit of a blanket invitation for unwanted solicitations.

Other services that allow for private messaging have had to implement the blocking of unsolicited messages. If Twitter changes this option to be the new default it will likely end in tears.

Bottom line? Nothing earth shattering.

Check your Twitter settings and be sure “Receive direct messages from any follower” is unchecked once it is available in your profile.

If Twitter blocks you from sending links to your friends through DMs, use another medium. It isn’t really such a bad thing to avoid clicking shortened links when you don’t really know where they might lead you anyhow.

Look on the bright side, at least they aren’t trying to use your profile to promote products or removing privacy choices.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wsdsyL2eaK4/


Rorschach test suggested as CAPTCHA replacement


A bunch of boffins from Carnegie Mellon University is proposing that inkblot-style patterns form the basis of a system to replace CAPTCHAs, and is offering an open challenge to see how well it works.

While the CAPTCHA has been successful in preventing some forms of attack, such as comment-spam on Web forums, CAPTCHA-protected pages and passwords still come under attacks of various kinds, all the way down to paying people cents-per-hour to attack them.


The Carnegie Mellon proposal is for randomly-generated inkblots to be presented instead of CAPTCHAs. Dubbed “GOTCHAs” (Generating panOptic Turing Tests to Tell Computers and Humans Apart) by the researchers, the aim is to defeat dictionary attacks, since the password cracker needs human feedback, even if it has access to the bits that generated the puzzle.

Since people are good at discovering something meaningful in patterns, a person presented with a series of inkblots will probably be able to come up with some kind of meaningful phrase to label an inkblot image.

Image: an inkblot from the GOTCHA paper. Caption: “Tell me what you see … better still, don’t”. Source: GOTCHA Password Hackers! http://arxiv.org/pdf/1310.1137v1.pdf

As they explain in this paper at Arxiv, the idea of inkblot-based challenge-response isn’t new: however, in most such schemes, once a user has associated a phrase with a challenge, he or she needs to remember that phrase exactly when presented with the prompt. In GOTCHAs, the researchers instead ask users to recognise, rather than recall, the phrases they originally applied to the inkblots.

Here’s how the process works:

Create account:

  • Select username and password
  • Present random inkblots to user, requesting imaginative labels
  • Salt and store inkblots and users’ responses

For password recovery, the user would be presented with the same inkblots and asked to remember the labels they gave at “create account” time.

While this is a human-attackable scheme, the researchers say it protects against computer-based dictionary attacks, since a computer reading the bits that comprise the inkblots can’t assign semantic meaning to the image they would generate.

Of course, if a user failed the challenge, the system would merely generate a new password, as would be the case today.

Usability is still variable, the researchers note. The Mechanical Turk recruits they used to test the scheme could only manage 29 per cent completely accurate recall, although 69 per cent of users could recall at least five out of the ten labels they created. Interestingly and perhaps counter-intuitively, they found that long, descriptive phrases were recalled more accurately than one- or two-word labels – as they write, “A happy guy on the ground, protecting himself from ticklers” is more memorable than “voodoo mask”.

The researchers present a challenge here for others to test – and try to crack – the GOTCHA scheme.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/17/inkblots_proposed_as_captcha_replacement/