Google's Gmail and Yahoo's Mail were also targeted by a large-scale phishing attack, perhaps the same one that harvested at least 10,000 passwords from Microsoft's Windows Live Hotmail, according to a report by the BBC. Microsoft, for its part, said late yesterday that it had blocked all hijacked Hotmail accounts, and offered tools to help users who had lost control of their e-mail. Gmail was the target of what Google called a large-scale phishing campaign, the company told the BBC. "We recently became aware of an industry-wide phishing scheme through which hackers gained user credentials for Web-based mail accounts including Gmail accounts," a Google spokesperson told the news network. "As soon as we learned of the attack, we forced password resets on the affected accounts," the Google spokesperson also told the BBC. "We will continue to force password resets on additional accounts when we become aware of them." The BBC also said it has seen a list of some 20,000 hijacked e-mail accounts; the list included accounts from Gmail, Yahoo Mail, AOL, Comcast and EarthLink. The latter two are major U.S. Internet service providers. Neither Google's nor Yahoo's U.S. representatives responded to e-mails from Computerworld seeking confirmation that their Gmail and Yahoo Mail services were targeted by phishers, or answers to questions about how many accounts had been compromised and what the firms are doing to help users.

Microsoft has acknowledged that log-on credentials for "several thousand" Hotmail accounts had been obtained by criminals, probably through a phishing attack that had duped users into divulging their usernames and passwords. Late Monday, Microsoft said it was blocking access to all the accounts whose details had been posted on the Web last week. "We are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts," the company said on its Windows Live blog. Microsoft posted an online form where users who have been locked out of their accounts can verify their identity and reclaim control, and also pointed users to a support page from October 2008 that spells out steps users can take if they think their accounts have been hijacked. Neowin.net, the site that first reported the Hotmail account hijacking early Monday, today added that it had seen the same list of compromised accounts as the BBC. "Neowin can today reveal that more lists are circulating with genuine account information and that over 20,000 accounts have now been compromised," said the Windows enthusiast site. "[The] new list contains e-mail accounts for Gmail, Yahoo, Comcast, EarthLink and other third-party popular Web mail services."
After a slump earlier this year, phishing attacks are on the upswing, according to the Anti-Phishing Working Group (APWG). Its most recent data, for the first half of 2009, noted that the number of unique phishing-oriented Web sites had surged to nearly 50,000 in June, the largest number since April 2007 and the second-highest total since the industry association started keeping records. Yesterday, Dave Jevans, the chairman of the APWG, called the Hotmail phishing attack one of the largest ever, but cautioned that the usernames and passwords may have been harvested over several months, and not by a single, defined attack.

The Department of Homeland Security is looking to hire 1,000 cybersecurity professionals in the next three years, according to the agency's secretary, Janet Napolitano. "This new hiring authority will enable DHS to recruit the best cyber analysts, developers and engineers in the world to serve their country by leading the nation's defenses against cyber threats," Napolitano stated. The department now has the authority to recruit and hire cybersecurity professionals across DHS over the next three years in order to help fulfill its mission to protect the nation's cyber infrastructure, systems and networks, she said. DHS is the focal point for the security of cyberspace - including analysis, warning, information sharing, vulnerability reduction, mitigation, and recovery efforts for public and private critical infrastructure information systems.

The hiring authority, which results from a collaborative effort between DHS, the Office of Personnel Management and the Office of Management and Budget, lets DHS staff up to 1,000 positions over three years across all DHS agencies to fulfill critical cybersecurity roles, including cyber risk and strategic analysis; cyber incident response; vulnerability detection and assessment; intelligence and investigation; and network and systems engineering. The need for DHS to bolster its security realm is a hot topic. A Government Accountability Office report this year said that while DHS established the National Cyber Security Division to be responsible for leading national day-to-day cybersecurity efforts, that has not enabled DHS to become the national focal point for security as envisioned. The group told the GAO there also needs to be an independent cybersecurity organization that leverages and integrates the capabilities of the private sector, civilian government, law enforcement, military, intelligence community, and the nation's international allies to address incidents against the nation's critical cyber systems and functions. The GAO said the Defense Department and other organizations within the intelligence community that have significant resources and capabilities have come to dominate federal efforts. The cybersecurity jobs announcement comes on the same day that the FBI warned that fraudsters are targeting social networking sites with increased frequency and that users need to take precautions.

The FBI said fraudsters continue to hijack accounts on social networking sites and spread malicious software by using various techniques. One technique involves the use of spam to promote phishing sites, claiming there has been a violation of the terms of agreement or some other type of issue which needs to be resolved. Other spam entices users to download an application or view a video. Some spam appears to be sent from users' "friends", giving the perception of being legitimate. Once the user responds to the phishing site, downloads the application, or clicks on the video link, their computer, telephone or other digital device becomes infected, the FBI stated.

Meanwhile, legislators are trying to encourage cooperation among universities and businesses to develop the technology needed to carry out a strategic government effort to fight cyber attacks. A US House subcommittee is recommending a bill that calls for a university-industry task force to coordinate joint cybersecurity research and development projects between business and academia. The Cybersecurity Research and Development Amendments Act of 2009 was approved recently by the House Committee on Science and Technology's Research and Science Education Subcommittee. The legislation would set up a scholarship program that pays college bills for students who study in fields related to cybersecurity. In return, the students would agree to work as cybersecurity professionals within the federal government for a period equal to the number of years they received scholarships. If there aren't any jobs there, they would work for state or local governments in the same capacity or teach cybersecurity courses. They would also get summer internships in the federal government.

IBM is trying to hit Microsoft where it hurts, with a new offering designed to lure customers away from Windows 7. IBM said Tuesday that it is teaming up with Canonical to provide cloud- and Linux-based desktop packages in the United States at half the cost of upgrading to Windows 7. The package is called the IBM Client for Smart Work; it was initially launched last month in Africa, as it was designed for emerging markets. Despite announcing the product Tuesday, IBM and Canonical say it won't be widely available from its full lineup of partners until 2010. That gives the industry's dominant operating system vendor a significant head start, with Microsoft's Windows 7 set for general availability on Thursday. But IBM sees an opportunity to extend the product to the United States "to help companies avoid the higher licensing, hardware upgrades and migration costs associated with Microsoft Windows 7," as IBM said in an announcement.

But IBM says the Client for Smart Work package, which is based on IBM's productivity and collaboration software, will give customers a less expensive alternative to Windows by taking advantage of existing PCs or low-cost netbooks and thin clients. "Independent market estimates range up to $2,000 for the cost of migrating to the Windows 7 operating system for many PC users," IBM argues. "New PC hardware requirements account for a significant portion of the added expense." IBM claims its package will help businesses save as much as 50% vs. Windows on software costs. IBM says Client for Smart Work will consist of the following components, some of which are already available: "Word processing, spreadsheets and presentations from IBM Lotus Symphony, which is a free-of-charge download on the Web; Email from IBM Lotus Notes or the cloud-based LotusLive iNotes launched earlier this month, which starts at $3 per user, per month; Cloud-based, social networking and collaboration tools from LotusLive.com from $10 per user, per month; and Ubuntu, an open platform for netbooks, laptops, desktops, and servers." "Since the IBM Client for Smart Work is based on Eclipse, Linux and open Web standards, it can integrate with any third-party software," IBM says. "This gives companies the freedom to use technologies of their choice, extend their functions and preserve existing investments." IBM Client for Smart Work is already being sold as a hosted virtual desktop by partners such as Web hosting provider Midas Networks and desktop virtualization vendor Virtual Bridges. IBM and Canonical say there will be hundreds of partners offering IBM Client for Smart Work in the United States, but not until 2010. Partners will include systems integrators, virtual desktop providers and others. Follow Jon Brodkin on Twitter: www.twitter.com/jbrodkin

Apple patched 58 vulnerabilities in its Mac operating systems today, the most since May 2009, including several in the QuickTime media player that it had fixed separately in early September. Today's security update was the sixth from Apple this year, and the second that included patches for Snow Leopard, launched in late August. In May, Apple patched a record 67 vulnerabilities; it addressed 55 in February, 33 in September, and 19 in two separate August updates. "Seems a little large, but really, it's par for the course for Apple," said Andrew Storms, director of security operations at nCircle Network Security, referring to the number of individual bugs quashed in today's 2009-006 update. "Thank goodness Apple didn't release it tomorrow," Storms said. Microsoft, which unlike Apple sets a regular schedule for its security updates, is slated to deliver six updates Tuesday that will patch 15 vulnerabilities. Apple apparently also retired Mac OS X 10.4, aka Tiger, from security support; none of the patches affect that operating system, which debuted in April 2005. Apple traditionally stops providing security updates for its oldest still-supported OS several months after the release of a new edition.

More than half of the vulnerabilities patched today, 32 out of the 58, were accompanied by the phrase "may lead to arbitrary code execution," which is Apple's way of saying that a flaw was critical and could be used by attackers to hijack a Mac. Apple does not assign ratings or severity scores to the bugs it patches, unlike other major software makers, such as Microsoft and Oracle. Apple plugged holes in 37 different components of Mac OS X, ranging from AFP Client and the open-source Apache Web server software to CoreGraphics, the Help Viewer and the Spotlight desktop search engine. Storms said several were worth particular attention, including the four that patched critical vulnerabilities in the version of QuickTime originally packaged with Mac OS X 10.6, aka Snow Leopard. "Those were the vulnerabilities Apple patched in QuickTime 7.6.4," said Storms, noting that Apple issued a separate QuickTime update for Mac OS X 10.4 and 10.5, Tiger and Leopard, respectively, on Sept. 9, just 12 days after debuting Snow Leopard. Apple delivered Snow Leopard's first security update on Sept. 10 to fix nine flaws in Adobe's Flash Player that it had plugged in late July, but was unable to squeeze into Snow Leopard before its launch. Five other vulnerabilities were also Snow Leopard-only: a pair of bugs in the CoreMedia component's parsing of H.264 movie files, one in ImageIO's handling of TIFF files, and vulnerabilities in the kernel and launch services were patched in today's update.

Storms said that one of today's patches, which Apple labeled as affecting the Libsecurity component, had been patched a month ago by Microsoft in that company's regular October security update. Apple credited Dan Kaminsky, of IOActive, and the Microsoft vulnerability research team for reporting the flaw, which was in the parsing of X.509 certificates. It could be used to spoof the digital certificate of a Web site, perhaps in league with identity theft attacks. Last month, Microsoft said that proof-of-concept code had been published "which would allow an attacker to exploit this vulnerability in limited scenarios," but said it had not seen active attacks. "While it is not yet considered computationally feasible to mount an attack using these weaknesses, this update disables support for an X.509 certificate with an MD2 hash for any use other than as trusted root certificate," Apple said in the accompanying advisory.
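The advisory quoted above describes a certificate policy rather than a code change. The following is an added example (mine, not Apple's or Microsoft's code) of what such a check looks like in practice: it hand-parses just enough DER to reach a certificate's outer signatureAlgorithm field, decodes the algorithm OID, and refuses an MD2-signed certificate anywhere except as a trust anchor, whose signature a verifier never checks in any case. The certificate skeletons, the MD2_CERT/SHA256_CERT names and the helper functions are constructed for illustration; only the md2WithRSAEncryption and sha256WithRSAEncryption OIDs are real values.

```python
"""Reject X.509 certificates whose signature uses an MD2 hash unless they are
trusted roots: the policy Apple's advisory describes, as an added example.

The parser reads only the outer signatureAlgorithm of a DER Certificate:

    Certificate ::= SEQUENCE {
        tbsCertificate      TBSCertificate,       -- skipped here
        signatureAlgorithm  AlgorithmIdentifier,  -- SEQUENCE { OID, params }
        signatureValue      BIT STRING }
"""

MD2_WITH_RSA = "1.2.840.113549.1.1.2"       # md2WithRSAEncryption (PKCS #1)
WEAK_SIGNATURE_OIDS = {MD2_WITH_RSA}         # extend with other retired hashes as policy requires


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]   # first octet packs the first two arcs
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)        # base-128, high bit set on continuation octets
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def cert_allowed(cert_der: bytes, is_trusted_root: bool) -> bool:
    """Policy: an MD2-signed certificate is acceptable only as a trust anchor;
    as an intermediate or leaf its signature provides no assurance, so reject it."""
    if signature_algorithm_oid(cert_der) in WEAK_SIGNATURE_OIDS:
        return is_trusted_root
    return True


# ---- constructed sample input (hypothetical skeletons, not real certificates) ----

def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one short-form DER TLV (content shorter than 128 octets)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _skeleton_cert(sig_oid_der: bytes) -> bytes:
    """Structurally valid Certificate with an empty tbsCertificate and a one-octet
    signatureValue; only the signatureAlgorithm field carries meaning."""
    alg_id = _tlv(0x30, _tlv(0x06, sig_oid_der) + _tlv(0x05, b""))   # OID + NULL params
    return _tlv(0x30, _tlv(0x30, b"") + alg_id + _tlv(0x03, b"\x00"))


MD2_CERT = _skeleton_cert(bytes.fromhex("2a864886f70d010102"))      # 1.2.840.113549.1.1.2
SHA256_CERT = _skeleton_cert(bytes.fromhex("2a864886f70d01010b"))   # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    for name, cert in (("md2 leaf", MD2_CERT), ("sha256 leaf", SHA256_CERT)):
        print(name, signature_algorithm_oid(cert), "allowed" if cert_allowed(cert, False) else "rejected")
```

A real verifier should also check that the OID inside tbsCertificate.signature matches the outer one (RFC 5280 requires them to agree) and should apply the same weak-hash test to every certificate in the chain, not just the leaf.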

Several open-source components of Mac OS X were also patched in Apple's update today, including the Apache Web server, Fetchmail, IPSec, LibXML, OpenLDAP, OpenSSH, PHP, RADIUS and Subversion. "I looked up the release dates of those to get an idea of Apple's response time," Storms said. "Apache was patched in June; Fetchmail, LibXML and Subversion in August; and PHP and RADIUS in September." Storms and other security experts have been critical of Apple's sometimes-lethargic patching pace for open-source pieces it includes in Mac OS X. "To harp on the fact again, if Apple is going to distribute open-source code and applications, they need to close that loophole faster," said Storms. "Some of those, like PHP and LibXML were pretty important to get patched, and they were fairly fast, for them, this time. But OpenSSH's bug was patched more than a year ago." The security update can be downloaded from the Apple site or installed using Mac OS X's integrated update service. Snow Leopard users, however, won't see the security update separately, since the patches were rolled into the Mac OS X 10.6.2 upgrade also released today.

Popular online finance service Mint launched a new feature on Thursday that uses Twitter's real-time information stream to keep you up-to-date on the latest financial news and tips. Called Money Tweets, Mint's newest addition is a great example of how businesses and services can exploit Twitter as a source for topical links to important news stories and helpful information. Money Tweets embraces the functionality of Twitter Lists and Twitter search to bring you posts from trusted news sources, tips from popular money management gurus and the hottest money-related discussions happening online.

Money Tweets breaks down the information into five categories: personal finance topics, tweets about Mint, tweets from Mint, Mint's Question of the Day, and popular discussions.

Topics

Mint has gathered more than twenty popular finance-related Twitter accounts to keep you informed about the latest news and tips to help keep your finances on track. Selected Twitter accounts include those from popular finance sites, personalities, and news outlets like CNBC, the Financial Times, The Motley Fool, SmartMoney, TopStocksMSN, The Wall Street Journal, StockTwits, and personal finance columnist and author Liz Pulliam Weston. Topical tweets are broken down into five money-related categories: saving, investing, budgeting, loans, and retirement.

Popular

One of the more interesting sections in Money Tweets is the Popular section, which tracks the hottest financial news on Twitter in real time. At the top of the page is a graph that shows trending patterns for popular money-related topics over the past 24 hours or the past week. Underneath the graph are the latest tweets relating to that subject. But this feature still has some bugs to work out. In my tests, the popular section had trouble switching between topical tweets. Clicking on the Goldman Sachs topic gave me appropriate posts related to that subject, but when I tried switching away to another topic the list of tweets didn't change. You will also end up with the occasional misplaced tweet. When I was looking at tweets related to the government bailout, a post related to Motorola's new Droid smartphone popped up.

Minty Tweets and Questions

If you're wondering about what the latest tweets from Mint are, or who's talking about Mint on Twitter, Money Tweets has a section for that as well. You can also get interactive by answering Mint's Question of the Day. These are usually topical questions that you may find interesting, such as "Now that the economy is recovering, what is the first thing you are going to buy?" To play along, you can either answer the daily question right from Mint (you will be redirected to Twitter.com to approve the post) or answer using your favorite Twitter client by adding the '#mintqotd' hashtag at the end of your message.

Room for Improvement

Money Tweets is an interesting way to keep an eye on the financial world by pulling in real-time information. But I'd like to see Mint make this feature even better by turning their Topics categories into Twitter lists. That way you'd have the option to pull Mint's recommended Twitter sources into your own Twitter feed. It would also be nice if Mint would add a feature that let you retweet particularly interesting posts you find on Money Tweets. Those are small complaints though. For the most part, Money Tweets is a great way to keep on top of financial information and money-related discussions happening online. Check it out at mint.com/twitter.

Connect with Ian on Twitter (@ianpaul).

A Miami man who for three years had evaded prosecution in connection with the theft and reselling of VoIP services is being extradited to Newark from Mexico today and is set to be arraigned in a New Jersey federal courthouse on Friday. Edwin Pena, 26, had been arrested in June 2006 on multiple computer and wire fraud charges, and then allegedly fled the country about two months later. He had been free on $100,000 bail. Pena was apprehended in Mexico in February, and federal prosecutors have been working to get him extradited back to the U.S. since then, according to Assistant U.S. Attorney Erez Liebermann. "He's been a fugitive for over three years," said Liebermann, who is prosecuting the case. "We're looking forward to proceeding with the prosecution." Pena faces 20 charges that include conspiracy to commit computer intrusion and conspiracy to commit wire fraud.

According to a criminal complaint filed in U.S. District Court in New Jersey, Pena and co-conspirator Robert Moore of Spokane, Wash., sold more than 10 million minutes of VoIP service that had been stolen from 15 telecommunications providers. The U.S. alleges that from November 2004 to May 2006 Pena and a cohort hacked into the computer networks of VoIP service providers and routed calls made by customers of Pena's VoIP service through them. Prosecutors have contended that the lost minutes were valued at $1.4 million to the providers victimized in the alleged scam. Federal investigators contend that Pena was the mastermind behind the scheme and Moore hacked the systems. In the fall of 2007, Moore pleaded guilty to conspiracy to commit computer fraud and began a two-year prison sentence.

Voice-over-IP systems route telephone calls over the Internet or other IP-based networks. Moore scanned telecommunications company networks around the world, searching for unsecured ports - the criminal complaint said that between June 2005 and October 2005, Moore ran more than 6 million scans of network ports within the AT&T network alone. The complaint alleges that once Moore found unsecured networks, he would then e-mail Pena the key information needed to access the vulnerable networks. Once the networks were accessed, prosecutors allege that Pena ran brute force attacks to find the proprietary codes needed to identify and accept authorized calls coming into the networks. He allegedly would use the codes to surreptitiously route his clients' calls through the systems. According to court documents, Pena gained more than $1 million from the scheme. Some was spent to buy real estate in Miami, a 40-foot boat and luxury cars, including a BMW M3 and a Cadillac Escalade.

It may be "a year or two" before Oracle releases a no-cost Express Edition (XE) of its 11g database, according to Andrew Mendelsohn, the company's senior vice president of database server technologies. That's because Oracle is going to wait until after the first patch set ships for 11g Release 2, which was launched in July, Mendelsohn said in a brief interview following a speech at Oracle's OpenWorld conference in San Francisco on Monday. Oracle took the same approach with the current 10g Express Edition, according to Mendelsohn, who oversees database development at the vendor.

Developers and ISVs (independent software vendors) prize XE because it includes many core features, and allows them to prototype, deploy and distribute applications without any licensing costs. However, XE is limited to 4GB of user data, 1GB of memory and a single CPU, and is available on only 32-bit Windows or Linux systems. Users with greater needs would need to upgrade to a paid database version such as Standard Edition. IBM and Microsoft also offer certain versions of databases at no cost. Some Oracle database administrators believe there is a deliberate reason for the protracted rollout. "It's an approach that ensures that adoption is nil," said Paul Vallée, founder of the Pythian Group, a database management outsourcing company in Ontario, Canada. "I don't think they're interested in adoption. ... I think they have to have it out there just for maybe a check box, just to maybe say they have a free edition."

Oracle simply isn't "gunning for market share in the free database segment," Vallée added. "If they were, the strategy would be to release this exactly the way it is and then sell support and commit to patch sets for it." That is essentially the model Sun Microsystems has used for the open-source MySQL database. Instead, Oracle wants lower-end customers to use a paid version of the database, such as Standard Edition One, said Pythian Group CTO Alexander Gorbachev. A Standard Edition One processor license costs $5,800, according to Oracle's latest price list. Oracle is attempting to buy Sun Microsystems for US$7.4 billion, but the deal is on hold while European officials conduct an antitrust review. Oracle plans to increase investment in MySQL, CEO Larry Ellison said during a keynote Sunday. It's unclear how the arrival of MySQL will affect XE, or any other aspect of Oracle's database strategy, Vallée said.