China defends Internet censorship after Obama lauds openness

China on Tuesday defended its control of information on the Internet that it deems sensitive or harmful, one day after U.S. President Barack Obama told students in Shanghai that information should be free. "For the Chinese government, we hope online communications can move smoothly, but at the same time we need to ensure that online communications do not affect our national security," Chinese Vice Foreign Minister He Yafei told reporters at a question-and-answer session in Beijing. China also aims to prevent "adverse content" online from harming children in the country, he said. The remarks highlighted ongoing tensions between China and the U.S. over human rights, another ideal Obama extolled in China. China blocks Web sites including YouTube as part of its efforts to prevent sensitive political content from appearing online.

Obama, making his first visit to China as president, told local students at a question-and-answer session this week that freedom of information online can help people hold their government accountable and encourages them to think for themselves. Obama did not mention China's Internet policies, but his statements went beyond the views usually expressed by Chinese government officials or local media. China added Twitter and Facebook to its blocked list earlier this year after deadly ethnic riots in its western Muslim region, which also led China to cut off virtually all Internet access in Xinjiang province. Chinese Web site owners are expected by authorities to censor certain information about sensitive issues like corruption on their domains, including when it is posted by users, and can risk punishment for failing to do so. "All men and women possess certain fundamental human rights," Obama said in a speech in Beijing on Tuesday that was broadcast on live national television. "We do not believe these principles are unique to America, but rather they are universal rights, and they should be available to all peoples, and to all ethnic and religious minorities." Chinese President Hu Jintao stood expressionless on the stage beside Obama as he spoke.

Avalanche is top phishing gang by far this year

A single group of attackers accounted for a quarter of all phishing in the first half of this year, according to a new study. Called Avalanche, the gang started work late last year and has been increasing its activity since, according to a report by the Anti-Phishing Working Group. The group attacks financial institutions, online services and job-search providers using fast-flux techniques that hide its actual attack sites behind an ever-changing group of proxy machines, mainly hacked consumer computers, according to APWG's latest Global Phishing Survey. "This criminal operation is one of the most sophisticated and damaging on the Internet and targets vulnerable or non-responsive registrars and registries," the report says. Rather than dying out after efforts to take down Avalanche, the gang seems to be increasing its efforts. "Avalanche attacks increased significantly in the third quarter of the year, and preliminary numbers indicate a possible doubling of attacks in the summer of 2009," the report says.

The report period ends July 1, so the next report, covering the second half of this year, will examine the apparent surge in detail. Because the IP addresses that the attacks seem to be coming from are constantly shifting, notifying ISPs of the problem doesn't work: by the time the ISPs shut down the IP addresses, the attack proxies have moved somewhere else, the report says. The Avalanche gang registers domains at one to three registries or resellers and tests whether the registrars notice that it is registering domain names that are nearly identical. An example of these similar domains is given in the report: 11fjfhi.com, 11fjhj.com, 11fjfh1.com, 11fjfhl.com. If not, they launch attacks from these domains, and if the registrar takes action against them, they just abandon the domains and move on.

Each domain is used to launch up to 30 attacks, APWG says. Avalanche attacks just one or two businesses at a time and frequently cycles back to re-attack older targets, the report says. Because mitigation efforts by ISPs and others focused on Avalanche, the average lifetime of each Avalanche attack was significantly lower than the average for all attacks: the average uptime for all attacks was 39 hours, 11 minutes, while for Avalanche attacks it was 18 hours, 45 minutes, the study says. APWG researchers consider an attack dead if it stays inactive for an hour. These attacks could be started up again after an hour, which would extend their longevity but would not be measured by the report, the researchers say. So the lifespan of Avalanche attacks may be longer than the report results indicate.

In other study results, it appears that using hacked domains as launch pads for attacks is increasing. Some 14.5% of phishing attacks came from what APWG called malicious domains registered by phishers themselves. That is down from 18.5% in the second half of last year, the period for the group's previous Global Phishing Survey. "Virtually all the rest were hacked or 'compromised' domains belonging to innocent site owners," the study says. Of the malicious domains, 43% were launchpads for the Avalanche attack.

Overall, attacks came from 30,131 domains distributed among 171 top level domains. Half (50.3%) of these domains fell within the .com top level domain, 8.5% within .net and 5.6% within .org. The next three most often used top level domains were .eu, .ru and .de, all with less than 3%. Two top level domains, .pe (Peru) and .th (Thailand), score highest in a measure of how many second and third level domains within them are used to launch phishing attacks. The average score across all domains was 6.9, and .pe scored 20 while .th scored 16.

Heartland CEO: Credit card encryption needed

Credit card transactions in the U.S. are often not encrypted, and credit card vendors, payment processors and retailers need to embrace an encryption standard to protect credit card numbers, the CEO of a breached payment processor said Monday. Credit card numbers are not now required by payment card industry guidelines to be encrypted in transit between retailers, payment processors and card issuers, Robert Carr, chairman and CEO of Heartland Payment Systems, told a U.S. Senate committee. Heartland in January announced the discovery of a data breach that left tens of millions of credit card numbers exposed to a gang of hackers. "I now know that this industry needs to, and can, do more to better protect it against the ever-more-sophisticated methods used by these cybercriminals," Carr told the Senate Homeland Security and Governmental Affairs Committee. "I believe it is critical to implement new technology, not just at Heartland, but industrywide." The purpose of the committee hearing was, in part, to determine whether new legislation is needed to fight cybercrime. Heartland is pushing for the credit card industry to adopt an end-to-end encryption standard, he said, and the company is deploying tamper-resistant point-of-sale terminals at its member retailers. "Our goal is to completely remove payment account numbers of credit and debit cards and magnetic-stripe data so they are never accessible in a useable format in the merchant or processor systems," Carr said.

The company has also helped to form an information-sharing council for payment processors, where the companies can share information about threats, vulnerabilities and best practices, he said. "We are working on these solutions, both technological and cooperative, because I don't want anyone else in our industry, or our customers, or their customers ... to fall victim to these cybercriminals," he said. Heartland has asked credit card companies to accept encrypted transactions and the company has engaged standards bodies and encryption vendors, Carr said. Carr didn't give details about the Heartland breach, in which the company was compromised for about a year-and-a-half. However, Heartland paid about US$32 million in the first half of 2009 for forensic investigations, legal work and other charges related to the breach, he said. The company remains involved in investigations and lawsuits involving the breach, he said. Senators asked Carr some pointed questions about the breach.

Senator Joe Lieberman, an independent from Connecticut, asked Carr about the extent of the breach. It's too soon to tell how many credit card numbers processed by Heartland were compromised, Carr said. "We don't know the extent of the fraud at this point," he said. "It's a significant compromise." Senator Susan Collins, a Maine Republican, wanted to know how the company could be compromised from October 2006 to May 2008 without discovering the breach. "I was astounded at what a long period elapsed where these hackers were able to steal these credit card numbers," she said. "Explain to me how a breach of that magnitude could go undetected for so long." Card holders were not reporting major breaches, Carr answered. "The way breaches are normally detected is that fraudulent uses of cards are determined," he said. "There was no hint of fraudulent use of cards that came to our attention until toward the end of 2008." Collins pressed him further. "But are there no computer programs that one can use to check to see if an intrusion has occurred?" she asked. "There are, and the cybercriminals are very good at masking themselves," Carr said. In August, Albert Gonzalez of Miami was indicted in New Jersey for the theft of more than 130 million credit and debit cards, according to the U.S. Department of Justice. He was charged, along with two unnamed co-conspirators, with using SQL injection attacks to steal credit and debit card information from Heartland, 7-Eleven and Hannaford Brothers, a Maine-based supermarket chain. Gonzalez pleaded guilty last week to separate charges in Massachusetts and New York.

Facebook tool could be exploited by cyber-bullies

A recent Facebook feature can be exploited to be a cyber-bullying tool in the wrong hands, a security vendor warns. Facebook's new feature, "reply to this e-mail to comment on this status," gives attackers a way to post messages on other people's Facebook pages, according to a blog by security vendor F-Secure.

The intent of the feature is to allow Facebook users to respond directly from their e-mail when they receive e-mail notifications that include messages that have been posted to their Facebook accounts. They can respond without having to go to the Facebook site first, eliminating a step and thereby saving time. But eliminating that step can also leave a crack in Facebook's armor, according to F-Secure security adviser for North America Sean Sullivan. Authenticating to the Facebook site before writing a reply drops out of the equation, so someone other than the account holder can post. If a user's e-mail account is compromised via phishing or direct hacking, spammers can respond to any Facebook notifications they come across, Sullivan says. These messages could include personal attacks that seem to come from a user but are actually written by someone who has compromised that person's e-mail account, for instance. "They can put words in my mouth," he says.

Facebook users can opt out of receiving the e-mail notifications altogether by adjusting their settings. F-Secure has posted a demonstration of how this can work here. This story, "Facebook tool could be exploited by cyber-bullies," was originally published at NetworkWorld.com.

Wall Street Beat: Big tech deals stir market

As industry insiders attempt to gauge the impact of economic recovery on IT, acquisitions and legal deals among vendors including Intel, Advanced Micro Devices, Hewlett-Packard, 3Com and Logitech are sparking investor interest by altering the shape of the tech market. AMD and its archrival, Intel, announced on Thursday that they have settled all antitrust litigation and patent cross-license disputes between the companies. Intel will pay AMD US$1.25 billion. At first blush, AMD is one of the big winners.

AMD's share price jumped 22 percent to close the day at $6.48, up by $1.16. The deal gives AMD a much-needed cash infusion. But ultimately the real winner may be Intel, even though it will take a big earnings hit for the quarter. As a result of the legal settlement, Intel said it expects its spending in the fourth quarter to be approximately $4.2 billion, up from $2.9 billion. However, the chip giant needs the competition from AMD to stay fresh and focused, and to allay antitrust concerns. The deal also allows Intel "to focus on its real long-term threat," according to industry analyst Jack Gold. "No, it's not AMD – it's ARM Holdings and all of the licensees of the ARM chip designs (e.g., Qualcomm, TI, Freescale, Nvidia, Samsung, Marvel). While PC and server chips are its breadwinner today, Intel rightly understands that the sheer number of personal and consumer intelligent computing devices that will be built over the next several years will far outnumber the traditional PC marketplace," Gold said in e-mail. Intel shares dropped $0.16 to close at $19.68. That doesn't mean that IT investors thought the AMD deal was bad for Intel; most tech bellwether shares dropped Thursday on macroeconomic concerns.

The federal deficit for the budget year, ended Sept. 30, set an all-time record in dollar terms of $1.42 trillion. The Treasury Department reported that the federal deficit for October totaled $176.4 billion, higher than economists expected. High deficits may push up interest rates, which could in turn hurt what looks to be a slow, fragile recovery. The signature M&A deal of the week was HP's $2.7 billion acquisition of network switch maker 3Com. The purchase is a challenge to networking giant Cisco Systems and a major step toward HP's ability to provide a one-stop shop for computing, storage, services and networking.

Cisco earlier this year started selling servers, which made it more of a direct competitor to HP. Cisco shares declined by only 2.17 percent, dropping $0.52 to close at $23.40. However, the deal may have its biggest impact not on Cisco, but on smaller networking players like Brocade Communications. The HP acquisition takes Brocade out of play as a possible acquisition target by HP while increasing competitive pressure. Brocade shares Thursday slumped to close at $8.08, down by $1.17 or 12.7 percent. In what would have been the major M&A deal in most other weeks, Logitech said Tuesday it will acquire HD video communications equipment maker LifeSize Communications for $405 million in cash. Logitech shares slumped in the wake of the news, however.

Video communications systems, a major thrust for Cisco as well, have become a hot product category as businesses cut travel to pare costs. Often, acquisition announcements have a negative impact on the acquiring company's stock, since a big purchase can dilute earnings for the acquiring company. However, Standard & Poor's Equity Research reiterated its "hold" recommendation on Logitech, stating that the deal will help the vendor in a fast-paced market. Tech market reports this week, meanwhile, were generally positive. In the mobile-phone arena, smartphone sales increased 13 percent in the third quarter over the year-earlier period, Gartner said Monday.

Overall mobile-phone market growth was much lower, increasing by 0.1 percent, Gartner said. IDC Monday said that microprocessor unit shipments in the third quarter rose 23 percent from the second quarter, and by 0.3 percent from the same period in 2008, though the overall value of shipments declined. While economic recovery appears to be underway, economists urge caution. "We believe that the recession is ended, that it ended in July ... but that certainly doesn't mean that we're out of the woods," said Shawn DuBravac, an economist at the Consumer Electronics Association. "We believe that while we're in an expansionary period now that it will be a mediocre, slow recovery where jobs continue to be hard to come by. With that all industries will suffer; certainly consumer electronics will have its ups and downs." The big hope for tech is that, just as it has been less affected by the recession than other sectors, it will fare better in the recovery as well. "The good news is certainly consumers continue to gravitate toward technology," DuBravac said. "They continue to spend on technology while trying to cut back on other categories to make room for their tech spend."

ZenNews adds some weight to RSS news feeds

Zensify has a bone to pick with the way mobile devices make you read the news. Most RSS apps for the iPhone give you a chronological list of headlines, with the most recently posted stories listed first. That's all well and good, says Zensify chief technology officer Tom Campbell, but it doesn't provide much in the way of context: which stories are important and which ones people are talking about. Enter ZenNews, the latest iPhone app from Zensify.

The app not only aggregates news headlines, but relies on analytics technology to highlight stories that are likely of greatest importance to the user. It also incorporates the Twitter micro-blogging service to boost the weighting of stories that users are tweeting about. "It's a way to make news discovery more accessible to a mass market," Campbell told Macworld. "With a few swipes of your thumb, you can discover what's news and what people are tweeting about." ZenNews uses the same technology as the company's Zensify social network aggregator to pull stories from its source list, index them, and weight them. All of this happens in real time, so the stories that appear on ZenNews can change from moment to moment. The result? A visual tag cloud of topics, where more heavily weighted stories get prominent play.

You can drill down through the tag cloud as well: if a tag has more than five stories, a tap brings up a second group of tags associated with that story. Tapping the "obama" tag, for example, calls up tags like "nobel," "orleans," and "pakistan." ZenNews also offers a list view that provides a headline and abstract of each story tag. Zensify believes that the abstract should give users enough of an overview for each story, but you can tap on the abstract to read the full version in an embedded browser. Buttons within the browser let you share the story by Twitter or e-mail. Swiping from side to side takes you from the aggregated view of the ZenNews page to the tag clouds for the individual sources. ZenNews ships with 12 sources, including the BBC, New York Times, Washington Post, Al Jazeera, and others.

That gives users a chance to compare the coverage of a story from source to source, Campbell says. (Al Jazeera has precious little to say about Thursday evening's Phillies-Dodgers game, for example.) The developer promises to add three other sources to ZenNews: The Australian, China View, and Ha'Aretz. In addition to viewing stories by source, you can also sort by category. ZenNews offers 13 categories in all, from Art to World news. But users who want to add their own news feeds are out of luck, at least with this version. "We wanted an application that you didn't have to configure out of the box," said Campbell, adding that some customization could be introduced in future updates. Ultimately, Zensify plans to use the features showcased in consumer apps like ZenNews to build custom business-to-business products that deliver business intelligence about a company's products, industry, and competitors. ZenNews is a free App Store download that runs on any iPhone or iPod touch with the iPhone 2.1 software update.

Microsoft passes its first SAML 2.0 interoperability test

Microsoft's federated identity platform passed its first SAML 2.0 interoperability test with favorable marks, signaling the end to the vendor's standoff against the protocol. The eight-week, multivendor interoperability workout conducted by the Liberty Alliance and the Kantara Initiative also resulted in passing marks for two other first-time entrants, SAP and Siemens. Return testers Entrust, IBM, Novell and Ping Identity also passed. Results were announced Wednesday. "The Liberty Interoperable testing was a great opportunity to verify that Active Directory Federation Services (AD FS) 2.0 is interoperable with others' SAML 2.0 implementations. This should give our customers confidence that their federation deployments using ADFS will 'just work,'" says Conrad Bayer, product unit manager for federated identity at Microsoft.

In the past, Microsoft has been dismissive of the Security Assertion Markup Language (SAML), a standard protocol for exchanging authentication and authorization data between and among security checkpoints, preferring WS-Federation and other protocols it helped develop. The company previously supported the SAML token, but never the transport profiles of the protocol. "It is significant that Microsoft participated given their previous stance on the SAML protocol," says Gerry Gebel, an analyst with the Burton Group. "For the first product version that supports SAML, they have covered the core bases." Microsoft's interoperability testing focused on SAML's Service Provider Lite, Identity Provider Lite and eGovernment profiles. The company says it plans to support other SAML profiles based on demand. The interoperability event featured the largest group of participants ever for the testing, which has been run twice previously. In addition, it was the first test to include an international group to test the eGovernment SAML 2.0 profile v1.5. The test featured the United States, New Zealand and Denmark. "The fact that we were able to put so many new implementations through a full matrix, rigorous interoperability test speaks to the maturity of the SAML 2 protocol," says Brett McDowell, executive director of the Kantara Initiative. "And it is not just implementation; there is a tremendous amount of deployments." "Full matrix" testing means all participants must test against each other.

Microsoft participated in the testing with Active Directory Federation Services 2.0 (formerly code-named Geneva), which is slated to ship later this year. Microsoft said earlier this year it would have SAML 2.0 certification before it released Geneva. ADFS 2.0 is part of a larger identity platform that includes Windows Identity Foundation and Windows CardSpace. ADFS 2.0 provides identity information and serves as a Security Token Service (STS), a transformation engine that is key to Microsoft's identity architecture. ADFS lets companies extend Active Directory to create single sign-on between local network resources and cloud services. The SAML profiles ADFS 2.0 supports cover the core features of federation. The test was conducted over the Internet from points around the globe using real-world scenarios between service providers and identity providers as defined by the SAML 2.0 specification.

It wasn't all smooth sailing for Microsoft, however, as some participants reported problems using Internet Explorer 6.0 and 7.0 for SAML single sign-on, which is primarily a Web browser action. The issue was noted in a report by the Drummond Group, which conducted the testing, and centered on long URL values, mostly when encryption was enabled during specific operations. Internet Explorer does not accept URLs longer than 2,083 characters. Microsoft tested against IE 8 and Firefox 3.5.2. Testers got around the issue by using other browsers.

While Microsoft's participation was an important milestone for the advancement of SAML, McDowell says the current testing is significant on other fronts. "Having countries come together and agree on a deployment profile, that is not to be understated," McDowell says. The level of cooperation between governments will serve as a model for other industries, he says. The test marks a transition, with the Kantara Initiative now taking over future tests. The group will adopt the Liberty Alliance testing methods and expand the scope of tests to include other protocols in addition to SAML. And it will build off the eGovernment profile testing as new profiles for other vertical markets, including healthcare and telecommunications, are developed. In addition, next year Kantara will pick two other protocols to test from a list made up of WS-Security, Information Card, Identity Metasystem Interoperability, OAuth and XRD. Kantara also will take cues from Project Concordia and eventually begin to test cross-protocol interoperability. The next Kantara interoperability test is slated for next year.
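The Internet Explorer failure above comes from the SAML HTTP-Redirect binding, which carries the whole AuthnRequest (DEFLATE, then base64, then URL-encoding) in the query string, so encrypted elements, which do not compress, push the URL past the 2,083-character limit. This added example (not code from ADFS, the Drummond Group or the test suite) builds such a URL, checks it against the limit and falls back to the HTTP-POST binding; the endpoints, request XML and ciphertext stand-in are constructed.

```python
"""Decide between the SAML 2.0 HTTP-Redirect and HTTP-POST bindings based on the
2,083-character URL limit of Internet Explorer 6/7. Added example; constructed data."""
import base64
import os
import urllib.parse
import zlib

IE_MAX_URL = 2083  # Internet Explorer limit cited in the article


def deflate_b64(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")


def inflate_b64(value: str) -> str:
    """Inverse of deflate_b64, as the identity provider applies it."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_url(sso_url: str, xml: str, relay_state=None) -> str:
    """GET URL carrying the whole request in the query string; urlencode URL-escapes it."""
    params = {"SAMLRequest": deflate_b64(xml)}
    if relay_state:
        params["RelayState"] = relay_state
    return sso_url + "?" + urllib.parse.urlencode(params)


def request_from_redirect_url(url: str) -> str:
    """Extract and decode the SAMLRequest parameter from a redirect URL."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return inflate_b64(query["SAMLRequest"][0])


def choose_binding(sso_url: str, xml: str, relay_state=None, max_len: int = IE_MAX_URL):
    """Use HTTP-Redirect when the URL fits the browser limit; otherwise return the
    HTTP-POST form fields (plain base64, no DEFLATE) so the request travels in a body."""
    url = build_redirect_url(sso_url, xml, relay_state)
    if len(url) <= max_len:
        return "HTTP-Redirect", url
    fields = {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}
    if relay_state:
        fields["RelayState"] = relay_state
    return "HTTP-POST", fields


# Constructed AuthnRequest; the entity IDs and endpoints are placeholders.
SMALL_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2009-11-18T12:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer></samlp:AuthnRequest>'
)


def with_encrypted_subject(xml: str, cipher_value: str) -> str:
    """Add a Subject/EncryptedID; the ciphertext is the part DEFLATE cannot shrink."""
    subject = (
        '<saml:Subject><saml:EncryptedID>'
        '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
        f'<xenc:CipherData><xenc:CipherValue>{cipher_value}</xenc:CipherValue>'
        '</xenc:CipherData></xenc:EncryptedData></saml:EncryptedID></saml:Subject>'
    )
    return xml.replace("</samlp:AuthnRequest>", subject + "</samlp:AuthnRequest>")


# Stand-in for an encrypted NameID: random bytes, incompressible like real ciphertext.
LARGE_REQUEST = with_encrypted_subject(SMALL_REQUEST, base64.b64encode(os.urandom(1800)).decode("ascii"))

if __name__ == "__main__":
    for xml in (SMALL_REQUEST, LARGE_REQUEST):
        binding, payload = choose_binding("https://idp.example.com/sso", xml, "state1")
        print(binding, len(payload) if binding == "HTTP-Redirect" else "form post")
```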