The event is free and open to the general public between 11am and 3pm. According to Symantec, visitors "will leave with a better understanding of the cybercriminal's world, as well as options for protecting themselves online."

Symantec originally devised the Black Market Experience as a one-time exhibit, but it proved so popular that it has taken the show on the road. I went through it at the RSA Security conference earlier this year and came away impressed. Visitors enter a literal "market" whose shelves are loaded with fake security software in boxes, barrels of cloned credit cards ready to be scooped up, and stolen identities in bundles of hundreds, or thousands.

After an informative spiel delivered in the market, visitors proceed through a secret door to a simulated cybercriminal lair complete with realistic demonstrations of just how much can go wrong if you're fooled by an online scam. The lair is loaded with computers, display screens, even a credit card printer. And of course Symantec representatives are available to answer all the questions that the display is sure to evoke.

If you're near Times Square this Wednesday do yourself a favor and pay this black market a visit. It will be located at 43rd and Broadway.

Source: Symantec 'B...

India is apparently taking issue with any communication service that doesn't give it easy access to data. It has a problem with Google-owned Gmail's heavy encryption and with the inability to listen in on conversations over VoIP with Skype.

'If a company is providing telecom services in Indian, then all communications must be available to Indian security services,' a government representative told AFP. 'If Google or Skype have a component that is not accessible, that will not be possible.'

As of this writing, India had not sent notices to comply with its tight data-availability regulations, but the AFP reports that Google and Skype may receive notices as early as Tuesday. The notes will likely require that both companies provide the Indian government with a way to access e-mails in Gmail and conversations in Skype.

The Indian government made waves recently by targeting Research In Motion's BlackBerry devices over data accessibility. The government contends that by safeguarding e-mail, instant messaging, and Web browsing, RIM is preventing India from monitoring communications as part of national security.

Last week, RIM stood firm in opposition to India, indicating that it wouldn't submit to the government's September 1 deadline. India has now given RIM two months to furnish access to its data or face a ban of its service.

Source: Gmail, Skype no...

The Pushdo or Cutwail network of hacked computers ranked in the top five or so botnets for spam, responsible for as much as 10 percent of all spam, said Ed Rowley, product manager for M86 Security. The spam often advertises fake software, so-called designer goods and questionable pharmaceutical products.

But security analysts with the computer security company LastLine took action last week, contacting ISPs that were hosting the command-and-control infrastructure for the botnet.

About 30 servers at eight hosting providers were found to be supporting Pushdo. LastLine contacted the ISPs, and about 20 of the servers were taken offline, according to itsblog. Some ISPs, however, were unresponsive.

Spam levels have dropped, Rowley said. LastLine's action "will almost certainly have a positive effect for two to three weeks," Rowley said. But "the spammers will be able to find other hosting providers where they will be able to get their systems up and running."

LastLine appears to have taken down parts of Pushdo and Cutwail, which work together, wrote Atif Mushtaq of FireEye's Malware Intelligence Lab, in a blog post. Pushdo is a Trojan. Once it infects a computer, it often downloads Cutwail, a piece of malware capable of spamming as well as downloading other bad programs.

Mushtaq confirmed LastLine's success. "After identifying the botnets in question it was very easy for me to go through my botlab logs and try to find leftover command and control servers. There was no doubt that many of the CnC servers were null routed. But as mentioned by LastLine, there were still some servers which were active and serving contents," he wrote.

And it's those active servers that remain a concern. As long as those servers are able to eventually contact the computers infected with Pushdo, it will be possible to resume spamming.

Pushdo has the ability to generate random domain names. If those domains are registered and activated, the botnet controllers can send new instructions to the hacked machines.

"Either way, they'll be up and at it again in the near future," Rowley said.

Send news tips and comments to jeremy_kirk@idg.com

Source: Huge Spamming B...

Of course, your car is probably not a high-priority target for most malicious hackers. But security experts tell CNET that car hacking is starting to move from the realm of the theoretical to reality thanks to new wireless technologies and evermore dependence on computers to make cars safer, more energy efficient and modern.

'Now there are computerized systems and they have control over critical components of cars like gas, brakes, etc.,' said Adriel Desautels, chief technology officer and president of NetraGard, which does vulnerability assessments and penetration testing on all kinds of systems. 'There is a premature reliance on technology.'

Illustration for a tire pressure monitoring system, with four antennas, from a report detailing how researchers were able to hack the wireless system.

(Credit: University of South Carolina, Rutgers University (PDF))

Often the innovations are designed to improve the safety of the cars. For instance, after a recall of Firestone tires that were failing in Fords in 2000, Congress passed the TREAD (Transportation Recall Enhancement, Accountability and Documentation) Act that required that tire pressure monitoring systems (TPMS) be installed in new cars to alert drivers if a tire is underinflated.

Wireless tire pressure monitoring systems, which also were touted as a way to increase fuel economy, communicate via a radio frequency transmitter to a tire pressure control unit that sends commands to the central car computer over the Controller-Area Network (CAN). The CAN bus, which allows electronics to communicate with each other via the On-Board Diagnostics systems (OBD-II), is then able to trigger a warning message on the vehicle dashboard.

Researchers at the University of South Carolina and Rutgers University tested two tire pressure monitoring systems and found the security to be lacking. They were able to turn the low tire pressure warning lights on and off from another car traveling at highway speeds from 40 meters (120 feet) away and using low-cost equipment.

'While spoofing low tire pressure readings does not appear to be critical at first, it will lead to a dashboard warning and will likely cause the driver to pull over and inspect the tire,' said the report (PDF). 'This presents ample opportunities for mischief and criminal activities, if past experience is any indication.'

'TPMS is a major safety system on cars. It's required by law, but it's insecure,' said Travis Taylor, one of the researchers who worked on the report. 'This can be a problem when considering other wireless systems added to cars. What does that mean about future systems?'

The researchers do not intend to be alarmist; they're merely trying to figure out what the security holes are and to alert the industry to them so they can be fixed, said Wenyuan Xu, another researcher on the project. 'We are trying to raise awareness before things get really serious,' she said.

Another report in May highlighted other risks with the increased use of computers coordinated via internal car networks. Researchers from the University of Washington and University of California at San Diego tested how easy it would be to compromise a system by connecting a laptop to the on-board diagnostics port that they then wirelessly controlled via a second laptop in another car. Thus, they were able to remotely lock the brakes and the engine, change the speedometer display, as well as turn on the radio and the heat and honk the horn.

Granted, the researchers needed to have physical access to the inside of the car to accomplish the attack and although that minimizes the likelihood of an attack it's not unthinkable to imagine someone getting access to a car dropped off at the mechanic or parking valet.

'The attack surface for modern automobiles is growing swiftly as more sophisticated services and communications features are incorporated into vehicles,' that report (PDF) said. 'In the United States, the federally-mandated On-Board Diagnostics (OBD-II) port, under the dash in virtually all modern vehicles, provides direct and standard access to internal automotive networks. User-upgradable subsystems such as audio players are routinely attached to these same internal networks, as are a variety of short-range wireless devices (Bluetooth, wireless tire pressure sensors, etc.).'

Engine Control Units

The ubiquitous Engine Control Units themselves started arriving in cars in the late 1970s as a result of the California Clean Air Act and initially were designed to boost fuel efficiency and reduce pollution by adjusting the fuel and oxygen mixture before combustion, the paper said. 'Since then, such systems have been integrated into virtually every aspect of a car's functioning and diagnostics, including the throttle, transmission, brakes, passenger climate and lighting controls, external lights, entertainment, and so on,' the report said.

It's not just that there are so many embedded computers, it's that safety critical systems are not isolated from non-safety critical systems, such as entertainment systems, but are 'bridged' together to enable 'subtle' interactions, according to the report. In addition, auto makers are linking Engine Control Units with outside networks like Global Positioning Systems, such as GM's OnStar system can detect problems with systems in the car and warn drivers, place emergency calls and even allow OnStar personnel to remotely unlock cars or stop them, the report said.

In an article entitled 'Smart Phone + Car = Stupid?' on the EETimes site in late July, Dave Kleidermacher noted that GM is adding smart phone connectivity to most of its 2011 cars via OnStar. 'For the first time, engines can now be started and doors locked by ordinary consumers, from anywhere on the planet with a cell signal,' he wrote.

Car manufacturers need to design the systems with security in mind, said Kleidermacher, who is chief technology officer at Green Hills Software, which builds operating system software that goes into cars and other embedded systems.

'You can not retrofit high-level security to a system that wasn't designed for it,' he told CNET. 'People are building this sophisticated software into cars and not designing security in it from the ground up, and that's a recipe for disaster.'

Representatives from GM OnStar were not available for comment late last week or this week, a spokesman said.

'Technology in cars is not designed to be secure because there's no perceived threat. They don't think someone is going to hack a car like they're going to hack a bank,' said Desautels of Netragard. 'For the interim, network security in cars won't be a primary concern for manufacturers. But once they get connected to the Internet and have IP addresses I think they'll be targeted just for fun.'

The threat is primarily theoretical at this point for a number of reasons. First, there isn't the same financial incentive to hacking cars as there is to hacking online bank accounts. Secondly, there isn't one dominant platform used in cars that can give attackers the same bang for their buck to target as there is on personal computers.

'The risks are certainly increasing because there are more and more computers in the car, but it will be much tougher to (attack) than with the PC,' said Egil Juliussen, a principal analyst at market researcher firm iSuppli. 'There is no equivalent to Windows in the car, at least not yet, so (a hacker) will be dealing with a lot of different systems and have to have some knowledge about each one. It doesn't mean a determined hacker couldn't do it.'

But Juliussen said drivers don't need to worry about anything right now. 'This is not a problem this year or next year,' he said. 'Its five years down the road, but the way to solve it is to build security into the systems now.'

Infotainment systems

Meantime, the innovations in mobile communications and entertainment aren't limited to smart phones and iPads. People want to use their devices easily in their cars and take advantage of technology that will let them make calls and listen to music without having to push any buttons or touch any track wheels. Hands-free telephony laws in states are requiring this.

Millions of drivers are using the SYNC system that has shipped in more than two million Ford cars that allows people to connect digital media players and Bluetooth-enabled mobile phones to their car entertainment system and use voice commands to operate them. The system uses Microsoft Auto as the operating system. Other cars offer less-sophisticated mobile device connectivity.

'A lot of cars have Bluetooth car kits built into them so you can bring the cell phone into your car and use your phone through microphones and speakers built into the car,' said Kevin Finisterre, lead researcher at Netragard. 'But vendors often leave default passwords.'

Ford uses a variety of security measures in SYNC, including only allowing Ford approved software to be installed at the factory and default security set to WiFi Protected Access 2 (WPA2), which requires users to enter a randomly chosen password to connect to the Internet. To protect customers when the car is on the road and the Mobile WiFi Hot Spot feature is enabled, Ford also uses two firewalls on SYNC, a network firewall similar to a home WiFi router and a separate central processing unit that prevents unauthorized messages from being sent to other modules within the car.

'We use the security models that normal IT folks use to protect an enterprise network,' said Jim Buczkowski, global director of electrical and electronics systems engineering for Ford SYNC.

Not surprisingly, there is a competing vehicle 'infotainment' platform being developed that is based on open source technology. About 80 companies have formed the Genivi Alliance to create open standards and middleware for information and entertainment solutions in cars.

Asked if Genivi is incorporating security into its platform from the get-go, Sebastian Zimmermann, chair of the consortium's product definition and planning group, said it is up to the manufacturers that are creating the branded devices and custom apps to build security in and to take advantage of security mechanisms provided in Linux, the open source operating system the platform is based on.

'Auto makers are aware of security and have taken it seriously... It's increasingly important as the vehicle opens up new interfaces to the outside world,' Zimmermann said. 'They are trying to find a balance between openness and security.'

Another can of security worms being opened is the fact that cars may follow the example of smart phones and Web services by getting their own customized third-party apps. Hughes Telematics reportedly is working with automakers on app stores for drivers.

This is already happening to some extent, for instance, with video cameras becoming standard in police cars and school buses, bringing up a host of security and privacy issues.

'We did a penetration test where we had a police agency that has some in-car cameras and we were able to access the cameras remotely and have live audio and video streams from the police car due to vulnerabilities in the manufacturing systems,' Finisterre of Netragard said.

'I'm sure (eventually) there is going to be smart pavement and smart lighting and other dumb stuff that has the capability of interacting with the car in the future,' he said. 'Technology is getting pushed out the door with bells and whistles and security gets left behind.'

Source: Cars: the next ...

Research In Motion, the maker of the popular BlackBerry smartphone, has averted yet another ban of its e-mail and messaging service, according to news reports Monday.

The Indian government said it will not shut down the service for at least another 60 days as it evaluates proposals RIM has offered that would allow the government to monitor wireless subscribers' communications.

Indian officials said earlier this month that the company had until the end of August to come up with a solution that would allow them to monitor e-mails and other electronic messages from BlackBerry users in the country.

One of the latest proposals likely includes RIM placing one of its servers in India.

'It was also decided that the Department of Telecommunications would study the feasibility of all such services being provided through a server located only in India,' Onkar Kedia, a spokesman for the federal Ministry of Home Affairs, said in a statement.

RIM has been working with Indian officials to come up with a solution since earlier this month, when the government threatened to shut down the service over security concerns. Last week, RIM suggested creating an industry forum to address the government's concerns. In this forum, RIM and other mobile companies would work with the Indian government to support 'the lawful access needs of law enforcement agencies, while preserving the legitimate information security needs of corporations and other organizations in India.'

RIM has faced threats of bans in other countries as well, including Saudi Arabia and the United Arab Emirates. RIM averted a ban in Saudi Arabia by supposedly cutting a deal with Saudi officials, which reportedly also includes putting a server in Saudi Arabia that would allow the security officials to monitor communications.

RIM has been adamant that it has not compromised its core security features. And it claims it has not struck special deals with any country.

'RIM assures both its customers in India and the government of India that RIM maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries,' the company said in a statement last week.

Governments in countries threatening to ban the service say they are concerned that the BlackBerry, which features stronger privacy safeguards than competing devices, could be used by terrorists and other criminals to avoid detection.

Source: RIM sidesteps B...

3M has signed a deal to acquire biometric security firm Cogent Systems for $943 million, the companies announced Monday.

According to 3M, it will pay $10.50 per share for Cogent, representing an 18 percent premium over the stock price at market close Friday. 3M will purchase all shares of Cogent 'within 10 business days,' according to the agreement.

Pasadena, Calif.-based Cogent sells finger, palm, iris, and face biometric systems to governments, law enforcement, and businesses.

The decision of 3M--a massive conglomerate--to acquire Cogent is based on its view that the biometrics market is booming. Cogent is a player in the $4 billion market, which 3M asserts will grow more than 20 percent over the next year. 3M said it is especially interested in using Cogent's services to reach law enforcement agencies.

'Adding Cogent Systems' products to our business strengthens our product portfolio and services in high security credential issuance and authentication systems and positions 3M's business in law enforcement applications,' Mike Delkoski, vice president of 3M's security systems division, said in a statement. 'It also expands our reach into access control and other commercial ID and authentication applications.'

While possibly best known for Scotch tape and Post-it notes, 3M is a huge conglomerate with more than $23 billion in annual sales and dozens of technology platforms, including in graphics, electronics, communications, health care, and security.

Cogent's board has accepted the offer, the companies said, and 3M expects the deal to close in the fourth quarter.

Source: 3M to buy biome...

AMMAN (AFP) – Jordan on Sunday approved a temporary law on cyber crimes after amending it to appease the fury of journalists who said the legislation was a means to control local news websites.

The law had initially allowed the authorities to raid and search offices from which websites are published and to access computers without prior approval from public prosecutors.

But under the new amendments approved by the government, searching such offices requires court permission and enough evidence that these places are used to commit cyber crimes, Information Minister Ali Ayed said.

Journalists have complained that one of the articles of the law banned sending or posting data on the Internet or any information system that involves defamation or contempt or slander, without defining such crimes.

"That article was removed because these crimes have been already tackled in other laws," said a statement posted on local news websites, adding that "the amendments came in line with King Abdullah II's directives."

"Other changes removed all parts that could be used to affect press freedom and freedom of expression."

The statement quoted Ayed as telling a group of journalists that the law "never targeted local news websites and that the amendments came to clarify things, remove any misunderstanding and make sure the law is implemented the right way."

"The government has consulted several experts, including the National Centre for Human Rights and the Jordan Bar Association, before amending the law."

International and local rights organisations had added their voices to journalists and opposition parties, including the Islamist movement, in harshly criticising the new law before its amendment.

The New York-based Committee to Protect Journalists (CPJ) had urged King Abdullah II to veto the law, saying it gave authorities "sweeping powers to restrict the flow of information and limit public debate."

Source: Jordan amends c...

MANILA (AFP) – The Philippines on Sunday ordered all government offices to tighten Internet security after its main information website was brought down by hackers.

"We are alerting all government agencies to review and improve security of their websites in view of the hacking of the website this afternoon," presidential spokesman Herminio Coloma said.

"We are adopting best practices to lessen the vulnerability of our websites to hacking and other cyber crimes," Coloma said.

The information agency website was inaccessible for several hours in the afternoon with the words "Hacked by 7z1" appearing if searched on Google.

Coloma did not say whether the hacker attack was related to widespread public anger in Hong Kong over police bungling of a hostage crisis that left eight tourists dead on Monday.

President Benigno Aquino's personal Facebook account, which is linked to his official website, has been flooded by hate messages over the incident, with many coming from disgruntled Hong Kong residents accusing his police force of incompetence.

Aquino censored his Facebook page after Internet users ignored his appeal to stop bashing his government over its handling of the hostage crisis, banning slanderous and defamatory comments and posts.

Coloma said only slanderous postings and profanities were erased from the Facebook page.

"But those expressing their feelings -- even if they are negative -- are not being erased from the website because cyberspace should be democratic and different views are permitted," he said.

Source: Hackers attack ...

(Credit: Facebook)

Facebook on Friday afternoon was investigating what appeared to be a new spam scheme that results in users getting messages from friends over Facebook chat that have malicious links.

The messages say 'LOL is this you?' and are accompanied by a link that looks like it leads to a video on Facebook, one victim told CNET. In his case, clicking the link directed to a Web page with a '404-Page Not Found' error message and his account sent the spam out to at least one of his friends, he said.

The spam was also reported on Twitter, but at this point the outbreak seems to be minor.

A Facebook spokesman said the company is looking into the matter.

The spam message is similar to ones used in several phishing attacks on Twitter in February.

Source: 'LOL is this yo...

The bug, which affected less than 2.5 percent of the Gmail userbase, according to Google, involved odd behavior including the repeated messages. The bug was resolved Thursday night, according to Google's Google Apps dashboard.

"The problem with Google Mail should be resolved," Google's tech support staff wrote. "We apologize for the inconvenience and thank you for your patience and continued support. Please rest assured that system reliability is a top priority at Google, and we are making continuous improvements to make our systems better."

The bug affected at least two writers for PCMag.com, who initially dismissed thoughts of a bug, suspecting that their PCs may have become infected with malware. The repeated messages also resulted in several Gmail users being added to spam lists, including www.Backscatterer.org and www.SORBS.net, according to WgtnDan, a user who posted to the Google Gmail support thread describing the problem.

MrEvan, a poster described as a Google employee, also added his own apologies. "Thank you again for the patience you have shown, and sincerest apologies for the inconvenience this has caused you," he wrote. "I too have friends and professional contacts and absolutely understand the value of those relationships and how it could be very frustrating to have bothered some of those folks unintentionally. While I can't take the messages back with some sort of magical Undo Send, I totally sympathize with your situation. Please understand that the Gmail Team has worked tirelessly to investigate this issue and get it solved for you. Your reports were very helpful in our investigation."

At a press conference announcing the integration of Google Voice and Gmail this week, Google executives were asked about the number of Gmail users. Executives declined to provide an exact number, although comScore numbers cited by The Wall Street Journal put the number at over 160 million, putting the maximum number of users affected by the bug at about 4 million users.

Source: Google Fixes Gm...