Archive

Posts Tagged ‘System security’

Facebook hit by a series of attacks; staff computers hacked

March 16th, 2013

Facebook announced on Friday that the company has been the target of a series of attacks by unknown hacker groups, which led to malware being implanted on Facebook staff laptops. Facebook said in a blog post: “Facebook security personnel last month found that our system has become the target of a sophisticated attack. When employees access a stolen mobile developer site, attacks can occur.”

The malicious software was subsequently installed on these employees' laptops. The hacker groups used the so-called “Java 0-day” vulnerability, a known vulnerability in Oracle's software that has drawn concern over the last few months.

Basically, users who visit unauthorized websites while Java is enabled in the browser are the most vulnerable to attack. As a result of the hack, many Facebook employees had malware implanted on their laptops. Facebook said: “After finding the malicious software, we tried to fix all affected computers, notified law enforcement agencies, and launched a major investigation, which continues to this day.”

Facebook points out that the company “has not found any evidence that Facebook user data was stolen”, but did not say what information the hackers were able to access.

Other big sites have also recently suffered attacks. Twitter announced that the site was attacked two weeks ago, and that more than 250,000 user accounts may have been compromised. Other targets include the websites of the Washington Post, the New York Times and the Wall Street Journal.

Categories: news Tags:

Device manufacturers set up FIDO authentication; the problem of online password theft will cease to exist

March 14th, 2013

Thanks to zrf for the submission
An upcoming new standard will give phone and computer makers the opportunity to eliminate the problem of user password theft. Our lives are full of passwords of all kinds, but the passwords used to protect online accounts are not secure. Eliminating passwords, or reducing their use, will significantly improve the security of the Internet.

At present, the “FIDO Alliance”, formed by companies such as PayPal and by associations, has published a series of technical standards that would effectively reduce the reliance on passwords and raise online account security to a higher level.

Under the FIDO Alliance standards, accounts are logged into using a physical authentication method, and in the authentication process the authentication device plays a more crucial role than the password. FIDO Alliance Chief Information Security Officer Michael Barrett said: “Consumer credentials can be obtained by guessing, online password theft, phishing and other technical means. The FIDO Alliance is crucial because FIDO stores the user's password credentials on the device, which makes it more difficult for cyber criminals to get this information and more difficult to carry out cyber-crime.”

After joining the FIDO Alliance, computer and mobile phone manufacturers embed a security chip in their devices (the vast majority of computers now have such a chip built in) to secure user accounts and information. Individual users can also purchase corresponding hardware devices, such as fingerprint readers. Barrett said that because this is an open standard, any company can use it and sell devices that conform to it, which broadens the reach of the new security technology so that it can gradually replace the “password” in personal account security.

Enterprises that join the FIDO Alliance can choose to keep one or two passwords, or opt out of passwords completely. Nok Nok Labs President Phil Dunkelberger said: “(With the FIDO standards) we can finally get rid of the passwords we have struggled with for decades.” Nok Nok Labs recently raised $15 million to develop security software certified to the FIDO standard.

One objective of the FIDO Alliance is to make better use of the little-used security hardware that computers already come with. The vast majority of desktop computers and notebooks, and a handful of tablets, are equipped with a TPM chip designed for identity verification. FIDO also allows mobile phone manufacturers to use NFC technology to achieve the function of a TPM chip. It is understood that ARM and Intel are next going to develop TPM-like technology for mobile phones and tablet computers.

Security experts have repeatedly stressed the importance of two-factor authentication (that is, a traditional password as the first step, followed by authentication with a physical device), but very few users use this verification step; only gamers, banks and large companies adopt two-factor authentication. Companies such as Google, Dropbox and Facebook offer two-factor authentication, but only a very small percentage of users use it.

An enterprise that wants to use FIDO authentication only needs to install validation software on the server, and then install a plug-in on client and staff computers, or install an enterprise application on their mobile phones.

FIDO is more secure when authenticating the user. Traditional authentication methods require the client to send the password to the remote server, where it is checked against a password database, which carries the risk of interception and cracking. And because passwords are stored on the remote server, if the super-admin account is stolen, more than one user's password is lost. That was the case when Twitter passwords were stolen last month.

In FIDO's authentication process, no password is sent; it is processed by software on the mobile phone or computer. After verification, the software sends a key to log on to the server, and no login information is saved. At the same time, a login key sent by the server informs the user's device that it “has been authenticated”.

Ramesh Kesanupalli, one of the co-founders of the FIDO Alliance, said: “All password handling happens on one device; if hackers want to steal the password, they must steal the device.”

The authentication standards introduced by FIDO have attracted the attention of hackers. According to the research firm IDC, “such a large system will certainly attract many hackers looking for vulnerabilities. Once compromised, the FIDO system would be finished.”

To build enough influence, FIDO needs more companies to join. “PayPal joining will bring enough attention to FIDO.” The FIDO Alliance is currently focused on discussing technical issues; how to do business will be discussed in the future.


February 2013 VB100 test results announced

March 13th, 2013

Thanks to Ikimi for the submission
February 2013 VB100 test results; test environment: SUSE Linux.
ESET passed, as always, without any suspense. AVG, the Republic BitDefender, eScan, F-Secure, Kaspersky, Norman and Sophos also passed. Among the vendors tested, only Avast did not pass; domestic vendors have not yet been tested.

Last five tests at a glance: http://www.virusbtn.com/VB100/archive/summary


New pilot online supervision platform tracks illegal IP addresses; the “water army” will have nowhere to hide

March 11th, 2013

All sorts of fraud tricks hide behind the growing boom in online business, and Internet information moves in a rush; traditional regulatory approaches struggle to keep pace, creating a regulatory lag. This reporter learned yesterday from the Changning branch of the municipal industry and commerce bureau that a new service platform is being piloted for Internet supervision, with features including locking down evidence of violations and tracking the IP addresses of illegal merchants on the Internet.

At the New Jing gongshangsuo in Changning district, the reporter saw that the supervision platform provisionally covers 33 online business websites, including public comment, ctrip, MacAulay forests, trade and so on, grouped into categories such as food, household goods and medical equipment. Director Katsutoshi said supervisory staff inspect the content of these trading platforms weekly to check for false propaganda and advertisements; the emerging fraud of false comments by the online “water army” (paid posters) has also recently been brought into the scope of regulation.

More recently, regulators discovered that the reviews of the shop “Paris wedding” on the mass comment network were “unnatural”: not only long, but “lopsided”, all of them praise. Deputy Director Jin Yunqin explained that the regulatory platform can play a role against such phenomena. First, it takes screenshots of the false comments, gathering evidence of the offence from the other party's posts, on or off site. Second, the platform can directly trace the IP address of each Internet post and lock onto a specific merchant's information, identifying where they operate in a short time so that law enforcement officials can quickly arrive at their door.

A few days ago, Shanghai spring music culture media company, a “net assessment package architect” that professionally produces false online business reviews, was exposed. The investigation found that most of the “praise” was hype by the online water army: merchants signed contracts with the “water army” company and paid a commission in return for a guaranteed number of hits, comments and praise. Under the unfair competition act, the business sector punished Paris wedding and spring sound culture respectively.

Another common violation is sites exaggerating the number of purchases. For example, in a group-buying activity at the broadband Forum for a jujube from Xinjiang, the number of purchases on launch day alone was shown as 263 people, far more than for similar products. Using the monitoring platform, supervisory staff retrieved the offending platform's operating system data and saw that the real number of purchases was only a dozen people. With the monitoring platform, the Changning industrial and commercial bureau last year monitored 1272 operators doing business online in the region, investigated 99 cases involving network operators during the year, and confiscated more than 6 million Yuan.

But they still cannot control all transactions on the Internet. Currently the database contains companies already registered with the business sector, but some individual violations fall into monitoring blind spots; most are traced back from consumer complaints and are difficult to identify proactively.

It is learnt that the Changning pilot network monitoring service platform for industry and commerce is expected to be rolled out across the city this year. Shanghai's industrial and commercial authorities will also target illegal online sales hosted on servers in other places, and strengthen exchange and coordination with the business sectors of nearby provinces.


[PIC] Phishing attacks rage: Oxford University announces on Monday a temporary campus-wide block of the Google Docs service

March 9th, 2013

Oxford University officially announced on Monday that it will temporarily block the Google Docs service on campus. According to the University Computer Services Department, the service is being used in phishing attacks and other illegal activities, which has severely affected the security of the University's systems and data. After discussion it decided to block the Google Docs service temporarily; after adjustments to the network it will be reopened to students and teachers.

Oxford University students or teachers who access Google Docs currently see a block page like the one pictured above.


[Multiple images] Domain name system vulnerability exposed; half of the domestic Internet's domain names could have been hacked

March 8th, 2013

In early 2013, a serious security vulnerability was found in the Chinese net: the DNS records of the domain names of large domestic websites, including Tencent, youku and dangdang, could be maliciously tampered with. Since nearly half of China's domestic Internet domain names are managed there, if the vendor's vulnerability were exploited and DNS records maliciously repointed, the losses would be incalculable!

New Year's Day 2013 was an unforgettable night for the Chinese Internet and for the dark clouds vulnerability reporting platform. In the early hours of that day, the DNS records of the dark clouds vulnerability reporting platform, itself a customer of the domain name service provider “Chinese nets”, were maliciously tampered with through an unknown security flaw, and the website was hacked. After assisting in the investigation, the dark clouds team revealed the vulnerability details. The cause turned out to be dramatic: it was the “mobile verification code exhaustive defect” that dark clouds had already been warning Internet companies about.

Hacking process reproduced
1. Targeting
Chinese nets accounts use unpredictable, purely numeric IDs. The attacker called the customer service telephone number, falsely claimed to be the site's manager who had forgotten the login ID, and asked to be given it. Without confirming the caller's identity, the customer service staff gave the attacker the Chinese nets login ID for the website.

2. The attacker's attempt
The attacker used the case dark clouds had long been warning about: the mobile verification code brute-force vulnerability. The Chinese nets mobile verification code, only 4 purely numeric digits, was successfully broken, and without knowing the domain manager's mobile phone the attacker forced a password change through the reset-password-by-phone feature.

Stopped and then blasting the verification code

So we can reset the login password of any Chinese nets account.

3. Done
Later the attacker found another, more serious vulnerability: by modifying the user ID in the request, one can change the mobile phone bound to any user, and then reset the password directly. After that, the legitimate user can no longer recover ownership of the account.

The userID is set to the ID of the account to be hijacked, and the phone number, of course, to your own. How to learn the ID was covered above (social engineering also works: call customer service to get another user's UID).

Because the vulnerability was reported in a timely manner it did not have a large impact, but it sounded the alarm over the security posture of domestic Internet enterprises and service providers.

As network bandwidth and computer performance have increased, authentication by mobile text-message verification code has not been upgraded with the times: it still uses a purely numeric code of 4 to 6 digits, and the number of wrong attempts is not checked, so hackers can find the correct verification code within a short time. And because the hackers did not know the target account, they dialled the customer service phone directly; the customer service security process was inadequate and handed the victim's account directly to the hacker, eventually leading to the user's password being changed.
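The two flaws described above (a short numeric code whose wrong attempts are never counted, and a phone-binding request that trusts the user ID it is sent) are closed by server-side checks like the following. This is an added example, not code from the original post or from the provider; the class and function names and the policy values (6 digits, 5 attempts, 300 seconds) are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy: wrong guesses allowed per issued code
CODE_TTL_SECONDS = 300  # assumed policy: lifetime of an issued code
CODE_DIGITS = 6         # assumed policy: upper end of the 4-6 digits the post mentions


class ResetCodeStore:
    """In-memory store of pending SMS reset codes, keyed by account ID."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # account_id -> [code, expires_at, attempts_left]

    def issue(self, account_id):
        # secrets (a CSPRNG), not random: the code must be unpredictable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account_id] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # goes to the SMS gateway only, never back to the web client

    def has_pending(self, account_id):
        return account_id in self._pending

    def verify(self, account_id, guess):
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() >= expires_at:
            del self._pending[account_id]
            return False
        if hmac.compare_digest(code.encode(), str(guess).encode()):
            del self._pending[account_id]   # one-time use
            return True
        if attempts_left <= 1:
            del self._pending[account_id]   # budget spent: the code is void
        else:
            entry[2] = attempts_left - 1
        return False


def rebind_phone(phones, session_account_id, request_account_id, new_phone):
    """Change the bound phone only for the account that owns the session."""
    # The ID in the request is client-controlled; the session is the authority.
    if request_account_id != session_account_id:
        raise PermissionError("request targets an account the session does not own")
    phones[session_account_id] = new_phone
    return phones


def wrong_guesses_before_void(store, account_id, real_code):
    """Self-check: count wrong guesses evaluated before the code is voided."""
    evaluated = 0
    for n in range(10 ** CODE_DIGITS):
        guess = f"{n:0{CODE_DIGITS}d}"
        if guess == real_code:
            continue
        if not store.has_pending(account_id):
            break
        store.verify(account_id, guess)
        evaluated += 1
    return evaluated
```

Once the attempt budget is spent the code is void even if the correct value is submitted next, so the whole code space can no longer be walked against one issued code.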

The Internet security situation in the country has long been passive, in the spirit of “it is never too late”: security is taken seriously only after problems occur, other people's problems are watched with curiosity and even ridicule, and nobody takes the initiative to look for their own problems (some of which have existed for a long time). Users are increasingly at a disadvantage: weak protection of their interests, powerless service support, inability to …

We appeal here to the major Internet service providers: users entrust you with their data, their money and their expectations. Don't let users suffer so easily; treat your customers well, be conscientious, and be responsible.


Symantec: Stuxnet had been “lurking” for 2 years before attacking Iran's centrifuges

March 8th, 2013

According to foreign media reports, Symantec researchers recently found that the Stuxnet virus had been “lurking” for 2 years before its 2007 attack on Iran's nuclear facilities. In a 19-page report, the researchers noted that the Stuxnet virus existed as early as 2005, in a version known as Stuxnet 0.5. However, the report did not specify whether that virus had carried out attacks.

In 2007 Stuxnet was found to have infected 14 centrifuge systems in Iran; it made the centrifuges close the valves for uranium hexafluoride gas themselves, ultimately damaging the centrifuges.

From 2009 to 2010, the Stuxnet attacks at Natanz in Iran became more intense. It is understood that the virus destroyed more than 1000 centrifuges there at the time.

Symantec said Stuxnet is an extremely complex virus. So far, nobody knows who launched the virus, but many outside observers believe it is the product of cooperation between the United States and Israel.


Hacked emergency alert system sends “zombie invasion” warning

March 7th, 2013

The emergency alert system in the Great Falls area of Montana, United States, was hacked, and the hackers sent out a warning that corpses were rising from their graves. Local television station KRTV issued a statement denying the warning, saying there was no emergency and that engineers were investigating the matter. To guard against a zombie invasion, the United States Centers for Disease Control and Prevention website has published a “guide on how to survive safely in a zombie-infested area”.


[PIC + video] Da Vinci: cool enough! myIDkey, the “Mission: Impossible” of USB keys?

March 6th, 2013

If you are not satisfied with the regular old USB password protector, “my ID key” (myIDkey), with its biometric, Bluetooth and voice search features, leaves older devices a couple of blocks behind, and it can even self-destruct. I do not like to use “sexy” to describe a gadget, but if myIDkey is not “sexy”, it is at least “TM” (damn fine). It can protect all of your passwords, and also offers voice-activated search, biometric fingerprint recognition and Bluetooth.

Could this password-protection device make it into a “Mission: Impossible” movie?

I'm not the only one who thinks myIDkey is worth a try. The project launched on Kickstarter only recently and has raised more than $87,000 (and is growing fast), advancing toward its goal of $150,000.

Just like most other USB keys, you can plug it into a computer and it will automatically fill in your information. Of course, you can also use it as an ordinary USB flash drive.

Cooler still is the voice search feature.

For example, say the name of a bank, and it will display the information on its OLED screen.

But not just anyone can “talk” to it: you have to swipe your finger to unlock it. If you do not trust fingerprint security, you can also set a tap sequence.

For example, you can set it to unlock when you scan your thumb and tap twice.

MyIDkey also has a companion smartphone application, which enables online backup of your data.

This is also very convenient if your USB key is lost or stolen: users can use the backup system to restore their data onto a new key.

After a sufficient number of failed attempts, the device will erase all of its data itself. Doesn't that have a bit of a “Mission: Impossible” flavor?

Digital security is an essential part of modern technological life, but very few security devices have a “cool” element that makes you want to show them off to friends. MyIDkey can change this. Currently it is only a prototype, but it looks pretty good, and it should reach its Kickstarter fundraising goal and enter production. Get your thumb ready.

[Source: Kickstarter]
[Compiled from: CNET]


Third quarter of 2012: 33% of global cyber-attacks came from China

February 27th, 2013

Akamai's report showed that in the third quarter of 2012 nearly one-third of cyber-attacks came from China, more than double the second quarter.
In the second quarter of 2012, 16% of global cyber-attacks came from China, but in the third quarter, to the end of September, that rose to 33%.
The United States ranked second: 13% of global network attacks came from the United States, versus 12% in the second quarter.

In terms of broadband connection speeds, Korea ranked first at 14.7Mbps; the United States ranked 9th at only 7.2Mbps. In the second quarter, the United States was at 6.6Mbps and Korea at 14.2Mbps.

The global average speed in the third quarter was 2.8Mbps, down 6.8% from the second quarter. Although it declined quarter-on-quarter, the global average speed is up 11%. Japan's speed reached 10.7Mbps and Hong Kong, China was at 8.9Mbps, placing them in the top three. Global high-speed broadband (more than 10Mbps) penetration rose 8.8%, to 11%; global broadband (more than 4Mbps) penetration rose 4.8%, to 41%.

The global average peak broadband connection speed fell slightly, by 1.4% quarter-on-quarter, to 15.9Mbps. Hong Kong's peak connection speed of 54Mbps was the world's highest.

In the third quarter of 2012, a total of 680 million IPv4 addresses from 243 countries and regions connected to Akamai's intelligent platform.

2012 is a cross between 7.8Mbps and global mobile network connection speed. Seven operators had average connection speeds at broadband level (greater than 4Mbps), and 68 carriers had average connection speeds over 1Mbps. In the third quarter, the global average peak connection speed of mobile networks ranged between 39.2 and 2.8Mbps.
