Archive for August, 2008

A domain-name system (DNS) researcher proposed on Wednesday that the addition of a single character to the popular BIND name server software could severely limit cache poisoning attacks, such as those described by researcher Dan Kaminsky.

By changing a '<' to '<=' in a trust check in the Berkeley Internet Name Domain (BIND) server software, the patch would prevent a previously unknown server from poisoning the cache, unless the time to live (TTL) -- a limit on the age of a name server entry -- had expired. The suggestion, made by computer scientist Gabriel Somlo, would make exploitation of name server caches more difficult.

However, the "one-character patch" also has some serious side effects, Dan Kaminsky, director of penetration testing for IOActive, said in an e-mail interview with SecurityFocus. Some major hosts have no TTLs or very low TTLs and, for those servers, you gain very little, he said. Other hosts have very high TTLs, he added.

"If we can't override them -- can't override high TTLs -- those sites go down for a very long time," Kaminsky said. "You don't get to fix DNS by breaking it. People will just not deploy your patch."
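To make the trade-off concrete, the following is an added, simplified model of the cache-replacement rule described above; it is not BIND's code and not Somlo's patch. It assumes a cache that keeps one record per name with an integer trust rank and an expiry time, and that an incoming answer may overwrite a live cached record only if it out-ranks it. The "one-character change" is modelled as turning the comparison that rejects a less-trusted answer (`<`) into one that also rejects an equally-trusted answer (`<=`). The names and addresses are constructed sample values.

```python
"""Simplified model of a trust-plus-TTL cache replacement rule (illustration only).

Assumptions (not from BIND): higher `trust` is more trustworthy; an incoming
answer is rejected only while the cached record is still within its TTL.
"""
from dataclasses import dataclass


@dataclass
class Record:
    name: str
    address: str
    trust: int      # assumed ranking: higher = more trustworthy
    expires: float  # absolute time in the same units as `now`


class Cache:
    def __init__(self, strict: bool):
        # strict=False: original rule, reject only if new.trust <  cached.trust
        # strict=True : "patched" rule, reject if   new.trust <= cached.trust
        self.strict = strict
        self.entries = {}

    def offer(self, rec: Record, now: float) -> bool:
        """Try to store `rec`; return True if it replaced/created the entry."""
        cached = self.entries.get(rec.name)
        if cached is not None and cached.expires > now:
            # The cached record is still live, so the trust check applies.
            if self.strict:
                rejected = rec.trust <= cached.trust
            else:
                rejected = rec.trust < cached.trust
            if rejected:
                return False
        # Either nothing cached, the old entry expired, or the new one out-ranks it.
        self.entries[rec.name] = rec
        return True


def scenario(strict: bool, ttl: float):
    """Constructed scenario: a legitimate answer is cached at t=0 with the given
    TTL, then an unsolicited answer of *equal* trust for the same name arrives
    at t=1.  Returns (second_answer_accepted, address_now_in_cache)."""
    name = "www.example.test"          # constructed sample name
    cache = Cache(strict)
    cache.offer(Record(name, "192.0.2.1", trust=2, expires=0 + ttl), now=0)
    accepted = cache.offer(Record(name, "198.51.100.9", trust=2, expires=1 + ttl), now=1)
    return accepted, cache.entries[name].address


if __name__ == "__main__":
    for strict in (False, True):
        for ttl in (3600, 0):
            print(f"strict={strict} ttl={ttl}: {scenario(strict, ttl)}")
```

Running the four combinations shows both halves of the article's argument: with a live TTL the strict rule keeps the original address where the original rule lets the equal-trust answer replace it, while with a TTL of zero the cached entry is already expired at t=1 and both rules accept the newcomer, which is Kaminsky's "you gain very little" case. The same rejection that blocks the unsolicited answer also blocks a legitimate equal-trust correction for as long as the TTL lasts, which is the high-TTL side effect he describes.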

In July, an alliance of software makers and infrastructure providers revealed the existence of a major flaw -- found by Kaminsky -- in the domain-name system (DNS). The flaw could allow an attacker to redirect victims from trusted Web sites, such as those of banks, to fake sites. One researcher's theorizing on the nature of the flaw led to most of the details of the issue leaking out less than two weeks later. Last week, the White House sent out a memo to the chief information officers at major agencies, mandating that they move to a complex security solution, known as DNS Security (DNSSEC), by December 2009.

Somlo's "one-character patch" has received some attention -- most notably from an uncritical Slashdot post. Yet, the computer scientist had merely proposed the change on a mailing list for BIND users, asking for feedback. Somlo could not immediately be contacted by SecurityFocus.

"I never claimed my one-character patch would fix all bugs in bind (sic) -- I don't have that kind of power," Somlo joked on the mailing list.

Article Source

The Consumer Electronics Association (CEA) announced today that the chief executives of Microsoft, Sony and Ford will deliver keynote addresses at the 2009 International CES tradeshow. Most notably, of course, is the fact that Steve Ballmer now has the honor of delivering the CES opening keynote for the first time, effectively succeeding Bill Gates as the pre-CES keynote speaker.

There was something warm and fuzzy about the 2008 CES pre-show (Day 0) keynote when Microsoft chairman and co-founder Bill Gates spoke for the last time at the event. Gates had grown into an institution over the years with several memorable keynotes delivered in 1998 and from 2000 to 2008 (Sony’s Sir Howard Stringer held the keynote in 1999.)

The CEA has now invited Steve Ballmer as the pre-CES keynote speaker for the show for the very first time. We can’t help but have a warm and fuzzy feeling about that as well, but we are certain that Steve Ballmer will inevitably be compared to Gates: his charisma, his visions, his promises and his stage presence.

Day 1 keynote speakers include Sony CEO Sir Howard Stringer and Alan Mulally, president and CEO of Ford.

Article Source

Virtual Mirror

This will probably be marketed like some kind of “magic mirror on the wall”, as the Virtual Mirror looks like it’s trying to help you decide which clothes you look good in quickly, by displaying an image of you wearing the clothes you like without you having to try them out one by one, and you won’t even have to remove the clothes on your back first. Of course, not having to queue up in front of the changing room probably takes away some of the fun in shopping for clothes, but this virtual mirror still looks very cool. The technology isn’t perfect yet, as it still finds it a little difficult to create a realistic impression of the clothes in the virtual mirror, but it’s a step in the right direction. It isn’t too hard to imagine Star Wars fans trying on clone trooper armor with this in the future.

Opinion – Ok, I get it: Beta software isn’t software that should be run on computers you rely on every day. Betas are merely previews of products we can use to get a glimpse of the future and should be treated with care as bugs and hiccups are almost certainly part of the deal. Microsoft’s latest IE8 Beta surely has bugs as well, but there is one surprise that is a bit beyond my comfort level: Some users may actually not be able to uninstall this beta anymore.

Microsoft and beta software is a story all by itself. In fact, Microsoft treats beta software very differently than most software companies do. While betas are typically developer-only packages elsewhere, Microsoft betas are a fixed and important part of the software release and marketing process that began with Windows 95 and IE4: Microsoft gave away thousands of Windows 95 Betas in prize drawings back in 1994 and the actual IE4 launch was initiated with the IE4 beta – I still have my beta T-shirt given out at a launch party back then.

IE8 continues that tradition. It is only the second beta, but Microsoft’s IE8 pages treat the software like a final release. Yes, it is still called beta, but Microsoft has set up a fully-fledged product page with videos and flashy product demonstrations. Microsoft tells visitors on its site to “Get Internet Explorer 8 Beta 2, the latest version of Microsoft’s free web browser.” The download buttons for the “latest browser” clearly point to this beta 2, while “older versions” are mentioned at the very bottom of the page. There is not a single warning that this software may have bugs and should be treated carefully. If you are new to this game, you surely have the impression that this is a version close to the final (it actually is) and that this is the IE you should download.

With that in mind, one bug in particular, pointed out this morning by Gregg Keizer at Computerworld, strikes me as a bit much.

Users of Windows XP SP3 who simply install IE8 Beta 2 may find the browser locked into their system, with no way to remove it short of a full reinstallation of the operating system. According to a Microsoft IEBlog post, this scenario occurs if you installed Windows XP SP3 after installing IE8 Beta 1 and you now choose to install IE8 Beta 2 on top of Beta 1 - and ignore a window with a warning. Microsoft said that you will be able to install Internet Explorer 8 Beta2, but once installed, you will not be able to uninstall either IE8 or Windows XP SP3 later.

“If you chose to continue, Windows XP SP3 and IE8 Beta2 will become permanent. You will still be able to upgrade to later IE8 builds as they become available, but you won’t be able to uninstall them,” program manager Jane Maliouta wrote in her blog post.

So, if you are using XP SP3 you may want to follow Maliouta’s advice. But I believe it wouldn’t hurt either if Microsoft published such issues on its IE8 product page and not just in a blog, which not everyone will read. In the end, it is a beta and it should be treated this way - by users and Microsoft.

It is interesting to see a USB gamepad like this come with a detachable micro steering wheel, but I suspect it definitely won’t increase the realism in driving games, but will probably appeal to simple kart-racing types instead. It might be small, but at least it is better to use compared to a standard D-pad. This USB Mini Controller works with Windows-based computers only, so Mac users are left out of the loop yet again. It isn’t wireless, so be prepared to welcome yet another 6-foot long USB cable into your home. No idea on pricing, but it is available for order from Dream Cheeky.

Article Source

Microsoft today released the second beta of its upcoming Internet Explorer 8 web browser with a boatload of new functionality compared to the first beta that made its debut in March of this year. The company highlights 50 features that address usability, security, compatibility, manageability and a couple of tools that are unique to IE. The outcome is a browser which engineers clearly designed with innovation in mind. In some parts that works, in others it does not. Expect a browser that is vastly more complex than its predecessor and that offers a completely different browsing experience than Firefox.

Microsoft kept its promise and delivered the second beta of IE8 before the end of this month to give us a taste of what Microsoft believes users expect from a modern web browser. There is a lengthy new feature list, which you can access here and which is nearly impossible (and boring) to cover in this article. The question most people will have is – how does it stack up to the best in the market – Firefox, Safari and, in some instances, Opera? Will it be faster than the painfully slow IE7, is it easier and more secure to use? There is one simple answer: Yes.

Speed

Page load speed is often a very subjective impression, and even if you measure it scientifically, there are substantial hurdles - such as varying connection issues - to a fair result. At least subjectively, this author found that IE8 itself loads about three times as fast as IE7 and loads pages about twice as fast as its predecessor. The performance gains are also significant when compared to the first IE8 beta.

It is obvious that Microsoft, just like Mozilla, has made huge progress to accelerate the browser engine, while the company surprisingly forgets to highlight this progress in its browser feature list. Subjectively, it appears that Firefox 3 has lost its page load time advantage.

Useful new features

It is obvious that Microsoft’s IE engineers had some innovation pressure from some management levels above and there are, in fact, a few interesting features. First, there is finally a “Find on this Page” feature you can actually use, since it is placed in its own field below the address bar. Searching web pages for certain words or phrases is also enhanced through search result highlighting and search result count.

Just like Firefox, IE8 can also store a browsing session and reopen it when the software is restarted.

The “Smart Address Bar”, which offers a neatly structured, instant search feature when you are entering a URL, is also new. Similar to the Firefox idea, the Address options are very organized, easy to read and in most cases actually useful – especially when you are looking for a certain section on a website and simply don’t know its sub-level address.

The best new feature, hands down, is Tab grouping. At least I tend to have countless tabs open, and once you exceed ten or more tabs, it gets confusing and you have to start reorganizing those tabs. IE8 does that for you in a color-coded fashion. The colors themselves are a matter of taste, but as long as you are opening tabs through the context menu (right mouse click), a new tab will appear in the color of the originating website. This feature is a perfect example of how simple ideas can have a huge impact.

Tabs now also come with “crash recovery”, which means that the content in a tabbed window is automatically restored and reloaded - and any information the user may have already entered on the page (such as when writing an e-mail or filling out a form) is restored.

Under the hood, there are new features you won’t see in the user interface - which, however, are milestones for Microsoft. First, the browser is much closer to common web standards than any version before (Microsoft says it passes the Acid2 browser test), CSS 2.1 will be implemented in the final version of the browser, there are Document Object Model (DOM) and HTML 4.01 improvements, and there is support for W3C’s HTML 5 Draft DOM Storage standard and the Web API Working Group’s Selectors API.

Useless new features

Microsoft would not be Microsoft if there wasn’t an overload of features that in fact make the browser (12.7 MB download) appear bulky. Each user may have a different opinion about which features those are, but at least in this version they seem to be Microsoft’s Web Slices and Accelerators (renamed from “Activities”). On one side, Microsoft promises to stay within general HTML guidelines, and on the other the company cannot resist creating proprietary features that are not part of any standard and are not supported by any other browser. Is it just me or does this sound strange?

Both Web Slices (a way to subscribe to certain content) and Accelerators (quick access to maps, for example) are obviously an attempt to standardize certain features and convince web developers and other browser developers to adopt this functionality. To me, both features are nice and may certainly be useful in some cases, but will they improve your browsing experience in general? No. In some scenarios, IE8 feels too heavy. The browser interface clearly needs another workout to trim some of the fat it has gained over the years.

Security

IE8’s new “over the shoulder privacy” features were revealed two days ago. “InPrivate” appears to be a new word under which Microsoft will combine a range of security configuration options, with the first ones being InPrivate Browsing, InPrivate Blocking and InPrivate Subscriptions. All three add another layer of flexibility and complexity, which may be welcomed by some and may confuse others.

12 additional big security improvements include per-user and per-site ActiveX rules, domain warnings and highlighting, enhancements to IE7’s phishing filter and data execution prevention.

Old Microsoft habits

The installation process of the browser remains unacceptable and one big annoyance. Even on my relatively speedy PC, the installation process took 28 minutes from beginning to end. For 17 minutes, the PC was unusable, since the PC needs to be restarted and updates need to be reconfigured.

Why is it that Firefox can be downloaded and installed on the go without the need for a restart of the PC, while Microsoft takes my PC hostage for 17 minutes for a simple browser update? I may be picky here, but IE8 is not particularly convenient (or transparent) to install.

You can download IE8 Beta 2 here.

Article Source

A breach in a key computer system holding data for the Best Western hotel chain may have allowed the Russian mafia to steal information on 8 million customers, if an uncritical story in Scotland’s Sunday Herald proves accurate.

The article, which appeared on Sunday, claims that an Indian hacker with no prior cybercriminal background managed to get a Trojan-horse program installed on a key system inside Best Western’s network. The malicious code reportedly recorded the login credentials of one of the hotel chain’s employees, which the hacker proceeded to sell to a group of Russian cybercriminals.

Yet, the news report is long on hyperbole. Phrases such as “one of the most audacious cybercrimes ever” and “the greatest cyber-heist in world history” pepper the article and ignore a long list of previous — and larger — data thefts, such as the breach of TJX and the hacking of CardSystems Solutions. Moreover, in two press releases, Best Western disputed details of the article and denied that the extent of the attack was as bad as claimed by the Sunday Herald.

“We can confirm that on August 21, 2008, three separate attempts were made via a single log-on ID to access the same data from a single hotel,” the company said in a statement released late Monday. “The hotel in question is the 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany, where a Trojan horse virus was detected by the hotel’s antivirus software. The compromised log-in ID permitted access to reservations data for that property only. The log-in ID was immediately terminated, and the computer in question has been removed from use.”

Best Western said that it had narrowed down the number of customers affected to 10.

While companies and organizations frequently downplay the impact of breaches — the University of Southern California, for example, did not initially acknowledge the full extent of a breach of its online application system — the lack of sources in the original Sunday Herald article leaves the newspaper’s claims in doubt. Other media outlets repeated the story uncritically.

Best Western referred to the Sunday Herald story as “largely erroneous.”

The hotel chain has pledged to continue to monitor for fraudulent activity, work with law enforcement authorities and credit-card companies to investigate the breach, and institute greater security measures. Best Western has already notified the FBI and international law enforcement, the company said in its statement.

Article Source