LinkedIn seeks to assure users following password hack

Social networking company has little new to say about how 6.5 million passwords ended up on Russian hacking site



In an update that raises more questions than it answers, LinkedIn has assured members that the company is working hard to protect their personal data in the wake of a security breach that exposed about 6.5 million hashed LinkedIn passwords.

But the company offered no explanation as to how the passwords had been obtained, how they ended up being posted on a Russian hacker website earlier this week, and what other data might have been compromised.

Instead, Silveira, writing on LinkedIn’s blog, merely noted that most of the passwords on the list appeared to remain hashed and hard to decode. “But unfortunately a small subset of the hashed passwords was decoded and published,” Silveira said.

This is the first time that LinkedIn has alluded to 6.5 million passwords being compromised. In its first official comment on the incident the company had merely noted that “some” hashed passwords might have been compromised.

Silveira’s blog post does not make clear if the hackers who accessed the passwords had also managed to access the associated email logins. Rather, Silveira merely noted that LinkedIn has so far not seen any evidence of LinkedIn email IDs being publicly posted online. “Nor have we received any verified reports of unauthorised access to any member’s account as a result of this event,” he said.

LinkedIn’s first priority in the wake of the incident has been to “lock down and protect” the accounts associated with the decoded passwords, he said. “We’ve invalidated those passwords and contacted those members with a message that lets them know how to reset their passwords,” Silveira said.

“Going forward, as a precautionary measure, we are disabling the passwords of any other members that we believe could potentially be affected,” he said.

Silveira again noted that as part of the improved security measures, LinkedIn’s current production database for account passwords is salted as well as hashed. Some security experts have faulted LinkedIn for using only the SHA-1 hashing algorithm to protect member passwords.

Though the algorithm provides a degree of security, it is not foolproof. Therefore, many companies also use salting, a process in which a string of random characters is added to a password before it is hashed, to make the hashes harder to crack.

Chester Wisniewski, senior security advisor at Sophos, called Silveira’s comments about salting somewhat confusing. “They are saying that their current production database is now salted, which seems to be technically impossible. They either lost the database some time ago and have been adding salts as users log in, which means not all of them are salted, or they have plaintext copies of the passwords, which defeats the purpose of hashing them to begin with,” he said.

“The only way to salt an existing hash is to recalculate the hash after a user logs in, or for the users to have all changed their passwords,” Wisniewski said.

Silveira’s comments about only a few hashed passwords being decoded and published are also puzzling, he said. “Why they believe only a small percentage have been solved is confusing. While only a small percentage have been published, most all of them have been discovered, according to many sources who have been trying to crack them,” he said.
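The migrate-at-login pattern Wisniewski describes, shown as an added Python example (not LinkedIn’s code): two legacy users with identical unsalted SHA-1 hashes, a record that is re-hashed with a per-user salt only when that user next logs in, and a count of records still on the old scheme. The user store, names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os


def make_legacy_store() -> dict:
    """Constructed sample data: two users who chose the same password.
    Legacy records hold a bare, unsalted SHA-1 of the password, the scheme the
    leaked list was reported to use. Identical passwords give identical hashes,
    so cracking one entry reveals both."""
    return {
        "alice": {"scheme": "sha1", "hash": hashlib.sha1(b"correct horse").hexdigest()},
        "bob":   {"scheme": "sha1", "hash": hashlib.sha1(b"correct horse").hexdigest()},
    }


def salted_sha1(password: str, salt: bytes) -> str:
    """Salted SHA-1 as the article describes it: random bytes prepended before
    hashing. SHA-1 is used only to mirror the scheme under discussion; a slow
    KDF such as PBKDF2 or bcrypt would be the choice for a new design."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def verify_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Check a login against the stored record and, on success, migrate a
    legacy unsalted record to the salted scheme. The plaintext password is
    only available at login time, which is why existing hashes cannot be
    salted in bulk: each record is upgraded when its owner next logs in."""
    rec = store.get(user)
    if rec is None:
        return False
    if rec["scheme"] == "sha1":
        candidate = hashlib.sha1(password.encode()).hexdigest()
        ok = hmac.compare_digest(rec["hash"], candidate)  # constant-time compare
        if ok:
            salt = os.urandom(16)  # fresh per-user salt, stored beside the hash
            store[user] = {"scheme": "sha1_salted", "salt": salt.hex(),
                           "hash": salted_sha1(password, salt)}
        return ok
    if rec["scheme"] == "sha1_salted":
        salt = bytes.fromhex(rec["salt"])
        return hmac.compare_digest(rec["hash"], salted_sha1(password, salt))
    return False  # unknown scheme: refuse rather than guess


def legacy_count(store: dict) -> int:
    """How many records still carry an unsalted hash, i.e. how far the
    migration has progressed. Until this reaches zero, a leaked copy of the
    store still contains directly crackable unsalted entries."""
    return sum(1 for rec in store.values() if rec["scheme"] == "sha1")


if __name__ == "__main__":
    store = make_legacy_store()
    print("before login, alice and bob share a hash:",
          store["alice"]["hash"] == store["bob"]["hash"])
    verify_and_upgrade(store, "alice", "correct horse")
    print("legacy records left:", legacy_count(store))
```

Users who never log in keep their unsalted hash, which is the gap Wisniewski points to; forcing a password reset for those accounts is the other way to close it.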


Amazon Web Services cuts prices and revises support plans


Amazon has expanded basic free support for Amazon Web Services and lowered the cost of premium support.

The company has also added a number of support features, including alerts and the ability to interact with support personnel through chat.

Launched in 2006, AWS has been widely used by organisations and users looking to outsource their computer infrastructure by tapping into IaaS (infrastructure as a service) offerings. It provides computing nodes, databases, storage, load balancing and other services, all available on pay-as-you-go pricing plans.

The company’s services have been used by developers testing new software services, organisations too small to afford in-house IT systems and by popular internet services that have grown too quickly to build their own IT infrastructure, such as games company Zynga and photo-sharing website Pinterest. Earlier this week, Amazon announced that users had stored over a trillion objects in the company’s Simple Storage Service (S3).

The new support plans reflect the growing diversity in AWS’ customer base.

Amazon has added features to its basic free support plan. Now, users can consult customer service at any time for questions about either accounting or technical concerns, by either phone or email. These new services come in addition to the free access to documentation and developer forums that was already available.

Amazon has rearranged and renamed its paid plans as well, cutting the cost of some. The new Developers tier used to be called the Bronze tier. This tier costs $49 a month and includes a guaranteed 12-hour response time, a direct contact in customer support and email access to AWS technical support engineers.

The Business tier, formerly the Gold tier, offers a one-hour response time and access to technical engineers by phone or chat. It also includes support for a range of third-party applications available on AWS. This plan costs $400 per month, $100 less than the old Gold plan. Usage-based pricing has been added as well.

The new Enterprise tier, formerly known as the Platinum tier, has been moved to a variable billing model based entirely on usage. This plan used to charge 10% of what the user pays for AWS usage, but that pricing can now be reduced to as low as 3% based on the volume of usage. This plan offers 15-minute response times for critical issues, and a dedicated technical account manager familiar with the customer’s specific AWS architecture.

No plans require long-term contracts.

The new chat function will allow users to ask questions to personnel through chat. They can also sign up for alerts, which will notify them of new offers to save money, improve performance of their virtual workloads or close security gaps.

New DDR4 memory will boost tablet and server performance



IHS iSuppli analysts expect big performance gains in data centres and on consumer devices

By Lucas Mearian | Computerworld US | Published 14:45, 15 May 12

The upcoming shift from Double Data Rate 3 (DDR3) RAM to its successor DDR4 will herald a significant boost in both memory performance and capacity for data centre hardware and consumer products alike, according to IHS iSuppli analysts.

The DDR4 memory standard, which the Joint Electronic Devices Engineering Council (JEDEC) expects to ratify this summer, represents a doubling of performance over its predecessor and a reduction in power use by 20% to 40% based on a maximum 1.2 volts of power use.

“It’s a fantastic product,” said Mike Howard, an analyst with market research firm IHS iSuppli. “Increasing the amount of memory and the bandwidth of that memory is going to have huge implications.”

DDR4’s significant reduction in power needs means that relatively low-priced DDR memory will, for the first time, be used in mobile products such as ultrabooks and tablets, according to Howard.

Today, mobile devices use low-power DDR (LPDDR) memory, the current iteration of which uses 1.2v of power. The next generation of mobile memory, LPDDR3, will further reduce that power consumption (probably by 35% to 40%), but it will likely cost 40% more than DDR4 memory, said Howard. (LPDDR memory is more expensive to manufacture.)

Designed for servers

The impact that DDR4 will have on the server market could be even greater.

Intel, for example, is planning to start using DDR4 in 2014, but only in server platforms, according to Howard. “Server platforms are the ones really screaming for this stuff, because they need the bandwidth and the lower voltage to reduce their power consumption.

“So while Intel is only supporting DDR4 on their server platforms in 2014, I have a feeling they’re going to push it to their compute platforms as well in 2014,” Howard continued.

The draft of the DDR4 specification and its key attributes were released last August.

“With DDR4, we’re certainly seeing some larger power savings advantages with the performance increase,” said Todd Farrell, director of technical marketing for Micron’s DRAM Solutions Group.

Both Samsung and Micron have announced they’re preparing to ship memory modules based on the DDR4 standard. Samsung’s memory modules, expected to ship later this year, purport to reduce power use by up to 40%. Both companies are using 30nm circuitry to build their products, their smallest to date.

By employing a new circuit architecture, Samsung said its DDR4 modules will be able to perform operations at speeds of up to 3.2Gbps, compared with today’s DDR3 speeds of 1.6Gbps and DDR2’s speeds of up to 800Gbps.

Another benefit from the arrival of DDR4 will be greater density and the ability to stack more chips atop one another. Micron’s DDR4 memory module is expected to ship next year, but test modules have already shipped to system manufacturers.

“For DDR3, we see stacking going up to four chips (4H), but for DDR4 this clearly will go up to eight chips stacked on top of each other (8H), which means that, using a 16Gbit memory chip, manufacturers will be able to produce 128Gbit memory boards,” Farrell said.

Farrell described the jump from DDR3 to DDR4 as greater than any other past DDR memory evolution.

“It’s hard to pick just one attribute. DDR4 is one of these devices where you’re getting a lot of benefits at once. Power reduction is key. But at the same time we’re reducing power, we’re getting a substantial increase in performance. They kind of go hand in hand,” Farrell said.

For example, if you run DDR4 at the same bandwidth as DDR3, you can achieve a 30% to 40% power savings. Running at its maximum bandwidth, which represents a doubling of performance, DDR4 will use the same power as its predecessor.

Does power improvement matter?

Historically, memory power consumption has not been considered a big issue because at the motherboard level, processors were responsible for most of the power use in a system.

“Moving forward, as we see a tremendous amount of power reduction – especially in tablets – at that point, if the memory power doesn’t reduce with it all of a sudden the memory is setting your battery life,” Farrell said.

I/O signaling has been improved for added power savings. The I/O uses an “open drain” driver, meaning it only uses power when it writes a zero and not a one at the data bit level. Previous DDR memory used power when writing both zeros and ones.

“Our DRAM controller doesn’t drive current to a one,” Farrell said.

Another power-saving feature with the DDR4 standard will be a reduction in refreshes. In DDR3 memory boards, refreshes occur periodically – and more frequently as the temperature of a device rises. DDR4 memory is being tuned to take advantage of mobile device cooling capabilities. For example, as mobile devices like tablets and laptops go into sleep mode, they cool off. As they cool, DDR4 memory modules will refresh less often, thus using less power.

Additionally, DDR4 can be optimised for server use. For example, higher reliability can be configured using a Cyclic Redundancy Check for the data bus to verify the integrity of the memory. The command address bus also has parity built directly into the DRAM module. Traditionally, parity was achieved through the use of a separate register or another chip on a buffer DIMM.

Memory prices plummet, then stabilise

Even as the arrival of DDR4 memory nears, prices for DRAM remain soft, though the market is expected to pick up steam this year.

Last year, IHS iSuppli reported there was an oversupply in the DRAM market as demand came in lower than expected.

iSuppli has released figures showing that DRAM pricing declined to its lowest point at the end of 2010, the latest period for which it has released data. In December 2010, the contract price for a 2GB DDR3 DRAM module stood at $21, less than half the $44.40 the same module cost just six months earlier.

The price dip isn’t restricted to DDR3. Pricing for a DDR2 DRAM module dropped to $21.50 in December 2011, down from $38.80 in June 2010, according to iSuppli.

This year, iSuppli said it has a much more optimistic outlook for DRAM prices. “DRAM prices have stabilised (and look to stay firm), and the dynamic of the world economy looks much more positive in 2012,” it stated in a report last month.

After seeing major price declines in 2011, memory manufacturers cut output, bringing supply more in line with demand.

“Prices have been essentially flat in the commodity memory market since December, specifically DDR3. It is really weird,” Howard said, adding that market consolidation should help firm up memory prices this year.

For example, Japan’s Elpida Memory filed for bankruptcy in February. This week reports circulated that Micron is in talks to acquire Elpida.

“So it looks like there is going to be some really meaningful consolidation in the industry, and that’s pointing to a much better balance between supply and demand,” Howard said. “We’re anticipating prices for commodity products increasing in the second half of the year.”



Microsoft patches 26 bugs, warns users of active attacks




Patch Tuesday headache as software giant yanks update and patches worm-ready flaw

By Gregg Keizer | Computerworld US | Published 14:08, 13 June 12

Microsoft has patched 26 vulnerabilities, including one in Internet Explorer (IE) that’s already being exploited. The company also warned customers of a new zero-day attack and quashed yet another instance of a bug that the Duqu intelligence-gathering Trojan leveraged.

The software maker also ditched one security update at the last minute and substituted another in its place, probably because the second was more serious.

Of Tuesday’s seven security updates, three were rated “critical,” Microsoft’s top-most threat ranking, while the other four were marked “important,” the next-most-serious label.

The 26 vulnerabilities — one more than Microsoft last week told users to expect — included 10 critical, 14 important and two judged “moderate” in the company’s four-step scoring system.

Independent researchers almost unanimously pegged MS12-037 as the update Windows users should grab first.

The 13-bug patch collection affects all versions of IE, including IE10 on Windows 8 Consumer Preview, the February sneak peek that was superseded by the Release Preview two weeks ago.

“It’s always important to get an IE update deployed,” said Jason Miller, manager of research and development at VMware, as he cited the browser’s popularity, especially in business, and thus the huge number of possible victims.

Microsoft admitted that one of the baker’s dozen was already being exploited by hackers, raising the importance of applying the update immediately. “Microsoft is aware of limited attacks attempting to exploit the vulnerability,” stated the company’s advisory, which divulged no other details of the ongoing exploits. The vulnerability affects only IE8, the 2009 version that remains the most widely used version of Microsoft’s browser.

A second vulnerability patched by MS12-037 has been publicly disclosed, Microsoft said.

Also included in the 13 was a critical vulnerability that French firm Vupen Security exploited to hack IE9 at March’s Pwn2Own contest, where researchers face off against browsers for cash prizes. For its efforts, which featured a hack not only of IE9 but also Google’s Chrome, the Vupen team took home $60,000.

Last week, Andrew Storms, director of security operations at nCircle Security, bet that the Vupen bug would be patched this month. But Tuesday, he said it was too close to call between the IE update and a rival, MS12-036, for first-to-fix honors.

“Certainly, [MS12-036] makes it to the top of the worrisome list,” said Storms.

That update, also rated critical, patches just one vulnerability in the Remote Desktop Protocol (RDP), a Windows component that lets users remotely access a PC or server. RDP is frequently used by corporate help desks, off-site users and IT administrators to manage servers at company data centers and those the enterprise farms out to cloud-based service providers.

Most researchers were worried about the RDP bug. “This is potentially wormable,” said Storms. “Definitely wormable,” echoed Miller.

The vulnerability, dubbed CVE-2012-0173, could be exploited by an attacker who simply sends specially crafted data packets to a system with RDP enabled, said Microsoft. All versions of Windows, both client and server, are affected, ranging from Windows XP SP3 to Windows 7 SP1.

Microsoft patched a very similar RDP vulnerability in March with the MS12-020 update. At the time, Miller said he was “spooked” by the bug and its potential exploit in a network-attacking worm. Storms said it “had all the ingredients for a classic worm.”

But there was more to the story: Just three days later, Italian vulnerability researcher Luigi Auriemma, who in May 2011 had discovered one of the just-patched RDP bugs, accused Microsoft of leaking his proof-of-concept (PoC) attack code to Chinese hackers.

Auriemma had submitted that PoC to a Hewlett-Packard bug bounty program to demonstrate the flaw; HP had in turn passed it along to Microsoft.

But Auriemma found the exact same code on Chinese forums and websites, some of them known hacker hangouts.

Seven weeks later, Microsoft tossed one of its Chinese partners, Hangzhou DPTech Technologies, from an information-sharing program it hosts for scores of antivirus firms. Microsoft said that DPTech had “breached our non-disclosure agreement” as it pinned the leak on the firm.

“It looks like Microsoft investigated further after patching the bugs in March and found this one,” said Storms.

Amol Sarwate, manager of Qualys’ vulnerability research lab, agreed. “Actually, this is quite common,” said Sarwate of Microsoft’s discovery of another flaw in code proven to have a vulnerability.

Theoretically, enterprises using RDP would have followed Microsoft’s advice in March to lock down their networks by blocking ports at the firewall or enabling Network Level Authentication, or NLA, to force authentication before an RDP session begins. Doing so would block exploits of both the March and June bugs.

Miller wasn’t optimistic IT administrators had done that. “Unless the mitigations come through with a patch, they’re hard pressed for time to do it manually,” Miller said. “But RDP should only be available to machines on your local network.”

Exactly, added Pierluigi Stella, chief technology officer at Network Box USA, a Houston-based Internet security firm.

“In over 10 years in this job, I still cannot fathom why someone would open [the RDP] port to the Internet without the protection of a VPN or remote connection software like Citrix,” said Stella in an email Tuesday. “Nevertheless, even within our customers, we count several who demanded this port be open from the Internet, despite our strong advice against it.”

Other security updates from Microsoft patched flaws in the .Net framework, the company’s Lync enterprise instant messaging product, Windows’ kernel and kernel mode drivers, and its Microsoft Dynamics AX 2012, an enterprise resource planning (ERP) program.

Some of those need close inspection, said Miller.

“If you don’t review [MS12-039 and MS12-040] you could miss something,” Miller said. “Quite often we just assume our patch management product will cover all products and patches, [but] it is important to stay vigilant and read all information that is released to ensure your network is 100% covered.”

Miller was referring to footnotes in those bulletins that told customers that some (in the case of MS12-039, the Lync update) and all (for MS12-040, which affects Dynamics AX) of the patches must be downloaded manually from Microsoft’s Download Center. They’re not served up through the usual Windows Update service or the enterprise-grade Windows Server Update Service (WSUS) software.

The Lync update had its own back story that intrigued researchers.

One of the vulnerabilities patched in MS12-039 had been fixed several times in other Microsoft software, first in November 2011, then again in May 2012. In each case, the bug was located in code that parsed TrueType fonts.

Last month, Microsoft acknowledged that the code had been copied and pasted into multiple products, and said it was hunting down each occurrence.

What was noteworthy about the font-parsing code was that it had been exploited last fall by Duqu, a sophisticated cyber-spying Trojan that most experts believe was linked to the even-more-notorious Stuxnet, the worm used to sabotage Iran’s nuclear program in 2009 and 2010.

“Microsoft has done a source code audit to find instances where this [font parsing code] was in use,” said Wolfgang Kandek, chief technology officer at Qualys. “This month’s might be a leftover of that audit.”

Storms speculated that Microsoft added MS12-039 at the last moment — the Lync update had not been mentioned in last week’s advance notification — because of the ties to Duqu.

Another expert, Marc Maiffret, chief technology officer at BeyondTrust, chided Microsoft for the constant patching of the same bug.

“Here we are seven months after the original Duqu fix for TrueType font parsing and this same code reuse bug has reared its ugly head [again],” said Maiffret in an email.

In fact, the Lync update took the place of one that Microsoft had intended to ship Tuesday, but pulled for some reason. The company did not explain why it yanked that update, which was to patch all versions of Microsoft Office on Windows, but when it’s made last-minute changes before, it’s been because it found a flaw in the update or encountered compatibility issues with its own or important third-party software.

Researchers, including Storms, expect that Microsoft will ship the delayed Office update next month.

Microsoft also issued a new security advisory on Tuesday, admitting that a critical unpatched vulnerability in all versions of Windows — as well as in Office 2003 and Office 2007 — was being exploited by attackers who duped victims into visiting malicious websites.

“Our investigation is underway,” said Angela Gunn of Microsoft’s Trustworthy Computing team in a blog post Tuesday.

Until a patch is ready, Gunn urged customers to run the free “Fixit” tool Microsoft made to block attacks aimed at IE users.

Google, whose security team uncovered the attacks and, along with a Chinese security company, reported the bug to rival Microsoft, reiterated Gunn’s advice in a blog post of its own Tuesday. It also offered a bit more information than Microsoft.

“These attacks are being distributed both via malicious Web pages intended for Internet Explorer users and through Office documents,” said Andrew Lyons, a Google security engineer.

Microsoft did not set a delivery date for a patch, but Miller said he wouldn’t be surprised if the company went “out-of-band” and released an emergency update for Windows and Office before July 10, the next scheduled Patch Tuesday.

June’s seven security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through WSUS.

Apple's iWallet will use Bluetooth rather than NFC, says analyst

The iPhone 4S and iPad already come with Bluetooth 4.0 technology, negating the need for NFC


Retail industry analyst Pablo Saez Gil of ResearchFarm is convinced that Apple’s iWallet digital wallet will use Bluetooth 4.0 instead of Near Field Communication (NFC), despite the enormous amount of backing behind NFC for mobile payments.

His reasoning lies in the fact that Apple has yet to adopt NFC, even though big names like Google, as well as financial institutions and card operators such as MasterCard with its Paypass Wallet, Visa with the PayWave system and Barclays’ Barclaycard, have all given NFC the go-ahead and designed digital wallets which enable consumers to tap a card or phone to readers in shops, or even tap-to-pay technology on ultrabooks.

However, Apple has aggressively upgraded its Bluetooth offering to Bluetooth Low Energy (BLE) across its entire portfolio of devices, with the new iPad and the iPhone 4S being the only major tablet and smartphone that had Bluetooth 4.0 at the time they shipped.

“[Bluetooth Low Energy] allows low-consumption chips to act passively in the form of stickers in a similar fashion to NFC tags and devices can automatically and passively connect and transfer information seamlessly,” said Gil.

“The technology also enables long-distance connections between devices of up to 50m. This feature will eventually enable payments on the go, without the need of fixed POS and traditional checkouts.”

The idea is that Apple could introduce an app that enables the Bluetooth transaction but relies on the cloud. This would completely negate the need for NFC, cash registers or even credit cards and thus allow retailers and SMEs to bypass costly hardware upgrades.

“Cloud-based payment solutions will produce the largest number of value benefits for retailers and consumers,” said Gil.

“While NFC still has the largest momentum behind it, it is clearly losing steam. Payments incumbents are embracing NFC because it simply represents an update of their delivery format rather than a threat to their business model. Innovators are instead focusing on solutions that can be launched into the market right away and we think there is nothing more ubiquitous and ready-to-use available today than the cloud.

“In contrast, cloud-based payments can gain mass adoption overnight, as cloud-based payment solutions will arrive in the form of mobile apps, be they digital wallets or mobile retailer apps.”