Google cuts grace period for vendors of vulnerable software

Google is shortening the amount of time it gives to makers of vulnerable software and web services when there is imminent danger. The Google security team says that if it encounters a zero-day vulnerability that is already being actively exploited in attacks, it will give the affected vendor just seven days' grace to fix the vulnerability or publish an advisory with mitigation strategies for users.

After seven days, Google intends to publish details of the vulnerability so that users of the vulnerable software can protect themselves from attacks. Previously, the company gave vendors sixty days before going public with details of vulnerabilities. Google says, though, that it has found zero-day vulnerabilities being used to target a limited subset of people, and that this targeting makes an attack more serious than a widespread one and more important to resolve quickly, especially where political activists are being compromised and the attacks can have “real safety implications” in some parts of the world.

Google admits the seven-day period is an “aggressive time frame” but says it offers sufficient time for a vendor to publish advice on how to, for example, temporarily disable a service or restrict access, or to offer contact information for more direct assistance. “Each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised,” says Google, adding that it plans to hold itself to the same standard and hopes to improve the coordination of both web security and vulnerability management.

Google Overhauls Gmail to Take On E-Mail Overload

NYTimes posted: On Wednesday, Google introduced a new in-box design for its e-mail service, Gmail.

In a blog post announcing the new design, the company said it wanted to help people quickly sort through their messages to determine which ones were important and which ones could wait until later.

The revamped Gmail automatically sorts incoming messages into categories, which appear as three tabs — primary, social and promotions — that users can toggle between in their in-box. The primary tab contains the e-mails that the service thinks are most important. Social contains message updates from various social networks, like LinkedIn, Tumblr and Yelp. Promotions contains newsletters, party invites and concert announcements. Users can also select to add additional tabs to help manage electronic bills, banking statements and messages from forum boards.

“We get a lot of different types of e-mail: messages from friends, social notifications, deals and offers, confirmations and receipts, and more,” wrote Itamar Gilad, a product manager at Google, in the post. “All of these e-mails can compete for our attention and make it harder to focus on the things we need to get done.”

Mr. Gilad said Google’s new in-box is “organized in a way that lets you see what’s new at a glance and decide which e-mails you want to read when.”

The new in-box will begin rolling out for the desktop first, and eventually be available on mobile and tablet applications.

DMC And Wayne Static Join Forces To Shoot Video For New Track

Wayne Static shared this on his Facebook page:

DMC And Wayne Static of Static-X Join Forces To Shoot Video For New Track “Noise Revolution”

DMC of the legendary RUN-DMC and Wayne Static will be shooting a video for a new track entitled “Noise Revolution” in the coming weeks. DMC, one of the pioneers of Hip Hop music, is also credited as being the first to blend rock with rap, most notably with a RUN-DMC rendition of “Walk This Way” by Aerosmith which also featured vocals by Steven Tyler. Once again DMC looks to break new ground by synthesizing the industrial sound of Wayne Static’s undeniable vocal approach with his trailblazing rap style. The video will be directed by Matt Zane (Wayne Static, Zakk Wylde, Orgy, Society 1, Annihilated).

“The Noise Revolution song and video is a powerful statement that shows that our art and creativity is the most important representation of the people. Working with Wayne Static and Matt Zane to knock down walls and bring people together with a positive message is inspiring and empowering!” said DMC.

Wayne Static is no stranger to combining different styles and is known for the creation of “Evil Disco” and when the chance to work with one of the all time great Hip Hop artists presented itself there was absolutely no hesitation.

“The opportunity to work with a legend like DMC was a great honor and an experience like no other. We performed onstage together in Austin a while back and I hope we have more opportunities to perform together again,” said Wayne.

Wayne also went on to explain how he has always been in favor of combining different genres of music.

“I have always believed combining different genres of music is a great way to create exciting new sounds. In fact I’ve based most of my career on combining unexpected styles in innovative ways. This collaboration with DMC is a prime example of how we can break through traditional expectations of Metal and Rap to create a bad ass new sound, and that is really the theme of the song for me as well. This song is a ‘Noise Revolution!’”

Matt Zane was even in awe to be presented with the opportunity to direct the video.

“I was all about The Doors, Van Halen, King Diamond and RUN-DMC when I was growing up. When DMC flew out to Los Angeles to meet I couldn’t believe I was sitting across the table from him discussing concepts for something I was going to direct. I was trying to keep it together but really my mind was going crazy. I didn’t want to let on that I was such a huge fan and had all the records,” said Zane.

Stay tuned to see the “Noise Revolution” in late June.


Iranian Hackers targeting US oil, gas, and electric companies

The Hacker News reported: For all the talk about China and the Syrian Electronic Army, it seems there is another threat to U.S. cyber interests: Iran. A series of potentially destructive computer attacks targeting American oil, gas and electricity companies has been tracked back to Iran.

Iranian hackers were able to gain access to control-system software that could allow them to manipulate oil or gas pipelines. Malware has been found in the power grid that could be used to deliver malicious software to damage plants. The targets have included several American oil, gas and electricity companies, which government officials have refused to identify.

The officials stated that the goal of the Iranian attacks is sabotage rather than espionage. The cyber-attacks from China, however, are aimed more at stealing confidential information from the U.S. government as well as from private business. Mandiant announced that the Chinese government was backing those attacks; however, officials from the government in Beijing vehemently denied any connection to them.

The new attacks, officials said, were devised to destroy data and manipulate the machinery that operates critical control systems, like oil pipelines. Iran has denied being the source of any attacks, adding that it had been a victim of American sabotage.

Tom Cross, director of security research at Lancope, said that industrial control systems such as those used to control oil and gas pipelines are more interconnected with public networks like the Internet than most people realize. “It is also difficult to fix security flaws with these systems because they aren’t designed to be patched and restarted frequently. In the era of state-sponsored computer attack activity, it is not surprising to hear reports of these systems being targeted,” he said.

Government officials also claimed that Iran was the source of a separate continuing campaign of attacks on American financial institutions that began last September and has since taken dozens of American banks intermittently offline, costing millions of dollars. But that attack was a less sophisticated denial of service effort.

Apple closes QuickTime vulnerabilities on Windows

Apple has released a security update for its QuickTime media framework for Windows. Version 7.7.4 of the software closes 12 critical security holes causing memory corruption and buffer overflows when processing a number of media formats. The vulnerabilities affect Windows 7, Vista and XP SP2 or later and could be exploited to cause arbitrary code execution and application crashes.

The vulnerabilities affected the playback of MP3, H.263, H.264, TeXML, JPEG, QTIF, Sorenson Video and FPX files as well as the handling of dref, enof and mvhd atoms within the program. All of the problems were reported by researchers working with HP’s Zero Day Initiative, five of them by Tom Gallagher and Paul Bates from Microsoft.

At the time of writing, Apple is not yet listing details about the fixed bugs on its security web site, but has announced that it will do so soon. The 40MB update for the free product can be downloaded from Apple’s Support Downloads web site.

via h-online

Symantec planning to discontinue PC Tools security products

Symantec has stopped selling the security-related products in its PC Tools portfolio, according to an announcement on the company’s web site. Customers using the affected programs – Spyware Doctor, Spyware Doctor with AntiVirus, and Internet Security – can continue to use them until their subscription runs out.

Symantec says that the decision is related to consolidating its product range in order to offer customers fewer but higher quality products. To that end, the company suggests that customers looking to replace the discontinued products consider Norton Internet Security.

Symantec acquired PC Tools in 2008. One of the company’s most popular security programs was ThreatFire, a virus scanner that detected malicious programs based on their behaviour; over the last few years, however, it has only been available as part of PC Tools Internet Security.

via h-online

Korn on mission to find cure for diabetes

The members of Grammy-winning hometown heroes Korn will be preparing to head overseas for the European leg of their current concert tour when the Juvenile Diabetes Research Foundation holds a wine and food event in Bakersfield June 1.

But they will be there in spirit and, better yet, a piece of history that has huge significance to any Korn fan will go home with the highest bidder: the guitar played by Brian Welch at the recent concert marking his return to the band after an absence of eight years.

“And all four of the original band members — my brother, Brian, Reggie (Arvizu) and James (Shaffer) — signed it,” said Alyssa Davis, who has a small role in planning the event for a very compelling reason:

Zeppelin Davis, her 6-year-old nephew, who has Type 1 diabetes. Zeppelin is the son of Korn frontman Jonathan Davis and his wife, Deven, whose lives changed instantly upon learning of the diagnosis, said Alyssa Davis.

“They’re really trying to raise money to help find a cure for these kids, who are being diagnosed so young,” she said. “It’s a life changer. I had no idea that for a child going through it, what it entails. You change everything.”

Beyond the dietary changes and other lifestyle accommodations, their son’s struggle has prompted the Davises to become deeply involved in raising funds for research, as they’re doing with the 2013 Summer Wine Fest on June 1.

The evening promises to be a delight for food and wine lovers, with hors d’oeuvres and desserts served by Luigi’s Restaurant, the Padre, J&M Cafe, Dewar’s, Chef’s Choice Noodle Bar, Borda Petite Catering, Mexicali, The Mark, Cafe Med, Sweet Surrender, Lassen’s and new-to-Bakersfield restaurant Wiki’s Wine Dive & Grill.

Participating vineyards and breweries include Marchesi Antinori, Constellation Brands, the Estates Group, Epic Wines, Mastro Scheidt Family Cellars, Stella Artois Beer and more.

Entertainment will be provided by Grammy-winning R&B performer Tony Rich, whose biggest hit is the 1996 single “Nobody Knows.” Also performing will be Bakersfield-based band Mystic Red.

In addition to the signed Korn guitar, interesting auction items include lunch with U.S. Rep. Kevin McCarthy in Washington, D.C., and a “wild pig hunt” donated by Tejon Ranch. All proceeds will be donated to research for a cure for Type 1 diabetes and for local support groups that help children and teens.

Tickets are $65 in advance and $75 at the door. Space is limited at the event, which runs from 6 to 11 p.m. at Fleur De Lis, 424 24th St. For information or to buy tickets, call 636-1305 or visit

Chrome 27 comes with better load speeds and security fixes

The Chrome developers at Google have released version 27 of their browser to the Stable release channel for Windows, Mac OS X, Linux, and Chrome Frame for Internet Explorer. The new version, Chrome 27.0.1453.93, includes performance improvements with a new scheduler and fixes a number of security vulnerabilities – most of them rated as High – that Google’s bug bounty program rewarded with almost $15,000 in total.

Chrome 27 also introduces a filesystem API that allows the browser to synchronise application data through the Google Drive service. Among the bug fixes, a dependency problem which stopped Chrome being easily installed on Ubuntu 13.04 has also been fixed, one release earlier than Canonical was expecting.

In an announcement entitled “every second counts”, Google explains that the new scheduler in the browser makes pages render 5% quicker on average. The speed increase should be most notable with documents made up of a large number of images and a lot of JavaScript code. More details on the new technology are available in a white paper published by the Chrome Speed Team.

The Chrome developers have also highlighted 17 security holes closed in Chrome 27 and paid out 13 bug bounties. Arne Kettunen of the Oulu University Secure Programming Group was awarded $3133.7 for finding four different memory safety problems in the Web Audio component. Most of the other High-rated vulnerabilities also have to do with memory management issues and earned their discoverers payouts of between $500 and $2000, totalling almost $15,000. The developers have also shipped a new version of the Flash Player which means Chrome comes with Flash Player version 11.7.700.203.

Chrome 27.0.1453.93 is being delivered as an automatic update on all supported platforms. It is also available to download from Google free of charge. Chrome is proprietary software, built from Google’s open source Chromium project.

Microsoft warns of Facebook-hijacking extensions

Malicious browser extensions are trying to hijack Facebook profiles, according to a warning from Microsoft’s Malware Protection Center. The extensions, first discovered in Brazil and dubbed JS/Febipos.A by Microsoft, are targeted at Chrome and Mozilla Firefox and appear to be installed by a custom trojan dropper. Microsoft first reported on the trojans in April, but it seems that a recent update to the trojans warrants bringing further attention to them.

The trojan extensions themselves monitor users’ browser activity to see if they are logged into Facebook and then retrieve a configuration file from a site, disguised as a .php file, which contains commands for the extension. The extension is able to like pages, share pages, post, join groups, invite friends to groups, chat with friends or comment on posts. The Microsoft researchers have witnessed the extension posting messages (in Portuguese) about teen suicides with a video link that sends users to a malicious site, liking and commenting on a Facebook page apparently belonging to a car company, and sending out a variety of messages via chat, posts or comments. Links to other Facebook profiles are also posted by the extension in messages.

Microsoft recommends that users review their installed extensions. The extensions are detected by Microsoft’s security software, providing the latest definitions are installed.