Wednesday, November 2, 2011

Stuff mag's surprise gadget award

A hybrid laptop-tablet computer is the unexpected winner of Stuff magazine's gadget of the year award.

Asus's Eee Pad Transformer beat the iPad 2 to the top prize, despite stronger demand for Apple's device.

It is a marketing coup for the Taiwanese company ahead of the busy Christmas shopping period. It may also aid Asus with the imminent launch of an upgraded version to its product.

However, other journalists voiced surprise at the choice.

"Despite the iPad 2 being a finer tablet in the purest sense, the Asus Eee Pad Transformer offers so much more," Stuff's consulting editor, Simon Osborne-Walker, told the BBC.

"The clip-on keyboard means it can be as much about productivity as leisure.

"Best tablet? No. Best netbook? Probably not. But as a combo of the two - awesome."

Competition

It is the second time in less than a month that Apple has missed out on one of the UK's leading technology awards.

T3 magazine picked Microsoft's Kinect full-body motion sensor for its Xbox console as its top gadget of 2011.

Stuff also echoed T3's selection of the Samsung Galaxy S2 as its phone of the year.

However, it was far from a complete washout for Apple. It won Stuff's tablet of the year, the magazine's readers voted the iPad 3 their most wanted future gadget, and the MacBook Air laptop was named the best computer.

Other technology journalists invited to the ceremony were caught out by Stuff's headline award.

Pocket-lint's editor, Stuart Miles, said he was "surprised", while CNET's Andrew Holye described it as an "unexpected decision".

Wired.co.uk's editor, Nate Lanxon, said: "The iPad 2 would have been the obvious guess. But the winner is well-deserved, regardless."

Contrasting sales

Asus recently revealed it shipped 1.2 million Eee Pads over the previous two quarters. By contrast Apple said it sold over 20.3 million iPads over a similar period.

However, Stuff's editor suggested the California-based company's lead is no reason to be complacent.

"Apple's most recent products have been more about evolution rather than revolution, which has allowed some competitors to creep up on them," Mr Osborne Walker said.

Asus is expected to launch a successor hybrid device within the coming weeks. Analysts say the new version is likely to include a faster processor and the latest version of Google's Android system.

Other Stuff winners included Virgin's TiVo video recorder as the top home cinema gadget, the Olympus PEN E-P3 as the best camera, and LA Noire as the best videogame.



Powered By WizardRSS.com | Full Text RSS Feed | Amazon Plugin | Settlement Statement

Duqu linked to Microsoft document

The Duqu computer infection was spread with the help of an infected Microsoft Word document, according to a report.

The research says the Trojan exploited a previously unknown vulnerability embedded in Word files, allowing Duqu to modify computers' security protection.

The code is believed to have been designed to gather intelligence from industrial control-systems.

Microsoft says it is preparing a software patch to address the issue.

The Laboratory of Cryptography and Systems Security (Crysys) at Budapest University made the discovery.

"We carefully analysed the available forensics data from the original incident where Duqu was uncovered," Dr Boldizsar Bencsath, who led the investigation, told the BBC.

"We found suspicious files that we further analysed, and in one case, we were able to prove that the file contains the installer of Duqu and it uses a zero-day exploit."

A zero-day exploit is a computer threat that make use of a previously unknown software error to allow the attacker to gain permissions they should not have.

Dr Bencsath added that it is possible that Duqu may also be installed by other means, but he had not found any evidence to suggest it.

Global attack

The news is being publicised by the internet security firm Symantec.

It says that it has confirmed the Duqu infection at six different computer networks belonging to unidentified organisations across a total of eight countries. They include Iran, India, France and Ukraine.

In addition other security firms have reported suspected infections in a further four countries, including the UK.

Duqu has been compared to last year's Stuxnet worm attack, but Symantec says they operate in two distinct ways.

"Stuxnet was about spreading as far and as wide as possible to hunt down systems that could pass on control of industrial organisations - such as nuclear power plants," said Greg Day, Symantec's director of security strategy.

"Duqu has specifically targeted a number of organisations looking to scan across their internal systems, gather intelligence and pass it back out.

"The sort of things it's collecting are design documents and other information that could be the reconnaissance for a further attack."

Patch

So far neither Symantec nor Crysys have been able to trace who is receiving the data. Efforts to address the exploit are ongoing.

"Microsoft is working with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware," a company statement said.

"We will be providing a security update for customers through our update process."

Experts say these types of focused attacks appear to be on the rise.

Earlier this week Symantec reported that 29 chemicals firms had been targeted by a separate Trojan named PoisonIvy.

"Industrial espionage is the natural evolution from cybercrime," said Mr Day.

"Cybercrime is like pick pocketing. But these latest threats are like great train robberies, where the attackers have taken time to understand the intended victim and have a carefully constructed plan to rob them."



Powered By WizardRSS.com | Full Text RSS Feed | Amazon Plugin | Settlement Statement

Socialbots 'steal' Facebook data

Researchers have demonstrated a new technique capable of stealing personal information from Facebook.

Using 'socialbots', computer programmes that mimic real Facebook profiles, the researchers were able to harvest vast quantities of personal data.

Socialbots are increasingly being used by internet criminals and are being offered for sale on the internet for as little as $29 (�18).

Facebook said that the research was overstated and unethical.

A socialbot is a social networking adaption of the wide-scale botnets used by criminals to send out spam.

Making friends

In a traditional botnet, a network of computers are infected by a virus to allow a hi-tech criminal to use them remotely. Often botnet controllers steal data from victims' PCs or use the machines to send out spam or carry out other attacks.

What makes a socialbot different is that it is able to pass itself off as a real Facebook user.

The software takes over control of a social networking profile and from there performs basic activities such as posting messages and sending requests.

The four researchers from the University of British Columbia in Vancouver, created 102 socialbots for use in their experiment and one 'botmaster' - software that sent commands to the other bots.

The researchers employed their socialbots over a period of eight weeks. In total the bots attempted to make friends with 8,570 Facebook users. 3,055 accepted the friendships.

The researchers found that the more friendships people had on Facebook, the more likely they were to accept the 'fake' friend.

To prevent triggering Facebook's fraud detection software, the fake accounts only sent 25 requests per day.

Phishing

From the profiles of those they befriended and the extended networks of those friends, the researchers claimed to have 'stolen' 46,500 email addresses and 14,500 home addresses.

In their paper, due to be presented at next month's Annual Computer Security Applications Conference in Florida, the researchers wrote: "As socialbots infiltrate a targeted online social network, they can further harvest private users' data such as email addresses, phone numbers, and other personal data that have monetary value."

"To an adversary, such data is valuable and can be used for online profiling and large-scale email spam and phishing campaigns."

Facebook said that the experiment was unrealistic because the IP addresses used came from a trusted university source, whereas the IP addresses used by real-life criminals would raise alarm bells.

It also said that it had disabled more of the fake accounts than the researchers claimed.

"We have numerous systems designed to detect fake accounts and prevent scraping of information. We are constantly updating these systems to improve their effectiveness and address new kinds of attacks," said a spokesperson.

"We use credible research as part of that process. We have serious concerns about the methodology of the research by the University of British Colombia and we will be putting these concerns to them.

"In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behaviour they observe on the site."

Ethical?

The researchers estimated that a real-life malicious attack could have a success rate of 80%.

"Online social network's security defences, such as the Facebook Immune System, are not effective enough in detecting or stopping a large-scale infiltration as it occurs," they concluded.

"We believe that large-scale infiltration in online social networks is only one of many future cyber threats, and defending against such threats is the first step towards maintaining a safer social web for millions of active web users."

Consultant from security firm Sophos Graham Cluley said the research was "interesting"

"Clearly there's a lesson for Facebook users to learn there about the need to carefully vet who you allow to become your Facebook friend, and what information you choose to share online," he said in his blog.

But he questioned how ethical such research was.

"Facebook's security team is unlikely to look kindly on people who conduct experiments such as that done by the university researchers, and users are reminded that under Facebook's terms of service you are not allowed to create fake profiles, should use your real name, and should only collect information from other users with their consent," he said.



Powered By WizardRSS.com | Full Text RSS Feed | Amazon Plugin | Settlement Statement