Paul Roberts

Google Bans GPS Spy App, Developer Cries Foul

Malware may be difficult to define but, as former U.S. Supreme Court Justice Potter Stewart famously quipped about pornography, “you know it when you see it.” At least that’s the position being taken by Google and anti-malware firms about two applications designed for mobile phones running Google’s Android operating system. Now the developer is crying foul.

U.S. Government Publishes List of Top IT Projects

Security and data integration projects top list of top .GOV IT projects

Stovepipe busting and data sharing are common themes as Uncle Sam details the top IT projects.

The White House’s Office of Management and Budget (OMB) on Monday released its list of the top 26 government IT projects, as part of an Obama Administration effort to reform the way the Federal Government manages IT projects, with a focus on bursting silos that prevent agencies and personnel from sharing valuable data. The top projects, totalling $29.3 billion, stretch across almost all the major government departments, many seeking to tie together disparate government agencies or stovepiped stores of government information. IT and Homeland security projects figure prominently on the list, as well, including efforts to revive now notorious boondoggles like the FBI’s Sentinel data project, and a $473 million request for a Homeland Security Information Network (HSIN) project.

The announcement on Monday was part of a larger Obama Administration effort to improve the efficacy of government-funded IT projects, with a goal of faster implementations and fewer cost overruns for a federal bureaucracy that is infamous for allowing IT projects to run amok. In a memo dated July 28, Federal CIO Vivek Kundra said that each agency would be asked to identify high-risk IT projects, create a risk profile for them and develop improvement plans for the projects. The projects and improvement plans will ultimately be reviewed by Kundra in so-called “TechStat Accountability Sessions” in the fourth quarter, 2010. The outcome of those sessions will determine budget requests for FY 2012 and on further allocations in FY 2011, according to an OMB memo.
Physical and IT security related projects are top priorities, ranging from the Department of Interior’s $122.8 million request for IMARS – the Incident Management Analysis and Reporting System to allow data sharing and analysis, to the FBI’s $3.4 billion request for a Next Generation Identification (NGI), an effort to improve the FBI’s automated fingerprint identification system to reduce print match times from hours to minutes for criminal checks.

But the list also breathes new life into some moribund government IT projects, notably: the FBI’s Sentinel Web based case management project – now estimated to cost Uncle Sam more than $550 million. Sentinel, originally awarded to Defense giant Lockheed Martin, is described as a “Web-based case management system” for the FBI to manage both case information and other, non-case related data using elements of both document management and search to improve disjointed and outdated investigation tools at the FBI. The project has already consumed some $375 million since its inception in 2004 and is projected to cost more than $550 million by the time it is completed in 2016.

In recent months, the FBI announced that it would delay the Sentinel Project and try to shift work on the project to internal IT staff rather than Lockheed Martin contractors. A critical report from the Justice Department’s Inspector General noted that the project was apparently without a clear focus or completion date, despite four years and more than $300 million in taxpayer dollars spent. Estimates at that time put the total cost of the project at $450 million and the completion date in 2011, but the latest report from OMB ups the price tag by another $100 million, while pushing the completion date out a full five years. That doesn’t bode well for the Obama Administration’s efforts to rein in the cost of IT projects, said David Williams of the non-profit group Citizens Against Government Waste.
“What happens is that contracting companies look at government contracts as cash cows, and there’s no history of putting contractors’ feet to the fire,” he said. Williams said that having a list of priorities is a fine idea – but won’t bring about much change without more accountability. “It’s important to prioritize, but it’s also important to have links to results,” Williams said.

Williams said that the U.S. government would do well to harness the energies of the private sector to get important IT projects completed – following the model of NASA with its X prize. “Instead of doing it in house, just say ‘here’s what we want to accomplish. Come up with the design, and we’ll award you the contract.’” The private sector has already proven much more adept at designing inexpensive and user friendly equivalents of many of the most notorious IT boondoggles on the federal government’s roster, said Williams. That could include the Sentinel case management system, or the Department of Transportation’s En Route Automation Modernization (ERAM) program to replace aged air traffic control systems used by the FAA — a 10 year old project that has already cost $2 billion and is now estimated to require another 10 years and $1 billion to complete.

“The frustration is that we live in such a fast paced, technological world,” said Williams. “We need to bring technology into this and unleash the private sector.”


They’re the dusty corners of the Web: so-called “parked” domains. But these little-trafficked sites are attracting the attention of security experts, who say that it’s time for hosting firms and others that profit from them to clean up malware infections that may be exposing millions of Web users to attacks.

Web hosting firm NetworkSolutions confirmed on Monday that it had unwittingly served up a malicious Web site widget on customers’ inactive or “parked” Web domains, but the company said that it still didn’t know how many domains had been infected. In a blog post (http://blog.networksolutions.com/2010/security-alert-malware-found-on-widget/), the Herndon, Virginia Web site hosting firm acknowledged published reports (http://threatpost.com/en_us/blogs/network-solutions-hacked-widget-081610) on Monday that it allowed a third party widget that was part of a widely installed Web site package to be compromised. A company spokeswoman declined to put a number to how many Web sites may have been serving malicious content. Security experts have estimated that anywhere between 500,000 and five million Web sites may have hosted the malicious widget at one time.

The mass infections first came to light after researchers at Web security firm Armorize Technologies analyzed a third party widget (http://blog.armorize.com/2010/08/more-than-500000-network-solutions.html) dubbed the Small Business Success Index that was offered by Network Solutions. Researchers realized that the widget, in addition to being downloadable from Network Solutions, was distributed with a standard package of Web pages that Network Solutions offered to customers who wished to “park” Web domains they had registered using a basic place holder Web site – greatly increasing its prevalence. The Armorize analysis revealed that the widget was similar to one that they had first spotted in May on the Web site of boingboing.com, a high traffic parked domain that is hosted on Network Solutions and that benefits from its similarity to the popular boingboing.net Web site (http://blog.armorize.com/2010/05/beware-of-boingboingcom-malware.html).
The malicious widget targets visitors with vulnerable installations of the Internet Explorer Web browser, serving malicious links that exploit known vulnerabilities in IE as well as Adobe’s Acrobat and Reader applications. Once it has compromised user systems, the browsers push remote monitoring software, dubbed lsass.exe, to the infected systems. That software monitors user browsing activity, looking for certain search keywords and redirecting users to pay per click advertising sites. It also looks for file shares and peer to peer networking software, copying and renaming the malicious program to those directories to spread, said Caleb Sima, CEO of Armorize.

It is not known how long the malicious widget has been part of the default domain package, but infections linked to Network Solutions domains can be traced back to January, 2010 when the company reported large scale compromises and defacement of Websites hosted on Network Solutions Unix servers (http://blog.networksolutions.com/2010/update-web-site-defacement-issue). Sima said his researchers identified accounts on free Web site traffic monitoring sites that were linked to the malicious software programs and that date to early February, 2010. That date coincides with the earlier compromises at Network Solutions, he said. “If you look at the number of page views, it matches up with the Wordpress infections.” That implies that the malicious widget could have been active for the last year without being noticed. “This (widget) is using the same code base and is from the same attackers,” Sima said.

He said the exact number of infected sites isn’t known, but believes it is in the neighborhood of 5 million sites, based on Web searches targeted at code used by the malicious widget. Wade of Network Solutions disputes that number and says the actual number of infected sites is “much lower,” but acknowledged that the company doesn’t have a firm number, and is unlikely to make public a number when it does know.
Network Solutions has disabled the offending code, she said, adding that since the affected domains were not actively managed, the impact on customers will be minimal. Sima, whose company offers a service dubbed “HackAlert” that monitors Web sites for infections, said the exploit points to a glaring hole in the protections that both companies and third party providers such as Network Solutions rely on. Web-based malware can be updated and modified on the fly. Only half of the anti-malware engines that Armorize ran against the malware served by the infected Network Solutions sites identified it as malicious. Moreover, companies lack the ability to spot malicious links into or out of sites that they manage.

By most measures, Google’s Android operating system for mobile devices has been a raging success. Since it was introduced in late 2007, Android has climbed (quickly), replacing Research in Motion’s Blackberry as the top-ranked mobile phone operating system in the U.S. when measured by market share.