These are the worst domains for harboring malware

By IDG News Service | PCWorld

Generic top-level domains (gTLDs) that have sprung up in recent years have become a magnet for cybercriminals, to the point where some of them host more malicious domains than legitimate ones.

Spamhaus, an organization that monitors spam, botnet and malware activity on the Internet, has published a list of the world’s top 10 “worst TLDs” on Saturday. What’s interesting is that the list is not based on the overall number of abusive domains hosted under a TLD, but on the TLD’s ratio of abusive domains compared to legitimate ones.

Over the years, lists of spam-friendly top level domains have typically had .com, .net and .org at the top. However, a TLD’s trustworthiness ultimately relies on the ability of the organization that manages it — known as the registry — to police its name space and to enforce rules for its resellers, the registrars.

If, for example, 1 percent of all .com domains were used for malicious activity, one could say that the .com registry, Verisign, is doing a relatively good job at keeping the abuse rate down. The problem is that because the .com TLD is so large, its 1 percent might represent more malicious domains than in a much smaller TLD where the rate of abusive domains is actually 50 percent.

Therefore, comparing good-vs-bad ratios is a better way to determine which registries care more about their TLDs’ reputation, something that ultimately affects their legitimate customers.

“Spam and other types of abuse continue to plague the Internet because bad actors find it very cheap and very easy to obtain thousands of domain names from the Top Level Domain registries and their resellers, the registrars,” Spamhaus said in a blog post. “A few registrars knowingly sell high volumes of domains to professional spammers for profit, or do not do enough to stop or limit spammers’ access to this endless supply of domains. These registrars end up basing their entire business model on network abuse.”

Based on Spamhaus’ data, some of the generic TLDs that have been created in recent years thanks to ICANN’s relaxed policies are not doing enough to stop abuse. This could be either because they’re inexperienced at tackling such issues or because they care more about revenue than a clean Internet.

At this time, Spamhaus’ 10 Worst Top Level Domains list looks like this: .download with 76 percent bad domains; .review with 75.6 percent bad domains; .diet with 74.3 percent bad domains; .click with 72.4 percent; .work with 65 percent; .tokyo with 51 percent; .racing with 50.8 percent; .science with 49.9 percent; .party with 45.3 percent and .uno with 42.5 percent.

Some TLD owners claim that it’s up to resellers to deal with cases of domain misuse and policy violations, but if they don’t force those resellers to take action, nothing will change, Spamhaus said. “A good number of the TLDs succeed in keeping spammers off their domains and work to maintain a positive reputation; this shows that, if they wished to, any TLD registry can ‘keep clean’.”


Microsoft, global law enforcement agencies disrupt Dorkbot botnet

By | Techspot

Microsoft, in cooperation with a number of law enforcement agencies around the world, managed to disrupt a botnet that’s infected over a million PCs across more than 190 countries.

First discovered in April 2011, Dorkbot is an IRC-based botnet that has been commercialized by its creator and is readily available for purchase on underground online forums as NgrBot. The malware relies on USB drives, social networks, IM clients, spam and drive-by downloads for distribution.

It’s most often used to steal login credentials for many of today’s top sites and services including AOL, eBay, Facebook, Gmail, Godaddy, Netflix, PayPal, Steam, Twitter, Yahoo and YouTube.

Over the past six months, Microsoft said it detected Dorkbot on roughly 100,000 systems each month with the majority of infections spotted internationally.

Microsoft said it worked with CERT Polska, ESET, the Canadian Radio-television and Telecommunications Commission, the Department of Homeland Security’s United States Computer Emergency Readiness Team, Europol, the Federal Bureau of Investigation, Interpol and the Royal Canadian Mounted Police to disrupt the botnet.

Details on exactly what actions were taken to disrupt Dorkbot weren’t mentioned.

The US Computer Emergency Readiness Team (CERT) advises those that have been infected to use and maintain anti-virus software, change passwords, keep operating system and application software up-to-date, use anti-malware tools and disable Windows Autorun.

China retains supercomputing crown as U.S. representation lingers near historic lows

A supercomputer developed by China’s National Defense University remains the fastest publicly known computer in the world while the U.S. is close to an historic low in the latest edition of the closely followed Top 500 supercomputer ranking, which was published on Monday.

The Tianhe-2 computer, based at the National Super Computer Center in Guangzhou, has been on the top of the list for more than two years and its maximum achieved performance of 33,863 teraflops per second is almost double that of the U.S. Department of Energy’s Cray Titan supercomputer, which is at Oak Ridge National Laboratory in Tennessee.

The IBM Sequoia computer at Lawrence Livermore National Laboratory in California is the third fastest machine, and fourth on the list is the Fujitsu K computer at Japan’s Advanced Institute for Computational Science. The only new machine to enter the top 10 is the Shaheen II computer of King Abdullah University of Science and Technology in Saudi Arabia, which is ranked seventh.

The Top 500 list, published twice a year to coincide with supercomputer conferences, is closely watched as an indicator of the status of development and investment in high-performance computing around the world. It also provides insights into what technologies are popular among organizations building these machines, but participation is voluntary. It’s quite possible a number of secret supercomputers exist that are not counted in the list.

With 231 machines in the Top 500 list, the U.S. remains the top country in terms of the number of supercomputers, but that’s close to the all-time low of 226 hit in mid-2002. That was right about the time that China began appearing on the list. It rose to claim 76 machines this time last year, but the latest count has China at 37 computers.

While there are few major changes in the top positions in the ranking, the aggregate computing power of the 500 systems continues to advance, but the pace is slowing. The current list represents 361 petaflops per second of performance, up 31 percent on this time last year, but a noticeable slowdown in growth, according to the authors of the study.

The rise of the use of graphics processors, so-called GPU computing, is reflected in the top 10. Two machines used Nvidia K20x processors: the second-ranked Cray Titan and sixth-ranked Cray Piz Daint, which is installed at the Swiss National Supercomputing Centre.

But Intel’s Xeon E5 chip continues to outrank all others. Taken together, three generations of the chip (SandyBridge, IvyBridge and Haswell) are in 80 percent of systems, representing 67 percent of total performance.

The Top 500 list is compiled by supercomputing experts at the University of Mannheim, Germany; the University of Tennessee, Knoxville; and the Department of Energy’s Lawrence Berkeley National Laboratory.

via China retains supercomputing crown as U.S. representation lingers near historic lows | PCWorld.

It’s official: North America out of new IPv4 addresses

Remember how, a decade ago, we told you that the Internet was running out of IPv4 addresses? Well, it took a while, but that day is here now: Asia, Europe, and Latin America have been parceling out scraps for a year or more, and now the ARIN wait list is here for the US, Canada, and numerous North Atlantic and Caribbean islands. Only organizations in Africa can still get IPv4 addresses as needed. The good news is that IPv6 seems to be picking up the slack.

ARIN, the American Registry for Internet Numbers, has now activated its “IPv4 Unmet Requests Policy.” Until now, organizations in the ARIN region were able to get IPv4 addresses as needed, but yesterday, ARIN was no longer in the position to fulfill qualifying requests. As a result, ISPs that come to ARIN for IPv4 address space have three choices: they can take a smaller block (ARIN currently still has a limited supply of blocks of 512 and 256 addresses), they can go on the wait list in the hopes that a block of the desired size will become available at some point in the future, or they can buy addresses, via a transfer, from an organization that has more than it needs.

“If you take a smaller block, you can’t come back for more address space for 90 days,” John Curran, CEO of ARIN, told Ars. “We currently have nearly 500 small blocks remaining, but we handle 300 to 400 requests per month, [so] those remaining small blocks are going to last between two and four weeks.”

Doesn’t this allow for strategic behavior, where each ISP tries to request a block slightly smaller than the requests already on the wait list? “The wait list is a last resort as very little address space is returned to ARIN,” Curran said. “Trying to figure out how to game the wait list is not strategic. Trying to figure out how to use IPv6 for new customers is strategic.”

“ISPs will have to get used to the transfer market. If you need IPv4 addresses, go there,” Curran continued. “But I’m not sure how long a market is going to be around. Seven billion people with smartphones and home connections, a connection at work, then add Google, YouTube, Facebook, Bing… Four billion addresses, even with a perfectly working market, isn’t going to work in the future.”

IPv4 address markets

We spoke to Janine Goodman, vice president of Avenue4, a broker of IPv4 addresses, about what to expect in the short term.

“IPv6 is going to happen, that’s the direction it’s going,” she said. “But it’s going to take a while. Organizations are not ready to turn to IPv6 tomorrow; this will take a few years. A transfer market allows for the transition from IPv4 to IPv6 in a responsible way, not a panicked way.”

“The price for blocks of IPv4 addresses of 65,536 addresses (a /16) or smaller is about $7 to $8 per address in the ARIN region. In other regions, which have fewer addresses out there, the price tends to be a little higher,” Goodman said. “We expect the IPv4 market to be around for at least three to five years. During that time, the price per address will likely go up and then finally come back down as IPv6 is being widely deployed.”

Goodman stressed that buyers of addresses should make sure they are “clean” and have a known history. There have been reports of address sales where the addresses turned out to be in ongoing use after completion of the transaction.

ARIN CEO Curran also suggested that buyers do their due diligence. “With a car, the car and the registration are two different things. Not so with IP addresses: the registration in the whois database is the only thing,” he said. However, ARIN will only modify its whois records if the buyer of the addresses has a documented need for the amount of address space in question. As such, prospective buyers can pre-qualify with ARIN and then go out and buy the address space that covers their documented needs for the next two years, or they can find a seller of address space first and then come to ARIN to make sure they qualify.

Read More It’s official: North America out of new IPv4 addresses | Ars Technica.

Even with a VPN, open Wi-Fi exposes users


Larry Seltzer is the former editorial director of BYTE, Dark Reading, and Network Computing at UBM Tech and has spent over a decade consulting and writing on technology subjects, primarily in the area of security. Larry began his career as a Software Engineer at the now-defunct Desktop Software Corporation in Princeton, New Jersey, on the team that wrote the NPL 4GL query language.

By now, any sentient IT person knows the perils of open Wi-Fi. Those free connections in cafes and hotels don’t encrypt network traffic, so others on the network can read your traffic and possibly hijack your sessions. But one of the main solutions to this problem has a hole in it that isn’t widely appreciated.

Large sites like Twitter and Google have adopted SSL broadly in order to protect users on such networks. But for broader protection, many people use a virtual private network (VPN). Most people, if they use a VPN at all, use a corporate one. But there are public services as well, such as F-Secure’s Freedome and Privax’s HideMyAss. Your device connects with the VPN service’s servers and establishes an encrypted tunnel for all your Internet traffic from the device to their servers. The service then proxies all your traffic to and from its destination.

It’s a better solution than relying on SSL from websites for a number of reasons: with a VPN, all of the traffic from your device is encrypted, whether the site you are visiting has SSL or not. Even if the Wi-Fi access point to which you are connected is malicious, it can’t see the traffic. Any party that is in a position to monitor your traffic can’t even see the addresses and URLs of the sites with which you are communicating, something they can do with SSL over open Wi-Fi.

But there is a hole in this protection, and it happens at connect time. The VPN cannot connect until you connect to the Internet, but the VPN connection is not instantaneous. In many, perhaps most public Wi-Fi sites, your Wi-Fi hardware may connect automatically to the network, but you must open a browser to a “captive portal,” which comes from the local router, and attempt to gain access to the Internet beyond. You may have to manually accept a TOS (Terms of Service) agreement first.

In this period before your VPN takes over, what might be exposed depends on what software you run. Do you use a POP3 or IMAP e-mail client? If it checks mail automatically, that traffic is out in the clear for all to see, including potentially the login credentials. Other programs, such as instant messaging clients, may try to log on.

I tested this scenario at a Starbucks with Google Wi-Fi while running Wireshark. Thousands of packets went back and forth on the open network before the VPN attempted to connect. A quick scan of the list found nothing that looked dangerous, and in fact the software on my system used TLS 1.2 in almost all cases, which was quite a relief. But your configuration may be different from mine, and even if your software attempts to use HTTPS, it could be vulnerable to attacks like SSLStrip, which tricks the software into using open HTTP anyway.

This gap in coverage may only be a matter of seconds, but that’s enough to expose valuable information like logon credentials. Try running a network monitoring tool like Microsoft’s TCPView for Windows or Little Snitch for Mac before you establish your Internet connection and see what happens in those first few seconds. The information may be protected by encryption, but it can carry details about your system configuration that could be used to identify it—or provide clues for an attacker.
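The check the article suggests (watch what connects before the tunnel is up) can be automated over an exported connection list. The following is an added Python example, not code from the article or from any of the tools named in it: it parses a constructed TCPView-style log of outbound connections, keeps only those logged before the moment the VPN came up, and labels each by whether its destination port is a cleartext protocol, a TLS-from-the-first-byte protocol, or unknown. The log format, the timestamps, the addresses and the port tables are all assumptions made for this example.

```python
import re

# Ports whose default protocol carries credentials or content in the clear
# (DNS is included because the queries reveal which hosts you talk to).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 53: "dns",
                   80: "http", 110: "pop3", 143: "imap"}
# Ports that normally run TLS from the first byte; the content is protected,
# but the destination address is still visible to anyone on the open Wi-Fi.
TLS_PORTS = {443: "https", 465: "smtps", 993: "imaps", 995: "pop3s"}

# Constructed log line shape: "HH:MM:SS.mmm PROTO src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line):
    """Parse one constructed log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "proto": m["proto"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def pre_vpn_exposure(lines, vpn_up_ts):
    """Classify every connection logged strictly before vpn_up_ts.

    Fixed-width HH:MM:SS.mmm timestamps compare correctly as strings, so no
    datetime parsing is needed. Returns a list of dicts with keys
    ts, dst, dport, service and risk."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] >= vpn_up_ts:
            continue
        port = rec["dport"]
        if port in CLEARTEXT_PORTS:
            risk, service = "cleartext", CLEARTEXT_PORTS[port]
        elif port in TLS_PORTS:
            risk, service = "encrypted (destination still visible)", TLS_PORTS[port]
        else:
            risk, service = "unknown", f"port {port}"
        findings.append({"ts": rec["ts"], "dst": rec["dst"], "dport": port,
                         "service": service, "risk": risk})
    return findings


def cleartext_findings(lines, vpn_up_ts):
    """Only the connections that would expose content or credentials."""
    return [f for f in pre_vpn_exposure(lines, vpn_up_ts) if f["risk"] == "cleartext"]


# Constructed sample: a mail client polling POP3, a browser hitting HTTPS,
# a DNS lookup and an IM login, all before the tunnel comes up at 08:15:07,
# plus one connection after it and one non-matching line.
SAMPLE_LOG = [
    "08:15:02.114 TCP 10.0.0.5:51002 -> 203.0.113.10:110",
    "08:15:02.380 TCP 10.0.0.5:51003 -> 203.0.113.20:443",
    "08:15:03.002 UDP 10.0.0.5:51004 -> 192.0.2.1:53",
    "08:15:04.250 TCP 10.0.0.5:51005 -> 203.0.113.30:5222",
    "captive portal redirect accepted",
    "08:15:09.000 TCP 10.0.0.5:51006 -> 198.51.100.7:110",
]
VPN_UP = "08:15:07.000"

if __name__ == "__main__":
    for f in pre_vpn_exposure(SAMPLE_LOG, VPN_UP):
        print(f"{f['ts']} {f['dst']}:{f['dport']:<5} {f['service']:<8} {f['risk']}")
```

On the constructed log, four connections precede the tunnel and two of them (POP3 and DNS) are cleartext; the POP3 connection at 08:15:09 is ignored because it happened after the VPN came up. Anything in the "cleartext" bucket is a client to reconfigure (TLS on, or auto-check off until the tunnel is up).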

Read More: Even with a VPN, open Wi-Fi exposes users | Ars Technica.

Let the snooping resume: Senate revives Patriot surveillance measures


The Senate on Tuesday revived three surveillance provisions of the Patriot Act that had expired early Monday because of Senate discord.

The legislation, the USA Freedom Act, was approved two weeks ago in the House. President Barack Obama was to sign the Senate-House package today.

One Patriot Act provision renewed under the bill was a variation of the phone-records spy program that National Security Agency whistleblower Edward Snowden disclosed in 2013.

Here is a look at the three renewed provisions:

The “business records” section enabled the NSA’s bulk telephone metadata program. It grants the government powers to seize most any record, even banking and phone records, by getting a warrant from the Foreign Intelligence Surveillance Act (FISA) Court. The nation’s spies must assert that the records are “relevant” to a terrorism investigation to get the warrant from the secret court.

Under the new legislation, however, the bulk phone metadata stays with the telecoms and is removed from the hands of the NSA. It can still be accessed with the FISA Court’s blessing as long as the government asserts that it has a reasonable suspicion that the phone data of a target is relevant to a terror investigation and that at least one party to the call is overseas. As we’ve repeatedly stated, the Constitution’s Fourth Amendment standard of probable cause does not apply. The metadata includes phone numbers of all parties in a call, numbers of calling cards, time and length of calls, and the international mobile subscriber identity (IMSI) of mobile calls.

The second provision revived Tuesday concerns roving wiretaps. Spies may tap a terror suspect’s communications without getting a renewed FISA Court warrant, even as a suspect jumps from one device to the next. The FISA Court need not be told who is being targeted when issuing a warrant.

The third spy tool renewed is called “lone wolf” in spy jargon. It allows for roving wiretaps. However, the target of wiretaps does not have to be linked to a foreign power or terrorism.

The bill also allows a public advocate for the first time inside the FISA Court to represent the public.

via Let the snooping resume: Senate revives Patriot surveillance measures | Ars Technica.

HTTPS-crippling attack threatens tens of thousands of Web and mail servers

Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.

The vulnerability affects an estimated 8.4 percent of the top one million websites and a slightly bigger percentage of mail servers populating the IPv4 address space, the researchers said. The threat stems from a flaw in the transport layer security protocol that websites and mail servers use to establish encrypted connections with end users. The new attack, which its creators have dubbed Logjam, can be exploited against a subset of servers that support the widely used Diffie-Hellman key exchange, which allows two parties that have never met before to negotiate a secret key even though they’re communicating over an unsecured, public channel.

The weakness is the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad. The regime was established by the Clinton administration so the FBI and other agencies could break the encryption used by foreign entities. Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties.
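From the defender's side the relevant question is whether a server (or a client) still offers export-grade suites or finite-field Diffie-Hellman with small parameters. The following added Python example, written for this page rather than taken from the Logjam researchers, shows a cipher-list audit over constructed OpenSSL- and IANA-style suite names, plus a client `ssl.SSLContext` whose cipher string excludes export suites; the 2048-bit floor is the general post-Logjam recommendation and the sample names are constructed.

```python
import ssl


def is_export(name: str) -> bool:
    """True for export-grade suites in OpenSSL ('EXP-...', 'EXP1024-...')
    or IANA ('TLS_..._EXPORT_...') naming."""
    n = name.upper()
    return n.startswith("EXP") or "-EXP" in n or "_EXPORT" in n


def is_ffdhe(name: str) -> bool:
    """True for suites using finite-field ephemeral DH (DHE/EDH/ADH or IANA
    _DH_); elliptic-curve ECDHE is not affected by DH parameter size."""
    n = name.upper()
    if "ECDH" in n:
        return False
    return any(tok in n for tok in ("DHE", "EDH", "ADH", "_DH_"))


def audit_cipher_names(names, dh_param_bits, min_dh_bits=2048):
    """Return a list of human-readable findings for a configured suite list
    and the size in bits of the server's DH parameters.

    Two things are flagged: any export-grade suite (the downgrade target), and
    finite-field DHE enabled with parameters below min_dh_bits."""
    findings = []
    for name in names:
        if is_export(name):
            findings.append(f"export-grade suite enabled: {name}")
    if any(is_ffdhe(n) for n in names) and dh_param_bits < min_dh_bits:
        findings.append(
            f"DHE enabled with {dh_param_bits}-bit parameters (< {min_dh_bits})")
    return findings


def hardened_client_context():
    """Client context that refuses export suites and pre-TLS-1.2 versions.
    Unknown cipher-string keywords are ignored by OpenSSL, so '!EXPORT' is
    harmless on builds that no longer ship export suites at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!EXPORT")
    return ctx


def enabled_cipher_names(ctx):
    """Names of the suites the context will actually offer."""
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed examples of a weak and a hardened server cipher list.
WEAK_LIST = ["EXP-EDH-RSA-DES-CBC-SHA", "DHE-RSA-AES128-SHA",
             "ECDHE-RSA-AES128-GCM-SHA256"]
GOOD_LIST = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384"]

if __name__ == "__main__":
    print("weak server, 512-bit DH:", audit_cipher_names(WEAK_LIST, 512))
    print("good server, 2048-bit DH:", audit_cipher_names(GOOD_LIST, 2048))
    print("local client offers:", enabled_cipher_names(hardened_client_context()))
```

The audit separates the two halves of the problem the article describes: the export suite is what an on-path attacker downgrades to, and the small DH group is what makes the precomputation pay off. Removing the export suites closes the downgrade; moving finite-field DHE to 2048-bit parameters (or preferring ECDHE) addresses the precomputation.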

“Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,” J. Alex Halderman, one of the scientists behind the research, wrote in an e-mail to Ars. “That’s exactly what the US did in the 1990s with crypto export restrictions, and today that backdoor is wide open, threatening the security of a large part of the Web.”

Read More: HTTPS-crippling attack threatens tens of thousands of Web and mail servers | Ars Technica.

Super-fast Wi-Fi is coming to a public hotspot near you

Wireless hotspots that can deliver hundreds of megabits per second in real-world bandwidth will become more common as operators increase their investments in Wi-Fi networks.

Not much has been announced, but a range of fixed, cable and mobile operators have already started or are planning upgrades to 802.11ac, the fastest Wi-Fi technology yet, according to market research company IHS. By this time next year a noticeable number of hotspots will use it, said research director Richard Webb, who is currently conducting a survey to pinpoint operator plans. Overall operator spending on Wi-Fi networks in 2015 is expected to increase by 88 percent year-on-year.

Networks based on 802.11ac are faster thanks to features such as MIMO (multiple-input multiple-output) and beamforming. The former uses multiple antennas at the same time to increase data speeds, while beamforming aims the signal at the user to improve performance.

British Telecom and Boingo Wireless have already started to upgrade. There is a drive towards 802.11ac as public venues upgrade and get more serious about the role of Wi-Fi in their networks, according to Boingo. It has upgraded hotspots at airports, while BT has focused on hotels. For example, London hotels Every Piccadilly and Amba Charing Cross offer expected speeds of 196Mbps and 175Mbps using BT technology, according to Hotelwifitest.com.

The actual speeds that users get depend on a number of factors, including distance to the access point, the number of users on the network, and the number of antennas in their smartphone, tablet or laptop.

Read More: Super-fast Wi-Fi is coming to a public hotspot near you | PCWorld.

HBO to VPN HBO Now Users: Prove You Live in U.S. or We Will Terminate You

For many customers, HBO refuses to offer any legal option to access its content, while pushing harsh penalties for those who steal it

Time Warner Inc.’s (TWX) network cash cow HBO (Home Box Office) has convinced some to “cut the cable” (cable TV cable that is… you need internet still) by signing up for HBO Now — a $15 USD/month subscription service. The service gives you access to all the most coveted content at cable television’s oldest network. That includes the most pirated show on the internet — Game of Thrones.

I. Of Streaming and VPNs

After its March 9 unveil at Apple, Inc.’s (AAPL) Apple Watch launch event, HBO Now went live on April 7 — just in time for the Sunday, April 12 premiere of Game of Thrones. So just how many people signed up for the service? It’s hard to say, but it’s likely no more than a couple million initially, given that most users will need an Apple device to access it and only so many own a compatible device.

If you don’t own an Apple device, the only way you’re going to get access is if Cablevision Systems Corp. (CVC) happens to provide services in your area. Cablevision is the first cable internet provider to bite on Time Warner’s offer in that space. It allows its cable internet users to directly subscribe to HBO Now on set-top boxes, without a cable TV package. When you consider Cablevision only has a couple million internet customers, though, it’s clear access is still pretty limited.


Now there’s yet another hoop you have to jump through — U.S. residency. HBO Now is currently a U.S. only service. Outside the U.S. it would be an attractive option, given that even as close as Canada there’s regions that don’t have a cable provider offering HBO. Overseas — in Europe, for example — HBO access is even harder to come by.

But like most streaming services including Netflix Inc. (NFLX) and Amazon.com, Inc. (AMZN), international use is verboten. To be fair, this prohibition isn’t entirely Netflix, Amazon, or even HBO’s fault. Some of it comes down to local copyright licensing deals. Locally, different companies may license certain content that is licensed by these popular streaming services in the U.S. To allow free international access to the U.S. subscription service would seem to amount to breaching those local licensing deals. So it’s not allowed.

No problem right?

Read more: DailyTech – HBO to VPN HBO Now Users: Prove You Live in U.S. or We Will Terminate You.

Google launches Project Fi wireless service

If you’re an Android user, Google likely already manages your day: your email, your contacts, stories that are relevant to you, and even your fitness goals. Well, now it can be your wireless carrier, too (provided you use a Nexus 6).

After months of rumors, Google’s Project Fi is finally live. The search giant promises “fast speed in more places and better connections to Wi-Fi” by teaming up with Sprint and T-Mobile to offer a wide swath of Wi-Fi and 4G LTE coverage. You can use Google’s handy search widget to see if the service is available in your area.

Basic plans cost $20 for unlimited calls and texts, plus $10 per GB for data. You have to specify how much data you want ahead of time (so, 4GB a month will cost you a total of $60), but Google has a twist: they’ll credit your bill for your unused data. There are no family plans available.

A phone with Project Fi will automatically connect to public, open Wi-Fi networks to make calls and transmit data. Google maintains a list of hotspots with robust and reliable connections. To secure your data, all transmissions over public Wi-Fi hotspots are encrypted.

Project Fi appears intended primarily for mobile coverage throughout the U.S., though there are international rates if you’re traveling overseas. These mirror T-Mobile’s offerings on post-paid plans: In 120 countries, you get free data (capped at 256kbps) and texts, while calls cost 20 cents a minute. There are also special rates for calling other countries from the US, which should bode well for those with family members spread throughout the world.

Read More: Google launches Project Fi wireless service.