The proposed extension, called Client IP information in DNS requests, would send along the first three quarters of a user’s IP address along with an DNS request. The last quarter would be cut off to preserve some privacy, but the first part should be enough to geographically target the answer in some cases, Google said in a blog post on Wednesday.

As designed, it would, for example, return the address for Google’s Dutch server, not Google’s California server, to a user in the Netherlands who needs to reach it.

For more on this story, see Google proposes geo-smart Internet speedup on CNET News.

NEC said on Monday that NTT will demonstrate the handset receiving streaming high-resolution video across an LTE network at Mobile World Congress, which kicks off on 15 February in Barcelona. According to NEC, the handset uses an LTE chipset that was developed by Fujitsu, NEC, NTT DoCoMo and Panasonic, and first sampled in October.

LTE, the ‘long-term evolution of 3G’, is the successor to HSDPA and is roughly 10 times faster, providing theoretical downlink speeds of at least 100Mbps and a theoretical uplink of at least 50Mbps. The technology was designed to reduce latency in data transmission and improve the efficiency of frequency usage, making it more suitable than 3G for services such as streaming HD video, video conferencing and online gaming.

The world’s first commercial LTE mobile broadband services went live in Oslo and Stockholm in December through the Scandinavian operator TeliaSonera, which is initially offering LTE access via a mobile dongle.

Huawei announced in December that it had completed its first UK-based LTE trials, held in conjunction with O2, that reached maximum downlink throughput of 150Mbps. The trial took place in the Slough area, where O2′s headquarters are located.

NTT has said it plans to spend between ?300bn-?400bn (?2bn-?3bn) on LTE rollouts over the next five years.

Ever since the beginning of the Chromium project, friends and coworkers have been asking me to add support for user scripts in Google Chrome. I’m happy to report that as of the last Google Chrome release, you can install any user script with a single click. So, now you can use emoticons on blogger. Or, you can browse Google Image Search with a fancy lightbox. In fact, there’s over 40,000 scripts on userscripts.org alone.

Installation is quick and easy, just like installing an extension. That’s because under the covers, the user script is actually converted into an extension. This means that management tasks like disabling and uninstalling work just like they do with extensions.

Note that user scripts are powerful software and have full access to your private data on any web site. So, for example, they could read all your web mail or access your online bank. Be sure to read the comments on any user scripts in order to decide whether you trust the author with this power.

Also keep in mind that some user scripts won’t work in Google Chrome yet, because of differences between it and Firefox. Based on some analysis that the current maintainers of Greasemonkey did, I expect between 15%-25% of scripts to not work in Google Chrome. If you find such a script, you should consider letting the author know. There may be something he or she can do to easily fix the problem. In the meantime, we’ll keep working on bugs on our side to bring our implementation closer to Greasemonkey.

Have fun trying out the thousands of available scripts. And don’t worry – If you get bored, there’s lots more extensions at Google Chrome’s extension gallery.

A new study has revealed – rather reiterated – that internet users nonchalantly continue to set unimaginative, fatuous passwords. The study appraised 28,000 passwords that were recently stolen from a U.S website.

Sixteen percent of the users had set their first name as their password. Around fourteen percent chose easiest to recall key combinations, including “1234” and “12345678”. Other users, who apparently don’t rate their mathematical ability highly, chose to steer clear of numbers and settled for passwords such as “AZERTY” and “QWERTY”.

Five percent of the passwords were found to be inspired by popular things and celebrities, including names of movies, TV shows and actors. The strongest password in this category was found to be “Ironman” as it sounds impenetrable.

Three percent of the people reckon passwords are another medium of expression. How else would you explain passwords like “Iloveyou” and “Ihateyou?”

Alan Bentley, regional VP EMEA of Lumension, said even though there are only two critical patches being issued tomorrow, it could still be a hectic week as the most critical patch this month is the IE bulletin requiring a reboot of all XP and Vista machines in the organisation running IE 7.

Bentley said: “Large-scale reboots of all desktops can lead to disruption and productivity hits if not planned and coordinated appropriately. As organisations are looking at the IE 7 update, they should also look at the recently released critical update for the Firefox browser, more stealthy malware is being introduced to endpoints via browser exploits; therefore, critical browser updates need to be made a higher priority than ever before.”

Regarding the critical patch that will cover the vulnerability in the Exchange mail server software, he claimed that this has proven to be the easiest target for hackers to infiltrate, as if they are able to compromise an organisation’s Exchange Server, then they will be able to intercept every email coming and going, essentially making it open to every corporation across the globe.

Bentley said: “Given the proximity of the Exchange Server to external data entering the network, organisations will want to deploy this update immediately. However, critical email services are often subject to change control processes that could make an urgent deployment a complex matter.

“If this ends up being a web-facing vulnerability, then it will be highly critical to patch as IT professionals constantly have to make sure these types of systems are patched and secure while running efficiently at the same time. Although the Exchange vulnerability is critical, organisations will want to read the details carefully when the full patch comes out to see if there are any mitigating controls.”

He also claimed that organisations should consider the update for the SQL Server as critical, despite it only being named as ‘important’.

Leonard said: “The usual suspects have emerged as expected, with Valentine spam emails and Trojans. The public are becoming more aware of these and it is getting harder to trick people this way. Cybercriminals are also taking their efforts to social networks, given its rising popularity and potential to manipulate the user through ‘friend’ messages.

“Organised criminal units have a long history of timing their attacks to coincide with popular occasions in order to achieve maximum success. Valentine’s Day 2009 is a day that is similarly marked on the criminals’ calendar for targeted attacks.”

Websense has warned of three key signs of fake sites: ‘Broken Hearts’ sites show colourful images such as puppy dogs or a picture of 12 pretty hearts and ask ‘Guess, which one is for you?’. The web page however is one big image and a single click from a tricked user commences the download of Trojans named “onlyyou.exe” or “youandme.exe”, which can connect to remote websites to receive commands and send information about the compromised system.

‘I am your friend’ uses social networking tricks to get users to visit fake sites, with Websense claiming that a popular technique at the moment is spam email pretending to originate from social networking sites – complete with love hearts and cartoon characters. Clicking through to the link would download a Trojan designed to steal log in credentials for banking sites.

Seventy per cent of the top 100 most popular websites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites. Specially created malicious sites are in decline as cybercriminals switch to compromising ‘trusted’ websites. Websense claimed that as there is increased confidence in shopping and researching online – a lot of which happens whilst in the office – people are turning to the internet to order flowers, chocolates and other gifts and cybercriminals are compromising these sites and stealing data.

Leonard said: “The underground economy is positively flourishing as companies fail to keep up with security technology. Criminals are taking advantage of the growing number of Web 2.0 properties, which allows user generated content. More than ever we’re seeing websites injected with links to direct users to malicious and compromised sites.

“Since many email security systems lack web intelligence, spammers have also stepped up email campaigns which contain links to malicious web pages. It’s clear that businesses need security with real-time protection, but until this becomes the norm – cybercriminals will continue stealing data and breaking hearts.”

The website of Russian IT security provider Kaspersky Lab was hit at the weekend by a Romanian ‘white-hat’ hacker.

A group calling itself ‘the Romanian Security Team’ claimed that the hackers achieved full access to the database supporting the websites – which includes customer data – by simply altering a parameter in the URLs. They could also perform SQL injections to remotely introduce harmful code into the database.

The group also claimed to have hit the Portuguese site of US anti-virus provider BitDefender, with the personal details of thousands of users viewed. The hackers said that they alerted the two companies of the security flaw and did not expose any of the data they found.

Kaspersky Lab said in a statement: “On Saturday February 7 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site.

“The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn’t critical and no data was compromised from the site.”

Gunter Ollmann, chief security strategist at IBM’s Internet Security Systems, said: “I hope that Kaspersky administrators fix this vulnerability rather quickly as they no doubt have a large customer base, and it would appear that all those customers are now exposed

“On top of that, this type of critical flaw can probably be used to usurp legitimate purchases and renewals of their products – which could include the linking to malicious and backdoored versions of their software – thereby infecting those very same customers that were seeking protection from malware in the first place.”

It is to provide certification to protect premium digital TV content against piracy with the new CI Plus Common Interface Standard. TC TrustCenter will provide certificate issuance and management services and the necessary registration for all manufacturers of TV devices, digital recorders and conditional access modules that want to license the CI Plus standard.
The CI Plus standard is an enhancement of the existing CI specification that eliminates vulnerabilities in content protection for Pay-TV content.

To ensure optimum security between the CA Module and the digital receiver, the new CI Plus standard uses a collection of established, industry accepted and validated techniques, including key management, device and message authentication and encryption.

The founder members of CI Plus – Sony, SmarDTV, Samsung, Philips and Neotion – have appointed TC TrustCenter to cover everything from vetting to verification of subscription requirements to contract management.

Michelle Lewis, account executive at TC TrustCenter, explained that before, people could hack in and download the films, which leads to piracy and forced the manufacturers to plug the hole and offer security.

Lewis said: “We offer digital certification for authentication and scrambling when they are being downloaded to the set top box or TV set. CI Plus injects the certificates into the TV that are created by TC TrustCenter. This is going to enable more business to be done as the providers want to enable secure downloading for consumer services.”

Mark Londero of CI Plus, said: “We chose TC TrustCenter because they demonstrated excellent technical expertise and an impressive responsiveness in adjusting to and acting on our specific requirements throughout the selection process.”

MessageLabs claims that 6.5 per cent of the spam sent has originated from the Cutwail botnet, with one to two per cent of spam sent from the Xarvester botnet. The company claimed that the most active botnet Mega-D, has not been involved in sending St. Valentine’s related spam so far.

Paul Wood, MessageLabs intelligence analyst at Symantec, said: “With one in every fifteen spam emails being a Valentine’s message from Cutwail, this botnet loves this romantic time of year. Dedicating approximately ninety per cent of its output to Valentine-related spam, Cutwail is generating an estimated seven billion spam emails each day. This is possibly the largest volume of Valentine’s Day spam ever seen.”

Cutwail’s spam campaign consists of very simple email messages with either Valentine-related subject lines such as ‘St. Valentine’s Bonus’ or ‘Make this Valentine’s Day the most memorable ever’. Alternatively messages in the body of a message that contain a link to a .cn website touting male enhancement products have also been seen.

In 2008, Valentine’s spam originated from the infamous Storm botnet and accounted for only two per cent of daily spam levels. Comparable to this year’s approach, Storm Valentines spam pointed to websites for VPXL, a herbal enlargement formula.

One of the chief complaints with Windows Vista is frustration with all the warnings that pop up to notify users that changes are being made to the operating system. With Windows 7, Microsoft has changed the feature so that users see fewer messages by default and also so they have more control in deciding how often they are notified.

The problem, say some, is that by making the prompts less frequent by default, Microsoft is potentially paving the way for malicious software to make changes without the user’s consent.

Unlike with Windows Vista, where users were alerted of all major changes to their system, the default setting in Windows 7 provides users with warnings only when it is a piece of software on its own making the changes.

Blogger Long Zheng has detailed several issues he says are created by that change. Last week, he noted that the changes could allow for malicious code that would turn the prompts off entirely without warning the user.

In recent days, Zheng said he notified Microsoft of a second issue in the Windows 7 beta, which he went public with on Wednesday. The latest issue, he says, could allow a program to elevate its rights to administrator level without properly notifying the user.

Microsoft said that second issue, which would still require malware to make it onto a system, has been fixed in a more recent build of Windows 7 issued internally. That fix is likely to make its way to the public when Microsoft reaches its next public milestone, a so-called “release candidate” build.

As for the broader issue with regards to the User Account Control (UAC) feature, Microsoft says the criticisms don’t take into account real-world behaviour. With Vista, the prompts were seen as so annoying by average users that many were ignoring the warnings or turning them off entirely, said Jon DeVaan, the head of Microsoft’s core operating-system development unit.

“It is pretty clear that we drove… that behaviour,” DeVaan said in an interview on Wednesday.

He likens it to a recent move by his bank to increase its security measures. By making the system harder to use, DeVaan said the main change in behaviour it prompted was for him to consider changing banks.

Although in the abstract it may seem like Microsoft is making the system less secure by default, DeVaan said the company’s real-world testing shows users will pay more attention to the prompts when they see fewer of them.

DeVaan also said the recent wave of criticism ignores the advances Windows 7 has made in reducing the likelihood of malware making it onto the system in the first place. Internet Explorer 8, which is built into Windows 7, offers protection against new types of attacks, such as clickjacking.

“Those are designed to help people know before someone is trying to compromise the system,” DeVaan said. “In the current feedback we are seeing from people, there has not been any addressing of those parts we have improved.”