Friday, January 31, 2014

We're used to it: the good and the bad of technology...??? (ZDNet)

Wednesday, January 29, 2014

Temperatures drop and gas prices rise in the frozen Northeast... (BusinessWeek)

As temperatures plunge anew into single digits across much of the U.S. Northeast, natural gas prices have been going in the opposite direction. On Jan. 22, thermostats in New York City bottomed out at 7 degrees, a day after the price to deliver natural gas into the city spiked to a record $120 per million British Thermal Units in the spot market on the outskirts of town. That’s about 30 times more expensive than what the equivalent amount of gas cost a hundred miles away in Pennsylvania’s Marcellus Shale, the biggest natural gas field in the U.S. and home to some of the lowest gas prices in the world. And you thought this was the age of cheap energy.
Most of the natural gas that gets used in the U.S. is contracted on a long-term basis and bought with futures and forward contracts, meaning that many consumers in the Northeast won’t feel the full brunt of that price spike. They’re not entirely insulated though. The spot market is there for a reason. Essentially, it’s a refuge for the desperate and unprepared—for those who need to buy or sell immediately. And when a natural gas-fired power plant or a big utility finds itself short, having underestimated the amount of demand it has to fill, its traders and schedulers have to jump into the spot market and pay whatever the going price is. For those buying in parts of the Northeast, it’s been reaching new highs.
While the price utilities pay to deliver natural gas to New York City and New Jersey has been somewhat below $6 for most of the year, it recently spiked to $120.
Data: Bloomberg
“I’ve never seen anything like this,” says John Scarlata, vice president of gas supply at PSEG Power, a subsidiary of the New Jersey-based Public Service Enterprise Group (PEG). PSEG Power started running low on the feedstock it needs to run the handful of natural gas-fired power plants it operates in New Jersey. “For those units, we have been buying some of the higher-cost gas,” says Scarlata. “The prices are just unbelievable.”
That means that on the other side of the trade, lots of money is being made. “Traders with gas to sell are making a killing, and the utilities they’re selling to are getting destroyed,” says Adam Hoffman, a natural gas trader and the managing member of the Mada Group, an energy trading firm in Houston. Hoffman says traders and schedulers who buy for utilities and power plants enter the spot market at a significant disadvantage during times like these because they have to buy, no matter the price. The alternative is to run out of gas, leaving customers unable to heat their homes or turn on the lights.
“Given their obligations, prices absolutely could’ve been higher,” says Hoffman. The sticker shock may have been particularly acute for some traders because natural gas prices have been so low for the last few years. They’re simply not used to trading a product with any sort of volatility. But all it took was for one utility to show what it was willing to pay for prices to take off. “Once one of these guys showed his hand, then the real traders figured it out,” says Hoffman.
At the heart of this trading floor fist fight is a crucial pipeline bottleneck that’s keeping consumers in the Northeast from sharing in the full benefits of cheap, abundant supplies of natural gas just a few hundred miles away. There simply are not enough pipelines connecting supply to demand. And even though the wells in Pennsylvania are practically in the backyard of major cities in the Northeast and mid-Atlantic, pipeline companies are still working to connect the last few miles. Those are the most crucial miles—and explain why, in many cases, it’s cheaper to bring natural gas all the way from Texas or the Gulf Coast to the Northeast.
In November a new pipeline started bringing cheap natural gas from the Marcellus into Manhattan. That hasn’t lowered prices as much as a lot of people anticipated. “Every one of us who supposedly knows what we’re doing predicted [prices in the Northeast] would crumble,” says PSEG’s Scarlata. They haven’t. Despite an additional year of increased natural gas production in the U.S., the problem has gotten worse. As natural gas production has risen, the share of power generated from it has nearly doubled over the past decade. Yet the capacity to push it into big demand centers remains constrained.

Friday, January 24, 2014

Security: The credit card security problem bites and spreads (ZDNet)

Neiman Marcus: 1.1 million cards compromised
Summary: The retailer, however, said it has no knowledge of any connection between its data breach and the one disclosed by Target.
Upscale retailer Neiman Marcus confirmed that it was a victim of a data breach and that 1.1 million customer payment cards were scraped for data.
In a notice on its Web site, Neiman Marcus said that malware was installed on its systems and attempted to collect payment card data from July 16 to Oct. 30.
The news comes as payment systems are being examined for security at major retailers. First, Target came out with disclosures that as many as 110 million accounts may have been breached. Then Neiman Marcus surfaced as a victim in subsequent reports. Other retailers are also likely to come forward.
However, Neiman Marcus said it has no knowledge of any connection to the Target security issues. Neiman Marcus said it was informed by its merchant processor in mid-December about a potential breach.
Add it up: 1,100,000 customer cards were visible to the malware. Visa, MasterCard and Discover have told the retailer that 2,400 unique payment cards have been used fraudulently so far.
The good news for Neiman Marcus customers is that, so far, Social Security numbers and birth dates weren't compromised, store-issued cards haven't been breached, and online shoppers aren't affected.

Thursday, January 23, 2014

The Pentagon saves BlackBerry from disappearing... (BusinessWeek)


The Pentagon Just Saved BlackBerry From Total Oblivion

For a while there, it looked as if BlackBerry’s (BBRY) market value was going to be eclipsed by ’90s-era R&B outfit Blackstreet. But on Tuesday, the Canadian company was extended a lifeline from U.S. taxpayers. The U.S. Department of Defense is about to roll out a fancy new wireless network, and the primary devices it wants to use on it are BlackBerry handsets. The Pentagon plans to purchase upwards of 80,000 BlackBerrys, helping send the company’s stock sky high: it’s close to $11 a share right now, up from $5.75 six weeks ago.
The Defense Department isn’t picking BlackBerry just to be contrarian; concerns about data security remain at least as high as ever, and BlackBerry is further along than such competitors as Samsung (005930:KS) and Apple (AAPL) when it comes to matching the requirements set by the Pentagon.
The move also validates BlackBerry Chief Executive Officer John Chen’s strategy of returning the company to its enterprise roots. BlackBerry began with a revolutionary product that took hold in large businesses and institutions until the rise of the iPhone pushed BlackBerry to focus on consumers. That was the worst idea ever, and now the company is trying to return to what it knows best.
Maybe BlackBerry should take this to its logical conclusion. Apple and Samsung are making big inroads in private industry, a market BlackBerry used to rule. Making up the lost ground there is probably too hard (particularly with employees telling IT departments what they want to use, not the other way around). But this defense contract raises the possibility that, just maybe, BlackBerry’s future is best secured as a defense contractor, or as part of one. Providing wireless communications to the armed services and other government agencies? That’s worked out all right for General Dynamics (GD), SAIC (SAIC), and L-3 Communications (LLL). It’s a lot better than some of BlackBerry’s other options.
Grobart is a senior writer for Bloomberg Businessweek. Follow him on Twitter @samgrobart.

Wednesday, January 22, 2014

A refrigerator generating spam emails? (Tech-Republic)

Security firm Proofpoint believes they've detected a spam-sending botnet that includes internet-connected televisions and a refrigerator. 
By Michael Kassner in IT Security, January 21, 2014, 9:44 AM PST
"Proofpoint Uncovers Internet of Things (IoT) Cyberattack"
That was the headline on this January 16th press release issued by Proofpoint, Inc. The press release went on to explain how Proofpoint researchers were analyzing a botnet-based spam campaign. Nothing unusual there, botnets composed of exploited computers and servers spew forth billions of spam emails on a regular basis.
Except these were not computers, they were "things".
In an interesting juxtaposition, a day before the Proofpoint press release, SANS Institute ran a webcast titled: SANS Survey on Securing the Internet of Things. Along with the webcast, the SANS Institute included a comprehensive report sharing the concerns of the survey participants. (My thanks to SANS Institute and John Pescatore, author of the report, for allowing my use of material from the report.)

What is the "Internet of Things"?

Before getting to the survey results, the paper attempted to eliminate confusion. It seems "Internet of Things" is not a universally accepted term. The National Security Telecommunications Advisory Committee likes "Industrial Internet," whereas the National Institute of Standards and Technology prefers "Cyber-Physical Systems."
The SANS paper also mentions many vendors are going with the "Internet of Everything." SANS Institute, in deference to simplicity, sided with the "Internet of Things" (IoT), and offered the following list as possible "Things":
  • PCs, servers, routers, switches and other such devices bought as Information Technology (IT) devices by enterprise IT people, primarily using wired connectivity
  • Medical machinery, SCADA, process control, kiosks and similar technologies bought as appliances by enterprise Operational Technology (OT) people primarily using wired connectivity
  • Smartphones and tablets bought as IT devices by consumers (employees) exclusively using wireless connectivity, and often multiple forms of wireless connectivity
  • Single-purpose devices bought by both consumers, IT and OT people exclusively using wireless connectivity, generally of a single form
It is almost as if the SANS Institute is agreeing with vendors. Their list appears to include "everything." It's the last bullet that we're concerned about today—single-purpose devices.

Your refrigerator might be sending spam

Between December 23, 2013 and January 6, 2014 Proofpoint researchers detected a botnet that was aggressively mailing malicious spam three times each day. Proofpoint believes the 450,000 IP-address strong spam botnet included over 100,000 IoT devices:
"A more detailed examination suggested that while the majority of mail was initiated by "expected" IoT devices such as compromised home-networking devices (routers, NAS), there was a significant percentage of attack mail coming from other non-traditional sources, such as connected multi-media centers, televisions and at least one refrigerator."
The press release and Proofpoint's accompanying blog post did not provide much in the way of proof (more on this later), only mentioning that attackers compromised the IoT devices by leveraging misconfigured firmware and default passwords.
The SANS Institute survey did not directly refer to IoT botnets, but survey participants were asked: Where do you consider the greatest risk to be in "Things" connecting to your network and the Internet?
The top two concerns were Internet connection and command and control; two requirements for creating a botnet.

Computers are still easier targets

Why waste that much effort to use IoT devices for spam botnets, when there are millions of vulnerable computers just sitting there for the taking? Perhaps this event was just a "proof of concept" exploration or maybe a dare amongst the bad guys.
Dan Goodin took exception to Proofpoint's claim. Writing for Ars Technica, he expressed his reservations:
"The Proofpoint report quickly went viral, with many mainstream news outlets breathlessly reporting the findings. The interest is understandable. The finding of a sophisticated spam network running on 100,000 compromised smart devices is extraordinary, if not unprecedented."
Goodin continues by saying the engineering effort to setup a botnet of "Things" would be immense, but possible. Goodin then proceeds to dissect many of the claims made by Proofpoint, asking for clarification, and not getting much. Goodin ends the blog post with:
"Again, I'm open to the possibility the botnet reported by Proofpoint exists. But until these smoking guns are produced, I'm maintaining a healthy amount of skepticism."

Maybe not this time, but IoT botnets will happen

When talking to security pundits about protecting IoT devices, a common thread surfaced, and the SANS Institute survey referred to it as well: because of the nature of IoT devices, it will be difficult if not impossible to patch vulnerabilities in the field. That means external controls upstream of the devices, such as firewalls that segment them from the rest of the network and restrict what they are allowed to send out, will be their only real source of protection.
We seem to be repeating the same mistakes we made with the inherent vulnerabilities of our computers on our new Internet connected things.

About the author: Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.

Tuesday, January 21, 2014

Warning: Your Browser Extensions Are Spying On You...(How-to Geek)

The internet exploded Friday with the news that Google Chrome extensions are being sold and injected with adware. But the little-known and much more important fact is that your extensions are spying on you and selling your browsing history to shady corporations. HTG investigates.
TL;DR version:
  • Browser add-ons for Chrome, Firefox, and probably other browsers are tracking every single page you visit and sending that data back to a third-party company that pays them for your information.
  • Some of these add-ons are also injecting ads into the pages that you visit, and Google specifically allows this for some reason as long as it is “clearly disclosed”.
  • Millions of people are being tracked this way and they don’t have a clue.
Are we officially calling it spyware? Well… it’s not quite that simple. Wikipedia defines spyware as “software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer’s consent”. That doesn’t mean that all software that gathers data is necessarily spyware, and it doesn’t mean that all software that sends data back to its servers is necessarily spyware.
But when the developer of an extension goes out of their way to hide the fact that every single page you visit is being stored and sent to a corporation that pays them for that data while burying it in the settings as “anonymous usage statistics”, there is a problem, at least. Any reasonable user would assume that if a developer wants to track usage statistics, they are only going to be tracking the usage of the extension itself — but the opposite is true. Most of these extensions are tracking everything else you do except using the extension. They are just tracking you.
This becomes even more problematic because they call it “anonymous usage statistics”; the word “anonymous” implies that it would be impossible to figure out who that data belongs to, as if they are scrubbing the data clean of all your information. But they aren’t. Yeah, sure, they are using an anonymous token to represent you rather than your full name or email, but every single page you visit is tied to that token. For as long as you have that extension installed.
Track anybody’s browsing history long enough, and you can figure out exactly who they are.
How many times have you opened your own Facebook profile page, or your Pinterest, Google+, or other page? Have you ever noticed how the URL contains your name or something that identifies you? Even if you never visited any of those sites, figuring out who you are is possible.
I don’t know about you, but my browsing history is mine, and nobody should have access to that but me. There’s a reason why computers have passwords and everybody older than 5 knows about deleting their browser history. What you visit on the internet is very personal, and nobody should have the list of pages I visit but me, even if my name is not specifically associated with the list.
I’m not a lawyer, but the Google Developer Program Policies for Chrome extensions specifically say that an extension developer should not be allowed to publish any of my personal information:
We don’t allow unauthorized publishing of people’s private and confidential information, such as credit card numbers, government identification numbers, driver’s and other license numbers, or any other information that is not publicly accessible.
Exactly how is my browsing history not personal information? It’s definitely not publicly accessible!

Yep, Many of These Extensions Insert Ads Too

The problem is compounded by a large number of extensions that are injecting ads into many of the pages you visit. These extensions are just putting their ads wherever they randomly choose to put them into the page, and they are only required to include a tiny piece of text identifying where the ad came from, which most people will ignore, because most people don’t even look at ads.
Whenever you are dealing with ads, there are also going to be cookies involved. (It’s worth noting that this site is ad-supported, and the advertisers put cookies on your hard drive, just like every site on the internet.) We don’t think cookies are a huge deal, but if you do, they are pretty easy to deal with.
The adware extensions are actually less of a problem, if you can believe it, because what they are doing is very obvious to the users of the extension, who can then start an uproar about it and try and get the developer to stop. We definitely wish that Google and Mozilla would change their ridiculous policies to forbid that behavior, but we can’t help them get common sense.
Tracking, on the other hand, is done in secret, or is essentially secret because they try to hide what they are doing in legalese in the description of the extensions, and nobody scrolls to the bottom of the readme to figure out if that extension is going to track people.

This Spying is Hidden Behind EULAs and Privacy Policies

These extensions are “allowed” to engage in this tracking behavior because they “disclose” it on their description page, or at some point in their options panel. For instance, the Hover Zoom extension, which has a million users, says the following on its description page, at the very bottom:
Hover Zoom uses anonymous usage statistics. This can be disabled in the options page without losing any features as well. By leaving this feature enabled, the user authorizes the collection, transfer and use of anonymous usage data, including but not limited to transferring to third parties.
Where exactly in this description does it explain that they are going to track every single page you visit and send the URL back to a third party, which pays them for your data? In fact, they claim everywhere that they are sponsored through affiliate links, completely ignoring the fact that they are spying on you. Yeah, that’s right, they are also injecting ads all over the place. But which do you care more about, an ad showing up on a page, or them taking your entire browsing history and sending it back to somebody else?
Hover Zoom’s Excuse Panel
They are able to get away with this because they have a tiny little checkbox buried in their options panel that says “Enable anonymous usage statistics”, and you can disable that “feature” — though it’s worth noting that it is defaulted to be checked.
This particular extension has had a long history of bad behavior, going back quite some time. The developer has recently been caught collecting browsing data including form data… but he was also caught last year selling data on what you typed to another company. They’ve added a privacy policy now that explains in further depth what is going on, but if you have to read a privacy policy to figure out that you are being spied on, you’ve got another problem.
To sum up, a million people are being spied on by this one extension alone. And that’s just one of these extensions — there are a lot more doing the same thing.

Extensions Can Change Hands or Update Without Your Knowledge

This extension is asking for way too many permissions. Deny!
There is absolutely no way to know when an extension has been updated to include spyware. Chrome only warns you about an update when the new version asks for permissions it didn’t have before, and since many types of extensions already need broad permissions just to operate properly, a version that turns into an ad-injecting piece of spycraft usually needs nothing new, so you won’t be prompted when it comes out.
To make matters worse, many of these extensions have changed hands over the last year — and anybody who has ever written an extension is being flooded with requests to sell their extension to shady individuals, who will then infect you with ads or spy on you. Since the extensions don’t require any new permissions, you’ll never have the opportunity to go figure out which ones added secret tracking without your knowledge.
In the future, of course, you should either avoid installing extensions or addons entirely, or be very careful about which ones you do install. If they ask for permissions to everything on your computer, you should click that Cancel button and run.

Hidden Tracking Code with a Remote Enable Switch

There are other extensions, in fact, a ton of them, that have complete tracking code built right in — but that code is currently disabled. Those extensions ping back to the server every 7 days to update their configuration. These ones are configured to send even more data back — they calculate exactly how long you have each tab open, and how long you spend on each site.
We tested one of these extensions, called Autocopy Original, by tricking it into thinking that the tracking behavior was supposed to be enabled, and we were able to immediately see a ton of data sent back to their servers.  There were 73 of these extensions in the Chrome Store, and some in the Firefox add-ons store. They are easily identifiable because they are all from “wips.com” or “wips.com partners”.
Wondering why we are worried about tracking code that isn’t even enabled yet? Because their description page doesn’t say a word about the tracking code — it’s buried as a checkbox on each of their extensions. So people are installing the extensions assuming they are from a quality company.
And it’s only a matter of time before that tracking code is enabled.

Investigating this Spying Extension Awfulness

The average person isn’t going to ever even know that this spying is going on: they won’t see a request to a server, they won’t even have a way to tell that it is happening. The vast majority of those million users won’t be affected in any way… except that their personal data was stolen out from under them. So how do you figure this out for yourself? It’s called Fiddler.
Fiddler is a web debugging tool that acts as a local proxy and logs every request so you can see what is going on (to see the HTTPS traffic as well, you have to turn on HTTPS decryption in Fiddler’s options, which asks you to trust its root certificate). This is the tool that we used. If you want to duplicate this at home, just install one of these spying extensions like Hover Zoom, and you’ll start seeing two requests to sites similar to t.searchelper.com and api28.webovernet.com for every single page that you view. If you check the Inspectors tab you’ll see a bunch of base64-encoded text… in fact, it’s been base64-encoded twice for some reason. (If you want the full example text before decoding, we stashed it in a text file here.)
They’ll track any site you visit, even the HTTPS ones
Once you’ve successfully decoded that text, you’ll see exactly what is going on. They are sending back the current page that you are visiting, along with the previous page, a unique ID to identify you, and some other information. The very scary thing about this example is that I was on my banking site at the time, which is served over HTTPS. That’s right, these extensions are still tracking you on sites that should be encrypted. HTTPS protects the connection between your browser and the bank, but an extension runs inside the browser and sees the URL of every page before anything is encrypted, so the padlock does nothing against it.
s=1809&md=21&pid=mi8PjvHcZYtjxAJ&sess=23112540366128090&sub=chrome
&q=https%3A//secure.bankofamerica.com/login/sign-in/signOnScreen.go%3Fmsg%3DInvalidOnlineIdException%26request_locale%3Den-us%26lpOlbResetErrorCounter%3D0&hreferer=https%3A//secure.bankofamerica.com/login/sign-in/entry/signOn.go&prev=https%3A//secure.bankofamerica.com/login/sign-in/entry/signOn.go&tmv=4001.1&tmf=1&sr=https%3A//secure.bankofamerica.com/login/sign-in/signOn.go
You can drop api28.webovernet.com and the other site into your browser to see where they lead, but we’ll save you the suspense: they are actually redirects for the API for a company called Similar Web, which is one of many companies doing this kind of tracking, and selling the data so other companies can spy on what their competitors are doing.
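As an added worked example (not How-To Geek's code), here is a Node.js script that does the decoding step described above: it takes a beacon body that has been base64-encoded twice, peels both layers, parses the query string and reports which fields carry page URLs and which ones look like persistent identifiers. The encoded body is reconstructed from the query string printed above, so it is constructed input rather than a fresh capture, and the reading of pid and sess as the unique ID and session is the article's.

```javascript
// Added example, not code from the original article. Runs under Node.js.
// The captured body is rebuilt here from the query string printed in the
// article: encoding it twice reproduces what was seen on the wire.
const TRACKING_QUERY =
  's=1809&md=21&pid=mi8PjvHcZYtjxAJ&sess=23112540366128090&sub=chrome' +
  '&q=https%3A//secure.bankofamerica.com/login/sign-in/signOnScreen.go' +
  '%3Fmsg%3DInvalidOnlineIdException%26request_locale%3Den-us%26lpOlbResetErrorCounter%3D0' +
  '&hreferer=https%3A//secure.bankofamerica.com/login/sign-in/entry/signOn.go' +
  '&prev=https%3A//secure.bankofamerica.com/login/sign-in/entry/signOn.go' +
  '&tmv=4001.1&tmf=1&sr=https%3A//secure.bankofamerica.com/login/sign-in/signOn.go';

// What the extension puts on the wire: base64 applied twice.
function doubleBase64Encode(text) {
  const once = Buffer.from(text, 'utf8').toString('base64');
  return Buffer.from(once, 'utf8').toString('base64');
}

// Peel both base64 layers. Node's decoder silently drops bad characters, so each
// layer is checked by re-encoding: if that does not reproduce the input, it was
// not base64 and the blob is rejected instead of being mis-parsed.
function doubleBase64Decode(blob) {
  let current = blob;
  for (let layer = 1; layer <= 2; layer++) {
    const decoded = Buffer.from(current, 'base64');
    const reencoded = decoded.toString('base64').replace(/=+$/, '');
    if (reencoded !== current.replace(/=+$/, '')) {
      throw new Error(`layer ${layer} is not valid base64`);
    }
    current = decoded.toString('utf8');
  }
  return current;
}

// Turn the decoded beacon into a report: every field, the fields that carry
// URLs (the browsing history being exfiltrated), the hosts they name, whether
// any of them were HTTPS pages, and the identifiers that tie the records together.
function analyzeBeacon(blob) {
  const params = new URLSearchParams(doubleBase64Decode(blob));
  const fields = Object.fromEntries(params.entries());
  const urlFields = {};
  for (const [key, value] of Object.entries(fields)) {
    if (/^https?:\/\//.test(value)) urlFields[key] = new URL(value);
  }
  const urls = Object.values(urlFields);
  return {
    fields,
    pageFields: Object.keys(urlFields),
    leakedHosts: [...new Set(urls.map((u) => u.hostname))],
    overHttps: urls.some((u) => u.protocol === 'https:'),
    // pid and sess are the unique ID and session value the article points at.
    identifiers: { pid: fields.pid, sess: fields.sess },
  };
}

const CAPTURED_BODY = doubleBase64Encode(TRACKING_QUERY);
console.log(JSON.stringify(analyzeBeacon(CAPTURED_BODY), null, 2));
```

Run it with `node beacon.js`; the report lists q, hreferer, prev and sr as page fields, all on secure.bankofamerica.com, which is the whole point of the article: the bank's HTTPS never entered into it.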
If you’re the adventurous type, you can easily find this same tracking code by opening up your chrome://extensions page, enabling Developer mode, and then clicking “Inspect views: html/background.html” or the similar text that tells you to inspect the extension. This lets you see what that extension is running all the time in the background.
That trash can icon is your friend
Once you click to inspect, you’ll immediately see a list of source files and all sorts of other stuff that will probably be Greek to you. The important things in this case are the two files named tr_advanced.js and tr_simple.js. These contain the tracking code, and it’s safe to say that if you see those files inside of any extension, you are being spied on, or will be spied on at some point. Some extensions contain different tracking code, of course, so just because your extension doesn’t have those doesn’t mean anything. Scammers tend to be tricky.
You’ll probably notice that the tracking URL in that source isn’t quite the same as the one captured earlier. The actual tracking source code is pretty complicated, and it appears that each extension has a different tracking URL.

Preventing an Extension from Updating Automatically (Advanced)

If you have an extension that you know and trust, and you’ve already verified that it doesn’t contain anything bad, you can make sure that the extension never secretly updates on you with spyware — but it is really manual and probably not what you’ll want to do.
If you still want to do so, open the Extensions panel, find the ID of the extension, then head to %localappdata%\Google\Chrome\User Data\Default\Extensions and open the folder named after that ID (it holds one sub-folder per installed version). Change the update_url line in that version’s manifest.json to replace clients2.google.com with localhost. Note: we haven’t been able to test this with an actual extension yet, but it should work. Bear in mind that Chrome treats the files under its profile as its own: it may repair or disable an extension whose files no longer match what the Web Store shipped, so if you don’t trust an extension enough to let it update, removing it is the more reliable option.
For Firefox, the process is a lot easier. Go to the Add-ons screen, click the menu icon, and un-check “Update Add-ons automatically”.

So Where Does This Leave Us?

We’ve already established that loads of extensions are being updated to include tracking / spying code, injecting ads, and who knows what else. They are being sold to untrustworthy companies, or the developers are being bought with a promise of easy money.
Once you have an add-on installed, there’s no way to know that they aren’t going to be including spyware down the road. All we do know is that there are a lot of add-ons and extensions that are doing these things.
People have been asking us for a list, and as we’ve been investigating, we’ve found so many extensions doing these things, we’re not sure that we can make a complete list of all of them. We’ll add a list of them to the forum topic associated with this article, so we can have the community help us generate a bigger list.