CVS Exploit Leads to Project Server Compromise

Users of Concurrent Versions System (CVS) software are being urged to patch their systems against an exploit used to hack the project's web site. CVS is a source code maintenance system used by many open source development projects, raising the prospect that the exploit may be used to spread compromised code to developers and end-users who download files from hacked servers.

That risk prompted an alert Friday from US-CERT, the agency coordinating U.S. cybersecurity awareness. The vulnerability in CVS, which allows a buffer overflow, was discovered May 2 by Stefan Esser of e-matters and made public, along with a patch, on May 19. While technically a "local" security hole that can only be exploited by authenticated users, most public CVS servers allow anonymous logins over the Internet. e-matters also identified a security hole in Subversion, a successor to CVS.


Report: Microsoft Not a Threat to US National Security

Microsoft's dominance of the desktop operating system market isn't a threat to U.S. national security, according to a new study by a team of researchers at George Mason University, who said a worm or other malicious attack on Windows is unlikely to produce a catastrophic failure of the Internet.

The report is based on advanced network simulations by George Mason's Infrastructure Mapping Project. While it focuses on the proprietary monopolies held by Microsoft on the desktop and Cisco in the router market, the study also points to the growing importance of the security of open source products.

The findings contrast with those of a paper released last year by the Computer & Communications Industry Association, Cyberinsecurity: The Cost of Monopoly, which warned that "the identicality and flaw density in the Microsoft Windows monoculture present clear dangers to national security." The paper stirred controversy when one of its authors, Dan Geer, was fired as CTO of @stake, which does business with Microsoft.


Proposed ICANN Fees Generate Heat, But Not Price Hikes

The group overseeing Internet domain registrations is proposing to sharply raise the fees it charges Internet registrars, drawing protests from both large and small domain sellers. The Internet Corp for Assigned Names and Numbers (ICANN) wants to increase its budgeted revenue from $8.7 million to more than $16 million, with about 80 percent of that coming from registrars. ICANN's 2004-2005 budget (PDF) adds a new fee that will average about $19,200 per registrar, along with a 25-cent fee for each domain sold.

"This budget significantly changes the funding model of ICANN, and threatens the existence of a large number of registrars," according to Bhavin Turakhia of Directi, a registrar based in India, who has launched a website protesting the proposed fee changes. "The current budget favors larger registrars and will actually put the smaller and mid-sized ones out of business."

Turakhia represents a group of 26 smaller registrars, who say the new fee structure also hurts international registrars' ability to compete against companies in America, which is home to the industry's largest players. Those larger domain sellers aren't thrilled, either. The new fee structure would likely mean annual fee increases of $536,000 for Network Solutions, $273,000 for Tucows and $253,000 for GoDaddy, according to ICANN's Kurt Pritz.

Given the current competition among discount domain sellers, it appears unlikely that the new fees will lead to higher costs for consumers. 1&1 Internet remains the pricing leader at $5.99 for a one-year dot-com signup, while AIT Domains lowered its price to $6.95. Going the other direction was GoDaddy, which raised its fees to $8.95, the high end of a range in which its prices have fluctuated from month to month.

Retail Domain Name Prices, May 2004

Company             One-year .com price   Primary Business    Primary Region
1&1 Internet AG     $5.99                 Mixed Hosting       Europe
EV1Servers          $6.49                 Dedicated Hosting   America
Hostway             $6.95                 Shared Hosting      America
AIT Domains         $6.95                 Mixed Hosting       America
DomainSite          $6.99                 Domain Registrar    America
Crystal Tech        $8.50                 Mixed Hosting       America
Go Daddy Inc        $8.95                 Domain Registrar    America
RegisterFly         $9.99                 Domain Registrar    America
Dotster             $14.95                Domain Registrar    America
Host Europe         $15.69                Mixed Hosting       Europe
FastHosts           $16.42                Mixed Hosting       Europe
Verio               $19.00                Mixed Hosting       America
eNom                $29.95                Domain Registrar    America
Network Solutions   $34.99                Domain Registrar    America
Melbourne IT        $35.00                Domain Registrar    America


Another Huge Surge in Phishing Scams in April

A tidal wave of phishing scams hit the Internet in April, with 1,125 separate e-mail fraud schemes, up 180 percent from the previous record of 402 in March. That's an average of 37.5 unique phishing scams per day, up from 24 a day in March, according to the Anti-Phishing Working Group (APWG).

"This marks a huge increase in the volume of phishing attacks," the APWG noted in its monthly report. The April total marks a 4,000 percent increase from November, when just 28 campaigns were reported.


Akamai Network Problems Disrupt Numerous Sites

Problems with Akamai's content distribution network knocked a number of high-traffic web sites offline this morning, affecting the availability of antivirus updates from Symantec, McAfee and TrendMicro, as well as streaming content from Apple. Our monitoring of the Fortune 100 shows performance issues this morning for BellSouth, General Motors, Coca Cola and Verizon.

A statement on Akamai's customer site said the company "is aware of a service interruption earlier today affecting content delivery. We have identified the root cause and have implemented the fix. Issues retrieving content should be decreasing or resolved." The language hints at a technical problem rather than a distributed denial of service (DDoS) attack, which had been the focus of early speculation. The size of Akamai's network - reports range from 12,000 to 15,000 servers - would seem to make such an attack unlikely.
