Users of Concurrent Versions System (CVS) software are being urged to patch their systems against an exploit used to hack the project's web site. CVS is a source code maintenance system used by many open source development projects, raising the prospect that the exploit may be used to spread compromised code to developers and end-users who download files from hacked servers.
That risk prompted an alert Friday from US-CERT, the agency coordinating U.S. cybersecurity awareness. The vulnerability in CVS, which allows a buffer overflow, was discovered May 2 by Stefan Esser of e-matters and made public, along with a patch, on May 19. While technically a "local" security hole that can only be exploited by authenticated users, most public CVS servers allow anonymous logins over the Internet. e-matters also identified a security hole in Subversion, a successor to CVS.
Microsoft's dominance of the desktop operating system market isn't a threat to U.S. national security, according to a new study by a team of researchers at George Mason University, who said a worm or other malicious attack on Windows is unlikely to produce a catastrophic failure of the Internet.
The report is based on advanced network simulations by George Mason's Infrastructure Mapping Project. While it focuses on proprietary monopolies held by Microsoft on the desktop and Cisco in the router market, the study also suggests the growing importance of the security of open source products.
The findings contrast with those of a paper released last year by the Computer & Communications Industry Association, Cyberinsecurity: The Cost of Monopoly, which warned that "the identicality and flaw density in the Microsoft Windows monoculture present clear dangers to national security." The paper stirred controversy when one of its authors, Dan Geer, was fired as CTO of @stake, which does business with Microsoft.
The group overseeing Internet domain registrations is proposing to sharply raise the fees it charges Internet registrars, drawing protests from both large and small domain sellers. The Internet Corp for Assigned Names and Numbers (ICANN) wants to increase its budgeted revenue from $8.7 million to more than $16 million, with about 80 percent of that coming from registrars. ICANN's 2004-2005 budget (PDF) adds a new fee that will average about $19,200 per registrar, along with a 25-cent fee for each domain sold.
"This budget significantly changes the funding model of ICANN, and threatens the existence of a large number of registrars," according to Bhavin Turakhia of Directi, a registrar based in India, who has launched a website protesting the proposed fee changes. "The current budget favors larger registrars and will actually put the smaller and mid-sized ones out of business."
Turakhia represents a group of 26 smaller registrars, who say the new fee structure also hurts international registrars' ability to compete against companies in America, which is home to the industry's largest players. Those larger domain sellers aren't thrilled, either. The new fee structure would likely mean annual fee increases of $536,000 for Network Solutions, $273,000 for Tucows and $253,000 for GoDaddy, according to ICANN's Kurt Pritz.
Given the current competition among discount domain sellers, it appears unlikely that the new fees will lead to higher costs for consumers. 1&1 Internet remains the pricing leader at $5.99 for a one-year dot-com signup, while AIT Domains lowered its price to $6.95. Going the other direction was GoDaddy, which raised its fees to $8.95, the high end of a range in which its prices have fluctuated from month-to-month.
The web sites for The SCO Group, which were besieged earlier this year by virus-related distributed denial of service (DDoS) attacks, experienced outages of about two hours overnight. Sites affected included www.sco.com
A tidal wave of phishing scams hit the Internet in April, with 1,125 separate e-mail fraud schemes, up 180 percent from the previous record of 402 in March. That's an average of 37.5 unique phishing scams per day, up from 24 a day in March, according to the Anti-Phishing Working Group (APWG).
"This marks a huge increase in the volume of phishing attacks," the APWG noted in its monthly report. The April total marks a 4,000 percent increase from November, when just 28 campaigns were reported.
Problems with Akamai's content distribution network knocked a number of high-traffic web sites offline this morning, affecting the availability of antivirus updates from Symantec, McAfee and TrendMicro, as well as streaming content from Apple. Our monitoring of the Fortune 100 shows performance issues this morning for BellSouth, General Motors, Coca Cola
A statement on Akamai's customer site said the company "is aware of a service interruption earlier today affecting content delivery. We have identified the root cause and have implemented the fix. Issues retrieving content should be decreasing or resolved." The language hints at a technical problem rather than a distributed denial of service (DDoS) attack, which had been the focus of early speculation. The size of Akamai's network - reports range from 12,000 to 15,000 servers - would seem to make such an attack unlikely.