
Tech News


China Tightens Internet Controls

China on Thursday unveiled a draft of new Internet regulations that, if finalized, will force the nation's Twitter-like social networking platforms, along with all the blogs and online forums to require users to register with their official IDs. The system had until now been only partially enforced on the larger online microblogging sites, also known in Chinese as weibo. But while authorities state the proposed rule will help fight illegal activities, the expansion of the real-name requirement is intended to remind the country's Internet users to be mindful of what they post online, according to analysts. "It makes everyone, who might post something controversial, think more carefully about it," said Mark Natkin, managing director for Beijing-based Marbridge Consulting. China already strictly censors online content, often by deleting Internet posts or blocking sites for anti-government information. In some cases, authorities have gone as far as to detain Chinese citizens for spreading alleged rumors.

Iran confirms cyberattacks against oil facilities

Iran's oil ministry today confirmed that it was the target of malware attacks over the weekend, adding to reports by state-run media that the country's oil industry was hit by hackers. The Mehr News Agency, which is a semi-official arm of the Iranian government, reported Monday that the country's principal oil terminal on Kharg Island was disconnected from the Internet as part of the response to the attacks. Email systems associated with the targets were also pulled offline. Kharg Island, which is in the Persian Gulf off the western coast of Iran, handles the bulk of the country's oil exports. A spokesman for the Ministry of Petroleum acknowledged the attacks, but said that critical servers at the reported targets -- the ministry, Iran's national oil company and Kharg Island -- were not affected because they are isolated from the Internet. The ministry spokesman also said that the malware, which he did not identify, resulted in the theft of some user information from websites and some minor damage to data stored on the web servers. According to the ministry, no data was actually lost because backups were available. Later Monday, Mehr reported that the attacks had prompted authorities to create a crisis management committee to counter the threats. Those reports were echoed Monday by the Fars News Agency, which also has ties to the Iranian government. The attacks immediately brought to mind Stuxnet, the worm that targeted Iran's nuclear fuel enrichment project in 2009, and reportedly set back the program after damaging hundreds of gas centrifuges.

Google boosts Web bug bounties to $20,000

Google today dramatically raised the bounties it pays independent researchers for reporting bugs in its core websites, services and online applications. The search giant boosted the maximum reward from $3,133 to $20,000, and added a $10,000 payment to the program. The Vulnerability Reward Program (VRP) will now pay $20,000 for vulnerabilities that allow remote code execution against google.com, youtube.com and other core domains, as well as what the company called "highly sensitive services" such as its search site, Google Wallet, Gmail and Google Play. Remote code flaws found in Google's Web apps will also be rewarded $20,000. The term "remote code execution" refers to the most serious category of vulnerabilities, those which when exploited allow an attacker to hijack a system and/or plant malware on a machine. A $10,000 bounty will be paid for SQL injection bugs or "significant" authentication bypass or data leak vulnerabilities, Google said in the revised rules for the program. Other bugs, including cross-site scripting (XSS) and cross-site request forgery (XSRF) flaws, will be compensated with payments between $100 and $3,133, with the amount dependent on the severity of the bug and where the vulnerability resides.

Mac Flashback malware

Apple's Mac platform has long been promoted as safer than the competition, but as Mac sales and market share grow, it's become a bigger target. Nowhere is that clearer than with the Flashback Trojan, a gnarly piece of malware designed to steal personal information by masquerading as very mainstream browser plug-ins. Yesterday Russian antivirus company Dr. Web said that an estimated 600,000 Macs are now infected as a result of users unknowingly installing the software. So here's a quick FAQ on the Flashback Trojan, including information on what it is, how to tell if you have it, and steps you can take to get rid of it. What exactly is Flashback? Flashback is a form of malware designed to grab passwords and other information from users through their Web browser and other applications such as Skype. A user typically mistakes it for a legitimate browser plug-in while visiting a malicious Web site. At that point, the software installs code designed to gather personal information and send it back to remote servers. In its most recent incarnations, the software can install itself without user interaction. Flashback as we know it now appeared near the end of September last year, pretending to be an installer for Adobe's Flash, a widely used plug-in for streaming video and interactive applications that Apple no longer ships on its computers. The malware evolved to target the Java runtime on OS X, where users visiting malicious sites would then be prompted to install it on their machine in order to view Web content. More advanced versions would install quietly in the background with no password needed.

Will it Take a Law to Protect Online Privacy?

Following the release of two prominent reports advancing the federal government's policy for online privacy, members of a House subcommittee on Thursday again took up consideration of whether new legislation is needed to protect consumers on the Internet. At a hearing before the Energy and Commerce Committee's technology subcommittee, top officials with the Department of Commerce and the Federal Trade Commission walked a thin line in their remarks to lawmakers who at times appeared skeptical. Both officials expressed support for baseline privacy legislation that would implement consumer safeguards while avoiding burdensome mandates that could hinder the online economy. At the same time, they emphasized that their recent reports -- the consumer bill of rights that the Commerce Department developed in concert with the White House and the FTC's new report on best practices -- contain no new regulatory mandates. "These are to some extent aspirational," FTC Chairman Jon Leibowitz told the panel. "We wanted to make it very clear that this isn't a regulatory document or an enforcement document." Similarly, Lawrence Strickling, the Commerce Department's assistant secretary for communication and information, affirmed that the administration is backing a largely self-regulatory approach. Both officials expressed support for a rudimentary privacy law, though neither endorsed any specific proposal. The FTC and Commerce Department now plan to continue their collaboration with industry stakeholders to develop codes of conduct and implementation strategies to apply high-minded privacy concepts such as transparency and choice into practice. If the FTC wins formal commitments from industry players to adhere to certain behavior, such as abiding by the rules of the do-not-track mechanism it is endorsing, those firms would then be subject to agency oversight under its authorities relating to unfair and deceptive practices.
But in the event that the FTC finds a company to be in violation of those standards and reaches a consent order, as it did last year with Google and Facebook, the agency has no authority to issue financial penalties for civil offenses, a power that it is seeking from Congress.

Microsoft leads seizure of Zeus cybercrime servers

Microsoft said on Monday it and several partners had disrupted several cybercrime rings that used a notorious piece of malicious software called Zeus to steal US$100 million over the last five years. The company said a consolidated legal case has been filed against those allegedly responsible that for the first time applies the Racketeer Influenced and Corrupt Organizations (RICO) Act. Zeus has been a thorn in the side for financial institutions due to its stealthy nature and advanced spying capabilities that center around stealing online banking and e-commerce credentials for fraud. According to a complaint filed under seal on March 19 in the U.S. District Court for the Eastern District of New York, Microsoft accused the defendants of infecting more than 13 million computers and stealing more than US$100 million over the last five years. The civil complaint lists 39 "John Doe" defendants, many of whom are identified only by online nicknames, such as "Gribodemon" and "Harderman." It marks the latest action led by Microsoft against botnet operators. The company has gone to court before to gain permission to take control over domain names associated with the command-and-control infrastructure of botnets such as Kelihos, Rustock and Waledac. The company has also initiated civil proceedings against unnamed operators but has had little success due to jurisdiction issues. Mark Debenham, senior manager of investigations for Microsoft's Digital Crimes Unit, said the creators of Zeus -- as well as related malware such as SpyEye and Ice-IX -- sold "builder kits" to other would-be cybercriminals. Simple versions sold for as little as $700, while more advanced versions could cost $15,000 or more, according to Debenham's affidavit.