Saturday, 24 December 2011

Amnesty International UK Attacked

Serving up Malware

Wouldn't it be ironic, and not in a wholesome or entertaining way, if the very act of visiting my (loosely) security-based blog, and clicking on my very well intentioned Amnesty International sidebar, were to leave you infected with malware of a context-specific kind? Namely Trojan Spy-XR, the kind that spies on the activities of human rights activists, returning the electronic information so obtained to... certain countries...

Okay: China. There is evidence (from this ThreatExpert analysis) that the malicious Java file, currently being served in a cross-site way through a certain genuine but compromised Brazilian automotive website, appears to be associated with China. Brian Krebs reports the malware as belonging to "a notorious family of backdoor Trojans" from that quarter, and Chinese hacking groups are well known to be waging an ongoing campaign against dissident and human rights organizations, to extract personal and logistic information about them.

So ironic or not, that's what might have happened to you, had you clicked the aforementioned sidebar link within the past week or so. Sorry about that.

Mitigated by Unpopularity and... Java

Being unaware of the previous and ongoing targeting of human rights workers by this nefarious scheme and others like it, I had assumed that the relative lack of popularity of the Amnesty site (rating below 90,000) - not to mention that of my own blog! - made it a comparatively safe cross-link. But today I learned the organization’s site was hacked with a drive-by attack last April, while its Hong Kong website was hacked in November 2010 and seeded with an exploit dropping malware based around a previously unknown IE zero-day vulnerability (see this Websense report). In possible mitigation, these attackers are clearly not out for financial data or gain.

These attacks, as noted by Brian Krebs, serve to highlight the importance of keeping up to date with security patches. In the case of Java, a safer option might be to remove frequently targeted software you don’t really need.

Monday, 12 December 2011

My Top Ten Christmas Songs

OK Let's Get This Thing Over

Ho³! Everyone seems to be indulging this humbug a little early this year, but as XKCD shows (click through for full details), at least in America, and subjectively here in the UK too, there appears to be a huge cultural bias towards 40s and 50s Christmas songs. For once, I won't be straining to reach as far back in time as my braces will permit, as I own up to some personal favourites in the genre.

10. Mike Oldfield, who could never be bothered waiting around for everyone else to learn their parts, started the trend of playing everything yerself. This is from 1975, although originally from the middle ages:

9. Not strictly a Christmas song, more of a fine study in adolescent rivalry and frustration, slapped on to the B-side of 1986's Trumpton Riots with the word Christmas gratuitously grafted into the title: these are the peerless Half Man Half Biscuit...

8. Justin Hawkins pouted perfectly in 2003: Now how the hell am I gonna make it into the new year?

7. Another non-Christmas song, Joni Mitchell's River just happened to be set at Christmas time in 1971, on a rather melancholy variation of Jingle Bells...

6. This kazoo-festooned KT Tunstall cover of Mele Kalikimaka (Christmas In Hawaii) lit up 2007, but originally written by Robert Alex Anderson in 1949 and appearing on Bing Crosby's White Christmas album, it's the only one of our ten falling within the XKCD boom years:

5. Greg Lake, replete with Troika (from Sergei Prokofiev's Lieutenant Kijé, 1934) protested the commercialization of Christmas 1975...

4. John Lennon would have shown that Lake guy a thing or two about protest in 1971...

3. Kirsty, we will never forget you... with The Pogues, perennially since 1987:

2. A prog masterwork from 1976, Ring Out Solstice Bells can be found on The Jethro Tull Christmas Album, alongside such yuletide favourites as A Christmas Song and Another Christmas Song...

1. Topping my festive selection: 1981 had the coolest Christmas song ever!

Please don't mention The Spice Girls. Have a happy holiday season, everyone.

Tuesday, 6 December 2011

Sony Handheld Nonportable

Vita has Flash Problem

And I don't mean Adobe. Even though they are discontinuing Flash development for mobile devices, Adobe are still in negotiations with Sony for a Vita version of (probably) Flash Mobile 11 - the last version they'll ever make available for phones and tablets. But Steve Jobs has driven all web video irrevocably in the direction of HTML5; and as for Flash games, well, they're mostly rubbish on wee displays like the Vita's 5" OLED capacitive touchscreen anyway. No, the issue I'm referring to is this new announcement from Sony, that the PS Vita will require the use of proprietary memory cards. And just why exactly might that be? A Sony spokesperson explains: "[we are] using proprietary memory cards, both for security reasons, and to ensure a consistent experience for all users."

Ah right, security reasons, of course. And yes, a consistent user experience. Always thinking about its beloved users, Sony is. About their security. And about the consistency of their experience. So, we should expect these proprietary sticks to be priced similarly to existing, industry standard flash memory cards, right?

Prices are in dollars. Source:, except for Sony prices, which are current listings at Gamestop.