It was notified on the Internet that Google’s much-anticipated operating system, Chrome OS, is going to come for download even this week! Is it rumors or is it truth? We’ll see.

What we could do is only to wait. When Google reported its early version of new OS last fall, the company said they would open source the code for Chrome OS ‘later this year’. Google also told that netbooks running Chrome OS wouldn’t be accessible for end users until the second half of 2010.

Four months have passed from Google’s disclosure that it is getting into the PC operating system game which would put them in a direct paths against Microsoft and Apple. Michael Arrington from TechCrunch says that a version of the Chrome OS will come with a limited collection of hardware drivers ‘within a week’. TechCrunch also said that Google has PC manufacturers working on hardware driver support, and mentions that at first, the software may only run on a limited set of PCs. This is the second rumor saying an early release of Chrome OS was forthcoming.

At that time, Google also said that the Chrome OS code would be ‘open sourced’ later this year. So the supposed Google’s Chrome OS release would clash with the original timeline. According to PC World, open source code is not the same as a ready-for-prime-time product. Google’s OS hardware partners on the project involve Acer, Adobe, ASUS, Freescale, Hewlett-Packard, Lenovo, Qualcomm, Texas Instruments, and Toshiba. Although it’s still not clear what PCs are going to be supported when the OS is maybe made available this week. TechCrunch speculates that the first public version of the OS would run on EEE PC netbooks.

What’s going to happen this week is that Google would make good on its promise and release the Chrome OS source code to developers. However, that doesn’t certainly imply the average person could download these files and get the OS up and running. Source code is just a collection of text files intended for software developers to tinker with. To get the source code to work as a computer program, a user needs a compiler that brings all the source code together and turns it into something a user’s computer can, in fact, start up.

On a netbook, Chrome OS may be satisfying for offering mobile functionality. On a desktop, Chrome OS may turn a PC into a glorified terminal, dependent on the Internet for almost everything the user does on it. Google has said earlier Chrome is intended to be lightweight and get users connected to cloud applications quickly. The company pretends to think that cloud apps will become prevalent and will not need a very powerful PC to run them. Therefore, Google is building a very lightweight browser that is Chrome, to run up on what amounts to an inserted operating system that is Chrome OS, running on netbooks to be issued in 2010.

Google Chrome OS represents a new computing model and may even change users’ perception of operating systems and security. Its importance depend upon how widely and quickly cloud applications get to the center stage, what trade-offs customers are ready to make, and most essentially, what Chrome OS actually proves out to be. Google’s Chrome operating system could mark a turning point in the computer world. Still, there are many questions left. Rumors are the OS will be issued to developers this week. Most likely that will answer some questions but probably they will raise even more.

If Google will only release source code and not actual builds of the Chrome OS, getting it to work would probably make it unavailable for most users. It is good to know that Google has already released a developer build that users can just download and install the easy way. Developers may soon get a new Google’s Chrome OS, while other users may have to wait for a while.

The first security update, released on Monday, refers to Mac OS X Leopard and Snow Leopard. The second update, issued on Wednesday, goes to a new version of Safari Web browser, available for Mac, PC, and iPhone operating systems. The newest update deals with a lot of security threats, such as remote code execution, system crashing and information disclosure bugs, Apple explained in its advisory. Both the Mac OS X and Windows versions of Safari need to be updated to version 4.0.4.

The freshly released Safari 4.0.4 stops up what seems to be like moderate-to-severe security issues. Differently from rivals Internet Explorer, Firefox, and Chrome, Apple doesn’t rate the severity of its security flaws. Malicious XML, FTP and ColorSync profiles embedded in images and in the WebKit engine, the open-source foundation of Safari, could be created to crash or exploit Windows and Mac versions of Safari on the opened Web sites.

Using shortcut menu options within a maliciously crafted Web site could have led to unsuspected network security threats, such as local information disclosure and arbitrary code execution, when other maliciously written websites are visited. Only Windows versions of Safari are prone to the embedded image color profile deceit, while an exploit that could enable email to distantly access audio and video content when loading a remote image impacts Macs only.

Of the seven flaws that Safari 4.0.4 blocks, six affect the little-used Windows version of the browser, six influence Mac OS X 10.4, aka Tiger, however, only three apply to Mac OS X 10.5 and 10.6, Leopard and Snow Leopard, respectively. Although in contrast to the operating system security update released on Monday, which didn’t provide patches for Mac OS X 10.4, Wednesday’s upgrade involves users, who run Safari on that 2005 operating system. Apple traditionally stops deliver security updates for its oldest still-supported OS several months after the issue of a new edition, but evidently will further support Safari on Tiger.

Safari 4.0.4 for Windows or Mac can be downloaded from Apple’s website. Active users of the Safari browser can get the new version by running Software Update on the Mac or the bundled Apple Software Update on Windows. Safari 4.0.4 also enhances JavaScript performance. If SunSpider JavaScript Benchmark is run, Safari 4.0.4 is 1.08 times as fast version 4.0.3 overall, with considerable growths in many tests. The final and most important thing to note is that Safari 4.0.4 does not damage ClickToFlash. The last security update Safari received was in mid-August, when Apple fixed six security issues, four of them critical.

A new version of the notorious Koobface (W32/Koobface) worm does this automatically.

Koobface is a computer worm that is programmed to propagate through social network sites like Facebook, Twitter and MySpace. The new version that inspired this security article has some new fuctionality, and automatically performs actions like:

• Setting up accounts on Facebook.
• These accounts have characteristics that seem legitimate, like date of birth, favorite books or pictures.
• The accounts’ details vary for every account that is set up.
• Confirming that an email address from Gmail is correct (used to be able to activate the Facebook account).
• Joining random Facebook groups.
• Adding other Facebook users as friends.
• Posting messages to the new friends’ Facebook walls.

With all this functionality it naturally makes it harder to determine that it is an automatic malware impersonating a human, and not a real person.

The new Koobface variant is yet another example of the fact that malware is getting increasingly sophisticated. Typical malware usually sends out malicious emails using email addresses found on the infected computer.

The email recipient trusts emails sent from a known person, but the Koobface worm will often produce somewhat bizarre side effects, like an email with content in another language.

Another technique used by Koobface is not attempting to impersonate a real person, but to rather create a fictitious person. The strange thing is attempts to investigate the sender will result in finding information that seems to some almost legitimate.

Malware writers are clearly making it a priority to refine the art of creating variations for identity production. If one looks at it from the malicious persons’ point of view, it is smart to be in the forefront among those using this technique; before the common users get better equipped to distinguish between communicating with a real person and a computer generated one.

Be weary of this and expect to see more examples of malware using variants of this technique in the future.

It was revealed that a trick worm is spreading over jailbroken’ iPhones in Australia. Additionally, at the end of last month, a proof-of-concept (PoC) application was issued that allows a hacker to distantly activate a BlackBerry microphone and listen in on surrounding conversations and sounds. There haven’t been such widespread and active attacks on mobile devices for a long while, but now, it is expected that they are going to grow rapidly.

In return to the rising danger of smartphone malware, researchers at Georgia Tech are planning to study mobile device security and finally plan to discover a method to distantly fix affected devices. They have gotten a $450,000 NSF grant to improve security of iPhones, BlackBerries and other smartphones and the wireless networks on which they are running. The researchers are focusing on the ways wireless service providers such as AT&T and Verizon can detect malware on devices and clean up the devices before they do more harm.

The Georgia Tech’s researchers are looking back on those events with mobile devices in that they indicate that malware creators have mainly forgot about cellphones that were specialty devices. However, attackers have already got their sight on smartphones based on more general computer operating systems. The researchers say that a big problem is that, smartphones usually aren’t implemented with antivirus software and other such computer security programs.

According to Jonathon Giffin, an assistant professor at Georgia Tech’s School of Computer Science, researchers are going to create a cellular network test bed on campus to try out its remote repair methods. They would enable service providers to clean malicious code off on a vulnerable device with little or no relationship with the end user. The remote repair technique might be the same as remote wipe technologies that are used currently to clear all the data off a mobile device that has gone missing. Such methods might require disable some of the phone’s functionality temporarily, like the ability to download apps.

For all the reasons mentioned above, the researchers have taken the carriers for their target in a striving to break down on mobile device security. Patrick Traynor, assistant professor at Georgia Tech’s School of Computer Science has talked to a lot of major carriers about the project and said that there is a sense of excitement all around. He added that they need to elaborate solutions today so they are ready when these widespread attacks appear. The researcher concluded that one of the signs of their design is to use the network itself to discover attacks.

If a password is easy to remember for the owner, sadly it would be easy to guess for an attacker as well.

If a password is more complex, that is when it includes a mix of uppercase and lowercase letters and digits, it would undoubtedly be harder for a hacker to crack it. Password requirements for users differ in various sites but in most cases ’secret/prompt questions’ are involved. Have you ever thought about strength of such type of passwords?

Users may often be asked a variety of simple ‘prompt questions’ such as ‘Where were you born?’, ‘What is your mother’s maiden name?’ or ‘What street did you grow up on?’ for ID verification before a password reminder is sent out. After all, it emerges that answers to these questions are not so secure because it may not be so hard for other people to predict them. So, what could be done to make the passwords stronger? At first, for answers to be more complicated for hackers to guess, the questions should be made to be difficult in the first place.

Computer scientists at Rutgers University in the United States have announced a system to enhance ’security/prompt-question’ online security when online shoppers forget passwords. Scientists state they are six months away from writing code that would protect passwords from being identified. According to assistant professor of computer science in the Rutgers School of Arts and Sciences Danfeng Yao, it is well-known that security questions are not very safe and easily predictable. Yao is a leader of a team of scientists who are developing an ‘activity-based personal questions’ approach to security questions. Websites could ask a user, ‘When was the last time you sent an e-mail?’ or ‘What did you do yesterday at noon?’ Dynamic questions would be much harder for attackers to suspect.

Once a computer scientist said she gave students in her lab some questions associated with network activities, physical activities and opinion questions, and then asked them to ‘attack’ each other. Security experts say that ’security questions’ serve a real security threat and need to be renewed with questions that continually change according to a user’s digital history. That’s because this information would be harder to gain and it is less widely available. Traditional ’security questions’ are fixed and long-lived and do not usually change, so a user’s answers may be collected or presumed by people around the user.

A 1990 study discovered that people were able to predict email password of someone else 17 percent of the time. Spouses were able to guess the password 33 percent of the time. Another problem is that people are likely to forget their passwords and have to revert to answering a ’secret question’, which is also often easy to guess. Yao tells memory has not been an issue when ‘activity-based’ questions were tried on her students. Yao also says they are presently developing a prototype system which is expected to be finished and available by May 2010. She concludes that the system includes both server-side and client-side components, so they need to accomplish a considerable amount of testing on both security and memorability before they offer their result to the market.

On Tuesday, software giant Microsoft released six security bulletins repairing upwards of 15 vulnerabilities within Windows and MS Office. The bulletins include a critical patch for holes in the Windows, Windows Server and Microsoft Office components that could enable a hacker to take control of a vulnerable computer. Three of the bulletins are rated ‘critical’ and another three are rated ‘important’.

For one of the critical bulletins, affecting the Kernel-Mode Drivers, Microsoft recommends take as a priority is the most important patch, MS09-065. The Windows kernel vulnerability could be used to create a Web page or MS Office document with a malicious Embedded OpenType (EOT) font produced to exploit the remote code on systems that visit the page and view the EOT font. The patch is labeled ‘critical’ for Windows 2000, XP and Server 2003, and ‘important’ for Vista and Server 2008. Proof-of-concept code already is publicly available to start drive-by attacks. Microsoft states that consistent exploit code is expected.

The two other critical patches fix flaws in Web Services on Application Programming Interface (WSDAPI) and in License Logging Server. Two bulletins repair vulnerabilities in the way that Windows Vista and Windows Server 2008 search for connected devices such as cameras and printers that could be used by attackers to install malicious software programs. These particular vulnerabilities set a risk of remote code execution if a user opens a malicious Excel or Word file.

By using the vulnerability in WSDAPI, a malicious packet sent across the network could produce the flaw, but the attacker would have to be on the same local subnet, and then most likely only if the affected system is not protected by a firewall. With the help of the flaw in License Logging Server, a vulnerable system could be corrupted by a malicious network message, but differently from the WSDAPI vulnerability, an attack against this flaw wouldn’t have to be initiated from the same local subnet.

Software affected by the patches involve: Windows 2000, XP, Server 2003, Vista, Server 2008, Office XP, Office 2003, 2007 Microsoft Office System, Office 2004 for Mac, and Office 2008 for Mac. For now, Windows 7 and Windows Server 2008 R2 are not affected by these vulnerabilities. Therefore, users can stay calm at least for a while. Updates are available through Automatic Updates or through the Windows Update Website.

The application Honesty Box, which allows users to send and receive “anonymous messages and discover what people really think of you”, has become the focus of hackers who want to steal Facebook users’ personal information for their own malicious purposes.

On Facebook the application writers promise that they will “never reveal who sent messages on Honesty Box”.

Hackers are now using Facebook’s promise to their advantage by spamming a fake program which promises to reveal the message senders’ identities to the walls of Honesty Box users.

Facebook sources have responded saying that the rogue program claims it will strip out the hidden data from your Honesty Box, then convert it into a name so you know who left the message. The program is apparently bound with a random Keylogger/Trojan/Virus of the attackers’ choice.

This could be a perfect setup for scammers to phish accounts then use those compromised accounts to spam the application onto more Facebook walls where new victims can be attracted by the lure of “really secret stuff”. So much for being “honest”! Only time will tell if these becomes true. For now, if you use Facebook, protect yourself by avoiding this application.

It was found that you can view almost all the tweets of an account if you enter “site:twitter.com/username” (replace username with the Twitter name) in the Google search engine. Inevitably, this caused an alarm among Twitter users that value their privacy.

This security hole is able to be exploited, thanks to Google’s search bots which specialize in surfing the web for new pages. However, directly accessing a protected Twitter account is literally impossible at the moment. By entering ‘twitter.com’ and a user’s name, you are able to get a sneak preview of what an individual has been up to. For example, when you enter “site:twitter.com/billclinton” in the search engine you will get a glimpse of what has been on Bill Clinton’s mind, including his depression.

The results page will present you with a list of logged tweets. Surprisingly, tweets that seem to have been removed from a hidden account may also partially be displayed. Fortunately for some Twitter users, cnet.com reported that the situation is not as bad as we think. Apparently Google is not displaying ‘protected tweets’ but is indexing all ‘public tweets’, including tweets from profiles that were originally public but are now private.

So if you have always had your Twitter profile on private, you can relax. But if at some point in your life your Twitter account was public, I am afraid the tweets you made during that ‘public’ period will remain in Google’s index to be viewed by curious individuals. In essence, Twitter has done its part with regards to user profile security and users can rest assured that their ‘private tweets’ are indeed private.

The popular blog publishing application and content management system, WordPress, has fallen under heavy fire lately due to a particularly nasty little worm circulating many users’ blogs who are still using outdated versions of the blogging software.

The vulnerability that allows this attack was discovered on August 11, causing WordPress to quickly spring into action, advising users to upgrade to version 2.8.4. Unfortunately, many people have yet to make the move to this latest version, and the worm is taking advantage of the hesitation.

According to WordPress, the worm does not affect the current version 2.8.4 or the version prior to it. The worm also seems to only affect people who host their own WordPress blog, not those hosted on WordPress.com. The website also offers users links and instructions in order to upgrade, along with an FAQ for those who believe their blog may have been hacked.

The worm in question has proven difficult to detect and identify. Matt Mullenweg, founding developer of WordPress, proceeds to explain that the worm “registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at a user’s page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.”

While the danger is real, the methods by which one can easily protect themselves and their information is simple enough. Upgrade to the latest version of WordPress now if you have not done so already.

On Thursday, Facebook had stated it had disabled a total of six rogue applications that were attempting to steal Facebook user login credentials and spamming people. Unfortunately, mere hours later, more of these phishing applications appeared.

Five more, in fact, and according to Rik Ferguson, a researcher for Trend Micro, they have been identified under such names as “Matching”, “Pok”, “Friends”, “Friends Gifts” and “Your Photos”. By Thursday evening, these had been terminated as well. A spokeswoman for the social networking website stated that Facebook “will continue to ensure that all applications on Facebook Platform comply with Facebook policies.”

Ferguson, who had discovered six rogue applications earlier in the week, posted on his blog that, “The new rogue apps take the same format as previously but use different application icons, have slightly more credible notifications to your friends and also now feature bogus notifications to the profile owner, presumably in an effort to persuade the victim to install further apps and maximize the fraudsters’ advertising returns.”

It seems that while these applications were active, users had been receiving notifications that someone, typically a friend, had commented on one of their posts. These notifications were accompanied by links that redirects the victim to a phishing website where users are prompted to provide their login details, and then download the rogue application.

Following any of the directions contained in these notifications not only allows hackers to gain access to user Facebook accounts and their personal information, but in downloading these rogue applications, a victim’s friends are also spammed with these same messages, spreading the problem.

So please, while surfing Facebook, or any social networking media for that matter, be careful of what links you click on, and who to trust. Go over your privacy settings and remove any applications that you no longer use.