Former DuPont researcher hit with federal data theft charges

A former research scientist at DuPont USA who is already facing civil charges for allegedly attempting to steal corporate secrets from the company has been hit with a federal criminal complaint on the same charges. Prosecutors charged Hong Meng with exceeding his authority to access a protected computer when he downloaded certain documents from his DuPont-issued laptop computer to an external thumb drive and then onto his home computer. Meng, a Chinese national with permanent resident status in the U.S., was arrested Oct. 2 and appeared before Magistrate Judge Mary Pat Thynge.

He was released on the condition that he establish a permanent address in Delaware by Oct. 16, from where he can be electronically monitored. The federal complaint sheds some light on what led to the charges against Meng, who joined DuPont in 2002 and worked at the company's Central Research and Development facility in Wilmington, Del. DuPont in September filed a lawsuit in Delaware Chancery Court accusing Meng of stealing data on a new, thin-computer display technology called "organic light emitting diode," or OLED. DuPont claimed that Meng planned to use the stolen information to commercialize products using OLED technology with Peking University in Beijing, which is developing similar technology. During the course of his work at DuPont, Meng had extensive access to cutting-edge OLED research information, which DuPont considered trade secret information. In June, Meng informed DuPont officials that he was resigning from the company to join DuPont in China.

The OLED research data was stored by DuPont in three separate Lotus Notes databases and could be accessed only by a limited number of employees using two-factor authentication. During a meeting with his supervisor, Meng asked for permission to transfer files from his company laptop to systems in DuPont China. Though he was denied permission to do so, Meng in August allegedly went ahead and copied nearly 600 files from his company-issued computer onto an external storage device. Nearly 550 of those files were later found on his home computer, which DuPont investigators inspected with Meng's permission. A forensic analysis of the home computer also showed that more than 175 of the DuPont files had been opened using the Internet Explorer browser, suggesting that Meng had accessed or sent these documents using a personal e-mail account, according to court documents.

Meng is also alleged to have downloaded a Microsoft Word document with information on a specific procedure invented by DuPont to improve the stability and performance of organic electronic materials, court documents said. The majority of the incriminating documents allegedly found on Meng's computers originated from DuPont's protected Notes databases and related to DuPont's OLED research priorities and evaluation of the commercial viability of the technology. According to court papers, DuPont has spent millions of dollars and put in more than 17 years of research into developing OLED technology. DuPont investigators also found evidence on Meng's computers that he had accepted a position at the department of advanced materials and nanotechnology at Peking University's College of Engineering. Meng had taken the job without informing DuPont, as he was required to. Papers filed in connection with the civil complaint against Meng described Peking University as a rival in the area of OLED research.

Meng himself claimed that he considered the information he had downloaded to be "reference materials" for his job at DuPont in China. He has also maintained that the documents never left his control, the complaint noted. This is the second time in recent years that DuPont has been involved in an incident involving an alleged compromise of its trade secrets. In February 2007, Gary Min, a former research scientist at DuPont, admitted to stealing proprietary information valued at $400 million from the company. Min is serving an 18-month prison sentence after pleading guilty to the theft.

Twitter warns of new phishing attack

Twitter warned users Tuesday of a new phishing scam on the social networking site. The message reads, "hi. this you on here?" and includes a link to a fake Web site designed to look like a Twitter log-in page. It's the latest in a series of scams that have plagued the site over the past year, designed to trick victims into giving up their user names and passwords. "We've seen a few phishing attempts today, if you've received a strange DM and it takes you to a Twitter login page, don't do it!" Twitter wrote on its Spam message page. After entering a user name and password, victims land on an empty blogspot page belonging to someone named NetMeg99. Neither of these pages appears to include any type of attack code, but both should be considered untrustworthy, according to Sophos Technology Consultant Graham Cluley. "It seems like this was a straightforward phishing campaign, rather than an attempt - at this stage at least - to spread virally," he said via email.

Once a user has been phished by the attack, the criminals are then able to direct message all of the victim's contacts with the phishing spam. "These sort of things have been happening for over a year on Twitter," Cluley said in an interview. Victims get these direct messages only from people they follow on Twitter, so they seem more believable than other types of spam. Hacked Twitter accounts are a great launching pad for more attacks, Cluley said. "We don't know precisely what they're going to do in this case, but often they will send spam messages to advertise a particular site." Because about a third of users have the same passwords for all of their online activity, criminals can also use the same log-in information to try to get into other Web services such as Gmail or Yahoo, Cluley said. "If you've fallen for one of these traps, don't just change your Twitter password; change your password on every Web site you use," Cluley said. "Use non-dictionary words and use something that's hard to guess." The Twitter attack comes as Facebook users are also under siege. Security researchers say that a spam botnet has sent out hundreds of thousands of fake password reset messages. When victims try to open an attachment that supposedly contains their new password, they end up running a Trojan horse program, called Bredolab, that then installs unwanted software on their PCs.

New Firefox security technology blocks Web attacks, Mozilla claims

Mozilla has released a test build of Firefox that adds new technology designed to stymie most Web-based attacks, the browser maker said Sunday. The technology, dubbed "Content Security Policy" (CSP), is a Mozilla-initiated specification targeted at Web site and application developers, who will be able to define which content on the site or in the online application is legitimate. That would block any script or malicious code that's been added by hackers who manage to compromise the site or app.

Such attacks are generally tagged with the label of cross-site scripting (XSS). Preview editions of Firefox are available for developers to try out, said Mozilla in an announcement last week. "This isn't a single trick that's meant to counter a single kind of attack," said Johnathan Nightingale, the manager of the Firefox front-end development team. "This helps sites solve cross-site scripting, but it's more than that." Firefox is passing the baton to site and application developers, who will be able to separate the legitimate from the illicit content. With CSP in place, Firefox will allow the former but will automatically block the latter. "It is in some ways similar to NoScript," said Brandon Sterne, Mozilla's security program manager, referring to the popular Firefox add-on that blocks JavaScript, Java, Flash and other plug-ins often abused by hackers. "The main difference is that the Web site itself is determining the policy. They now have a way to shut everything dynamic off, so that no matter what content gets added to a site, if it's on the page and they've sent us policy instructions in its header, we shut it down. NoScript is a great tool, but a large number of Web users are not sophisticated enough to manage the kind of decisions it requires." Nightingale and Sterne have pinned high hopes on CSP, which grew out of an idea first put forward by security researcher Robert "rsnake" Hansen in 2005. Last year, Hansen, the CEO of SecTheory, and Jeremiah Grossman, chief technology officer at WhiteHat Security, made headlines when they revealed details about how browsers were vulnerable to so-called "clickjacking" attacks. "Absolutely, this will drive a stake through the heart of cross-site scripting attacks," argued Sterne. "An attacker injects some script that harms the users of that site; that encompasses content injection. Out of the box, CSP [lets sites send] signals to the browser that says, 'We're gonna turn off everything by default.' Cross-site scripting will be neutered at that point."

But Nightingale and Sterne realize that, even with nearly a quarter of the world's Internet users running Firefox, Mozilla faces a tough road if it's the only browser maker pushing CSP. "Both the Internet Explorer and Chrome teams have contributed to the design discussions of the specification," said Sterne. "They have some tentative interest in implementing it at some point in the future." Earlier this year, Eric Lawrence, a program manager on Microsoft's Internet Explorer (IE) team, called CSP "a good idea" and "a promising approach" in a pair of entries on the official IE blog, but did not commit Microsoft to supporting the technology. Google, the maker of Chrome, was not available over the weekend, but the company has previously said it generally doesn't comment on future product development. Mozilla isn't the only browser maker trying to protect users from cross-site scripting attacks. Microsoft, for example, added a cross-site scripting filter to IE8 that the company said would block most attacks. "It's great to see that others are taking this threat seriously, as well," said Sterne. Mozilla must also convince site and application developers that it's worth their while to use CSP. Nightingale and Sterne declined to name the sites that have expressed interest in using the technology. "The first step is for us to use it," said Nightingale, adding that Mozilla would turn one of its online properties into a guinea pig to show others that CSP is possible, and to iron out problems. The pair was also vague about when CSP would debut in a production version of Firefox. The one thing they did say was that it wouldn't show up in the minor upgrade, Firefox 3.6, that's to ship in November. The first, and likely only, beta of Firefox 3.6 is slated to ship Oct. 13. "Whatever comes after 3.6, that's the earliest," said Sterne.

Preview builds of Firefox with CSP enabled can be downloaded for Windows, Windows Mobile, Mac and Linux from Mozilla's server. Sterne has also posted a demonstration page that graphically shows how various scripts are blocked by the technology.
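The mechanism the article describes, a site-sent policy that the browser enforces, shown as an added example that is not from the article, from Mozilla or from the CSP specification: a small Python evaluator for the script-src part of a Content Security Policy header, deciding whether an inline script or an external script from a given URL would run. The directive syntax used ("default-src", "script-src", 'self', 'unsafe-inline') is that of the later standardized CSP, which is an assumption here; the 2009 Firefox preview used an earlier draft syntax, and the page origin, script URLs and policies are constructed sample values.

```python
"""Added example: minimal script-src evaluator for a CSP header.
Assumes the standardized CSP directive syntax (an assumption; the 2009
Firefox preview build used an earlier draft syntax)."""
from urllib.parse import urlsplit

def parse_policy(header):
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def origin_of(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def effective_sources(policy, directive="script-src"):
    """script-src falls back to default-src; neither present means no restriction."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")

def _matches(source, page_origin, script_url):
    source = source.lower()
    host = urlsplit(script_url).hostname or ""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(script_url) == page_origin.lower()
    if source == "*":
        return True
    if "://" in source:                 # scheme + host, e.g. https://cdn.example.com
        return origin_of(script_url) == source.rstrip("/")
    if source.startswith("*."):         # wildcard host, e.g. *.example.com
        return host.endswith(source[1:])
    return host == source               # bare host name

def inline_script_allowed(policy):
    sources = effective_sources(policy)
    if sources is None:
        return True
    return "'unsafe-inline'" in (s.lower() for s in sources)

def external_script_allowed(policy, page_origin, script_url):
    sources = effective_sources(policy)
    if sources is None:
        return True
    return any(_matches(s, page_origin, script_url) for s in sources)

def evaluate(header, page_origin, script_urls):
    """Decide, per script, whether a CSP-aware browser would run it."""
    policy = parse_policy(header)
    verdict = {"inline": inline_script_allowed(policy)}
    for url in script_urls:
        verdict[url] = external_script_allowed(policy, page_origin, url)
    return verdict

# Constructed sample: the page's origin, one legitimate script, and one
# foreign script URL of the kind a content injection would add to the page.
PAGE_ORIGIN = "https://www.example.com"
LEGIT_SCRIPT = "https://static.example.com/app.js"
INJECTED_SCRIPT = "https://injected.example/payload.js"
WEAK_POLICY = "default-src *; script-src * 'unsafe-inline'"
STRICT_POLICY = "default-src 'none'; script-src 'self' https://static.example.com"

if __name__ == "__main__":
    for name, header in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, evaluate(header, PAGE_ORIGIN, [LEGIT_SCRIPT, INJECTED_SCRIPT]))
```

With the strict policy the inline block and the foreign script are refused while the site's own scripts still run; with no header at all, or the permissive one, everything runs, which is the pre-CSP behaviour the article contrasts against.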

Apple defends AT&T, says partner will fix iPhone problems

Apple executives yesterday again stuck up for their exclusive U.S. partner, AT&T, and said that they approved the carrier's solutions to long-running problems handling iPhone traffic. During Apple's quarterly earnings conference call Monday with Wall Street analysts, Gene Munster of Piper Jaffray & Co. asked about AT&T's troubles. "AT&T has had a lot of bad press here recently and obviously that impacts your brand," Munster said. "Can you remind us what the benefits and the virtues of sticking with a single carrier in the U.S. are?" Tim Cook, Apple's chief operating officer, repeated what the company has said before: "AT&T is a great partner." He also downplayed the "bad press" that Munster alluded to. "I think it is important to remember that they have more mobile broadband usage than any other carrier in the world," said Cook. "In the vast majority of locations, we think that iPhone customers are having a great experience from the research that we have done." Many iPhone owners would disagree. They've complained about AT&T's network since Apple unveiled the smartphone in June 2007, and ramped up their sniping after the July 2008 release of the iPhone 3G, the first model to use AT&T's faster data network.

A dozen lawsuits from consumers tired of their iPhone 3G devices constantly dropping calls or having trouble connecting to AT&T's network are still pending, although they were consolidated by a federal judge last summer. Apple's Cook admitted that AT&T service wasn't trouble-free, but said its partner is on the case. "AT&T has acknowledged that they are having some issues in a few cities and they have very detailed plans to address these," Cook said yesterday. "We have personally reviewed these plans and we have very high confidence that they will make significant progress towards fixing them." AT&T has conceded poor network performance in Manhattan and parts of San Francisco, but has promised to deal with the problems. "You'll see this is going to be fixed. We'll do a lot better," Ralph de la Vega, CEO of AT&T Mobility and Consumer Markets, said during a December 2009 financial conference. AT&T has taken other steps to address its service issues, including releasing an iPhone application that lets customers submit complaints of poor reception directly from their smartphones. Even so, Apple has continued to defend AT&T when it came under attack by Verizon, the rival most often mentioned as the likely addition to the list of carriers allowed to sell the iPhone. Many analysts believe that AT&T's exclusive contract for the iPhone will end this June, three years after the debut of the original model.

Apple television advertisements last November, for example, stuck up for AT&T as Verizon belittled the carrier's 3G coverage in a still-running campaign. AT&T relies heavily on the iPhone to boost its subscriber numbers, according to Brian Marshall, an analyst with BroadPoint AmTech. Marshall estimates that the iPhone is responsible for over 90% of AT&T's net additions to its customer rolls. "The iPhone is by far the single most important driver of the postpaid subscriber addition market in the US today," Marshall said in a recently released research note to clients. Apple sold 8.7 million iPhones in the quarter that ended Dec. 31, a 100% jump over the previous year and almost 1.4 million more units than the previous record of 7.4 million, which was set in the quarter ending Sept. 30, 2009. Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.

WhatsUp Gold buys Windows security management vendor

WhatsUp Gold, the network management division of Ipswitch, Tuesday announced it had acquired for an undisclosed sum Dorian Software, a maker of security event and log management products for Windows environments. By adding Dorian technologies to its portfolio, WhatsUp Gold will be able to offer customers additional capabilities at an affordable price, company executives said. "We believe our mutual customers will greatly benefit from a single vendor supporting the gamut of network management tasks from device utilization and bandwidth monitoring, systems and application management, traffic analysis, VoIP and now security and compliance solutions via in-depth log management," said Ennio Carboni, president of WhatsUp Gold, in a statement. The WhatsUp Gold division of Ipswitch delivers network management software of the same name, which is targeted at small to midsize companies, though the vendor has added enterprise-level capabilities in more recent releases. The Dorian Software acquisition would equip the network management software maker with additional capabilities on the security information and event management (SIEM) and log management front.

Dorian specializes in Windows security event management and log management for small businesses and enterprise-level organizations. These two feature sets have been coming together from security management vendors such as Q1 Labs, NitroSecurity and Tripwire. Company founder, president and CEO Andy Milford used WhatsUp Gold in the past and said coupling Dorian technology with that of Ipswitch would benefit customers. "This feels like a coming home for me personally, given my long-standing familiarity with and appreciation of WhatsUp Gold products," Milford said in a statement. "I couldn't be happier that Ipswitch is going to be the company to take our software to the next level in terms of sales and market penetration."

Companies patch OS holes, but biggest priority should be apps

Corporations appear to be much slower in patching their applications than their operating systems - even though attackers are mainly targeting vulnerabilities in applications, according to a new report. "Now we know which vulnerabilities are being patched and which are not," says Alan Paller, director of research at the SANS Institute. The report, "The Top Cyber Security Risks," is based on data collected between March and August and was a collaborative effort by SANS, TippingPoint and Qualys. The report shows that 80% of Microsoft operating system vulnerabilities are being patched within 60 days, but only 40% of application vulnerabilities, including those in Office and Adobe products. The group analyzed six months of data related to online attacks, collected from 6,000 organizations using the TippingPoint intrusion-prevention system, along with data related to more than 100 million vulnerability scans performed on behalf of 9,000 customers of the Qualys vulnerability assessment service. Meanwhile, the majority of online attacks are aimed at applications, particularly client-side applications, making this the No. 1 priority named in the report.

The main attack methods used against Web sites were SQL injection and cross-site scripting. During the six-month timeframe, more than 60% of all attack attempts monitored by TippingPoint were against Web applications, in order to convert trusted Web sites into malicious sites serving up malware and attack code to vulnerable client-side applications. In terms of vulnerability and exploitation trends, popular methods include attempting to brute-force passwords by guessing, with Microsoft SQL, FTP and SSH servers among the most popular targets. Zero-day vulnerabilities - which occur when a flaw in software code is discovered and exploit code appears before a fix or patch for the flaw is available - were popular in targeted attacks, according to the report. Some of the main vulnerabilities being exploited include the malicious Apple QuickTime Image File download (CVE-2009-0007); Microsoft's WordPad and Office Text Converter Remote Code Execution Vulnerability (MS09-010); and multiple Sun Java vulnerabilities. Six notable zero-day flaws in the past six months include:

* The Adobe Acrobat & Flash Player Remote Code Execution Vulnerability (CVE-2009-1862)
* Microsoft Office Web Components ActiveX Control Code Execution Vulnerability (CVE-2009-1136)
* Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (CVE-2008-0015)
* Microsoft DirectX DirectShow QuickTime Video Remote Code Execution Vulnerability (CVE-2008-0015)
* Adobe Reader Remote Code Execution Vulnerability (CVE-2009-1493)
* Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2009-0556)

The report concludes by pointing out that finding zero-day vulnerabilities seems to be getting easier as "a direct result of an overall increase in the number of people having skills to discover vulnerabilities worldwide."

SAP: Outreach to Oracle about Java, not help with Sun deal

SAP said Wednesday it contacted Oracle and its CEO, Larry Ellison, in recent months over concerns about the future of the Java programming language and competition in the database market, not to offer help facilitating Oracle's purchase of Sun Microsystems, which is being held up by a European antitrust review. The statement follows a recent Wall Street Journal editorial that speculated about the latter possibility. The editorial was based on a letter sent to Ellison on Sept. 15 by SAP CEO Léo Apotheker, which consisted of the following statement, according to the Journal: "As you know, we have significant concerns about Oracle's proposed takeover of Sun. We renew our invitation to meet to attempt to resolve our concerns and other open issues between our companies. Please let us know if and when you would like to meet."

The Journal noted that "other issues" between the two companies include an ongoing intellectual property lawsuit Oracle filed against SAP in connection with TomorrowNow, a now-shuttered subsidiary of SAP that provided third-party support for Oracle applications. SAP "strongly rejects" the editorial's "misleading speculation," Wednesday's statement said, reiterating remarks by an SAP spokesman earlier this week. Instead, SAP has "concerns about customer choice in the database market and the future open licensing of Java," and first contacted Oracle and Sun about the matter "as far back as the end of July 2009." "Since there was no response, our CEO Léo Apotheker took the initiative and wrote to both Oracle and Sun CEOs in the middle of September to voice our concerns again, offer a dialogue, and attempt to clarify the issues. We have not heard back from Oracle, but instead found Léo Apotheker's letter leaked to the press last week," the statement adds. "This is both telling and disappointing as it demonstrates that there is no real interest by Oracle to listen and explain how it wants to ensure the required level of customer choice in the database market as well as open access to Java." In a blog post on Monday, SAP CTO Vishal Sikka also called for more openness in Java. Meanwhile, this week the European Commission issued a formal statement of objections to Oracle and Sun regarding the merger. The body is particularly concerned over the fate of Sun's open-source MySQL database if it comes under Oracle's ownership.

An Oracle spokeswoman declined comment.