Published by the IEEE Computer Society
• According to Tom Maxwell, director of e-Business and Emerging Technologies at MasterCard International, the Payment Card Industry (PCI) Data Security Standard will be updated to focus on more secure software as hackers shift from network attacks to application attacks. However, businesses have found encryption too problematic without support for older payment systems, so the new PCI standard could offer alternatives to encryption, prompting concerns that it might weaken consumer protections. MasterCard and Visa developed the standard in 2005 to mandate security controls for credit-card transactions.
• Shell stopped accepting payments authorized through Chip and PIN technology at 600 of its 1,000 UK gas stations after discovering a fraud case resulting in the theft of more than £1 million from customer accounts. The Association of Payment Clearing Services (APACS) blamed the problem on "inside" hackers at Shell and said the theft didn't illustrate a problem in the technology itself. Shell says the suspension of Chip and PIN payments is only a temporary precaution while the Metropolitan Police investigate, and it hopes to start accepting such payments again as soon as possible.
• The US has received approval to extradite Gary McKinnon from the UK after British officials decided not to prosecute him because the "alleged crimes occurred within the US." McKinnon is accused of hacking US military and government computers and causing US$700,000 in damage, including by deleting data and damaging military networks. McKinnon's defense counsel fought extradition, arguing that McKinnon could be held as an enemy combatant and tried by a military tribunal rather than in a civilian court. The UK Home Secretary must still approve the extradition request in a process that could take up to a year.
• Many new cars contain keyless entry systems that use radio frequency identification (RFID), making them vulnerable to theft by hacking. The Mercedes S550 boasts a keyless antitheft ignition system that uses a 40-bit code, changed every time it's used, to unlock doors and start the engine. However, researchers at Johns Hopkins University managed to unlock and start a 2005 Ford Escape SUV without the key by using a laptop with an attached RFID reader to intercept only two challenge-response pairs. The researchers recommend abandoning 40-bit encryption for the stronger 128-bit Advanced Encryption Standard (AES).
• Because many organizations find phishing attacks increasingly harder to detect, Symantec is leveraging a network of companies put together by WholeSecurity—which it acquired in 2005—to launch the Phish Report Network and "bring a more professional approach" to antiphishing. Symantec has added Google, Yahoo, America Online, and Wells Fargo to the network, along with existing members Microsoft and Visa. RSA Security will contribute data from its eFraudNetwork antiphishing project, which includes banks among its participants. Although other antiphishing projects exist, Symantec says its network will have more resources devoted to it, including paid full-time researchers.
• A task force from Vietnam's Ministry of Public Security and the Bach Khoa Information Securities Centre (BKIS) traced a distributed-denial-of-service (DDoS) attack against e-commerce company Viet Co. The culprit, who allegedly wrote a Trojan to assemble botnet attacks, is the first hacker to be arrested in Vietnam. To target cybercrime, Vietnam is also planning to launch the Computer Emergency Response Team Coordination Centre in late 2006.
• According to RSA Security, phishers started to favor attacks against international brands over US brands for the first time in April 2006. UK brands were targeted more than any other non-US country, accounting for 42 percent of international targets, with Spanish brands at 26 percent, Italian brands at 10 percent, Canadian brands at 10 percent, and German brands trailing at 5 percent. The attack trend toward international brands comes as phishers focus on attacks outside the English-speaking world. The US also shows signs of "phishing fatigue" as businesses start to do more to protect their customers. The US, however, still remains the host or relay for two-thirds of all phishing emails.
• The US Department of State decided not to use 900 computers purchased from Chinese-owned Lenovo on classified computer networks. The US-China Commission, a bipartisan congressional commission, raised concerns when the State Department announced the purchase of 16,000 desktop computers from Lenovo, with 900 to be used on secret networks connected to the US Department of Defense's classified Secret Internet Protocol Router Network (SIPRnet). The State Department is changing its procurement processes to better track changes in vendor ownership that could affect national security.
• A virus-infected PC is responsible for publishing security data from a thermal power plant on the Internet. Sensitive data from Chubu Electric Power Company's thermal power plant in Owase, Japan, was transferred via the "Share" file-sharing program. The leaked data includes the locations of various facilities, manuals on how to deal with unconfirmed reports of intruders in the plant, and the names, home addresses, and other personal data of security guards and other employees.
• According to security firm Postini, instant-messaging (IM) attacks increased 25 percent during April 2006 over the prior month. Postini believes such attacks are becoming more sophisticated as hackers begin to use their experience with email viruses to launch immediate attacks in the IM sphere, on which the security community still focuses little attention. Threats against IM, file sharing, and other real-time communications rose 1,700 percent in 2005; IM attacks involving worm propagation rose 90 percent. Postini believes that criminal organizations are favoring IM attacks as consumers and businesses tighten email protections.
• US Representative Michael Fitzpatrick (R-Penn.) and some of his fellow Republicans recently proposed a bill—the Deleting Online Predators Act (DOPA)—that would require schools and libraries to block access to social networking sites, such as MySpace, Facebook, and LiveJournal. A group of congressional lawmakers called the "Suburban Caucus" drafted the bill to address their suburban constituents' concerns. Many parents feel that social networking sites might expose their children to sex offenders. The bill builds on the Children's Internet Protection Act signed into law by President Bill Clinton in 2000, which requires libraries and schools receiving federal funding to implement adult-content filters.
• In response to Western companies' demands for better data protection for their customers, India—under the leadership of the National Association of Software and Service Companies (NASSCOM)—is launching a self-regulatory organization to address data-theft incidents at call centers and is pushing for data-protection laws. Data security is becoming a competitive advantage for countries seeking a foothold in the outsourcing industry. NASSCOM will establish privacy and security standards, monitor adherence to those standards, and work with law enforcement to address data breaches. NASSCOM has invested US$300,000 in the organization, will appoint a chief executive within six months, and has helped train law enforcement to deal with cybercrime.
• The UK's Home Office is seeking to enforce a controversial section of the Regulation of Investigatory Powers Act (RIPA) that gives police the power to compel individuals and organizations to disclose encryption keys. Home Office minister of state Liam Byrne says such policies are needed as more criminals, pedophiles, and terrorists use widely available encryption tools. Under RIPA, anyone who refuses to provide encryption keys or decrypt ciphertext faces up to two years in prison; terrorist suspects already face five years in prison for refusing to decrypt. Banks, however, are concerned that the government could seize the encryption keys behind financial networks. Businesses might accept enforcement more readily if the act is amended to require only decryption, allowing banks and other international businesses to protect encryption keys from government officials.
• US Attorney General Alberto Gonzales has called for Internet service providers (ISPs) to preserve the data they routinely delete to aid in child pornography investigations. Following Gonzales's lead, US Representative Diana DeGette (D-Colo.) has proposed a data-retention law that would require ISPs to hold active customers' usage records indefinitely, with data deletion allowed only a year after customers close their accounts. An expansive reading of the proposal could also require coffee houses and home wireless users to retain such records, as well as every Web site. Kate Dean, director of the US Internet Service Provider Association, notes that ISPs already cooperate with law enforcement and that it's unclear whether routine data deletion really impedes investigations.
• US Circuit Judge Harry T. Edwards criticized the US Federal Communications Commission's (FCC) decision to require Internet phone service and broadband service providers to comply with the 1994 Communications Assistance for Law Enforcement Act (CALEA). Judge Edwards told FCC lawyer Jacob Lewis that his argument was "gobbledygook." The US Department of Justice aggressively lobbied the FCC to apply CALEA to Internet phone calls, warning that failure to do so would create a "safe haven" for criminals and terrorists. Critics say the FCC regulation doesn't adhere to Congress's intent for CALEA and that the telephone-era law is ill-suited to the Internet. The FCC regulation goes into effect May 2007.
• According to a study conducted by the Ponemon Institute on behalf of Unisys, most consumers would share personal data if it would make life more convenient and they knew the data would be protected. In fact, 82 percent favored biometric technology because of the convenience it offers. Unisys has suggested a single interoperable system for worldwide use based on a multipurpose smart card that could hold several digital certificates and other credentials. Such a card could take the place of driver's licenses and bank cards, and prove useful for Internet commerce. Unisys has already issued 17 million smart cards in Malaysia under such a scheme. Of the study's respondents, 46 percent would trust banks to issue smart identity cards and 45 percent would trust government, but only 40 percent would trust police and 38 percent private businesses.
• British Internet service provider (ISP) Wanadoo has fixed a mistaken configuration on one of its servers that let Web site visitors see the entire contents of a folder rather than just the index page. Visitors were able to view the names, usernames, passwords, email addresses, and Web subdomains of customers listed on the affected server. Posts in Wanadoo's user forum suggest that such a problem might have existed for two years, but Wanadoo says it has no evidence the misconfiguration was ever exploited. Wanadoo assures customers that the flaw was an isolated incident and was fixed upon discovery.
• The US Department of Homeland Security (DHS) has released a report criticizing radio frequency identification (RFID) for its security and privacy risks, arguing that the technology offers little benefit compared to alternatives. The DHS and the US Department of State are developing a common RFID standard for a variety of identity-card programs, including the Secure Electronic Network for Travelers' Rapid Inspection (SENTRI) and Nexus trusted traveler cards, the Mexican Border Crossing Card, the Free and Secure Trade card for truck drivers, and the People Access Security Service (PASS) card. The report warns that RFID can be used to monitor people, leading the DHS's Privacy Office to support its use for miners, firefighters, and other dangerous professions. The technology industry has been trying to educate users about the difference between RFID tags—which are generally open and unprotected—and contactless smart cards—which also use radio signals to transfer data, but in a protected format.
• According to a panel discussion held at the Computer, Freedom, and Privacy Conference in Washington, DC, electronic medical records and President George W. Bush's proposed National Health Information Network promise great advances in healthcare, but could pose significant privacy risks if improperly implemented. The World Privacy Forum has released a report giving examples of medical identity theft and error leading to misdiagnoses. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 gives guidelines for proper handling of medical data, but gives consumers little control over their health records and how they're shared. However, the recent rash of thefts of laptops, desktops, and backup tapes from several hospitals leads many to wonder whether hospitals are prepared to protect patient privacy in electronic records.
• The Electronic Frontier Foundation (EFF) has sued AT&T for allegedly participating in a US National Security Agency (NSA) program to compile metarecords about domestic US phone calls. The EFF's suit is based on documents provided by whistleblower and former AT&T technician Mark Klein. AT&T moved to have the documents stricken from the public record to protect trade secrets, but US District Judge Vaughn Walker refused and ordered AT&T and the EFF to produce redacted documents. The federal government moved to have the case dismissed to protect state secrets and national security; the court heard the government's argument in June 2006.
• The US Department of Veterans Affairs (VA) lost 26.5 million veterans' personal data after a departmental computer and disk were stolen during a burglary at a data analyst's house in May 2006. VA Secretary James Nicholson didn't learn of the theft for two weeks, and the public wasn't informed until a week after that. The lost data includes veterans' names, birthdates, and social-security numbers. The employee responsible had been taking the personal data home to work since 2003. The VA recovered the laptop, aided by a tipster's information, in June 2006. After a preliminary forensic investigation, the Federal Bureau of Investigation determined the personal data hadn't been accessed. No identity theft due to the stolen information has been reported.