Published by the IEEE Computer Society
• A French Ministry of Defense report highlights security flaws found in OpenOffice, an open source office suite. The flaws center on four proof-of-concept viruses that use macros and templates to compromise the software. The report follows a one-year study conducted by French computer security researchers that compared OpenOffice to Microsoft Office and found "the viral hazard attached to OpenOffice is at least as high as that for the Microsoft Office suite and even higher when considering some […] aspects." The report will be published in the Paris-based Journal of Computer Virology. Louis Suarez-Potts, an OpenOffice.org community manager, says one flaw highlighted in the report has already been fixed, and he's working with the researchers to improve the software's overall security.
• Security software vendors and banks have teamed up in an effort to increase their respective revenue streams. The partnerships help banks persuade wary customers to use Web-based services by offering online antivirus tools at discounted prices and let security software makers reach targeted users and generate new revenue. So far, Barclays Bank has teamed up with F-Secure, and Morgan Stanley has paired up with Symantec, but industry analysts expect to see an increasing number of partnerships. "It's an open question regarding how successful these deals will be in terms of generating sales," says Andrew Jaquith, an analyst at Yankee Group, "but it's a good way of experimenting."
• Kaspersky Lab is predicting that traditional instant messaging (IM) worms, which spread along single IM networks, will give way to next-generation IM worms that not only spread via multiple IM networks but also use variable messages and download links. Roel Schouwenberg, a senior research engineer at Kaspersky Lab, believes sophisticated IM worms will increase because the "code used to write them can be easily copied" and spread across all major IM networks. Mac users aren't immune either. In February 2006, the first Mac OS X IM worm spread using Apple's iChat application. Although the worm was a proof of concept, Schouwenberg says that "more malware will undoubtedly start to appear" for Macs as Apple's share of the PC market grows.
• According to Kevin Mandia, president of Mandiant, a security firm, attack methods are becoming more sophisticated, outpacing security forensic tools and increasing the time it takes incident response teams to find malicious code. For example, attackers are using phony active server pages to infect users' PCs with malicious code that lets them take control of PCs.
• The source code for BBProxy, a hacking program that attacks corporate intranet hosts through BlackBerries, has been released by Praetorian Global. Jesse D'Aguanno, director of security research at Praetorian and the program's creator, describes the new form of attack as "blackjacking." The program, which attackers can install on a BlackBerry or which can be sent to users in an email attachment, opens a communications tunnel between the attacker and a compromised host on an improperly secured network. D'Aguanno says that corporate perimeter defenses can't detect the attacks because the data channel between the BlackBerry and its server is encrypted. Research in Motion, the maker of the BlackBerry, has issued security guidelines on configuring a more secure BlackBerry architecture.
• During May, June, and July 2006, brute-force attacks against small- and medium-sized businesses increased by more than 1,000 percent, according to a report issued by Alert Logic, a network security company. The company said attackers are using brute-force password-cracking techniques to target services such as FTP. Johannes Ullrich, an analyst at SANS Institute, agrees that brute-force attacks have increased, but has yet to see numbers as high as those reported by Alert Logic. Nevertheless, Ullrich says the reason brute-force attacks are so successful is because of their simplicity. "Brute-force attacks are amazingly successful and simple," he says. "They do not require any particular exploit, but just a script to automatically guess the right password."
• Joseph Colon, a computer consultant, using free software found on the Internet, gained access to the US Federal Bureau of Investigation (FBI) director's password. The consultant had been installing the now-defunct Trilogy technology upgrade and used the passwords to speed up the installation process after becoming frustrated with the bureaucratic authorization process in performing routine tasks such as setting up workstations, printers, user accounts, and moving individual computers from one operating system to another.
• Only 22 percent of the largest merchants that process more than 6 million transactions per month are in compliance with the Payment Card Industry (PCI) Standard that went into effect in June 2005. The standard requires merchants to secure their networks, encrypt databases, and audit their systems regularly. Eduardo Perez, vice president of corporate risk and compliance for Visa USA, expects two-thirds of large retailers to become compliant by year's end. Noncompliant merchants face up to US$500,000 per data breach.
• McAfee reports that it has recorded the 200,000th piece of known malware code. The security provider says it took 18 years for it to reach 100,000 malicious threats in 2004. Based on its records, McAfee says the second 100,000 malware threats appeared in 60 percent less time than the first 100,000. McAfee vice president of global research and threats, Stuart McClure, says "hackers and malicious code authors are releasing threats faster than before, with approximately 200 percent more malicious threats per day than two years ago." Based on that current rate, McAfee estimates it will identify its 400,000th threat in less than two years' time.
• Virus writers have created a polymorphic virus that spreads using the Interactive Disassembler Pro (IDA) program, which lets security researchers analyze code behavior. Carole Theriault, a security consultant with antivirus company Sophos, describes the malware authors' approach to spreading the virus as "odd" because the virus is programmed to target IDA's scripting language and infect the executable files of utilities used by antivirus researchers—programs not found on the average user's PC.
• America Online's (AOL) release of 20 million search queries submitted by its users has led Massachusetts Representative Edward Markey to renew his efforts to pass legislation that limits the amount of personal data that companies can retain. Markey authored the Eliminate Warehousing of Consumer Internet Data Act of 2006 in February, but the bill stalled in House subcommittee deliberations. Markey hopes the furor over AOL's data miscue will help move the bill forward. The bill would prevent Web sites from storing personal data for indefinite periods of time.
• Glasgow-based NetIDme has introduced virtual ID cards in an effort to keep children safe online. NetIDme creates a virtual ID card that displays the child's first name, age, gender, and general location. Children can exchange the cards while in chat rooms, on social networking sites, or during instant messaging (IM) to identify who they're communicating with. The software awards points that can be exchanged for prizes for each ID the child checks or issues, encouraging the verification of online friends. According to the Center for Missing and Exploited Children, only one-third of households with Internet access use filters to protect their children.
• The US Federal Bureau of Investigation (FBI) has drafted legislation that would expand the Communications Assistance in Law Enforcement Act (CALEA). The CALEA amendments would require manufacturers of routers and network address translation hardware to upgrade or modify their hardware to allow Internet wiretapping. Other amendments include forcing Internet service providers (ISPs) to identify voice-over-IP (VoIP) calls and eliminating the requirement that the US Department of Justice publish the number of actual intercepts each year.
• In an effort to ward off further data breaches at the Veterans Administration (VA), several joint US House subcommittees have introduced The Veterans Identity and Credit Security Act. The act creates a new position, the undersecretary of information services, which would also serve as the VA's chief information officer (CIO). Previously, the VA CIO position was classified as an assistant secretary position; the act would promote the position, directly reporting to the VA secretary and deputy secretary.
• A desktop containing the unencrypted personal information of as many as 38,000 Veterans Administration (VA) patients has disappeared. The desktop was taken from the Reston, Pennsylvania office of Unisys, a subcontractor assisting the VA in insurance collections. The desktop contains the patients' names, addresses, social security numbers, birthdays, and military service dates. This theft follows a May 2006 theft in which a laptop containing 26.5 million veterans' and active duty military personnel's information was stolen from a VA analyst's home. Unisys is offering free credit monitoring to those veterans affected by the data breach but has yet to partner with a credit-monitoring provider.
• In March 2006, the US Army Network Enterprise Technology Command purchased laptops with the Trusted Platform Module (TPM) installed. The purchase conforms to the Army's earlier mandate that all new computers contain TPM. However, older PCs won't be retrofitted with it. The Department of Defense might adopt the same requirement if the army is successful with its TPM deployment.
• Lukas Grunwald, security consultant with German-based DN-Systems, has cloned the electronic passports containing radio frequency identification (RFID) chips that the US and other countries plan to use later this year. Grunwald says the RFID chips are too easy to copy and calls the e-passport design "totally brain damaged." However, the e-passport uses cryptographic hashes to authenticate the data so Grunwald has so far been unable to change the RFID chip's data without detection. According to Frank Moss of the US State Department, the passport's designers have long known about the chip's ability to be cloned and have added security safeguards into the passport's design, such as embedding the passport holder's digital photo into the data page. Moss stresses that the US has no plans to fully automate the passport inspection system, pointing out that officials would catch any discrepancy between the data stored on the RFID chip and a physical inspection of the passport. Still, Grunwald is unimpressed. "From my point of view," he says, "it should not be possible to clone the passport at all."
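The point of the Grunwald item is that a hash-based security object protects the integrity of the chip's data but says nothing about whether the chip is an original. The following added example (not from the report or any e-passport implementation) models that distinction: constructed data groups, SHA-256 hashes over each group, and an HMAC standing in for the issuing state's digital signature, so a bit-for-bit clone verifies while any edited data group does not.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample data groups for one passport (not real data).
SAMPLE_DATA_GROUPS = {
    "DG1_mrz": "P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<",
    "DG2_photo": b"constructed-photo-bytes".hex(),
}
# Assumption: an HMAC key stands in for the issuer's private signing key;
# real passports use a public-key signature over the security object.
ISSUER_KEY = b"constructed-issuer-key"


def hash_data_groups(data_groups):
    """One SHA-256 digest per data group, as stored in the security object."""
    return {name: hashlib.sha256(value.encode()).hexdigest()
            for name, value in sorted(data_groups.items())}


def sign_security_object(hashes, key):
    """Bind the hash table to the issuer (HMAC stand-in for a signature)."""
    serialized = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(key, serialized, hashlib.sha256).hexdigest()


def issue_chip(data_groups, key):
    """Personalise a chip: data groups plus a signed table of their hashes."""
    hashes = hash_data_groups(data_groups)
    return {"data_groups": dict(data_groups),
            "security_object": {"hashes": hashes,
                                "signature": sign_security_object(hashes, key)}}


def verify_chip(chip, key):
    """Inspection check: signature must be valid and every hash must match."""
    sod = chip["security_object"]
    if not hmac.compare_digest(sign_security_object(sod["hashes"], key),
                               sod["signature"]):
        return False
    return hash_data_groups(chip["data_groups"]) == sod["hashes"]


def clone_chip(chip):
    """A verbatim copy carries the valid security object with it."""
    return copy.deepcopy(chip)


def tamper_chip(chip, group, new_value):
    """Edit one data group and refresh its hash; the signature no longer fits."""
    tampered = copy.deepcopy(chip)
    tampered["data_groups"][group] = new_value
    tampered["security_object"]["hashes"] = hash_data_groups(tampered["data_groups"])
    return tampered
```

Detecting the clone itself is left to the safeguards Moss describes: comparing the chip's photo and data page against the physical document and the holder.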
• Researchers at the University of Cardiff have discovered a security flaw in the Hong Kong and Shanghai Banking Corporation's (HSBC) online banking system. The researchers say that for at least two years, the flaw has left 3.1 million UK consumers vulnerable to keystroke-logging attacks. The exploit lets attackers break into any account within nine attempts. HSBC played down the flaw's seriousness, calling it a "supposed flaw" and a "sophisticated attack that would require a particular and time-consuming focus on one individual victim."
• Detective Chief Inspector Matt Sarti of the UK Metropolitan Police is urging lawmakers to let law enforcement officials demand the encryption keys for suspects' seized PCs under Part 3 of the UK's Regulations of Investigatory Powers (RIP) Act. At a public meeting organized by the Foundation for Information Policy Research (FIPR) to discuss RIP's draft code of practice, Sarti said the police have seized more than 200 computers "which contain encrypted data for which we have considerable evidence that they contain data that relates to a serious crime." However, several security professionals have criticized the draft because it's poorly written. Richard Clayton, FIPR trustee and a computer security researcher at the University of Cambridge, says the draft lacks recourse for those victims of "deliberate mistakes" by law enforcement officials who abuse the law to obtain private data.
• Rob McKenna, the Washington State Attorney General, and the US Federal Trade Commission filed suit against movieland.com and four California-based companies that installed advertising spyware on consumer PCs. The popup software advertised movieland.com's download service; after the trial period was over, consumers were subjected to hourly popups that demanded payment for the service. The popups lasted 40 seconds and appeared in windows that couldn't be closed. The ad program was also difficult to remove, prompting consumers to pay anywhere from US$19.95 to $100 to stop the popups. Efforts to uninstall the program through the Windows Control Panel launched a Web site that presented payment options. Each defendant is facing up to $100,000 and $2,000 per violation under Washington's Computer Spyware Act and the Consumer Protection Act, respectively, plus restitution to affected consumers.
• The US Department of Transportation (DOT) has reported that a laptop containing the names, addresses, birthdates, and social security numbers of 133,000 Florida residents was stolen from a government vehicle used by a DOT agent. The data wasn't encrypted, but according to David Barnes, communications director for the DOT, it was password protected. The theft follows a laptop theft earlier this year that contained information on fraud cases involving government contracts and grants.
• In a survey conducted by recruiting network ExecuNet, 35 percent of employers reported that they eliminated a job candidate after uncovering negative information about them online. The survey also showed that 82 percent of job seekers expect companies to conduct Internet searches on job candidates, yet only 33 percent have conducted an online search of themselves.