Published by the IEEE Computer Society
PDFs Require Adobe Acrobat
• At DefCon 2006 in August, security researcher Martyn Ruks unveiled a vulnerability on IBM mainframes running the Systems Network Architecture (SNA) protocol developed by IBM more than 30 years ago. The vulnerability, executed by a proof-of-concept Python script, lets attackers control mainframes and networks through queries to Data-Link Switching (DLSw)-capable routers and gather data, including router version, MAC address, and NetBIOS name. Although newer and cheaper mainframe alternatives exist, companies continue to use the SNA-networked mainframes because of their reliability in financial, inventory, and point-of-sale transactions. Ruks says many companies don't view these systems as "low-hanging fruit" and fail to secure them properly. However, attackers must be well-versed in SNA architecture to exploit the vulnerability, he says. To help secure systems, Ruks recommends turning on encryption between routers and on network communication channels.
• Two years since its release, Netsky-P still ranks as the most widely spread email worm. According to security research firm Sophos, 1 in 278 emails were infected with the worm in August 2006, even though security fixes for it are widely available. Carole Theriault, senior security consultant at Sophos says, "If you use the Internet and don't have proper security measures in place, you are not only endangering your data, you are keeping nasty old timers like Mytob and Netsky worms alive and kicking."
• Organized crime rings and hackers are targeting massively multiplayer online game (MMOG) sites such as the K2 Network in an effort to steal gamers' usernames, passwords, credit-card numbers, and virtual game pieces and accessories. The thieves then attempt to sell the characters back to the original owners or to other players. To protect its more than 7 million gamers, K2 Network added a layer-7 firewall that inspects every data packet and runs a security check before connecting to the end server. Pete Abrams, vice president of NetContinuum, the maker of the firewall used by K2 Network, says MMOGs are "juicy targets" because of their built-in databases of sensitive personal data.
• A Moroccan court sentenced two men to prison terms for creating and spreading the Zotob worm last year. The worm hit more than 100 US companies, causing network outages at media outlets such as CNN, ABC, and The New York Times. The US Federal Bureau of Investigation (FBI), working closely with Microsoft, caught the two men 12 days after the initial attack.
• Microsoft is engaged in an escalating digital rights management (DRM) arms race with a hacker who released FairUse4WM, a tool that strips the DRM from movie and song files downloaded from content providers such as Movielink, Real Networks, and MTV's Urge music service. Microsoft released a patch to prevent the tool from working; three days later, the hacker released a new version of the tool that Microsoft has yet to fix.
• Apple released a high-priority update to its QuickTime media player to fix vulnerabilities centered around corrupted QuickTime movies that use the H.264 digital video codec standard. The vulnerabilities let attackers trigger integer and buffer overflows or execute code once users viewed corrupted movies or images. The update plugs the vulnerabilities by additionally validating all H.264 movies.
• Google has temporarily suspended access to its Public Service Search service until it can release a permanent patch to a phishing hole found in the application. The service offers nonprofit companies the use of an ad-free version of Google search on their Web sites at no cost. The vulnerability lets phishers create phony Google pages on the google.com domain to entice users to give out personal information. Until it releases a permanent fix, Google has blocked existing users from logging in to make changes, but site-specific search functions still work on their Web sites.
• Oracle released patches for 101 security vulnerabilities in its products. The company's database products received the most fixes, patching 63 flaws. The majority of critical fixes, according to Darius Wiles, Oracle's senior manager for security alerts, "lie within the application server product […] those are the ones that customers should be most concerned about and fix as soon as possible." This quarterly security bulletin marks the first time the company has included severity ratings for each fix and identifies which flaws could be executed remotely. The next security patch release is 16 January 2007.
• Apple reported that a small number of video iPods made after 12 September 2006 shipped with the RavMonE virus. Greg Joswiak, Apple's vice president, says the iPods were infected from a Windows machine at a contract manufacturer that builds the devices. Apple says current antivirus software should detect and remove the virus and urges customers without protection to install such software as soon as possible. The virus doesn't affect the iPod itself or Mac machines. For Windows users, Joswiak says the virus "does not cause data damage but can lower the security of the computer." Apple says all new iPods produced since then are virus-free.
• Hackers attacked Xinnet.com, one of China's domain name registration servers, on 21 September. Local Chinese media reported more than 10,000 affected Web sites use Xinnet.com as both host and registrar. The company apologized but has no plans to compensate its customers for the downtime. Most of the affected Web sites have resumed operations.
• According to a survey conducted by the Measurement Factory, more than half of the Internet's name servers leave networks vulnerable to pharming—attacks that redirect users to a different Web site to capture personal information— because they're configured incorrectly. The survey also found that 29 percent of Domain Name System (DNS) servers allowed zone transfers to arbitrary requesters, a vulnerability that leaves servers open to denial-of-service (DoS) attacks. Only 1 of every 100,000 DNS servers support the DNS Security Extension (DNSSec), the proposed standard for authenticating DNS data.
• Police in Strathclyde, Scotland, say that 10 percent of call centers in Glasgow have been infiltrated by organized crime gangs looking to commit fraud. Glasgow is home to roughly 300 call centers employing more than 18,000 people. The gangs place their own members in the call centers or recruit call-center employees to pass along sensitive personal information.
• A new hacking tool expected to be included in a module for Metasploit disguises browser attack code, circumventing signature-based antivirus protection. The tool, called eVade o'Matic Module (VOMM), creates new exploit code versions by using server-side scripting and delivering it to users' browsers when they visit an attacker's Web site. The code changes are cosmetic and don't affect functionality. The software evades detection by adding tabs and spaces, random comments, and variable names—components not included in known signatures. Aviv Raff, one of VOMM's developers, says that attackers using VOMM "can create an endless number of variants of an exploit."
• The US Department of Defense launched a Web site on 1 September to help military personnel overseas vote in the November elections. The program, called the Integrated Voting Alternative Site (IVAS), instructs personnel on how to submit ballots by fax or email. Voters can also request absentee ballots from the site. However, the program's critics warn that the system lacks fundamental security safeguards such as email encryption. David Wagner, a computer science professor at the University of California, Berkeley, says unencrypted email can be intercepted and read by others, and soldiers could become victims of identity fraud because the absentee ballot requests requires voters' birth dates and social security numbers. "No self-respecting bank would tell me to email them my bank account number and social security number over unencrypted email," he says. J. Scott Wiedmann, the program's deputy director, says the IVAS site offers Secure Sockets Layer (SSL) encryption and advises voters of email security concerns. "It's more important to these voters that they participate in the vote than in maintaining secrecy," Wiedmann says.
• Indiana University computer science student Christopher Soghoian created a Web site—since taken down—that generated fake Northwest Airline boarding passes. Because the Transportation Security Administration (TSA) checks IDs only at its screening checkpoints, someone could have used the fake boarding pass with their real name and ID to get through the screening process and board a plane using a real boarding pass purchased under an assumed name— evading the TSA's no-fly list. However, the fake boarding passes alone wouldn't have let them on the plane because the bar code information didn't match the information on the passes. The boarding-pass generator exploited a security loophole Bruce Schneier first highlighted in 2003. Representative Ed Markey (D-MA) initially called for Soghoian's arrest, but has since changed his mind. "Better yet," Markey said in a statement, "the Department of Homeland Security should put him to work, showing public officials how easily our security can be compromised."
• SpamThru, a new spam Trojan, incorporates an antivirus scanner that uses a pirated copy of Kaspersky AntiVirus for WinGate to detect and remove rival Trojans from infected computers. SpamThru loads a DLL from the author's command-and-control server and patches the license signature check in memory to avoid the pirated copy of the antivirus software. The Trojan then scans for rival malware and sets up Windows to delete it on the next reboot. Joe Stewart, senior security research at SecureWorks, says SpamThru's goal is "to keep all the system resources for themselves. If they have to compete with a mass-mailer virus, it really puts a damper on how much spam they can send."
• AT&T has reported that hackers have stolen personal data, including credit-card information, for 19,000 of its customers. The data breach affects customers who bought DSL products through AT&T's online store. AT&T says affected customers have been notified by mail, email, or phone, and provided with a toll-free number to call for more information.
• StopBadware.org, a software watchdog group, accused America Online of deceptive practices after discovering that AOL bundled unnecessary software into its free Web browser upgrade without proper disclosure and opt-out procedures. The upgrade installs software such as Viewpoint Media Player, Pure Networks Port Magic, and RealPlayer. Additionally, after downloading the upgrade, a dialog box requires users to update their connectivity services and then installs an AOL toolbar, icons, and a favorites folder to Internet Explorer without user approval.
• Security researches at Danish firm Secunia have found an Internet Explorer 7 vulnerability that lets Web sites display pop-ups containing a spoofed Web address. A Microsoft representative says the problem lies in the way IE 7 displays addresses in the address bar. However, if a known phishing Web site attempts to launch the pop-up, the attack won't work because of IE's built-in phishing shield, which alerts users to the malicious Web site.
• The US Federal Trade Commission (FTC) has levied the largest-ever fine against Xanga.com for violation of the Children's Online Privacy Protection Act. Xanga.com, a popular social-networking site, was ordered to pay US$1 million for letting users with birthdates indicating they were under the age of 13 create accounts without parental consent. (The act requires commercial Web sites to obtain parental consent before collecting personal information from children under the age of 13.) Of Xanga's 25 million users, the FTC alleges 1.7 million accounts were registered with birth dates indicating the users were younger than 13.
• According to the Privacy Rights Clearinghouse (PRC), roughly 94 million consumer data records have been exposed in data breaches in the past two years. PRC director Beth Givens says security breaches happen mostly through low-tech means such as laptop theft and lost backup tapes rather than hacking. A rising concern is the loss of portable USB drives, she says.
• Hewlett-Packard (HP) has admitted to using an email tracer or Web bug in an effort to identify a corporate leak. The company created a fake email message from a nonexistent "disgruntled" HP senior manager and sent it to a reporter with the tracer in an attachment. HP and its investigators hoped the reporter would then forward the email and attachment on to her secret source, sending the source's IP address back to investigators. It's not known if the tracer was ever activated because the reporter never opened the attachment or forwarded the message without the attachment, or the recipient might have been using a browser that disables scripts from connecting to the Internet without permission.
• In October, Microsoft released guidelines on how it protects customer privacy at the International Association of Privacy Professionals Privacy Academy conference held in Toronto. The guidelines offer recommendations on how to build applications that protect customer privacy.
• Online stock brokerage firms TD Ameritrade and E-Trade were hit by a "pump and dump" stock trading scheme that has led to at least US$22 million in losses. The attacks took place over three months and originated in Eastern Europe and Asia. The attackers used keylogging software delivered via malware to steal users' personal information. With the information, the attackers logged into existing accounts or created phony accounts and drove up prices on little-traded stocks by purchasing shares in the companies and then selling their shares at a profit. The US Federal Bureau of Investigation (FBI), Securities and Exchange Commission (SEC), and the National Association of Securities Dealers are still trying to uncover the source of the fraud.
• A data theft ring hit more than 8,500 people in the UK and 60 other countries, including the US, Germany, France, Italy, and Spain. The cybercriminals used a program called Haxdoor to infect computers, disable computer firewalls, and collect login and password information that was sent back to the data thieves. Charlie McMurdie, detective chief inspector for the London Metropolitan Police's e-Crime Unit, says that in some cases the program obtained a screenshot of personal information.
• The US Commerce Department recently disclosed that it lost more than 1,100 laptops in the past five years, including 246 with personal data from the last census. To ensure data will be secured for the upcoming 2010 census, the department plans to transmit encrypted information to a central database via a secure private network immediately after census takers collected it. As for the 246 lost laptops with personal information, department officials say password protection and encryption limit any possible misuse of the data. "All of the equipment that was lost or stolen contained protections to prevent a breach of personal information, and we are moving to institute better management, accountability, inventory controls, 100 percent encryption, and improved training," says Carlos Gutierrez, US Secretary of Commerce.
• In August, the US started issuing biometric passports with embedded radio frequency identification (RFID) chips containing the passport holder's digital photograph and personal information. All passport renewals will include the RFID chips as well. A metallic mesh cover is weaved into the e-passport's cover that "makes it nearly impossible to access the chip when the book is closed," according to the US State Department. A technology called Basic Access Control (BAC) encrypts the data on the RFID chip and requires authentication before the chip can be read.
• The US Department of Veteran Affairs (VA) has announced plans to install data encryption software on all desktops, laptops, and handheld devices used by its employees. The VA instituted these new plans in response to recent data breaches that exposed veterans' personal data. R. James Nicholson, VA secretary, says, "I have promised America's veterans that I intend to make VA information security a model, and this encryption program is a major step in that direction."
• US President George W. Bush's Homeland Security Presidential Directive 12 (HSPD-12) went into effect on 27 October 2006, requiring all US agencies to begin issuing smart identification cards to employees and contractors. The directive requires that all federal employees be equipped with common ID cards for use in any federal building. For now, the cards will be used for physical access to buildings and computers, but eventually the cards could help verify the identity of email senders, make purchases, or access health benefits.
• The German government has proposed new legislation that makes computer hacking a crime. Under the law, actual theft of data isn't required in a formal charge; penetrating and gaining access to secure data is all that's necessary. Also, creating, spreading, or purchasing hacker tools would be punishable by up to 10 years' prison time. The legislation aims to close any potential legal loopholes in German law, which already has laws for attacks against public agencies and companies.
• The California legislature approved the Identity Information Protection Act of 2006, creating a privacy framework for using radio frequency identification (RFID) in state documents and ID cards. The bill would have required encryption to protect against data theft and abuse and made skimming—reading RFID data without permission—a crime. However, California Governor Arnold Schwarzenegger vetoed the bill because he considered it premature. He said the federal government has yet to announce its security standards for ID cards and didn't want to approve state laws that would contradict federal statutes.
• The next major US security threat, according to US Homeland Security Secretary Michael Chertoff, could come from disaffected US citizens who develop radical ideologies and terrorist skills using the Internet. At a meeting of the International Association of the Chiefs of Police, Chertoff said, "We now have a capability of someone to radicalize themselves over the Internet. They can train themselves over the Internet." To combat this potential threat, Chertoff said the Department of Homeland Security would assign 20 field agents to work with local police agencies to gather intelligence on home-grown attackers.
• The California legislature has passed a bill requiring wireless access points for homes or small businesses to come with warnings that improperly secured wireless networks could be open to attack . The warning could be a sticker or a page in the manual, but the bill requires the warning to be impossible for buyers to miss before using the device. California Governor Arnold Schwarzenegger is expected to sign the bill into law, but analysts have questioned the need for it. Ken Dulaney, analyst for the Gartner Group, says, "To get the state involved with this is ridiculous. Don't they have anything better to do?" He also pointed out that most setup wizards for wireless products address security issues.
• The US Department of Homeland Security has chosen Gregory Garcia as its first assistant secretary for cybersecurity. The position is responsible for advising government agencies and the private sector. Garcia is a former vice president of the Information Technology Association of America.
• According to Iran's Islamic Republic News Agency (IRNA), the Iranian Telecommunication Ministry has "forbidden" ISPs from providing Internet connections faster than 128 Kbytes per second . These limits affect homes and Internet cafes but not businesses. The restrictions will stay in place until the government issues new asymmetric digital subscriber line regulations.