Published by the IEEE Computer Society
• The Month of Apple Bugs project kicked off in January. Two researchers—Kevin Finisterre and LMH—will release a new security flaw found in the Apple Mac OS X operating system or an OS X application daily. The project's Web site says its goal is to "improve Mac OSX, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system."
• In a paper presented at the Chaos Computer Club conference in Germany in December 2006, security researchers Stefano Di Paola and Giorgio Fedon uncovered a weakness in the Adobe Reader Web browser plug-in that could let attackers launch universal cross-site-scripting (XSS) attacks on any Web site hosting a PDF. Past XSS attacks used vulnerabilities in Web sites to launch attacks, but this vulnerability is on the client side in a widely used plug-in—possibly leading to an increase in XSS attacks, according to Symantec. To safeguard against threats, Adobe recommends that users upgrade to Adobe Reader 8. Additionally, users should use the Acrobat client instead of the browser plug-in to open PDF files.
• The Happy New Year worm "ushered out 2006 with a bang," says Haggai Carmon, vice president of email security company Commtouch. The worm spreads via an email attachment called postcard.exe in emails with "Happy New Year" in their subject line. Executing the attachment infects PCs with malware, including rootkits and keyloggers. Carmon says the worm, also dubbed Tibs, Nuwar, or Mixor.q, accounted for 12 percent of email traffic over the holiday period of 29 December 2006 through 2 January 2007.
• Image spam, which a year ago accounted for less than 1 percent of total spam received, currently makes up 40 percent of incoming email, according to McAfee Avert Labs. Whereas spam blockers can successfully block traditional text-based spam based on typical words and phrases, image spam relies on images embedded in email to circumvent filters. The spam image contains the text that displays the spammer's message. To make it even harder for filters that use optical character recognition technology to detect image spam, image spammers use pictures with textured backgrounds or vary the font for each letter in the message to throw the filters off. For more on this, see the Attack Trends department in this issue, p. 70.
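The defensive counterpart of the item above is a filter that does not try to read the picture at all, but scores the shape of the message: an image with almost no machine-readable text around it. The following Python is an added example, not code from the column or from McAfee; the two sample messages, the placeholder GIF bytes, and the scoring thresholds are constructed for illustration.

```python
"""Heuristic scoring of image spam using only message structure.

Added example (not from the IEEE column). The rules below flag messages whose
payload is carried as an embedded image while the text parts are near-empty;
no OCR is attempted, so textured backgrounds and varied fonts do not matter.
Sample messages and thresholds are constructed, not taken from a real feed.
"""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed stand-in for picture bytes; the heuristic never decodes the image.
FAKE_GIF = b"GIF89a" + b"\x00" * 512


def build_image_spam() -> bytes:
    """Constructed sample: HTML whose only content is an inline image."""
    msg = EmailMessage()
    msg["From"] = "promo@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re:"
    msg.set_content('<html><body><img src="cid:pic1"></body></html>', subtype="html")
    msg.add_related(FAKE_GIF, maintype="image", subtype="gif", cid="<pic1>")
    return msg.as_bytes()


def build_text_newsletter() -> bytes:
    """Constructed sample: ordinary text with a small inline logo."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "reader@example.invalid"
    msg["Subject"] = "March newsletter"
    body = ("This month we cover the new patch cycle, the updated on-call rota, "
            "and the results of the phishing-awareness drill. ") * 3
    msg.set_content(body)
    msg.add_related(FAKE_GIF, maintype="image", subtype="gif", cid="<logo>")
    return msg.as_bytes()


def score_image_spam(raw: bytes) -> dict:
    """Return structural features, a score, and a verdict for one raw message."""
    msg = message_from_bytes(raw, policy=default)
    text_chars = 0          # visible characters across text/plain and text/html parts
    image_parts = 0
    image_bytes = 0
    html_img_only = False   # HTML that references an inline image and shows no text

    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1
            image_bytes += len(part.get_payload(decode=True) or b"")
        elif ctype == "text/plain":
            text_chars += len(part.get_content().strip())
        elif ctype == "text/html":
            html = part.get_content()
            visible = re.sub(r"<[^>]+>", "", html).strip()
            text_chars += len(visible)
            if "cid:" in html and not visible:
                html_img_only = True

    score = 0
    if image_parts and text_chars < 40:           # picture present, nothing to read
        score += 2
    if html_img_only:                             # HTML exists only to show the picture
        score += 1
    if image_bytes > 50 * max(text_chars, 1):     # payload is overwhelmingly image data
        score += 1

    return {
        "text_chars": text_chars,
        "image_parts": image_parts,
        "image_bytes": image_bytes,
        "score": score,
        "verdict": score >= 2,
    }


if __name__ == "__main__":
    for name, builder in (("spam", build_image_spam), ("ham", build_text_newsletter)):
        print(name, score_image_spam(builder()))
```

The point of scoring structure rather than pixels is that the spammer's anti-OCR tricks (textured backgrounds, per-letter fonts) leave the MIME layout untouched; in production the score would be one input among several, since a legitimate photo-only message from a known sender also trips the first rule.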
• iDefense warns of a Microsoft PowerPoint attachment making the rounds with "Merry Christmas to our hero sons and daughters!" in the email's subject line. Once executed, the attachment installs a Trojan that lets attackers control infected systems. Ken Dunham, director of iDefense's Rapid Response Team, says the attack was launched from a remote Web site found on a server in China.
• In December, Microsoft acknowledged a vulnerability that affects four versions of its operating system, including Vista. The vulnerability lies in the client/server runtime subsystem, which performs system functions such as opening and closing applications. An attacker could launch malicious code that elevates an ordinary user to administrator status. Because a successful attack requires an attacker to log onto the machine, security firm Secunia rated the vulnerability as "less critical."
• Versions of Opera's latest browser now include a phishing filter that incorporates information from PhishTank and digital certificates from GeoTrust. PhishTank lets users submit and track data about phishing sites. Opera then alerts users when visiting known phishing sites.
• London's Harrow Crown Court sentenced a member of a UK identity-theft gang to four years' imprisonment for "perverting the course of justice." After UK authorities raided the gang's hideout and placed its members under arrest, the identity thief—while handcuffed with his hands in front—flipped a switch that wiped the gang's databases clean and activated the computer system's encryption, which authorities were unable to break. Thus, UK officials were unable to determine the true extent of the gang's illegal activities because much of the data was inaccessible. The Crown Prosecution Service estimated it would take 12 years and 400 computers to crack the gang's code. Officials aren't releasing details of the gang's encryption system because they fear other cybergangs will use it.
• eEye Digital Security identified a new worm that exploits a known hole in Symantec's Antivirus Corporate Edition, which Symantec already issued a patch for in May 2006. The worm opens a back door on systems using the unpatched software and connects to an IRC server that attackers use to control the computer. Symantec downplayed the alert's severity. "Technically, eEye is correct, there is a new botworm out there," says Vincent Weafer, senior director of Symantec Security Response. "But the impression and the worm alert are misleading because we are not seeing any activity." The bug, found in widely used security software, highlights a trend as attackers move from launching attacks at the operating system level to the application level.
• A recent report by the Department of Management at the London School of Economics highlights the increasing risk businesses face as they attempt to comply with security directives such as the Sarbanes-Oxley Act amid a shortage of qualified security professionals. The report finds this shortage to be most severe in the US, but expects other countries to experience the same problem as they adopt new rules for security and compliance. Especially vulnerable are companies that rely on a small group of internal workers, who would leave their companies stranded if they decided to leave. McAfee and Symantec, among others, suggest outsourcing compliance efforts to combat the shortage, but the report found that the support from outsourcing isn't comparable to having in-house security expertise.
• In an effort to make its Vista operating system less prone to malware attacks, Microsoft convinced US computer makers to make a BIOS change that lets its Address Space Layout Randomization (ASLR) security feature work correctly. ASLR randomly changes the positions of data areas, blocking attackers from predicting and targeting addresses. For ASLR to work, though, computer makers must enable Data Execution Prevention/No eXecute (DEP/NX) in the BIOS by default. Microsoft believes ASLR, along with other security technologies, will block most buffer-overflow exploits used in worm and virus attacks.
• Attackers are including virtual-machine detection in their worms and Trojans in the escalating war between malware authors and antivirus labs. By adding sniffers that detect the presence of virtualization software—mainly, VMware processes—attackers try to slow down security researchers from analyzing and testing their malware. Lenny Zeltser, a SANS Institute analyst with the Internet Storm Center, says, "Three out of 12 malware specimens recently captured in our honeypot refused to run in VMware."
• Grey Goo, a new self-replicating worm, shut down the virtual community Second Life and locked out gamers for roughly 30 minutes. The worm spun gold rings and propagated further when players interacted with them. The worm's purpose wasn't to phish, according to Rob Enderle, an analyst at the Enderle Group. Instead, it was a "grief bomb," designed to merely annoy gamers. "This kind of an attack's sole purpose is to mess up the game," Enderle says.
• Attackers recently attempted to spread malware using a Wikipedia page. They modified Wikipedia's entry for the MSBlast worm to include links to an alleged fix for a new variant of the worm that was really a piece of malicious code. Wikipedia editors are unsure how long the modified page was live, but removed it once they became aware of it. However, the page still existed in the archive, letting attackers point to it in mass emails. Wikipedia has since deleted the archive page. Security firm Sophos reported that many of the emails bypassed antispam filters because they linked back to a legitimate Web site.
• The Hacker Academy opened its doors in November, offering hands-on classes in information security. The Chicago-based school's goal is to teach the tricks attackers use so that students can better protect their future employers. The school offers two certificate programs: the ethical hacker program and the security analyst program. Ralph Echemendia, one of two instructors at the academy, says, "There is a need for security in the general population, but these IT classes are targeted at a very specific professional audience." Ronald O'Brien, a senior security analyst at Sophos, says, "The mere fact that a party would purport to teach hacking as a means of defense is something that we have always been ethically opposed to."
• A disk-image flaw in Mac OS X could let attackers control compromised systems. To execute the attack, users would have to click on a link to an infected image on a Web server. The flaw lies in the way Macs render the disk image (.dmg) format. Users can work around the flaw by deactivating the "open safe files after downloading" preference in the Safari browser.
• To help victims of fraud, including email scams, the European Union (EU) established the Consumer Protection Cooperation (CPC) Regulation for its members. Under the CPC, enforcement agencies are required to help each other by sharing information and cooperating on cross-border cases.
• The US Library of Congress has recommended that Congress consider the reverse-engineering of audio CDs to expose digital rights management (DRM) flaws. If enacted by Congress, content publishers who use DRM will be unable to use the Digital Millennium Copyright Act against security researchers who find flaws in their DRM schemes.
• All active duty, reserve, and auxiliary personnel who access the US Coast Guard's network must take training on how to avoid phishing and spear phishing attacks. This follows a similar mandate by the US Department of Defense that required all of its personnel to take phishing-awareness training.
• The US government will conduct its first testing program of e-voting machines after the US Election Assistance Commission (EAC) approved a testing and certification program for e-voting systems. Brian Hancock, the EAC's director of certification, says the program will decertify e-voting machines that fail security standards, hold e-voting machine vendors accountable, and ensure accurate election results. The program is voluntary, but 35 states require federal certification for voting machines.
• The Defense Science Board (DSB) warned that the US government's use of software code developed overseas could be compromised by adversaries. The DSB—a think tank within the US Department of Defense—will issue a report late in 2007 detailing the security and detection practices to follow to reduce risk, including peer review of code and test results, running scan tools that look for code hidden in software, and enforcing industry standards for quality software code. However, critics such as Ira Winkler, former analyst at the National Security Agency, say, "If there is one line of code written overseas, that's one line too many. Developing it in the US is not perfect, but we are talking about an exponential increase in risk by moving it overseas." Keeping code development "in house" isn't as easy as it seems—most US software vendors employ foreign nationals here in the US. Phillip Bond, president of the Information Technology Association of America, expects the DSB to recommend that the Pentagon assign different procurement rules for software based on national security interests.
• The Irish government began issuing e-passports in October with the passport holder's biographical information and digital image stored on a contactless chip. Security for the passport includes digital signatures, basic access controls to guard against data skimming, and active authentication to protect against cloning.
• The US National Crime Prevention Council, the Forum to Advance the Mobile Experience (FAME), and the Chief Marketing Office Council launched an initiative to increase kids' awareness of online dangers. The free Junior CyberGuard program is part of the "Take a Bite Out of Cybercrime" campaign open to kids aged 11 to 14. The program focuses on computer security measures, including how to use Wi-Fi networks, how to spot online predators, and the dangers of online bullying. As kids progress in the program by passing short quizzes, they gain rewards such as t-shirts, watches, and sports tickets, among other items. Leading technology and media companies such as CNET, Intel, McAfee, and VeriSign are sponsoring the initiative.
• The UK recently passed a law that makes launching denial-of-service (DoS) attacks punishable by five to 10 years' imprisonment. The Police and Justice Bill 2006 closes a loophole in a previous law that prohibited unauthorized modification of a computer system—leaving the door open regarding DoS attacks against email servers via email. The changes stem from a case involving an employee who crashed his former employer's email server by flooding it with 5 million emails. The former employee argued that because an email server exists to receive emails, sending emails to the server wasn't an unauthorized modification. A judge agreed, and the case was thrown out. The new law explicitly prohibits impairing the operation of any computer system, preventing access to data on a computer, or impairing the operation of any program on a computer.
• The US Department of Homeland Security (DHS) is designing a record system that monitors and tracks the names, citizenship status, and addresses of IT workers who access its systems. The DHS says the information will be used by DHS contractors and federal agencies conducting litigation or proceedings involving the DHS. The department will destroy an individual's record six years after becoming inactive.
• PayPal and Mastercard have united to offer a virtual debit card (VDC) that will let consumers make PayPal-authorized purchases. The system, which is in beta trials now, uses a new Mastercard number for each transaction and then discontinues that number's use. This system supplants the use of consumers' debit or credit-card numbers, protecting them from identity theft while users shop online because the randomly generated numbers aren't tied to a real debit or credit card but to a PayPal account. PayPal spokesperson Amanda Pires says, "VDC communicates to PayPal via SSL so any personal or financial information between the user and PayPal is secure. The security of the site itself does not affect the security of the VDC." But what if the transmission is intercepted? Not to worry, Pires says: "The intent of VDC is to protect users, so if a site is not transmitting information securely and the message is intercepted, then they [consumers] are still protected by our 'one-time use number.'" Merchants who try to use this number will be declined. No launch date was announced.
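The property Pires describes, that an intercepted number is useless to anyone but the account holder, follows from the issuer's bookkeeping rather than from the transport. The following Python is an added toy issuer, not PayPal's or Mastercard's code: each virtual number is bound to an account rather than a real card, carries a valid Luhn check digit so it looks like a card number to a merchant's form, and is approved exactly once. The issuer prefix, limits, and account names are constructed.

```python
"""Toy issuer for single-use virtual card numbers.

Added example illustrating the one-time-number idea in the VDC item above;
it is not PayPal's or Mastercard's implementation. The prefix TEST_BIN, the
spending limits and the account identifiers are constructed.
"""
import secrets
from dataclasses import dataclass

TEST_BIN = "999999"   # constructed prefix, not a real issuer identification number


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Standard Luhn validation of a full card number."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class VirtualCard:
    number: str
    account_id: str       # the number maps to an account, never to a real card
    limit_cents: int
    used: bool = False
    merchant: str = ""


class VirtualCardIssuer:
    def __init__(self) -> None:
        self._cards: dict[str, VirtualCard] = {}

    def issue(self, account_id: str, limit_cents: int) -> str:
        """Mint a fresh 16-digit number for one purchase by this account."""
        body = TEST_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
        number = body + luhn_check_digit(body)
        self._cards[number] = VirtualCard(number, account_id, limit_cents)
        return number

    def authorize(self, number: str, amount_cents: int, merchant: str) -> tuple:
        """Approve the first valid use of a number; decline everything after it."""
        if not luhn_valid(number):
            return (False, "invalid-number")
        card = self._cards.get(number)
        if card is None:
            return (False, "unknown-number")
        if card.used:                       # replay of an intercepted number
            return (False, "already-used")
        if amount_cents > card.limit_cents:
            return (False, "over-limit")
        card.used = True                    # number is spent from this point on
        card.merchant = merchant
        return (True, f"approved:{card.account_id}")


if __name__ == "__main__":
    issuer = VirtualCardIssuer()
    n = issuer.issue("acct-42", 5000)
    print(n, issuer.authorize(n, 4999, "shop-a"))
    print(n, issuer.authorize(n, 1, "shop-b"))   # declined: already used
```

Because the approval is recorded issuer-side, an eavesdropper who captures the number after the genuine purchase holds a dead token; the remaining exposure is the window between issuance and first use, which a real system would close with a short expiry.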
• Stewart Baker, assistant secretary of the US Department of Homeland Security (DHS), says critics of the US government's Automated Targeting System (ATS) are "paranoid." The ATS collects travelers' personal data and keeps it for 40 years. The ATS started in the 1990s to track cargo containing drugs, but was broadened after the attacks of September 11, 2001, to include checking passports and passenger information against terrorism and crime databases. The system then assigns a risk score to travelers. The Electronic Frontier Foundation has filed suit against the DHS in an attempt to force the agency to hand over information on the program, calling it an "invasive" data-mining program. Individuals can't access their scores or correct any false information that might be used to assess a score.
• The UK's Department of Health said patients must consent to sharing their medical information in electronic health records as part of the UK's National Health Service HealthSpace portal. Under the plan, doctors will upload patient information to the portal. Patients can then correct or amend their records and opt in or out of sharing their records. The HealthSpace portal connects 50 million patients with 30,000 health care workers.
• A laptop with the names, social security numbers, birthdates, addresses, and salary information of more than 382,000 current and former Boeing employees was stolen from an employee's car. The laptop was password-protected, but the information was unencrypted, according to Boeing spokesman Tim Neale. He confirmed that this latest theft was the third for Boeing since November 2005. After the 2005 incident, Boeing installed encryption software on all employees' laptops, but Neale acknowledged that most employees don't use it. Boeing is now exploring ways in which to automatically encrypt sensitive data on employee computers.
• Attackers exploited a software flaw in a database at the University of California, Los Angeles, compromising the personal information—social security numbers, names, birthdates, and addresses—of more than 800,000 current and former students and members of staff and faculty. The breach went undetected for more than a year and was discovered in November 2006. It is the largest ever breach reported for a US university.
• By unanimous consent, the US Senate recently passed a bill outlawing pretexting. The bill makes it a federal felony to obtain or disclose personal phone records without their owners' consent. Under the legislation, individuals can be fined and imprisoned up to 10 years for each offense—even longer if the information is used to commit other crimes. Exemptions are provided for the police, emergency services, and carriers. The bill still needs President Bush's approval.
• Using the new Nike+ iPod Sport Kit might put you at risk for surveillance, according to security researchers at the University of Washington. The sport kit uses a radio frequency identification (RFID) sensor in running shoes to transmit real-time updates to runners via a receiver plugged into an iPod Nano. A hardware hack could let anyone with a Nike+ iPod receiver capture the unique ID of other Nike+ iPod receivers. The researchers warn that stalkers could use this information to plot their targets' location. Lee Tien, attorney for the Electronic Frontier Foundation, says, "We're going to see more devices like this in the next few years. This isn't just a problem with the Nike+ iPod per se—it's a cautionary tale about what happens when companies unwittingly build a surveillance capacity into their products."
• The UK has scrapped its plans to combat identity theft by creating a national identification database after a report from the London School of Economics raised security and privacy concerns. Plans for the database haven't been completely abandoned, however. The Home Office released an action plan addressing the security and privacy concerns and set a timetable for delivery of the cards in 2009.
• The Citizen Lab, based at the Munk Center for International Studies at the University of Toronto, unveiled a free program that lets users in heavily restricted countries circumvent their governments' Web-censoring tools. The program—Psiphon—lets users access and display Web pages from anywhere using social networks. Users in uncensored countries can download Psiphon to their computers, enabling them to act as access points for censored users in other countries. Censored users can freely browse the Web through the access point once they get a unique Web address, login, and password.
• Users bookmarking whole or portions of Web pages with Google Notebook might be exposing their personal information, including social security numbers and email passwords. Google Notebook users can organize bookmarked pages into folders and classify the information as public or private. However, a Digg.com posting showed that many users are neglecting to classify their sensitive information as private, opening it up to view by anyone who uses Google Notebook's search tool.