Published by the IEEE Computer Society
PDFs Require Adobe Acrobat
• According to Karl Lynn of Juniper Networks, older versions of Citrix's Presentation Server Client contain a security flaw that could compromise machines. The flaw is a result of an error in Citrix's proprietary independent computing architecture (ICA) protocol and the way it supports connections via proxy servers, possibly letting attackers execute arbitrary code when users visit malicious Web sites. The flaw affects Presentation Server Client versions older than 10.0. Currently, no patch is available; as a fix, Citrix recommends users upgrade to version 10.0.
• At the recent Black Hat DC conference in February, David Litchfield revealed a technique dubbed cursor injection to exploit PL/SQL injection vulnerabilities in Oracle database servers. Previous attacks using PL/SQL flaws required high-level database privileges, but cursor injection lets anyone who can connect to a database exploit the flaws. In response, Oracle urged customers to apply patches.
• IOActive, a security firm based in Seattle, Washington, cancelled its scheduled demonstration of the flaws in RFID-enabled access badges at the Black Hat DC conference. The company decided not to go ahead with its presentation after receiving legal threats from HID Global, a major manufacturer of RFID access control systems. IOActive's chief executive, Joshua Pennell said, "We can't go forward with the threat hanging over our small company." In a statement, HID Global said it didn't threaten IOActive, but "simply informed IOActive and its management of the patents that currently protect HID Global intellectual property."
• In February 2007, Microsoft warned of an Excel 0-day attack that affects Office 2000, 2004, XP, and Office 2004 for Mac. The attack exploits a vulnerability that lets attackers remotely take over users' systems after they've opened a malicious Excel attachment or visit a Web site that houses the malicious files. No patch is yet available, but Microsoft advises users not to open MS Office files from unknown sources.
• According to researchers at Harvard and MIT, site-authentication images used by financial institutions such as Bank of America, ING Direct, and Vanguard provide little additional security. Customers preselect an image that will appear to them when they access their accounts online; if they don't see the image, they could be at a phishing site and shouldn't enter a password. In a controlled computing environment, the researchers removed the images, and tested 67 Bank of America customers by asking them to log into their online accounts. Of the participants, 58 entered their passwords; only two chose not to because of security concerns. Those who entered their passwords said they didn't notice their images weren't present.
• To combat phishing, Microsoft added support for Extended Validation Secure Sockets Layer (EV SSL) certificates to Internet Explorer 7.0 and urges other browser makers and Web sites to follow. EV SSL-certified Web sites feature an address bar that turns green, displays the country the Web site is based in, and who certified it. EV SSL-certification guidelines also require third-party authentication companies, such as VeriSign and Entrust, to verify that they have registered with local authorities, have a legitimate address, and actually control the site. VeriSign says 300 businesses are in the process of certification, and that it has issued 20 EV SSL certificates so far.
• In January 2007, Exploit Prevention Labs, an Atlanta-based security company, reported that the Q406 roll-up attack kit was behind 70 percent of the Web-based attacks in December 2006. Exploit's chief technology officer, Roger Thompson, says it's hard to pinpoint the kit's exact number of exploits because it's heavily encrypted. "The dominance of this package reinforces the fact that the development and release of exploits frequently parallels legitimate software businesses," Thompson says.
• Recently, Symantec released new security software to help combat 0-day attacks. The new tool—Symantec Online Network for Advanced Response (SONAR)—is a free add-on to Norton Antivirus 2007 and Internet Security 2007 products. SONAR differs from Symantec's signature-based antivirus tools in that it's behavior-based: it analyzes program behavior to determine whether malicious activity is occurring, thus identifying suspicious behavior before security researchers.
• To help protect against phishing scams, eBay now offers password-generating devices to its PayPal users. The device, dubbed the PayPal Security Key, generates random six-digit security codes every 30 seconds and costs personal PayPal account users a one-time fee of US$5, but is free for business accounts. PayPal users enter the unique six-digit code when they log in to their accounts with their regular user names and passwords. The code then expires. The service is available to PayPal users in the US, Germany, and Australia, but the company will eventually extend the service to other countries as well.
• In response to recent attacks on the SHA-1 hash function, the US National Institute of Standards and Technology (NIST) is holding a public competition to develop a more secure hash algorithm . NIST has published a draft on submission requirements and evaluation criteria and is currently accepting public comments on the draft. The submission deadline for new hash functions is tentatively scheduled for the third quarter of 2008. More information is available at www.csrc.nist.gov/pki/HashWorkshop/index.html.
• To fight against terrorism, Pakistan installed a biometrics system at the main border crossing between its southwestern Baluchistan province and southern Afghanistan in January 2007 . The system records fingerprints, retinas, or facial patterns and matches them to biometrically enabled Pakistani passports or identity cards.
• Cambridge University researchers revealed a proof-of-concept hack to the UK's Pin-and-Chip system's hardware that could let attackers steal personal data. The researchers replaced a terminal's internal hardware with their own and got it to play Tetris. The demonstration showed that attackers could make all of a terminal's components interact with one another, leading to the capture of data such as PINs.
• A phishing toolkit available on underground forums is threatening to bring cybercrime to the masses with an easy-to-use interface that requires minimal, if any, programming skill. Using the toolkit, which sells for US$1,000, scammers only need to enter a few variables, such as the Web site to be spoofed and the host site for the phony page, and the tool does the rest: it uses PHP to produce a dynamic Web page that pulls in the actual Web site being phished and displays it to unsuspecting users. Users logging into the legitimate site never know that scammers are intercepting their data.
• The US Department of Homeland Security is planning Cyber Storm 2, a weeklong exercise slated for March 2008 to test the nation's response to a full-scale cyber-attack. Cyber Storm 1 occurred in March 2006, with 115 private and international companies and organizations participating, and included a physical and Internet-based attack on private and public-sector companies.
• Satellite navigation company TomTom reported that its TomTom GO 910 units manufactured between September and November 2006 might be infected with viruses. The personal car navigation devices include a 20-Gbyte hard drive and preloaded maps of the US, Canada, and Europe. The company recommends that users run antivirus programs and remove the infected files.
• In February 2007, the US Veterans Administration reported an external hard drive missing from an employee's computer that contained information on almost all US physicians who have billed Medicaid and Medicare along with medical data for roughly 535,000 VA patients.
• US Congressman Lamar Smith (R-Tex.) has introduced the Stopping Adults from Exploiting Today's Youth (SAFETY) Act of 2006, which would let the US Attorney General draft far-reaching data retention laws for ISPs. Privacy advocates cite the act's vagueness as a major concern. "This bill is so incredibly bad…there's nothing in this legislation to prevent the attorney general from simply saying, 'Save everything forever,'" said Lauren Weinstein from the People for Internet Responsibility, an advocacy group. Smith counters that the act's focus is on catching sexual predators and that a subpoena would be required to access the information.
• Smart Card Alliance, which includes charter members IBM, First Data, Visa, and Northrop Grumman, released guidelines in February 2007 for best practices in security and privacy for companies using RFID technology in identity-management systems . The guidelines range from implementing security techniques such as mutual authentication to privacy practices such as allowing users to correct information and instituting a dispute-resolution process.
• IBM donated its Identity Mixer—software that provides encrypted credentials for online transactions— to the Higgins project, an open source project that give users more control over their personal data by making multiple authentication systems work together. Identity Mixer lets a trusted authority, such as a bank or government agency, issue an encrypted credential that users would give instead of personal or credit information while online. Buyers, for example, would give the encrypted credential to online stores, which would pass it to the credit-card issuer, who decrypts it, verifies it, and pays the retailer. A first version of the Higgins project, with the Identity Mixer software, is slated for release in mid-2007.
• A judge with the US Foreign Intelligence Surveillance Act (FISA) court authorized US President George W. Bush's controversial wiretap program, giving the program court oversight after five years, a move that critics say makes it unconstitutional. The program—called the Terrorist Surveillance Program—lets the government wiretap phone and Internet communications—without warrants—into and out of the country when the caller or receiver has a suspected link to Al Queda. The program will continue with court oversight and move out from under the US National Security Agency's purview.
• In January 2007, the parent company of retailers T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores announced that the computer network it uses to handle credit- and debit-card transaction was breached in mid-December . The breach affected stores throughout the US and Puerto Rico, as well as Winners and HomeSense stores in Canada. According to the New Hampshire Bankers Association (NHBA), roughly 20 to 30 percent of all New Englanders might have been affected by the breach.
• Senetas, an Australian cryptography company, and id Quantique SA, a quantum cryptography company based in Geneva, have created a 1- to 10-Gbit network that combines quantum key distribution with traditional encryption techniques. Quantum cryptography uses photon polarization to represent 1s and 0s instead of encryption keys to scramble data, producing uncrackable codes. The companies plan to offer the first networks in mid-2007.
• The UK's Information Commissioner's Office (ICO) warned that the government's new recommendation to relax data-sharing laws could lead to governmental snooping . The recommendation came after Prime Minister Tony Blair held a seminar to review the UK's current data-sharing law—the Data Protection Act—and found that, "overzealous data-sharing rules may be an obstacle to improving public services." In a statement, the ICO said the government must have security and privacy safeguards in place and take a measured approach so as to avoid government abuses and erosion of public trust. "…a cautious approach to information sharing is needed in order to avoid the dangers of excessive surveillance and the loss of public trust and confidence," the statement said. The recommendation has been put to a public debate; results will be reported back to the Cabinet in March 2007 for further review.
• Microsoft confirmed that it sought assistance—and received it—from the US National Security Agency (NSA) in developing Vista's security configuration . The move was to ensure that Vista met the US Department of Defense's standards, according to NSA spokesman, Ken White. However, Marc Rotenberg, director of the Electronic Privacy Information Center (EPIC), says, "There could be some good reason for concern. Some bells are going to go off when the government's spy agency is working with the private sector's top developer of operating systems." White says the NSA's role was limited to configuration aspects, not development, and especially not to system back doors, which the NSA has shown interest in. "This is not the development of code here," White says. "This is the assisting in the development of a security configuration."
• Later this year, MySpace.com will start offering Zephyr, parental notification software that lets parents know the name, age, and location their children use while on the social network. The software, however, doesn't let parents read their children's email or see their profiles. Privacy concerns, including whether the software could be used to monitor other users, prompted Facebook and blogging site Xanga to decline use of the software.
• In February 2007, Wellpoint, the largest US health insurer and parent company of Anthem Blue Cross and Blue Shield, reported the theft of backup tapes that contained 196,000 customers' personal information. The tapes were stolen from a company that audits the insurer's claims. The company sent letters to those affected, all of whom live in Kentucky, Indiana, Ohio, and Virginia.
• German police in the state of Sachsen-Anhalt worked with credit-card companies to review more than 22 million customers' transactions in an effort to nab child pornographers. The operation, called Mikado, netted 322 people suspected of buying Internet child pornography. Under German law, the police can require financial institutions to provide customers' transaction data if the police provide very explicit search criteria. In this instance, the police narrowed their requests down to a specific amount of money, time period, and receiver account.
• Vermont's Agency of Human Services (AHS) reported a computer breach affecting roughly 70,000 state residents that might have exposed personal information, including social security numbers. Heidi Tringe, the state's communications director, said the breach appeared to be the result of a botnet attack. The state sent letters to those affected by the breach, warning them of the compromise.
• Swedish police believe that a Russian organized crime gang used a variant of the Haxdoor Trojan to bilk US$1.1 million dollars from a Swedish online banking site . The criminal gang targeted Nordea customers with phishing emails that urged them to download a "spam fighting" application that was in fact the Haxdoor Trojan. The Trojan payload activated when users tried to log into the bank's online site and were then redirected to a phony home page, where keyloggers installed by the Trojan recorded account information. The gang then used the information to log into the real banking site and drain customer accounts. Nordea has refunded the affected customers' money.
• In February 2007, the European Union (EU) officially launched the Consumer Protection Cooperation (CPC) Network, a consumer-protection network that's designed to aid law enforcement in tracking down perpetrators of cross-border fraudulent activity, including spam and phishing scams. The CPC Network was instituted under the Consumer Protection Cooperation Regulations, which EU countries passed in 2004. The CPC Regulations set the minimum compliance standards for enforcement authorities in the network and include enforcement regulations such as the ability to conduct on-site inspections and order companies to stop illegal practices.
• US President George W. Bush signed the Telephone Records and Privacy Protection Act of 2006, making telephone pretexting—impersonating someone else for the purpose of buying, selling, or obtaining personal phone records— a federal crime punishable by up to 10 years' imprisonment. Of course, law enforcement and intelligence agencies are exempt.
• The Massachusetts legislature is considering two bills aimed at curbing retailers' poor data security practices. Currently, banks that issue credit or debit cards to consumers who've been victimized by data breaches absorb the costs to stop the fraudulent activity, with the retailers only on the hook for free credit-monitoring services. However, the first bill—HB 213—will make retail companies liable for the costs incurred as a result of a data breach. Companies involved in a breach would be required to notify customers and reimburse the card-issuing banks for subsequent fraudulent activity, including the costs to cancel or reissue cards as a result of unauthorized transactions. Also up for consideration is HB 328, which would require companies to provide credit freezes to those consumers affected by their data breach. Both bills aim to encourage retailers to improve data security.
• Karen Evans, the US Office of Management and Budget's administrator for e-government and IT, said in a recent conference call that the federal agencies that don't protect personal information might get a smaller portion of President Bush's IT budget. "This year we're really focused on making sure agencies are delivering results, investing the taxpayers' dollars wisely, and are really executing now on the activities they said they are going to do," said Evans. President Bush recommended an overall increase of 2.6 percent for this project for the 2008 fiscal year. The US Department of Defense (DoD) is slated for the lion's share of the budget, with $31.4 billion; the agency with the second highest budget is the Department of Health and Human Services, at $5.6 billion. The allocations "represent the President's priorities going forward to combating the war on terror," Evans said.
• A new bill sponsored by US Senators Patrick Leahy (D-Vt.), Russ Feingold (D-Wis.), and John Sununu (R-N.H.), would require US government agencies to report to Congress on their development and use of data mining programs. Senator Leahy said the bill—the Federal Agency Data Mining Reporting Act—would provide an "oversight mechanism" and safeguard privacy. Testifying before Congress, Leahy said that government agencies are operating, or planning to operate, roughly 199 data mining programs, including the controversial Automated Targeting System, which assigns "terror scores" to US airline passengers, and the Secure Flight program, which analyzes airline-passenger data. "The American people have neither the assurance that these massive data banks will make us safer nor the confidence that their privacy rights will be protected," Leahy testified.
• Despite the US Government Accountability Office's (GAO's) recommendation to test the program's security and technology, the Transportation Security Administration (TSA) is going ahead with its rollout of smart-card IDs for all of the more than 750,000 port workers across the country . Starting in March, the Department of Homeland Security (DHS) will issue the IDs, which will contain port workers' photographs and fingerprints, after conducting criminal background checks on all workers. In a report published in October 2006, GAO auditors expressed concern over the TSA's limited testing scope and that it failed to gather data on the "operational effectiveness" of the smart-card readers in maritime conditions, given that the nation's 4,000 ports tend to be near water.
• In January 2007, MI5, Britain's domestic spy agency, began a new email service that alerts the public about security threat levels. To receive the email alerts, users must sign up and register on the MI5 Web site. The move is part of the agency's efforts to emerge from its decades-long policy of secrecy. "It's part of the service's ongoing effort to improve its public communications and contribute to the government's policy of keeping the public informed about the national threat level," says a spokesperson for the UK's Home Office.
• In February 2007, US Senators Patrick Leahy (D-Vt.) and Arlen Specter (R-Pa.) revived a similar version of their 2005 Personal Data Privacy Act. This new bill would impose fines and prison time for those who intentionally conceal information on data breaches that cause "economic damage to one or more persons." Additionally, the bill would require data brokers to let consumers view and correct information about themselves for a "reasonable fee."
• The UK plans to close 551 of its 951 government Web sites and fold the services they offered into its DirectGov or BusinessLink Web sites. Of the remaining 400 sites, 26 will stay; the fate of the remaining 374 will be decided by June 2007. The goal is to expand information sharing between departments and consolidate services.