Published by the IEEE Computer Society
• It seems history does indeed repeat itself. At CanSecWest in May, security researchers presented an IPv6 vulnerability involving Type 0 routing headers (RH) that lets attackers launch denial-of-service (DoS) attacks that are 80 times more effective than previous DoS attacks. However, the vulnerability isn't new—it's similar to IPv4's source-routing option, which was eliminated for the same reason. The presenters of the vulnerability, Philippe Biondi and Arnaud Ebalard of the European Aeronautic Defense and Space Company (EADS), said, "IPv6 designers did not learn from IPv4 on that point. [They] also forgot some IPv4 best practices." The IETF is considering two ways to eliminate the problem: turn off Type 0 RH by default or remove it from IPv6 completely. For now, security advisors recommend that users switch off Type 0 RH handling on routers or block packets that use the mechanism.
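The advice above is to drop packets that carry a Type 0 Routing Header. The check below, an added example that is not part of the original brief, walks an IPv6 packet's extension-header chain (RFC 2460 layout: Hop-by-Hop, Routing, Fragment, AH, Destination Options) and reports the routing type of the first Routing Header it meets, so a filter can discard type 0 while still passing other routing types such as the Type 2 header used by Mobile IPv6. The addresses and the packet builder are constructed test data for this example only.

```python
import struct
from ipaddress import IPv6Address

# IPv6 extension-header "next header" values (RFC 2460 / IANA).
HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS}


def ext_header_length(proto, hdr):
    """On-wire length of the extension header that begins at hdr[0]."""
    if proto == FRAGMENT:
        return 8                      # fixed-size header
    if proto == AH:
        return (hdr[1] + 2) * 4       # AH length is in 32-bit words, minus 2
    return (hdr[1] + 1) * 8           # Hop-by-Hop/Routing/Dest Opts: 8-octet units, minus 1


def find_routing_header_type(packet):
    """Walk the extension chain; return the routing type of the first Routing Header,
    or None if the packet carries no Routing Header."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    proto, offset = packet[6], 40     # next-header field, then skip the 40-byte base header
    while proto in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        hdr = packet[offset:]
        if proto == ROUTING:
            return hdr[2]             # routing type field (byte 2 of the Routing Header)
        proto, offset = hdr[0], offset + ext_header_length(proto, hdr)
    return None


def uses_type0_routing(packet):
    """True if the packet should be dropped under the 'block Type 0 RH' recommendation."""
    return find_routing_header_type(packet) == 0


def build_packet(src, dst, hops, routing_type=0, with_hopbyhop=False, inner_proto=58):
    """Constructed test packet: base header, optional Hop-by-Hop header, then a Routing
    Header listing `hops` (the hop-by-hop option exercises the chain walk)."""
    addrs = b"".join(IPv6Address(h).packed for h in hops)
    # Routing Header: next hdr, ext len (8-octet units after the first 8), type, segs left, reserved
    exts = struct.pack("!BBBBI", inner_proto, len(addrs) // 8, routing_type, len(hops), 0) + addrs
    first_proto = ROUTING
    if with_hopbyhop:
        # 8-byte Hop-by-Hop header holding a single PadN option (type 1, length 4)
        exts = struct.pack("!BBBB4x", ROUTING, 0, 1, 4) + exts
        first_proto = HOPOPTS
    base = struct.pack("!IHBB", 0x60000000, len(exts), first_proto, 64)  # version 6, hop limit 64
    return base + IPv6Address(src).packed + IPv6Address(dst).packed + exts


if __name__ == "__main__":
    rh0 = build_packet("2001:db8::1", "2001:db8::2", ["2001:db8::3", "2001:db8::4"])
    rh2 = build_packet("2001:db8::1", "2001:db8::2", ["2001:db8::5"], routing_type=2, with_hopbyhop=True)
    print("RH0 packet dropped:", uses_type0_routing(rh0))
    print("RH2 packet dropped:", uses_type0_routing(rh2))
```

The walk stops at the first Routing Header rather than scanning for a byte pattern, so a Type 0 header hidden behind a Hop-by-Hop or Destination Options header is still found, and packets with no Routing Header at all are left alone.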
• In May, the US Computer Emergency Response Team (US-CERT) reported a vulnerability in security equipment—firewalls, intrusion prevention systems, and enterprise routers—that could let remote attackers evade detection and control networks. The vulnerability involves HTTP content-scanning systems that don't correctly scan full- or half-width unicode characters. US-CERT has identified 92 security vendors with products that could be compromised, including Cisco, 3Com, and F5 Networks.
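The weakness described is a scanner that matches signatures byte-for-byte while the browser or server treats full-width and half-width Unicode forms as equivalent. The following added example, not code from US-CERT or any vendor named above, shows a naive matcher beside one that applies NFKC normalization (which folds the full-width ASCII range U+FF01 to U+FF5E back to plain ASCII and half-width katakana to its full-width form) before matching. The signatures, request lines and the `to_fullwidth` helper are constructed for this example only.

```python
import unicodedata
from urllib.parse import unquote

# Constructed sample signatures a content scanner might look for (lower-case ASCII).
SIGNATURES = ("<script", "../", "union select")


def to_fullwidth(text):
    """Map printable ASCII (0x21-0x7E) to its full-width form (U+FF01-U+FF5E).
    Used only to build test input that mimics the width-based evasion."""
    return "".join(chr(ord(c) + 0xFEE0) if 0x21 <= ord(c) <= 0x7E else c for c in text)


def decode_request(raw):
    """Percent-decode the request as UTF-8 so multibyte characters reach the matcher."""
    return unquote(raw, encoding="utf-8", errors="replace")


def naive_scan(raw):
    """Signature match after percent-decoding only: width variants slip through."""
    text = decode_request(raw).lower()
    return [s for s in SIGNATURES if s in text]


def hardened_scan(raw):
    """Same match after NFKC normalization and case folding, so full-width and
    half-width spellings collapse onto the ASCII signature."""
    text = unicodedata.normalize("NFKC", decode_request(raw)).casefold()
    return [s for s in SIGNATURES if s in text]


def demo():
    """Run both scanners over a plain and a full-width request line."""
    plain = "GET /search?q=<script>alert(1)</script> HTTP/1.1"
    evasive = "GET /search?q=" + to_fullwidth("<script>alert(1)</script>") + " HTTP/1.1"
    return {
        "plain": (naive_scan(plain), hardened_scan(plain)),
        "fullwidth": (naive_scan(evasive), hardened_scan(evasive)),
    }


if __name__ == "__main__":
    for name, (naive, hardened) in demo().items():
        print(f"{name:10s} naive={naive} hardened={hardened}")
```

Normalization has to happen at the same point in the pipeline where the protected application does it; if the scanner normalizes but the application does not (or the reverse), the two still disagree about what the request contains.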
• According to an incident report released by Sarasota County officials in May, the SQL Slammer worm attacked the county's database system during the 2006 13th Congressional district race in Florida. The worm brought the network—and the e-voting system—to a halt, leaving voters unable to cast their votes for two hours. The worm, which caused a worldwide Internet slowdown in 2003, infested a county server that "was completely unpatched." Christine Jennings, the election loser by 369 votes, is challenging the election in Congress under the Federal Contested Elections Act. An ongoing state investigation has so far been unable to uncover the cause of 18,000 undervotes—votes reportedly cast but not recorded by the system. Brad Friedman provides excellent coverage at www.bradblog.com/?cat=180.
• The good news: Symantec updated its antivirus signatures for its Norton Antivirus, Norton Internet Security 2007, and Norton 360 products. The bad news: users of the simplified Chinese Windows XP version with Service Pack 2 were unable to reboot their machines after installing the update. The update mistook two critical Windows files—netapi32.dll and lsasrv.dll—for Trojans and quarantined them. The company has since issued an update to fix the goof. Affected users can fix the problem by installing the update or reinstalling the two quarantined files from their original Windows XP CDs. Symantec declined to release the number of users affected. This latest snafu follows on the heels of similar incidents involving Trend Micro and Windows Live OneCare antivirus software.
• Attackers hit British ISP Plusnet, gaining control of its mail server, stealing email addresses, and installing a Trojan horse on users' machines. Plusnet uncovered the attack in May after its customers were inundated with spam. Plusnet launched a new Web mail service after permanently shutting down the affected server. The company was unsure about the number of online accounts affected.
• Shall we play a game? A report released by the US Department of Defense (DoD) in May says that China is increasing its cyberwar capabilities, going as far as developing malware for first-strike attacks against enemy networks. The report notes that China is investing heavily in network defense and network attack and exploitation mechanisms, including the ability to interfere with and exploit battlefield information systems. The report is unclear on how much China is spending, but does state, "The PLA [People's Liberation Army] sees [computer network operations] as critical to achieving electromagnetic dominance early in a conflict."
• Botnet operators are fighting back against security companies' efforts to wipe out their botnets by using increasingly sophisticated methods such as multiple command-and-control centers and peer-to-peer distribution. Mi5 Networks, a security appliance vendor in California, found that roughly 25 percent of botnets it studied used some type of rapid propagation system. Mi5's chief executive, Doug Camplejohn, says the botnet operators' moves to avoid takedowns are a matter of economics: "These operators have too much time and effort invested in their networks to let someone take it down all at once—they've tried to make it such that if you cut off one command center, they can simply take control from another."
• Trend Micro recently identified an attack—dubbed the "Italian Job"—that has infected roughly 10,000 legitimate Web sites with malicious code. The malicious code then redirects visitors to servers with the MPack exploit tool installed, which download a Trojan to unpatched browsers. Websense has identified Italy and Spain as the regions most affected by the outbreak, but attacker-controlled servers exist in California and Illinois as well.
• In June, Israeli network management company ECI Telecom announced plans for an encryptor for high-capacity Ethernet traffic using the 256-bit Advanced Encryption Standard. The encryption device will protect network traffic on fiber-optic links between sites. Extending the protection to users will occur in a later software upgrade, the company said. Gali Malkiel, product manager for ECI Telecom, said the device will encrypt at the lowest level of the network stack. "Our encryption is done in hardware, and we are doing it in Layer 2," he explained. The company hopes to crack the lucrative US market; the encryptor will be available in the US later this year.
• A psychology professor at the University of California, Santa Barbara, has released a report examining the Jedi mind tricks scammers use to get even the most skeptical and experienced users to open and respond to their spam. James Blascovich says the first step is getting users to open the email. To do that, scammers use a combination of familiarity and legitimacy—creating phony messages that appear to be from friends, colleagues, or trusted companies, for example. From there, Blascovich says, victims fall into a motivation-process category—approach, avoidance, or a combination of both. Those who respond to email scams involving winning the lottery or Nigerian 419 scams are "promotion focused" and fall into the approach category, whereas those who respond to avoidance emails, such as phishing emails purportedly looking to verify important information, look to avoid unpleasantness.
• In a study presented at the Workshop on the Economics of Information Security this June, researchers from Carnegie Mellon University found that consumers will pay more for purchases from online retailers that safeguard their personal information. The study, conducted by the Carnegie Mellon Usable Privacy and Security Lab (CUPS), monitored the buying habits of people who were given money and instructed to buy specific items online using the PrivacyFinder.org search engine; participants could keep any left-over money. The PrivacyFinder.org search engine rates Web sites' privacy policies and shows each site's rank next to search results. On average, the researchers discovered that people would pay roughly US$0.60 more for each $15 item to protect their privacy. The researchers plan to conduct another study soon, partnering with vendors to offer specific price differences so that they can gather more pricing information.
• In May, the US Transportation Security Administration (TSA)—a unit within the Department of Homeland Security (DHS)—announced that a hard drive containing the names, social security numbers, birth dates, and payroll and bank account information of 100,000 employees was missing. The American Federation of Government Employees (AFGE), the union that represents DHS employees, has filed a class-action lawsuit against the TSA under the Privacy Act. AFGE president John Gage says, "The American people look to DHS for security and protection. A DHS agency that cannot even shield its own employee data is not reassuring."
• The US and European Union (EU) hammered out a data-sharing agreement for airline passengers traveling between Europe and the US. The prior agreement required airlines flying from Europe to the US to supply passenger data—credit-card details and how and where the plane ticket was purchased, for example—to US authorities. Under the new agreement, the US can keep passenger data for up to 15 years and places no limits on what the US can do with the data. However, the agreement allows EU officials to visit the US and inspect how the data is used.
• Google's still number one—kinda. In June, Privacy International, a privacy watchdog group based in London, blasted Google's privacy practices and gave the company its lowest possible rating. The group surveyed and rated 23 companies—including Microsoft, Yahoo, and AOL—and placed Google in a category reserved especially for companies with "comprehensive consumer surveillance and entrenched hostility to privacy." Google's deputy general counsel said the report is based on "inaccuracies and misunderstandings." The survey results followed the EU's Data Protection Working Party's letter to Google, which raised concerns that the company's data retention period didn't comply with the EU's data protection rules. Google has since reduced its data retention period from 24 to 18 months.
• Reporters without Borders (RWB) warned against the Internet profiling algorithms that Microsoft researchers from its Beijing-based lab introduced at the International World Wide Web Conference in May. The Microsoft researchers have developed algorithms that can predict the age and gender of Web visitors based on the sites they visit. The algorithms predicted the gender of Web users 80 percent of the time and correctly revealed users' ages 60 percent of the time. The researchers say they could expand their algorithms to include occupation, education, and geographic location. RWB said in a statement, "These technologies could eventually lead to the creation of programs that could identify 'subversive' citizens. We believe it is unacceptable to carry out this kind of sensitive research in a country such as China where 50 people are currently in prison because of what they posted online." Erik Bratt, a Microsoft marketing communications manager, said, "Microsoft currently has no plans to use the capabilities found through this research in our products and services."
• In June, The Washington Post reported that an internal US Federal Bureau of Investigations (FBI) audit revealed more than 1,000 violations in data collection on domestic phone calls, emails, and financial transactions since 2002. According to the Post, roughly 700 of the violations involved telephone companies and ISPs handing over more information than what was authorized by the agency's National Security Letters. Additionally, two dozen violations involved FBI agents requesting information that US law doesn't allow them to have.
• A group of scientists from NASA's Jet Propulsion Lab has banded together in opposition to a presidential security directive that requires federal agencies to fingerprint and conduct background checks on employees. NASA scientists object to the scope of the background investigations, which includes full financial, medical, and criminal histories. Additionally, the scientists say the background checks are interfering with recruitment efforts. "In the face of such intrusions, talented researchers are inclined to take positions elsewhere, where the employers have a modicum of respect for the Constitution," the group wrote in letters to US Representatives Rush Holt (D-NJ) and Vernon Ehlers (R-Mich.), both physicists, and to their local congressional representatives.
• Two US senators from Montana successfully introduced an anti-Real ID amendment that prohibits employers from requiring the upcoming national identification card for employment verification. The Real ID Act goes into effect on 11 May 2008 and will require a federally approved ID card to travel on airplanes, open bank accounts, collect social security, or receive other government services. The amendment still awaits a formal vote.
• In May, the German government approved legislation that makes hacking a crime punishable by up to 10 years in prison. The legislation defines hacking as penetrating a computer security system and gaining access to secure data—even if data isn't stolen. The legislation closes loopholes in a previous law against attacks on business IT systems; denial-of-service attacks and sabotage against individuals are now also punishable under the law. Critics of the new law, such as the Chaos Computer Club, say it will hinder the work of white hat hackers and researchers and restrict the ability of security companies to guard against attacks.
• Under a new law in Hong Kong, spammers can be fined up to one million Hong Kong dollars and spend five years in jail. Hong Kong's deputy secretary for commerce, Marion Lai, said that 95 percent of Hong Kong's spam originated from outside the country but most unsolicited faxes and voice calls were local. The new law doesn't apply to telemarketers.
• In June, the US House of Representatives passed the Spy Act, a broader anti-spyware bill than the I-Spy Act the House approved in May. The Spy Act would outlaw transmitting personal information without users' knowledge and sets penalties for spyware authors who install security-circumventing code on computers without user authorization. Opponents of the bill—from the American Bankers Association to the Information Technology Association of America—say it would regulate every Web site on the Internet and, as written, would threaten search engines and e-commerce and news sites that rely on cookies. The Senate is expected to vote on both bills later this year.
• Zimbabwe's lower house passed a bill in June that would let the government monitor phone calls, emails, and Internet use. The Interception of Communications bill is now before the upper house, where it's expected to pass because President Robert Mugabe's ruling party controls both houses. In opposition to the bill, Movement for Democratic Change legislator David Coltart said, "I recognize the need for legislation of this nature, especially after the emergence of al Qaeda and international terrorism. The objection is what checks are there to stop the abuse of this law."
• In June, the Boston, Massachusetts police department unveiled its new anonymous text-message tip line. The initiative is part of its Crime Stoppers program, which lets citizens call in anonymous tips about crime. Calls and text messages are routed through a third party that forwards them to the police department, protecting the tipster's identity. In the program's first three days, the police received roughly 35 messages, including one that detailed a suspected drug dealer's license plate number and regular hideout.
• The US Department of Homeland Security (DHS) revealed its plans to require European visitors to fill out online questionnaires two days before entering the US. The DHS's chief privacy officer, Hugo Teufel, said the department had been discussing the idea internally but had no timetable for introducing the requirement, which would likely require congressional approval. The DHS said the online registration requirement would work in tandem with the Automated Targeting System, which assigns risk factors to determine the likelihood that visitors entering the US could be security threats.