Published by the IEEE Computer Society
• In July 2006, WabiSabiLabi launched an online auction site that pairs security researchers who find software vulnerabilities with the highest-bidding security companies. The auction house aims to "enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cybercriminals." WabiSabiLabi said it confirms the reported exploits before placing them on the auction block and ensures that the buyers are legitimate security companies.
• According to Matasano Security, several financial services companies are vulnerable to attack through vulnerabilities in the Financial Information Exchange (FIX) protocol on which many financial transactions rely, including securities trading. By exploiting these vulnerabilities, attackers could launch denial-of-service, session hijacking, or man-in-the-middle attacks against applications that support FIX. The security company also points out that other financial industry protocols—on which billions of dollars of transactions depend—contain several holes as well because they were designed for performance, not security.
• In July, the US Secret Service arrested members of a South Florida cybergang believed to have teamed up with Eastern European cybercriminals to create counterfeit cards and IDs used to rack up roughly US$75 million in fraudulent charges and purchases over several years.
• In July, Sun Microsystems' staggered security patch release system came under fire from security vendor eEye Digital. The response stems from eEye's discovery in January 2007 of a vulnerability in the Java Network Launching Protocol that could let attackers set up Web sites that install malicious software on Java-enabled PCs. In June, Sun issued a patch on its Web site but hasn't pushed out the patch to the millions of Java users worldwide. A Sun spokeswoman said the staggered schedule let developers test the patch before widespread release. However, eEye Digital's CTO, Marc Maiffret, said the staggered release schedule gives attackers a head start on reverse engineering patches and creating attack code.
• In July, Cisco found a vulnerability in its Unified Communication Manager IP-telephony software that could let attackers launch denial-of-service attacks or run applications. Cisco has provided workaround instructions and patches for the vulnerability on its Web site.
• The investigation into a spying scandal that involved tapping into top Greek government officials' mobile phones has revealed the existence of the first phone switch rootkit. The rootkit let phone tappers disable a transaction log and enable call monitoring on four switches. Network operator Vodafone discovered the breach after the attackers tried to update their rootkit and disrupted the text-messaging service, which generated an alert. However, the investigation didn't produce any suspects.
• A recent survey conducted by Mazerov Research found that roughly 45 percent of IT professionals experienced a compromise of their Domain Name System (DNS) servers. Of the respondents surveyed, 68 percent said malware was the cause of their DNS problems, followed by denial-of-service attacks (48 percent), cache poisoning (36 percent), and pharming (23 percent).
• In July, a survey by industry analyst firm Brockman & Company found that just 22 percent of commercial spam filters—McAfee, Symantec, TrendMicro, and so on—"fully satisfied" their users. Satisfaction rates for email clients such as IBM Lotus Notes were equally low (21 percent), ditto for open source projects such as SpamPal (16 percent). Challenge-response email filters, in which first-time email senders receive a message requiring them to reply, click on a URL, or visit a Web site before their messages are delivered, have the most satisfied users at 67 percent.
• In a recent paper, a security researcher describes a vulnerability in one of the more popular software packages used on Domain Name System (DNS) servers. Amit Klein, chief technology officer at security vendor Trusteer, said the Berkeley Internet Name Domain 9 (BIND 9) software contains a flaw that could let attackers force DNS servers to send users incorrect Web sites, more commonly known as cache poisoning or pharming. The Internet Systems Consortium, developer of BIND 9, has issued a patch for the flaw.
• An analysis done by Gunter Ollmann from the Internet Security Systems' X-Force team found that over the past five years, the share of vulnerability disclosures attributable to the top 10 software vendors has fallen from 20.2 percent to 14.6 percent. For 2006, the top 10 software vendors, including Microsoft, IBM, Sun Microsystems, Oracle, Apple, and Adobe, produced roughly 14 percent of the vulnerabilities disclosed; smaller software vendors accounted for the remaining percentage.
• European technology companies and research institutions are backing Project Wombat (Worldwide Observatory for Malicious Behavior and Attack Tools), a threat-management system that will offer IT professionals and security researchers data on emerging threats and develop new technologies for automating malware collection and analysis. Funding for the project will come from the participating companies and institutions, but the project is also seeking sponsorship from the European Union.
• The US Internal Revenue Service (IRS) recently conducted a security test in which 61 of 102 employees complied with a telephone request from a caller posing as a technical support person to turn over or change their usernames and passwords. Of the 102 employees who received the test phone call, only eight contacted the Treasury Inspector General's office or the IRS security offices to verify the caller.
• In August, the UK House of Lords published a report that suggests ISPs should provide more online security. The report doesn't specifically call for new legislation regulating ISPs but does suggest that they should be held liable for damages to third parties if they detect infected machines on their networks and fail to isolate them.
• The US Office of Management and Budget issued a directive requiring federal government agencies to conform to a single security configuration. Agencies must have the security configuration—the Federal Desktop Core Configuration (FDCC)—in place by 1 February 2008.
• The state of Illinois is back on track on its 1999 Electronic Commerce Security Act, which gives digitally signed documents equal legal status to wet-ink signatures. Initially, legislators hoped to distribute more than 1 million digital IDs to let state residents conduct business with the state through secure Web sites. By 2004, however, approximately 6,000 IDs had been distributed, so state agencies banded together and settled on a centralized infrastructure. Today, the state has issued roughly 107,000 digital certificates.
• At the Black Hat Conference held this August, Tony Sager, chief of the vulnerability analysis and operations group at the US National Security Agency (NSA), discussed the agency's efforts to bring security experts together in a collaborative environment. The NSA is working on the Security Content Automation Program (SCAP), which focuses on compliance and security management. Sager said, "If you're going to change the world of information security, you need to change lots of things across the spectrum and include the practitioners, users, buyers, suppliers, and authorities."
• Germany's antihacker law, which went into effect on 12 August 2007, could lead to increased cybercrime, according to security experts. Security experts claim the new law is too broad, making the researchers' work more difficult. Marcus Rapp, product specialist at F-Secure, said, "It will make the security situation worse, not better. We use hacker tools to test the security of computer systems […] could our use of these tools get us in trouble someday?"
• California's Consumer Data Protection Act (AB 779) won approval before the State Assembly and is headed before the State Senate. If approved, the bill would go to Governor Arnold Schwarzenegger for his approval. The bill would require retailers to reimburse banks and credit unions for the costs of reissuing cards in the event of a data breach. Additionally, it would require retailers to implement security controls such as encryption for storing and transmitting card data.
• In a letter to US Senator Arlen Specter (R-Pa.) in July, US National Intelligence Director Mike McConnell acknowledged the existence of a domestic mining program that extends beyond tapping emails and phone calls and is broader than the National Security Agency's (NSA's) warrantless wiretapping program.
• In August, California Secretary of State Debra Bowen revoked the approval of four electronic voting machines from Diebold, Hart InterCivic, Sequoia, and Elections Systems and Software. Before the companies can submit their systems for reapproval, they must submit a plan detailing how they intend to harden their systems' internal configuration security and network security.
• In August, a group of nonprofits, government contractors and agencies, and commercial organizations unveiled its global infrastructure to support identity management and cross-credentialing across organizations. The 30-member group—the Federation for Identity and Cross-Credentialing Systems (FiXs)—includes the US Department of Defense, Lockheed Martin, and Wells Fargo, among others. The FiXs initiative ensures the accurate identity of personnel accessing physical sites or systems by combining existing security technologies with a set of trusted models, policies, and operating rules. The initiative is in the testing stage at a few government agencies, but there are no plans to roll it out any time soon. Mike Mestrovich, the FiXs group's president, said, "I think there would have to be a public consensus to move us in that direction and I don't see that happening until at least 2009 or beyond."
• In August, phishers stole roughly 1.6 million records from Monster.com. They can now use this stolen information to customize phishing emails that instruct users to download a job search tool that is, in fact, ransomware. The stolen information included email addresses, home addresses, and phone numbers. Amado Hidalgo, a security analyst with Symantec, said the phishers most likely stole legitimate logins from personnel and accessed the "Monster for employers" area. Once inside the system, the phishers installed a Trojan—Infostealer.Monstres—that ran automated searches and uploaded the results to a remote server.
• The expansion of Google's Street View program has raised concerns among privacy advocates. The program lets users find curbside views of buildings and homes entered into Google Maps at the touch of a button. Privacy advocates are worried that the images could show people entering or exiting places like rehab facilities or political meetings, and make it easier for stalkers to find their victims. Google, however, said it will take down images if it receives complaints and offers an online feedback tool that lets users report images that might create personal security concerns or violate privacy.