Published by the IEEE Computer Society
• According to Trend Micro researchers, more than 400 do-it-yourself phishing kits are in the wild. The kits are designed to target financial companies such as Barclays, Chase, and Citibank. Little to no programming experience is required to set up and run the kits, but buyer beware: some of them target the kit buyers themselves by sending copies of the valuable data back to the phishing kit's authors.
• At a security summit hosted by Yahoo! in February, Websense presented Lexi-Rep, a tool that identifies suspicious domain names. Lexi-Rep uses an algorithm that measures the likelihood that a domain name was registered by man or machine—for example, domain names with unusual letter pairings, such as "JX," would receive a negative score whereas more common pairings such as "TH" would receive a higher (more positive) score. The tool then weighs the scores and categorizes the domains. The tool blacklists domains with negative scores and reportedly has a 99.9 percent accuracy rate.
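As an added illustration of the letter-pair scoring idea described above (this is not Websense's code; Lexi-Rep's training data, weights and threshold are not published, so the constructed word list, add-one smoothing, log-likelihood-ratio score and zero threshold used here are assumptions of this example), the Python below trains a bigram model on ordinary English words, scores each adjacent letter pair in a domain label against a uniform baseline, and classifies the label by the mean score:

```python
"""Bigram-likelihood scoring of domain-name labels (illustrative reimplementation
of the idea attributed to Lexi-Rep above; not Websense code)."""
import math
import string
from collections import Counter

# Constructed training corpus: ordinary English words a human registrant is
# likely to combine into a label. A real deployment would train on a large
# dictionary or on a list of known-good registrations instead.
TRAINING_WORDS = (
    "the and for with bank online secure login account news mail shop "
    "store cloud data home health media network service support payment "
    "market travel music video photo game sport world weather school "
    "finance credit union capital trust insurance mobile apple google "
    "microsoft amazon city state nation global express direct first best"
).split()

ALPHABET = string.ascii_lowercase
UNIFORM = 1.0 / (len(ALPHABET) ** 2)  # baseline probability of any letter pair


def train_bigram_model(words=TRAINING_WORDS):
    """Map every two-letter pair to a smoothed probability learned from the corpus."""
    counts = Counter()
    for word in words:
        letters = "".join(ch for ch in word.lower() if ch in ALPHABET)
        for i in range(len(letters) - 1):
            counts[letters[i:i + 2]] += 1
    total = sum(counts.values())
    vocab = len(ALPHABET) ** 2
    # Add-one smoothing: pairs never seen (e.g. "jx") get a small non-zero probability.
    return {a + b: (counts[a + b] + 1) / (total + vocab) for a in ALPHABET for b in ALPHABET}


MODEL = train_bigram_model()


def bigram_score(pair, model=MODEL):
    """Log-likelihood ratio versus uniform: positive = common pairing, negative = unusual."""
    return math.log(model[pair.lower()] / UNIFORM)


def registrable_label(domain):
    """Return the label directly left of the TLD ("citibank" for www.citibank.com).
    Assumption: single-label TLDs; country-code second-level domains such as
    .co.uk would need a public-suffix list, which this example omits."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def label_score(label, model=MODEL):
    """Mean bigram score for one label; digits and hyphens are dropped first.
    Labels with fewer than two letters cannot be scored and are returned as neutral 0.0."""
    letters = "".join(ch for ch in label.lower() if ch in ALPHABET)
    if len(letters) < 2:
        return 0.0
    pairs = [letters[i:i + 2] for i in range(len(letters) - 1)]
    return sum(bigram_score(p, model) for p in pairs) / len(pairs)


def classify_domain(domain, threshold=0.0, model=MODEL):
    """Score the registrable label and return (score, verdict).
    A negative mean score marks the name as suspicious, mirroring the
    sign-based categorization described for Lexi-Rep; the threshold is an assumption."""
    score = label_score(registrable_label(domain), model)
    verdict = "suspicious" if score < threshold else "likely human"
    return score, verdict


if __name__ == "__main__":
    # Constructed sample names, not real observations.
    for name in ("www.citibank.com", "secure-login-bank.net", "jxqzkvw.com", "qzxjkv-update.org"):
        score, verdict = classify_domain(name)
        print(f"{name:28s} {score:+.3f} {verdict}")
```

Two caveats a practitioner would want before using such a score for blocking: the mean over a label penalizes short brand names and acronyms whose pairs are rare in English, so a lexical score should be one feature in a reputation pipeline rather than the sole blacklist criterion, and the threshold has to be tuned on a labelled set of known-good and known-bad registrations rather than fixed at zero as in this example.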
• In February, PayPal issued a recommendation to its users: don't use Apple's Safari browser to log into the site. Instead, the company says Internet Explorer 7, Firefox 2 or 3, or Opera are safer browsers to use. PayPal's chief information officer, Michael Barrett, says Safari lacks a built-in phishing filter or support for Extended Validation (EV) certificates, an antiphishing technology that turns a browser's address bar green when visiting a legitimate Web site.
• Microsoft has downplayed a threat to encrypted hard drives on laptops that Princeton researchers identified in a paper (http://citp.princeton.edu/pub/coldboot.pdf) released in February. The attack—nicknamed the "cold boot attack" because attackers can use compressed air or liquid nitrogen to cool down memory and prolong the time during which they can examine it—lifts the encryption keys used by Vista's BitLocker or Mac OS X's FileVault and lets attackers access data on encrypted laptop drives. Russ Humphries, senior product manager at Microsoft, wrote on the Vista security team blog (http://blogs.msdn.com/windowsvistasecurity/archive/2008/02/22/disk-encryption-balancing-security-usability-and-risk-assessment.aspx) that for the attack to be successful, an attacker would have to have physical access to the laptop in sleep or off mode. To mitigate the threat, a member of the BitLocker test team recommends that laptop users set their machines to hibernate rather than sleep mode, limit boot options by modifying the BIOS, and disable FireWire and PCI host controllers.
• Security vendor Finjan announced in February that it had discovered a database with more than 8,700 compromised FTP usernames, passwords, and server addresses. The server hosting the database also features a trading interface that lets buyers resell compromised FTP information. Finjan says that more than 2,500 of the compromised servers are owned by North American companies, some of which are among the world's top 100 visited domains. The security vendor hasn't released the names of the companies with FTP information in the database, but companies that are concerned about their servers can contact Finjan directly at www.finjan.com/contactFTP.
• In February, the Cult of the Dead Cow released an open source tool called Goolag Scanner, which lets Web site owners run automated scans of their sites for vulnerabilities using Google search terms. Goolag Scanner eliminates the need for users to cut and paste each search query into a Google search field by storing all known vulnerability queries in one file. Users can also add new queries to the file as they find them.
• In a report in Sage (www.mcafee.com/us/local_content/reports/sage_2008.pdf), McAfee's semiannual security journal, the company details the rise of region-specific malware. According to the report, malware writers in Japan are targeting users of file-sharing software that's popular only in Japan. McAfee believes that malware writers are shifting from malware that tries to infect as many users as possible to malware that targets a relatively small number of users in specific regions in an effort to avoid worldwide attention and focus on regions with weaker cybercrime enforcement. McAfee says it identified 53,537 unique pieces of malware in 2006; in 2007, the number soared 246 percent to 131,862 and is predicted to double by the end of 2008.
• A denial-of-service attack prevented WordPress bloggers from logging into their accounts during a four-day period in February. The attack, which measured some incoming traffic spikes at roughly 6 Gbps, left some bloggers offline for even longer periods of time. The blogs remained viewable, however.
• In an anonymous post on the RBNExploit blog (http://rbnexploit.blogspot.com/2008/02/rbn-extortion-and-denial-of-service.html), security researchers have detailed a protection racket run by the Russian Business Network (RBN) that targets sites dealing in pornography, online pharmaceuticals sales, and investment scams. The model isn't new: its affiliates launch distributed denial-of-service attacks against sites and then RBN comes in and offers to prevent further attacks at prices that can run as high as US$2,000 per month. The racket works well because Web site owners trafficking in pornography or spamming customers aren't likely to complain to authorities.
• In February, a self-described ethical hacker outfit posted proof-of-concept code (www.gnucitizen.org/projects/total-surveillance-made-easy-with-voip-phones/) of a cross-site scripting vulnerability that affects a common voice-over-IP phone. The hacker group, GNUCitizen (www.gnucitizen.org/about/), says attackers would need to have the phone's IP address before executing the attack. According to the group, once attackers get the phone's IP address, they can steal or tamper with the phone's log and address book, monitor conversations, and make phone calls that would be charged to the compromised phone's owner.
• According to security researchers at Websense, spammers are using a bot that evades the Captcha security mechanism used by Microsoft's Live Mail. The bot captures the Captcha and sends it back to the bot's server, which then attempts to generate a match and sends that back to Live Mail. Websense reported that the bot delivers a match between 30 and 35 percent of the time. Websense's researchers are still unclear as to what happens when the Captcha image reaches the server. Dan Hubbard, Websense vice president of security, says the server might be running the Captcha through an optical character recognition program or one of several Captcha-cracking tools currently available.
• In February, a Chinese hacker broke into South Korea's largest online shopping Web site and pilfered the personal and financial data of roughly 18 million users. According to the Web Application Security Consortium (WASC), the hacker used a cross-site request forgery attack to gain access to the site's servers.
• In February, the Electronic Frontier Foundation (EFF) filed a lawsuit against the US Department of Justice (DOJ) for access to all communications between the DOJ's former chief privacy officer and Google. The lawsuit stems from a Freedom of Information Act request that the DOJ refused. Jane Horvath was the DOJ's top privacy and civil liberties officer when Google fought the DOJ's subpoena for search data in 2006. After Horvath left the DOJ, Google hired her as its senior privacy counsel in 2007.
• The privacy protections that the US Health Insurance Portability and Accountability Act (HIPAA) offers might not apply to personal healthcare records (PHR) stored online. That's the contention of the World Privacy Forum (WPF), which issued a report (www.worldprivacyforum.org/pdf/WPF_PHR_02_20_2008fs.pdf) in February that examined online personal healthcare systems. The report contends that PHR systems that don't operate under HIPAA are open to subpoenas and data brokers who purchase the data. The group suggests that individuals ask whether the PHR systems they're considering are covered under HIPAA before opting in.
• In February, California district court judge Jeffrey White drew the ire of several privacy and civil rights advocates after he issued a permanent injunction and restraining order against Wikileaks.org, a site that lets anonymous whistle blowers post corporate and government documents online. The judge issued both rulings in response to a lawsuit filed by a Swiss bank—Julius Baer—that claimed that Wikileaks illegally obtained and published hundreds of confidential bank documents and copyrighted material. The site was immediately scrubbed by Dynadot, Wikileaks' registrar, but several mirror sites outside of the US continued to host versions of the site. Julius Baer has since dropped its lawsuit, and the site is now back online.
• In February, a California appeals court ruled that an anonymous Internet poster didn't have to reveal his identity after posting "unquestionably offensive and demeaning" messages about a drug company executive on a Yahoo! message board. The executive sued the anonymous poster for libel and fraud and had hoped to subpoena Yahoo! and compel the company to hand over the real name of the poster.
• In a paper published in Pediatrics (vol. 121, no. 2, pp. e350–e357), researchers found that 15 percent of Internet users between the ages of 10 and 15 reported receiving an "unwanted sexual solicitation online" in the past year, with 4 percent of the solicitations attributed to social networks. Of the control group, 33 percent reported receiving nonsexual online harassment in the past year, with 9 percent coming from social networks. Where are the unwanted advances and harassment coming from? Instant messaging and chat rooms, according to the paper's authors: instant messaging accounts for 43 percent of unwanted sexual advances and 55 percent of harassing messages, whereas chat rooms account for 32 percent of unwanted sexual advances and roughly 27 percent of harassing messages.
• In February, US Senators Olympia Snowe (R-Maine), Bill Nelson (D-Fla.), and Ted Stevens (R-Alaska) introduced an anti-phishing bill that would outlaw and define the practice as deceptive under the US Federal Trade Commission (FTC). The bill—the Anti-Phishing Consumer Protection Act of 2008—would also require US domain name registrars that offer proxy services to reveal registrants' contact information in lawsuits. The bill's opponents say its scope is too broad and its language could let large trademark holders take away legitimate domain names from smaller entities. Philip Corwin, general counsel representing the Internet Commerce Association, says that the bill is unnecessary and an attempt to create an enforcement scheme that's broader than ICANN's Uniform Dispute Resolution Process (UDRP). Corwin notes that trademark owners prevail in 85 percent of UDRP complaints and nearly 100 percent of the cases brought under the US Anticybersquatting Consumer Protection Act.
• Microsoft chairman Bill Gates is expected to testify before the US House Committee on Science and Technology to urge lawmakers to allow more foreign workers into the country on H-1B visas. In written testimony last year, Gates warned that a shrinking H-1B visa supply would require top graduating students to leave the country and limit innovation and US competitiveness. Last year, US immigration authorities received 150,000 visa applications in one day—the annual cap for visas is 65,000.
• Michael Morley, a Utah state representative, introduced a bill in the state house of representatives that would grant ISPs that filter out pornographic material a special designation and an official seal that they could use in marketing material. If approved, the bill would designate complying ISPs as Community Conscious Internet Providers. The ISPs would have to agree to prohibit their customers from publishing pornographic material, remove such material, and prevent users from accessing it. Additionally, the bill would require ISPs to retain customer IP addresses for two years.
• Facebook relented under heavy pressure from one of its groups with more than 8,000 users to allow permanent removal of profile data after users deleted their accounts. Prior to the change, Facebook kept user data and photos in case users wanted to reactivate deleted accounts. Users wishing to permanently delete their accounts must fill out a form on the site's help page.
• US Representative Edward Markey (D-Mass.) introduced a net neutrality bill that would prevent broadband Internet companies from filtering content. Markey, who is chairman of the US House of Representatives' subcommittee on the Internet, said his goal is to preserve the Internet's open architecture and unfettered access to Internet content for the next generation of users. The bill would also require the US Federal Communications Commission to study the issue and hold public hearings.
• The California State Senate approved a bill that makes it a crime to skim data stored on RFID tags. California State Senator Joe Simitian (D-Palo Alto) introduced the bill after participating in a demonstration that skimmed his state capitol ID card and allowed another person to walk into the capitol building unfettered. The bill is before the state assembly.
• Germany's highest court has handed down a decision requiring judicial approval before installing spyware on suspects' computers. Germany already requires judicial approval for wiretapping.