Published by the IEEE Computer Society
• A DNS cache-poisoning flaw prompted several IT vendors—Microsoft, Cisco, Sun Microsystems, and others—to release patches on the same day in a united effort to mitigate possible problems. Dan Kaminsky, a researcher at IOActive, discovered the flaw earlier this year but kept the vulnerability under wraps until vendors could ready their patches. The flaw could let attackers send users to phishing sites even if they typed the right URLs into their browsers. Kaminsky discovered the flaw by accident and plans to present a paper about it at the upcoming Black Hat USA convention in August.
• Gmail users now have additional phishing protection thanks to a collaboration between Google, eBay, and PayPal. In July, Google began using DomainKeys and DomainKeys Identified Mail (DKIM) to detect phishing emails purportedly coming from eBay and PayPal. Using DomainKeys, Gmail's servers automatically block emails that they can't authenticate as coming from ebay.com or paypal.com. However, DomainKeys can't stop emails sent from hijacked eBay or PayPal accounts, nor can it stop malicious URLs in a message body that get past Google's blacklist of known malware sites.
• Researchers at Secure Computing identified a sophisticated Trojan that infects MP3, Windows Media Audio (WMA), and Windows Media Video (WMV) files stored on users' hard drives. Infection occurs after users visit a warez site and download what they think are activation codes for pirated software. Users spread the Trojan when they share their infected files via P2P. However, users who pass along the infected files are none the wiser because their files play without any indication of the Trojan. When P2P users attempt to open an infected file, they're sent to a page that asks them to download a codec before they can play the audio or video file. However, the codec is actually the Trojan and, once installed, infects their multimedia files.
• Google recently released its internal Web application scanner to the public for free. The tool—Ratproxy—scans Web applications and looks for coding errors that could lead to security vulnerabilities, such as cross-site scripting attacks or caching problems. "We decided to make this tool freely available as open source because we feel it will be a valuable contribution to the information security community, helping advance the community's understanding of security challenges associated with contemporary Web technologies. We believe that responsible security research brings a net overall benefit to the safety of the Web as a whole, and have released this tool explicitly to support that kind of research," wrote Michal Zalewski on the company's security blog.
• In response to the increase in SQL injection attacks, Microsoft and Hewlett-Packard released tools to help Web developers and site administrators avoid the attacks. Microsoft released UrlScan (http://learn.iis.net/page.aspx/473/usingurlscan), which scans and filters malicious query strings, and the SQL Source Code Analysis Tool (www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en), which analyzes .ASP code for vulnerabilities. HP released HP Scrawlr (www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx), which scans Web pages for vulnerabilities.
• Security researchers from antivirus vendor SecureMac reported a Mac-specific Trojan in the wild that could let attackers gain remote access to a system to, among other things, log keystrokes and even take photos using the built-in iSight camera. The Trojan takes advantage of a vulnerability in the Apple Remote Desktop Agent (ARDAgent) and could affect Macs running OS X 10.4 or 10.5. Users can remove ARDAgent from its current location and archive it to protect their machines.
• On 4 July, attackers used the Storm botnet to spread malware via email with subject lines such as "spectacular fireworks show" or "celebrating fourth of July." Email links sent users to malware sites where they were asked whether they wanted to view videos of Fourth of July fireworks displays. When users clicked the links, however, they infected their own machines with the Storm Trojan and added their computers to the botnet's growing list of compromised PCs. Previous holiday-themed spam using the Storm botnet included Christmas and New Year campaigns.
• A research team from Johns Hopkins University has developed software that can eavesdrop on encrypted voice-over-IP streams that use a new compression technique, by measuring the packet sizes of words and phrases. The compression technique—called variable bit rate compression—varies the size of data packets. Longer and more complex sounds have higher sampling rates, whereas shorter and simpler sounds have lower sampling rates. The new technique cuts down on the required bandwidth while maintaining sound quality, but because packet sizes then depend on the sounds being encoded, they leak information about the content even though the stream is encrypted. The researchers' software partially decodes VoIP conversations by searching for certain words and phrases and comparing them to sample conversations in a database. When the software finds a match, it alerts the eavesdropper. The software yielded a 50 percent accuracy rate on short phrases; the percentage rose to 90 percent on longer and more complex words.
• Using the Coreflood Trojan and PsExec, a Microsoft admin utility that lets administrators run software on computers across a network, attackers have infected roughly 378,000 computers and stolen financial information, according to security vendor SecureWorks. Once the Trojan is successfully installed on a machine, it waits for a system administrator to log into the machine and then steals the admin's login and password. It then uses the stolen login information to try to run PsExec and install the Trojan on other network computers.
• From October 2007 to March 2008, attackers stole roughly US$2 million from Citibank ATMs inside 7-Eleven stores in California by gaining access to PINs. Armed with the PINs, the attackers encoded the stolen financial information onto phony ATM cards and withdrew cash from the compromised accounts. How the attackers gained access to the back end hasn't been released publicly, according to court documents filed in a case against three individuals arrested for the scam. The ATMs are Citibank branded, but the company doesn't own or maintain the ATMs; they're owned and operated by Cardtronics and Fiserv.
• Twingly (www.twingly.com), a spam-free blog search engine, went public in June. It has indexed roughly 500,000 spam-free blogs. To keep its search results spam-free, Twingly uses its own algorithm that, among other things, looks at a blog's links to make sure it isn't linking to spam blogs. Twingly's CEO, Märtin Kallström, said Twingly's approach differs from the traditional way of removing spam blogs as they're discovered. "We are starting from scratch, only adding spam-free blogs to the index," he said. Additionally, Twingly offers bloggers a widget that they can put on their sites to integrate with the search engine and lets users vote on search results after registering.
• In July, the US Inspector General (IG) issued a report (www.govexec.com/pdfs/070308n2.pdf) that found the government's Passport Information Electronic Records System (PIERS) vulnerable to data theft. PIERS is used to process passports and contains information—name, birth date, social security number, and citizenship status—on roughly 127 million passport holders. The IG found that the State Department has failed to incorporate controls on the system that would prevent unauthorized access to files. The report comes on the heels of an incident in March in which contractors working for the State Department inappropriately accessed the files of Senators Hillary Clinton (D-N.Y.), John McCain (R-Ariz.), and Barack Obama (D-Ill.).
• A provision in the Housing and Economic Recovery Act of 2008, which aims to address the current housing and mortgage crisis in the US, has privacy advocates worried about increased identity theft. The provision would require companies that electronically process credit-card transactions for merchants—including eBay, PayPal, and Amazon—to track, aggregate, and report information to the Internal Revenue Service on the payments they make to merchants. Under the bill, companies would be required to provide that information on merchants that make more than 200 transactions per year and earn more than US$100,000 per year. The provision will collect more taxes from merchants and help offset the cost of implementing the bill. Privacy advocates say the collection of this data will create a giant database of transaction information for the government to mine and will create identity theft opportunities because it will contain the merchants' social security numbers.
• Privacy groups in the US have asked a federal court to order the US Department of Justice (DoJ) to release records about the government's tracking of mobile phone users. The American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation say that US attorneys have been bypassing warrants and getting tracking data directly from mobile carriers. Catherine Crump, an ACLU attorney, says, "Signing up for cell phone services should not be synonymous with signing up to be spied on and tracked by the government."
• In July, a federal judge ordered Google to turn over YouTube user data—usernames, IP addresses, and videos watched—to Viacom as part of a copyright infringement case Viacom launched in 2007. However, Google doesn't have to provide its source code, which was in Viacom's original request. The ruling limits Viacom's use of the data to proving its case against Google, and the company won't be able to target individuals identified in the data. Several privacy advocates blasted the ruling, including Kurt Opsahl of the Electronic Frontier Foundation. He said the order "is a set-back to privacy rights, and will allow Viacom to see what you are watching on YouTube." In response to the rising swell of concern from privacy advocates, Viacom released a statement that said it "has not asked for and will not be obtaining any personally identifiable information of any user. Any information that we or our outside advisors obtain … will be used exclusively for the purpose of proving our case against YouTube and Google… ."
• In July, the US Senate approved a measure (69 to 28) that revamps federal surveillance law and gives telecoms legal immunity from civil suits for cooperating in the US National Security Agency's (NSA's) wiretapping program. Under the new measure, the government has broader powers to invoke emergency warrantless wiretapping procedures. The legislation lets the government perform wiretaps aimed at foreign targets without warrants for up to seven days in situations in which important national security information could be lost. The measure also expands the time period for emergency warrantless wiretaps on Americans from three to seven days in situations in which the Attorney General finds probable cause that a link to terrorism exists. [See "Risking Communications Security: Potential Hazards of the Protect America Act" in the January/February 2008 and "The Fourth Amendment and Emerging Communications Technologies" in the May/June 2006 issues of S&P for more. —Ed.]
• The US Senate unanimously passed the New and Emerging Technologies 911 Improvement Act in June. The act requires operators of 911 networks to let voice-over-IP providers connect to their networks at the same rates and under the same conditions as mobile phone companies. In addition, the bill offers 911 networks liability protection when handling VoIP calls and requires the US government to establish a plan for developing next-generation 911 capabilities.
• The US Department of Homeland Security (DHS) has solicited a written proposal (www.lamperdlesslethal.com/news/upload/pg1HomelandSecurity7_06.pdf) for shock bracelets from a Canadian company. The bracelets would let flight crew incapacitate hijackers via an electro-muscular shock sent by radio frequency transmitters. The bracelets remain inactive until the flight crew identifies a possible hijacking situation. The jolt overrides the central nervous system, leaving a potential hijacker immobile for several minutes. Additionally, the bracelet would contain passengers' personal information and flight information, eliminating the need for boarding passes. Responding to criticism over the proposal, the contractor involved in the development of the bracelets posted on its Web site, "We believe that all passengers will welcome deliverance from a hijacking, as will the families, carriers, insurance providers etc. The F-16 on the wingtip is not to reassure the passengers during a hijacking but rather to shoot them down" (www.lamperdlesslethal.com/company_details.asp?ID=234).
• In June, executives from Cisco, Samsung, Sprint Nextel, Clearwire, Intel, and Alcatel-Lucent announced the formation of the Open Patent Alliance. The group's goal is to gather patents and rights to WiMax, the IP-based wireless technology, and license them to manufacturers of consumer electronics, networking equipment, and computers. The alliance hopes to increase WiMax adoption by making the patents inexpensive. In a Web cast introducing the new group, executives from the founding companies stressed the alliance's open model and encouraged companies to join the group.
• In an agreement with New York state attorney general Andrew Cuomo, Verizon, Sprint, and Time Warner have agreed to block US access to child pornography sites and newsgroups. The agreement is the result of an eight-month investigation conducted by the New York state attorney general's office in which undercover agents posing as Internet service subscribers complained to their providers about allowing access to child pornography. The attorney general's office stepped in after the ISPs ignored the subscribers' complaints. The three companies will also contribute money to a fund that will underwrite the attorney general's efforts to remove child pornography from the Internet.
• Dutch telecom Worldmax launched the first mobile WiMax network in Europe, giving its users high-speed Internet access on the go. Worldmax's network covers only the city of Amsterdam for now, but the company hopes to extend the network across the country by adding roughly 3,000 access points at a cost that's expected to run into the hundreds of millions of dollars. The company said access will cost roughly US$31 (20 euros) per month and require no long-term contract.