Issue No.01 - January/February (2009 vol.7)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2009.19
A brief look at news in security, privacy, and policy.
Oracle released 41 security patches for its products in January. Of these, more than 15 address flaws that could let attackers remotely execute malicious code without authentication. The release includes fixes across all of Oracle's product lines, including its Application Server, BEA Product Suite, database applications, WebLogic Server, and E-Business Suite.
In January, attackers hit the networking site LinkedIn, flooding the network with links to Web sites that hosted malware. The attackers created fake profiles and included links promising photos of nude celebrities. Unsuspecting users who followed the links were asked to install a phony video codec to view the photos. Those who installed the "codec" actually installed a Trojan on their computers. Once notified, LinkedIn immediately shut down the fake accounts. The company didn't say how many fake profiles the attackers created, but McAfee said in a security alert that it had found "several hundred" through a Google search (www.avertlabs.com/research/blog/index.php/2009/01/06/rogue-linkedin-profiles-lead-to-malware/).
Microblogging site Twitter got nailed twice by attackers in January. An attacker hijacked 33 Twitter accounts of well-known celebrities, politicians, and organizations, including Britney Spears, Barack Obama, and Fox News, through the online tools the company's support team uses to help users. The company took the support tools offline and locked down the affected accounts. This attack followed on the heels of a phishing scam that hit the service a few days earlier. Attackers used Twitter "tweets" to try to lure users into revealing their usernames and passwords with promises of free iPhones. Rather than herding users to a spoofed Twitter sign-on screen, the tweets contained links to sites that asked for personal information and tried to convince users to sign up for text messaging plans. Biz Stone, Twitter's cofounder, called the spate of attacks a "wacky weekend" on his blog (http://blog.twitter.com/2009/01/monday-morning-madness.html) and said the incidents had prompted a "full security review."
Security researchers from Invisible Things Lab (http://invisiblethingslab.com) have compromised Intel's vPro processor platform. The researchers, Rafal Wojtczuk and Joanna Rutkowska, created code that mounts a two-stage attack against software that uses the platform's Trusted Execution Technology (TXT). The attack's first stage exploits a flaw in the system software; the second stage takes advantage of a design flaw in the current TXT version. The researchers haven't released details of the attack and are working with Intel on a patch. Wojtczuk and Rutkowska plan to give a detailed presentation at the Black Hat conference in February in Washington, DC.
The leap second that the International Earth Rotation and Reference Systems Service (IERS) added to Coordinated Universal Time in December is causing problems for Oracle's Cluster Ready Services (CRS) software. CRS lets a single Oracle database be deployed on a group of servers to provide fault tolerance and scalability. The leap second causes CRS systems to reboot. The company has issued fixes for the problem, which affects Oracle Server Enterprise Edition versions 10.1.02 to 11.1.07 running on 64-bit Sun Solaris servers.
In October, Gary McGraw (S&P's Silver Bullet editor) and Brian Chess introduced a software security framework (www.informit.com/articles/article.aspx?p=1271382) that's being used to build an associated maturity model. During the course of their data gathering, McGraw and Chess, along with Sammy Migues, uncovered some interesting patterns that they summarize in an article for InformIT (www.informit.com/articles/article.aspx?p=1315431). Among their findings: bad metrics hurt security initiatives, most organizations don't use Web application firewalls, and the use of penetration testing diminishes over time as organizations become better equipped to deal with the software security problem.
The Identity Theft Resource Center (ITRC; www.idtheftcenter.org), a nonprofit US organization dedicated to preventing identity theft, released a report in January detailing security breaches for 2008. The report (www.idtheftcenter.org/BreachPDF/ITRC_Breach_Report_2008_final.pdf) chronicles the 656 breaches reported in 2008, an increase of 47 percent over the previous year's 446 breaches. The ITRC found that most of the reported breaches didn't have strong protection methods in place, such as encryption or password protection. Only 2.4 percent of the incidents involved data that was encrypted; 8.5 percent had password protection in place. The report tracks data losses through incidents involving data in transit, accidental exposure, insider theft, subcontractor mishandling, and hacking. All of the breaches the ITRC reported included some type of personal identifying information, such as social security numbers. Overall, the report found that more than 35 million data records were exposed in 2008.
Electronic bill payment service CheckFree has notified more than 5 million customers that attackers gained control of its servers and redirected traffic to Ukraine-based malicious Web sites. The attack occurred in December after the attackers broke into CheckFree's domain registrar account and changed the company's DNS settings. The company is working with the banks that use its services to identify users who might be affected. It declined to disclose which banks might be affected.
Yahoo introduced a new data retention policy in December that will require it to anonymize data within 90 days of collection. Yahoo's policy applies to user search log data, page views, page clicks, ad views, and ad clicks. The company said it will keep some identifiable data (cookies, for example) for no more than six months in fraud cases and for system security. However, privacy advocates point out that Yahoo is modifying the data after three months but still retaining it. Yahoo's new policy comes after Google shortened its data retention period from 18 months to nine months.
As part of a stimulus package, US President Barack Obama has included funding for a nationwide rollout of broadband, smart energy grids, and new technology for classrooms. The broadband rollout includes providing service to unserved areas such as rural or low-income communities. The rollout will allow small rural businesses to compete globally, Obama said in a speech laying out the stimulus package's goals (http://change.gov/newsroom/entry/dramatic_action/). The package also includes money for needed improvements to the energy infrastructure. Obama's plan would create a new smart grid that uses Internet technology to distribute electricity and allow real-time monitoring of domestic energy consumption. The plan includes funds to equip classrooms with new computers and to train teachers.
Comcast, the second largest US provider of broadband cable, has ended its network throttling efforts to slow P2P traffic. In 2007, news reports uncovered Comcast's use of network-management tools that slowed BitTorrent traffic. In August 2008, the US Federal Communications Commission (FCC) ruled that Comcast violated its Net neutrality rules by throttling traffic, even though the company claimed its practice was limited to peak congestion times. Since then, Comcast has capped its customers' bandwidth usage at 250 Gbytes per month, and its revised subscriber policy lets it slow traffic to high-bandwidth users during peak usage times. Comcast's new policy identifies the heaviest network users and temporarily manages their usage until network congestion passes. The policy doesn't manage users' bandwidth based on the applications they're using, such as BitTorrent, but solely on the amount of bandwidth used. The company says its high-traffic users will still be able to continue their online activities but will see longer download and upload times during periods of heavy congestion.
In January, the Organization for the Advancement of Structured Information Standards (Oasis) announced that it had approved two languages for emergency data exchange. Members of the Oasis emergency management technical committee (TC) that ratified the languages include representatives from the US Department of Defense, the Federal Emergency Management Agency, and Sandia National Laboratories, among others. The TC approved the Emergency Data Exchange Language Resource Messaging (EDXL-RM) 1.0 and the EDXL Hospital Availability Exchange (HAVE) 1.0 specifications. EDXL-RM allows data sharing among systems that provide emergency equipment and personnel, and the HAVE specification describes XML documents that communicate the status of a hospital's services and resources.
The US National Institute of Standards and Technology (NIST) released its recommended security requirements for wireless access by government agencies in December. The requirements call for authentication under the Extensible Authentication Protocol (EAP), a framework that supports several authentication methods, each with its own cryptographic key handling. The requirements are laid out in Special Publication 800-120, available at http://csrc.nist.gov/publications/drafts/800-120/draft-SP800-120_Dec2008.pdf.