Issue No.03 - May/June (2009 vol.7)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2009.73
A brief look at news in security, privacy, and policy.
In March, security researcher Charlie Miller [coauthor of an article on p. 13] took a US$5,000 prize by cracking Safari during the annual Pwn2Own contest, part of the CanSecWest conference. Miller came prepared with a link where his exploit was hosted and needed only a few seconds to take control of a Macbook organizers used for the contest. Another contestant, Nils, won $15,000 for exposing vulnerabilities in Internet Explorer 8, Safari, and Firefox. Google's Chrome was the only browser to survive the contest unscathed. Organizers also offered a $10,000 prize for successfully exploiting a mobile device, but no one was able to claim it.
Researchers have spotted two separate attempts to build the world's first Mac botnet, but both were considered primitive efforts and one was dismissed as posing no real threat. In April, Symantec researchers reported on a Trojan distributed through pirated versions of iWork 09. Security company Intego discovered two versions of the Trojan in January, but not before it had infected roughly 20,000 Mac users. The botnet was later shown to be involved in a distributed denial-of-service attack. In May, researchers found a worm called Tored that attempted to install a backdoor and steal email addresses. The creators made their intentions clear, writing "First Mac OS X Botnet" in the worm's source code.
The US National Security Agency (NSA) is expected to complete development for President Barack Obama's customized BlackBerry 8830 within the next few months. The device will include the Genesis Key's SecurVoice software, which the company says meets the NSA's top-secret security certification and FIPS 140-2 validation. Communications meeting security guidelines will only be available to other customized devices, so Obama's top aides and First Lady Michelle Obama are also expected to get BlackBerries from the NSA. Currently, the president uses a BlackBerry 8830 connected to a Sectera Edge. [ See "A New Era of Presidential Security: The President and His BlackBerry," in our March/April 2009 issue ( http://doi.ieeecomputersociety.org/10.1109/MSP.2009.29) —Eds.]
Criminals are reportedly paying hefty sums for old Nokia 1110 mobile phones manufactured at a specific plant in Germany. In April, Ultrascan Advanced Global Investigations reported that phones originating from Bochum, Germany, have sold for up to €25,000 (US$32,413). Nokia said it couldn't find any flaws in the devices, but Eastern European gangs reportedly have been able to hack the devices to use another person's phone number. The reprogrammed phones are then used for online banking fraud through mobile Transactions Authentication Numbers (mTANs), a common security measure in Europe. Ultrascan later obtained three of the devices and began testing to find any vulnerabilities.
In April, Vietnamese researchers at the Black Hat DC conference demonstrated a flaw in biometric security logins that use facial recognition software, successfully breaking into Toshiba, Lenovo, and Asus laptops. The researchers used digital images of the laptops' authorized users to fool the login systems, editing lighting and angles on multiple images to simulate a live person. The hacks worked even at the highest security setting, and the researchers said companies should stop using the technology until it can be improved.
In April, Panda Security introduced a free cloud-based antivirus program that uses data submitted from users' computers to quickly identify new malware threats. Currently in beta, Panda Cloud Antivirus ( www.cloudantivirus.com) is available as a thin client in Windows. Instead of scanning files in layers such as antivirus signatures and heuristics, the technology uses a new model that scans files when they're put in use or executed, sending information to the Collective Intelligence cloud system for detection. Although most antivirus programs can take up to 48 hours to update signatures, the Panda model can reportedly identify a new threat in as few as six minutes.
Some ISPs in Sweden have stopped saving information about their customers' IP addresses in an effort to avoid a new antipiracy law implemented on 1 April. Based on the EU's Intellectual Property Rights Enforcement Directive (IPRED), the law lets copyright holders go through courts to obtain users' identifying information from ISPs. The companies say that nothing requires them to store the information, but another EU directive that requires data retention for up to two years is currently pending litigation. Sweden's Internet traffic plunged by 30 to 50 percent after the IPRED law went into effect.
US senators have introduced legislation that would overhaul government cybersecurity and call for a White House cybersecurity adviser who would have broad authority over networked systems, including private and military systems. Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Senator Olympia J. Snowe (R-Maine) sponsored two complementary bills. The legislation would include a national cybersecurity review every four years, programs for businesses to meet cybersecurity requirements, and funding for National Science Foundation research. Many of the proposals were based on a Center for Strategic and International Studies report completed last year, and Obama's administration helped draft the bills.
In March, the US government began seeking white hat hackers to help strengthen its cybersecurity. General Dynamics Information Technology took out help wanted ads on behalf of the Department of Homeland Security, looking for people who could "think like the bad guy." Applicants would be expected to analyze Internet traffic and find vulnerabilities in networking infrastructure using hacking tools and tactics. Defense Secretary Robert Gates said in a Pentagon budget request that he wants to increase the number of cybersecurity experts the department can train each year from 80 to 205.
In April, the European Commission (EC) began a legal proceeding against the British government over its role in testing Webwise, a behavioral advertising technology created by Phorm. The EC said it had received numerous complaints that British Telecom tested Webwise without users' knowledge or consent. Phorm uses deep packet inspection (DPI) to constantly monitor users' Web activity and deliver advertisements based on that information, but says that users aren't identified and no browsing data is retained. Several large Web companies, including Amazon and the Wikimedia Foundation, later requested that their sites be excluded from Phorm's technology. Phorm also set up a Web site at stopphoulplay.com to respond to allegations that it violates privacy.
In April, Google disabled video uploads and comments for its Korean version of YouTube, skirting a new South Korean law that requires large sites to collect contributors' names and national identification numbers. Google explained in a Korean blog post that it works as best it can to abide by local regulations, but believes that the ability to remain anonymous is important to freedom of expression. Users can get around the YouTube restriction by changing their country preference. Korean newspapers reported that the government is unhappy with the situation and is considering legal action. The cyber defamation law went into effect 1 April, calling for anyone found guilty of defaming others online to be punished by up to three years in prison or fined up to 30 million won (US$23,500).
In March, the US Supreme Court declined to consider a state ruling that Virginia's antispam law is unconstitutional, ending the state's appeal to save one of the nation's toughest spam laws and a conviction against spammer Jeremy Jaynes. The Virginia Supreme Court reversed itself in September 2008 during an appeal in the Jaynes case, finding that the law goes too far in prohibiting religious and political messages. Jaynes was the first person in the US to be convicted for sending spam. He was sentenced to nine years in prison in 2004 for sending up to 24,000 commercial emails per day to America Online users.
Verizon Business reported a significant increase in data breaches last year in its 2009 Data Breach Investigations Report ( www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf), totaling more than the previous four years combined. Its Investigative Response team responded to 90 data breaches that accounted for 285 million compromised records, with 20 percent of those records breached more than once. In its report last year, Verizon said breaches from 2004 to 2007 numbered 230 million records. The 2009 report concluded that 87 percent of the breaches could have been avoided with standard security controls, including creating a data retention plan, monitoring event logs, and changing default credentials.