Issue No.05 - September/October (2009 vol.7)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2009.128
A brief look at news in security, privacy, and policy.
Multiple flaws discovered in XML libraries affected a wide range of software applications in August, prompting Sun Microsystems, the Apache Software Foundation, and the Python Software Foundation to issue immediate updates. Many other software vendors were expected to issue updates owing to the widespread use of XML on Web applications, mobile phones, and elsewhere. Security vendor Codenomicon, a spin-off from the University of Oulu in Finland, discovered the vulnerabilities, which show up in XML parsing with unexpected byte values. Attackers could use the flaws to install malware or send applications into infinite loops.
A Trojan horse known as Clampi has the potential to steal credentials from more than 4,500 Web sites, a number far larger in scope than other malware, security researchers said in July. According to SecureWorks, malware generally targets account information from roughly 30 Web sites, but Clampi's operators are much more sophisticated, targeting industries such as banking, stock brokerages, insurance, and e-shopping. The Trojan usually spreads through drive-by downloads.
Microsoft issued an out-of-cycle patch in July to fix 0-day vulnerabilities in ActiveX controls that attackers were actively exploiting, and followed up with a large batch of ActiveX updates on its regular schedule in August. The updates came in response to a demonstration at the July Black Hat conference in Las Vegas, where security researchers showed how to bypass a security mechanism called kill-bit, which keeps out non-Windows controls. The researchers used the exploit to run an unauthorized program. The July updates fixed flaws in the ActiveX active template library, and the August update added 19 fixes, including ActiveX updates for the Office suite.
Google security researchers discovered a critical Linux kernel bug in August that was at least eight years old and was easy to exploit. The researchers, Julien Tinnes and Tavis Ormandy, issued an update, and Red Hat later confirmed the vulnerability and issued a mitigation recommendation. According to Tinnes, the problem was related to how Linux handles null pointers for some protocols. Attackers could exploit the bug by creating a mapping at address zero with kernel privileges.
In July, police in Queensland, Australia, began a "wardriving" campaign to find unsecured wireless networks in the state and warn vulnerable residents and businesses. The Queensland Police Service fraud-prevention unit said an increasing number of computer users are setting up networks without enabling security settings or changing the default password, giving criminals who drive and park nearby easy online access. Queensland police said the campaign is likely the first of its kind anywhere, and they expected it to inspire other agencies to try it.
In July, Radware security researchers demonstrated a tool they developed that hijacks application updates on Wi-Fi connections and replaces them with malware. At the Defcon 17 hacking convention in Las Vegas, the researchers showed how the tool sends phony update alerts to lure users into downloading it. The tool can mimic roughly 100 applications, including CD burners and video players, but Microsoft applications are immune because they have digital signatures. Compromised machines can also be used to attack other users within Wi-Fi range.
In August, an Arbor Networks researcher investigating distributed denial-of-service attacks against Twitter discovered a profile on the site that was being used as a botnet control center. Researcher Jose Nazario said such cases are likely to become more common because Twitter's high traffic and minimal antispam controls make it attractive for criminals. Twitter disabled the profile, which was supplying links to a malware downloader through an RSS feed.
In August, security researcher Adam Laurie claimed that he could clone the UK national ID cards expected to be issued to foreign workers by the end of the year. Laurie demonstrated his cloning process for the Daily Mail, copying the information from a card's microchip and changing details. The British government, which has touted the cards as "unforgeable," dismissed Laurie's claims as "rubbish" and said it hadn't seen any evidence the cards can be cloned.
A federal grand jury indicted hacker Albert Gonzalez on charges related to one of the largest corporate data breaches in the US, a week before Gonzalez entered a plea deal in another high-profile case. The grand jury alleged that Gonzalez and two Russian co-conspirators were behind the 2007 SQL injection attacks against Heartland Payment Systems, which affected more than 100 million credit-card holders. Gonzalez, a former Secret Service informant, was also responsible for breaches against 7-Eleven, Hannaford Brothers, and two other large retailers, according to the indictment. The plea deal with federal authorities in Boston and New York was for charges relating to the TJX breach discovered in 2007.
Swiss authorities have demanded that Google remove images of the country from its "street view," complaining that the mapping application doesn't conform to the country's strict privacy laws. Google, which has often faced opposition worldwide as its camera-equipped vehicles document local streets, said that it would work with Swiss privacy regulators to resolve any problems arising from the service. Street view became available for Switzerland in August, and Google said that it's been popular there. The complaints arose because Google's blurring technology didn't obscure all license plates and faces, including that of a parliamentarian.
University of Washington computer scientists released a prototype Web tool in July that places a time limit on text sent over the Internet, essentially giving messages self-destruct properties. Called Vanish (http://vanish.cs.washington.edu), the tool encrypts text sent through Web applications such as Google Docs and sites such as Facebook, rendering it unreadable after a set time frame, usually eight to nine hours. When it encrypts a message, Vanish creates a key that it breaks apart and sends to peer-to-peer (P2P) networks. Natural attrition as computers join and leave such networks ensures that pieces of the key eventually disappear, and messages can't be accessed.
US cybersecurity advisor Melissa Hathaway resigned from her White House post in August, removing herself from consideration for the unfilled position as President Barack Obama's top cybersecurity official. In a Washington Post interview, Hathaway said she was frustrated by the government's slow bureaucracy and felt she could better effect change in the private sector. The White House said in a statement that it remains committed to strengthening cybersecurity and is undertaking a lengthy process to hire a cybersecurity coordinator, a position that would report to the US National Security Council and the US National Economic Council.
The US government is considering a more lenient policy on cookies, inviting public comment in July on a White House proposal that would roll back a federal ban in place since 2000. The Office of Management and Budget is considering the change to give government sites the option to implement social networking and other tools that often use tracking technology. According to US Chief Information Officer Vivek Kundra, the proposal calls for three tiers for cookie usage; users can opt out, and cookie notices must be displayed prominently on sites.
The Payment Card Industry (PCI) Security Standards Council released guidelines in July to ensure that wireless local area networks meet security requirements and prevent large-scale breaches. An organization working group prepared a step-by-step document intended to be an easy reference for merchants who want to accept payment cards through wireless networks. The guidelines clarify certain aspects of PCI standards, such as Wi-Fi networks that are subject to auditing even if cardholder data is sent wirelessly.