Issue No.01 - January/February (2010 vol.8)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2010.42
News in security, policy, and privacy.
The Conficker worm reached 7 million infections in October, nearly a year after it was discovered, according to the security organization Shadowserver Foundation. The worm continues to spread, despite widely available tools to combat it, and security experts believe the infections are primarily on bootlegged versions of Windows that aren't updated. Although the worm has achieved massive infection numbers and caused a minor panic in April, it has yet to be used for anything other than spam. Researchers still fear that it could cause heavy damage if it's ever used in larger attacks, such as distributed denial of service.
In its trends survey for 2009–2010, data center industry association AFCOM reported that 60.9 percent of data centers worldwide recognize terrorist attacks as a significant threat, but roughly one-third (34.4 percent) of its respondents had disaster and recovery plans ready for those situations. Only 24.8 percent addressed cyberterrorism in their policies and procedures, and 19.7 percent provided employee training for terrorism threats. However, 82.4 percent of the respondents performed background security checks on potential employees.
China's defense ministry Web site, launched in August, was attacked more than 2.3 million times in its first month online, according to the state-run People's Daily. A site administrator, Ji Guilin, said the network warded off all the attacks with security measures such as intrusion detection. China launched the site (http://eng.mod.gov.cn) following pressure from the US and elsewhere for more government transparency. According to Guilin, the site had 1.25 billion page views within the first three months.
The US Federal Bureau of Investigation (FBI) warned in November that it has seen increased bank fraud attacks targeting small and mid-sized organizations, such as school boards. According to the FBI, attackers prefer organizations that use small, regional banks that might not have adequate security measures installed. The recent upswing involved automated clearing house (ACH) transfers that can be processed overnight. Attackers typically send targeted phishing emails to people authorized to manage funds, attempting to install keyloggers and malware that can use the victim's credentials to initiate transfers.
In November, hackers broke into email accounts belonging to the Climate Research Unit at the University of East Anglia in Britain and spread internal documents on the Internet, setting off a controversy about environmental statistics. The university acknowledged the breach in a statement and said more than 1,000 emails and 3,000 documents were exposed. Some of the email messages appeared to show scientists' efforts to manipulate climate statistics. However, researchers said the documents were incomplete and only showed an exchange of ideas.
A malicious iPhone worm that targets jailbroken devices (devices that let users bypass Apple's official distribution mechanism) and steals banking information began spreading in November, according to security researchers. The worm, called Duh, is the second to be spotted in the wild, appearing only a few weeks after a nonthreatening worm that takes advantage of the same vulnerability. Duh targets users who have installed the SSH Unix utility—which connects iPhones to the Internet through a secure channel—but haven't changed the default password. The worm can steal mobile transaction authentication numbers (mTANs), giving attackers a short window of time in which to hijack bank accounts.
Facebook founder Mark Zuckerberg sent a message to users in December outlining pending changes to the site's privacy settings, including the elimination of regional networks that allowed access to other network users' personal information. Zuckerberg said in the message that Facebook's growth had made the networks too large to ensure privacy, particularly because some of them encompassed whole countries. Facebook's solution, proposed in July, is to change all privacy settings to a simple, three-tiered model. The site also planned to introduce new tools that would let users choose privacy settings for every post.
The British National Health Service (NHS) reported a breach in its smart-card security in November, while the National Programme for IT (NPfIT) was rolling out its electronic records project. The breach was traced to a former employee who allegedly accessed hundreds of confidential health records and sparked fears that the central electronic system allows insiders to leak confidential information.
In November, T-Mobile confirmed BBC reports that employees had sold UK customer data to third parties, which contacted people whose contracts were about to expire. The company reported itself to the Information Commissioner's Office and helped identify the leak's source, according to a spokesman. The government said it plans to prosecute those involved and is looking into tougher penalties to prevent illegal trade of personal information.
Alan Ralsky, the "Godfather of Spam," was sentenced in November to 51 months in prison by a federal judge in Michigan for leading a pump-and-dump stock market scheme. Ralsky and his coconspirators pleaded guilty to wire fraud charges and violating the US's CAN-SPAM Act. According to authorities, Ralsky's group created a botnet to spam misleading messages touting Chinese penny stocks, then sold their own shares when prices artificially went up.
Beginning in 2010, Australia's computer emergency response team (CERT) will be reformed to take on a two-pronged approach to cybersecurity, the result of a federal review. CERT Australia (www.cert.gov.au) plans to work with ISPs to identify botnets and infected machines in Australia's networks and advise residents when their machines are compromised. The organization will also alert security teams overseas in an effort to trace attacks from outside the country. CERT Australia's new role consolidates two branches of security that had operated separately, one for the public and private sectors and one for government.
A US government report determined in November that the country isn't fully prepared for cyberattacks. It was released on the same day that members of President Barack Obama's administration acknowledged they are still trying to figure out what changes are needed. The Government Accountability Office said in its report (www.gao.gov/highlights/d10230thigh.pdf) that it had identified security weaknesses at 23 of 24 major agencies, including lax user authentication, encryption, and monitoring. The GAO said it made hundreds of recommendations that agencies were already implementing. However, speaking in front of a congressional panel, Associate Deputy District Attorney James Baker said laws governing cybersecurity aren't adequate, and the administration is still discussing possible changes to propose.