Issue No. 2, March/April 2010 (vol. 8)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2010.78
News in security, policy, and privacy.
In January, Google threatened to cease its operations in China after it discovered attempts to hack into Gmail accounts belonging to human rights activists in December, part of a sophisticated attack that affected more than 30 major companies. The attack, called Operation Aurora, was traced in February to two Chinese universities, but both schools denied involvement, and researchers acknowledged that the hackers could have simply been using the schools' IP addresses. Google, which said that it would attempt to provide an uncensored site in the country, is reportedly in negotiations with the Chinese government, which has denied that it was behind the attacks.
Microsoft issued an emergency patch in January to fix a critical vulnerability in supported versions of IE after attackers exploited the hole in December's major attack against Google. Microsoft admitted that it knew about the vulnerability—which can be exploited when an attacker lures a user to an infected site—for roughly four months. The attack appeared to victimize only IE6 users, but after it became public knowledge, security companies reported seeing new malware that exploited the vulnerability.
Security researcher Karsten Nohl revealed in December that the GSM algorithm used to encrypt roughly 80 percent of the world's mobile phones can be cracked. Nohl and a team of volunteers produced a code book to reveal the 64-bit encryption keys in calls, which Nohl said was adequate when the GSM standard was introduced in 1988 but is too short for current computing power. The GSM Association, which develops and maintains the standard, downplayed the risk and said eavesdropping on mobile calls is unlikely to occur.
In December, an Israeli researcher reportedly discovered a cross-site scripting vulnerability in Google Calendar and Twitter that could be used to steal cookies and session IDs. Both sites fixed the issue when informed about it, and Google said chances were low that anyone would have tried to exploit it. Nir Goldshlager of Avnett Information Security Consulting, who found the vulnerabilities, said attackers could have used them to redirect users to the attackers' site or take full control of accounts.
Two January surveys showed that malicious attacks are on the rise as the most common form of data breach, replacing human error, such as lost laptops, at the top of the list. The Identity Theft Resource Center, which has conducted annual surveys since 2007, found that the total number of breaches decreased slightly, but hacking and insider theft accounted for 36.4 percent of breaches. A Ponemon Institute survey showed that malicious attacks against US companies doubled from 2008 to 2009.
In January, Kingston Technology announced that three of its USB flash drive models are vulnerable to attacks and offered replacements to customers. The company didn't disclose the vulnerability, saying only that it was notified by a third-party security consultant that hackers with physical access to the drives could get past their encryption. The affected drives are DataTraveler BlackBox, DataTraveler Secure Privacy Edition, and DataTraveler Elite Privacy Edition. Information about replacements is available at www.kingston.com/driverupdate.
A French judge issued an arrest warrant for US cyclist Floyd Landis in January to answer hacking charges related to Landis's effort to clear himself in a doping scandal. The French Anti-Doping Agency (AFLD) claimed in 2006 that confidential documents had been stolen from its lab and that Landis was using some of the information for his defense. French investigators later traced the breach to a hacker, Alain Quiros, who confessed that a consulting firm paid him to steal the information with a targeted Trojan program. Investigators were unable to connect Quiros to Landis, although a history search on a copy of the stolen documents showed a link to Landis's coach, Arnie Baker. Landis, who was ultimately stripped of his 2006 Tour de France title, said in media reports that he never received any summons to appear in court and denied any involvement with hacking.
A Trojan-building toolkit that emerged in January, SpyEye, includes an option to disable Zeus, a competing Trojan that became widespread in 2009. According to security researchers, SpyEye includes a feature called "Kill Zeus" that lets it hijack data Zeus has obtained on compromised machines or remove Zeus entirely. SpyEye was first seen in cybercrime forums originating in Russia.
In January, attackers used a phishing scheme to steal thousands of European carbon credits, the emission certificates that companies can buy if they exceed greenhouse gas limits. According to reports, the attackers sent emails that appeared to come from the German Emissions Trading Authority telling users they needed to reregister their accounts, then stole the credits and resold them. One company reportedly lost credits worth 1.5 million euros (US$2.1 million).
Researcher Christopher Tarnovsky revealed in February that he had cracked an Infineon SLE-66 CL PE chip, which uses the Trusted Platform Module (TPM) standard in most PCs and was previously considered unhackable. Tarnovsky's hack was complicated, involving physically manipulating the chip with electron microscopy to get past its defenses, which disable it if tampering is detected. Tarnovsky said attackers could use his method to create counterfeit chips to gain entry to secure systems.
The US Federal Trade Commission sent roughly 100 letters to various companies and organizations in February warning them that sensitive information had been made available through peer-to-peer file-sharing networks. The agency also sent education material warning about security risks but didn't take action on sensitive information leaks, which could violate federal law. The letters went to both private and public entities with as few as eight employees as well as corporations employing tens of thousands.
In a January appearance at the Crunchies Awards, Facebook founder Mark Zuckerberg suggested that privacy has become less of a concern as the Internet has developed. "People have really gotten comfortable not only sharing more information and different kinds, but more openly with more people," Zuckerberg said, contrasting today's online world to his college years, when people had less reason to share information on the Web. "That social norm is just something that's evolved over time." Facebook changed its privacy settings to a three-tiered model in December but drew criticism for making default settings more open.
Google admitted a misstep in February with the launch of Buzz, a social networking feature for Gmail that created a firestorm of privacy complaints. Buzz automatically generated a "follow" list based on email and chat frequency that was publicly viewable, unless users changed the default settings. After it was bombarded with negative feedback, Google implemented changes within the next week, such as scaling back auto-follow into auto-suggest and providing an option to completely hide Buzz in its Gmail interface. The company also admitted that it had bypassed its usual public testing for Buzz, relying only on internal experience.
A Philadelphia couple filed a class-action lawsuit in February against the Lower Merion School District, alleging the district was using webcams on school-issued laptops to conduct remote spying, even when students were at home. The couple said they became aware of the spying when their son was called in for discipline at Harriton High School and shown a photo taken from his laptop. District officials said the laptops were equipped with antitheft software that had been turned on 42 times within 14 months but denied that school officials had any access to the images, which were taken with a monitoring program called LANRev. Following the lawsuit, the FBI launched an investigation, and a federal grand jury subpoenaed the school's records.
The second annual Data Privacy Day was observed on 28 January in North America and Europe with videos from Google, Facebook, and Mozilla as well as other privacy awareness campaigns to mark the occasion. The US Federal Trade Commission held the second in a round-table series on privacy at the University of California, Berkeley, which reportedly included discussion about the role of third-party applications and the extent of regulation. The next round-table discussion is set for 17 March (see the Privacy Interests column on p. 59 for more on these discussions).
Following Google's announcement that it and 30 other companies were the target of attacks appearing to originate from China, US Secretary of State Hillary Clinton sent a verbal complaint to Chinese officials in January and asked them to fully investigate the matter. A report also surfaced that the British intelligence agency, MI5, warned business executives that China was actively trying to hack into companies by distributing free USB flash drives infected with Trojans. India's government said that it had also been attacked by China around the same time as the Google attacks because of its increasingly friendly relationship with the US. China has vehemently denied that it had any role in the attacks.
In December, US President Barack Obama appointed Howard Schmidt as his cybersecurity coordinator, a position previously held by Melissa Hathaway. Schmidt, who served on the Critical Infrastructure Protection Board under President George W. Bush, said in a video posted to the White House Web site that his focus will be on "developing a new comprehensive strategy to secure American networks; ensuring an organized, unified response to future cyberincidents; strengthening public-private partnerships here at home and international partnerships with allies and partners; promoting research and development of the next generation of technologies; and leading a national campaign to promote cybersecurity awareness and education."
DARPA has launched a Cyber Genome program to develop tracking methods for digital data. According to DARPA, the program "will develop the cyber equivalent of fingerprints or DNA to facilitate developing the digital equivalent of genotype, as well as observed and inferred phenotype in order to determine the identity, lineage, and provenance of digital artifacts and users." The agency called for US participants in January.
In a televised event in February, the Bipartisan Policy Center organized a simulated cyberattack in Washington, DC, that showed the US is ill-prepared for a large-scale attack. Cyber ShockWave included former top-level officials playing roles as presidential advisers while a simulated attack unfolded in real time. The attack began with a March Madness malware application that spread through mobile phones and eventually caused the Internet and the East Coast power grid to shut down. Participants found they were stymied by legal restrictions while trying to stop the malware from spreading.
Child advocacy organizations throughout Europe marked Safer Internet Day on 9 February 2010 with new campaigns to keep children safe from online predators. The UK Council for Child Internet Safety (UKCCIS) launched a campaign called "Click Clever, Click Safe," urging parents to follow a digital behavior code—"zip it, block it, flag it." Parents were advised to instruct their children to keep passwords private, show them how to block unwanted communication, and ask them to report anything they see online that's upsetting. The Child Exploitation and Online Protection Centre (CEOP) produced a cartoon, "Lee and Kim's Adventures," to relay the importance of Internet safety to 5- to 7-year-olds. CEOP also partnered with Microsoft to develop a "ClickCEOP" button for use with IE8 that provides a direct link to volunteer guidance. Safer Internet Day (www.saferinternet.org) is organized by Insafe, a European network of online awareness centers.