Issue No.03 - May/June (2010 vol.8)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2010.102
News in security, policy, and privacy.
Software for Energizer's DUO USB battery charger contains a Trojan that permits hackers to access Windows PCs using the product, according to the Department of Homeland Security's US Computer Emergency Readiness Team. The software reports the battery's charging status. The Trojan is activated upon installation and persists even when the charger isn't connected to the computer. The product, which was first sold in 2007, has been discontinued. The company says it's working with CERT and US government officials to determine how the code was installed.
Twenty-nine websites reportedly affiliated with US espionage networks were hacked by Iran's Islamic Revolutionary Guards Corps, which admitted the activity. The group said these sites "acted against Iran's national security under the cover of human rights activities." No specific government agency was named in this report. This information became public a day after the Islamic Republic News Agency, Iran's official news agency, reported that the Iranian government had disrupted several "US-backed cyberwar networks" and arrested 30 people. The news service stated that these websites were funded by the US Central Intelligence Agency.
A newly publicized study from Microsoft Research finds that users are so bombarded with advice regarding computer security that they don't have the time to follow it to the letter. Security researcher Cormac Herley found that the benefits of activities such as admonishing users to change passwords, telling them how to recognize phishing attacks, or dealing with SSL certificates are outweighed by the time it takes an individual user to accomplish such a task. The core problem is that users continually encounter a host of new security steps or measures. Herley says that he's not asking users to ignore security policies or advice, but the advice given must radically improve to be effective. Herley presented his findings at Oxford University in late 2009, leading to ongoing discussions and debates on various technology websites. The report was widely disseminated in April.
In mid-March, Google released patches for 11 Chrome browser vulnerabilities present in the Windows version of Chrome. Most of these flaws were rated as "high," and Secunia, a vulnerability tracker, rated the update as "highly critical." The updates also included several non-security features. Google also made its first four payments to those who discovered the vulnerabilities as part of its ongoing bug-bounty initiative.
In April, Oracle released a Critical Patch Update designed to fix 27 different security holes in its Java SE and Java for Business products. Attackers could have exploited these vulnerabilities remotely without authentication. The update was made available for Windows, Solaris, and Linux. The vulnerabilities also affect Apple's Mac OS X, but Apple security patches are typically delayed.
A study by Forrester Research, commissioned by Microsoft and RSA, found that enterprises should be allocating their budgets to security solutions rather than compliance. The study found that most of a company's security programs are dictated by adhering to various regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), rather than by protecting its data. Forrester analysts stated that security investments were "overweighed toward compliance." The study also stated that intentional data theft causes 10 times more financial loss than situations such as data breaches and accidental loss of sensitive data. The analysts "concluded that most enterprises do not actually know whether their data security programs work."
Scientists at the Cooperative Cyber Defense Center of Excellence (CCDCOE) in Tallinn, Estonia, have begun pondering the legal ramifications of cyberwarfare based on various treaties and documents designed to address issues in armed conflicts. The agency, formed in May 2008, helps NATO member nations respond to cyberattacks through training and policymaking. The organization will host a conference on these issues in June 2010.
The Vietnamese government refuted Google's assertion that Vietnamese PC owners were targets of politically motivated hacking. A blog posting by Neel Mehta, a member of the company's security team, stated that opponents of a Chinese-backed bauxite mining operation were subjected to malware attacks. McAfee confirmed the events, stating that infected computers were used to create a botnet that subsequently launched distributed denial-of-service (DDoS) attacks against blogs critical of the mining operation. McAfee found that the botnet's command and control servers were accessed by Vietnam-based IP addresses. Neither company has stated that Chinese or Vietnamese governments were directly involved in these attacks.
Marc Maiffret, who pestered Microsoft as a teen hacker, recently praised Microsoft's security progress and said Apple's software is inferior in protecting users. Now chief security architect for antimalware firm FireEye, Maiffret as a young security researcher focused his energies on exploring vulnerabilities in Windows and other Microsoft products. Secure software became so important to Bill Gates and company, Maiffret says, that "today they do more to secure their software than anyone. They're the model for how to do it. They're not perfect; there's room for improvement. But they are definitely doing more than anybody else in the industry, I would say." He added that desktop and Web-based applications, such as Adobe products and Facebook, are the next threat targets.
After demonstrations that hackers could use Internet Explorer 8 to turn the browser's cross-site scripting filter against websites, Microsoft announced that it will update the browser in June to eliminate the security threat. Researchers Eduardo Vela Nava and David Lindsay showed how hackers could use IE8's cross-site scripting filter to launch attacks on sites including Google, Twitter, and Wikipedia. The release schedule is designed to allow Microsoft a sufficient testing period.
The US National Security Agency (NSA) conducted its annual Cyber Defense Exercise in April, which tests the computer security skills of students from eight North American military academies in four days of competition. Personnel from the NSA and the US Department of Defense evaluated the exercises. Teams must construct and keep their network operational while evaluators attempt to compromise it using exploits such as buffer overflows, Web crawlers, or malicious email attachments. Midshipmen from the US Naval Academy broke West Point cadets' three-year winning streak.
Spammers attempting to evade CAPTCHA security tests are paying workers to decipher the obscured text or solve simple puzzles designed to prove the user is a human rather than an automated spambot. The pay, which is US$1.20 or less per 1,000 CAPTCHAs, is sufficient to attract interested workers from India, Bangladesh, China, and other developing countries. Completed CAPTCHAs let spammers create new accounts and conduct other nefarious activities.
The New Jersey Supreme Court ruled in late March that employers can't read email messages sent via a third-party email service provider—even when the email service is accessed during work hours from a company PC. The question came up when a manager, who had communicated with her attorney using her employer's laptop via a password-protected email account, was fired and subsequently filed suit against her former employer. The company retrieved those emails from the computer and used them in its case. The court stated that the employee could "reasonably expect that emails she exchanged with her attorney on her personal, password-protected, Web-based email account, accessed on a company laptop, would remain private."
Privacy groups filed a complaint with the US Federal Trade Commission (FTC) about big Internet companies' behavioral-advertising practices, based on the real-time trading and sale of individual Internet users' profiles. The groups say these practices violate user privacy by combining information from various sources—gathered on- and offline—into a profile that's a commodity third parties trade without the user's knowledge or permission. The groups are asking the FTC to take several actions to remedy the problems, including requiring those companies that engage in selling user profiles to explicitly tell users what their practices are, and they are also asking for "fair financial compensation" on users' behalf. Advertisers say these practices have existed for years but are now more efficient.
A sophisticated, multistate identity theft ring was broken after the thieves stole more than US$4 million between 2005 and 2008. The group filed false income tax returns electronically using the names and Social Security numbers of both living and dead people, according to a 74-count federal indictment unsealed in April. Court records indicate that at least three people were involved, one of whom remains at large; another, a Utah man, became a confidential informant for the government after his arrest. Two of the three men have been served with 35 counts of wire fraud, 35 counts of identity theft, one count of unauthorized computer access, and two counts of mail fraud; a US$5.5 million judgment is being sought.
New Web firms are pushing social interaction into the "too much information" category. These include Blippy, which can be used to divulge recent shopping details via sharing credit-card bills; Foursquare, a social network enabling people to tell exactly where they are; and Skimble, an iPhone application used to share a person's physical activity. This new openness might be dangerous and lead to exploitation by marketers, even identity or real-time theft, say critics. Information posted on various sites that indicates a person isn't at home, for example, was used to create the site "Please Rob Me," which was solely designed to draw attention to the problems that online oversharing could create. At least five Blippy users' full credit-card numbers have been found via a simple Google search.
British officials, dismayed at their inability to recruit individuals with the skill sets to ensure the security of the nation's computers and networks, have announced a talent search that will use games to find the next generation of cybersecurity experts for the public and private sectors. The Cyber Security Challenge is designed to find people in eight key areas—which include analytical, forensic, and programming skills—using Web-based games and challenges. A recent survey of professionals found a glaring lack of experts equipped to combat cybercrime, which is on the rise. Contest sponsors include the Cabinet Office, the Metropolitan Police, Qinetiq, and the Institute of Information Security Professionals. Participants must be at least 16 years old. Prizes reportedly include scholarships and mentoring. The challenge officially began 27 April.
The US Federal Bureau of Investigation appointed Gordon M. Snow as assistant director of the FBI's Cyber Division after Shawn Henry vacated the post in January to head the FBI's Washington Field Office. Snow leads the agency in the detection and prevention of cyberattacks against the US. An 18-year veteran of the FBI, he has held numerous high-profile posts, including deputy assistant director of the Cyber Division. He was also an assistant special agent in Silicon Valley. The government is stepping up its efforts to protect the nation's critical information infrastructure against both terrorists and criminals.
An unclassified version of the US's cybersecurity plans was made public in March. The 12-point Comprehensive National Cybersecurity Initiative (CNCI) describes several tasks designed to improve national security, according to Howard Schmidt, the White House Cyber-Security Coordinator. Key among these are creating government agency partnerships with industry. "Transparency and partnerships are concepts that have to go hand in hand," Schmidt said in an address to RSA. "We can't ask industry to help the government, [and] the government can't offer to help industry unless we have that transparency. So, we believe this is particularly important in areas such as the CNCI, where there have been legitimate questions about sensitive topics and the role of the intelligence community in cybersecurity, and how they can help us while still preserving civil liberties."
The Obama administration is contemplating sending federal law enforcement investigators under cover on social networking sites such as Facebook, MySpace, and Twitter. According to CNET, the US Department of Justice contends that this might help agents from organizations including the US Federal Bureau of Investigation, the Drug Enforcement Agency, and the Bureau of Alcohol, Tobacco, Firearms, and Explosives "communicate with suspects," "gain access to non-public info," and "map social relationships." It's possible that an agent who lies about his or her identity to gain access to a service could violate the site's terms of service. A Facebook spokesperson states that it has specific protocols for law enforcement inquiries in place.