Issue No.06 - November/December (2010 vol.8)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2010.170
IEEE Security & Privacy news briefs cover the latest in security, privacy, and policy for November/December 2010.
Google is pursuing a strategy to reduce the impact of 0day exploits by giving security experts incentives to find holes before hackers do. For example, the company is offering a bounty to researchers who report security vulnerabilities in its Chrome browser. In September, Google paid four independent researchers a total of US$8,337 for reporting various bugs. To encourage other researchers to participate, Google recently raised its maximum bounty for a critical bug to $3,133.70.
Security researchers have found a vulnerability within Microsoft's ASP.NET Web-application-development framework that could let hackers get information useful for deciphering encrypted data. By default, ASP.NET provides detailed error messages when a system doesn't properly decrypt ciphertext. Using this feedback, an attacker could learn enough to decrypt the ciphertext, which could potentially expose passwords and other sensitive information. The attack works equally well against both the Advanced Encryption Standard and the Triple Data Encryption Standard. Microsoft advised organizations to enable ASP.NET custom error codes to generate a response without detailed information for all failed decryption.
A US federal judge has sentenced Edwin Andres Pena—the mastermind behind a scheme that resold millions of minutes stolen from voice over IP (VoIP) service providers—to 10 years in a penitentiary. Collaborator Robert Moore was sentenced to two years. In 2005 and 2006, Pena's team hacked into a variety of VoIP systems and directed them to authorize more than 10 million minutes of Internet phone service. Pena resold these minutes to others by posing as a legitimate wholesale phone-service distributor. The scheme cost providers more than US$1.4 million in less than a year.
The recent WTF worm employed a cross-site request forgery technique that caused unsuspecting Twitter users to automatically send out pornographic messages and spread its malware. Victims received a message that contained the text "WTF" followed by a link. Clicking on the link took visitors to a website that generated a blank screen while secretly posting a pornographic message on Twitter from the user's account. Earlier this year, hundreds of thousands of Twitter users were affected by the onMouseOver worm, which sent users to pornographic sites. Twitter said it has eliminated the vulnerabilities that enabled both exploits.
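For the ASP.NET brief above, the mitigation amounts to making every server-side failure look the same to the client. The following is an added example, not code from the article or from Microsoft: a small audit of a `web.config` `customErrors` section, where the sample files are constructed and the rule set is an assumption modelled on that advice.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config files (not taken from any real application).
WEAK = """<configuration><system.web>
  <customErrors mode="Off" />
</system.web></configuration>"""

PER_STATUS = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/notfound.html" />
    <error statusCode="500" redirect="~/servererror.html" />
  </customErrors>
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""


def audit_custom_errors(web_config_xml):
    """Return findings for customErrors settings that let a client
    distinguish one server-side failure from another.

    Assumed rules: the element must exist, must not be mode="Off", must
    set defaultRedirect, and must not send any status code to a page
    other than the default. Namespaced files and <location> overrides
    are not handled here.
    """
    root = ET.fromstring(web_config_xml)
    node = root.find("system.web/customErrors")
    if node is None:
        return ["customErrors missing: no uniform error page configured"]
    findings = []
    if node.get("mode", "").lower() == "off":
        findings.append("mode=Off: detailed errors are returned to clients")
    default = node.get("defaultRedirect")
    if not default:
        findings.append("no defaultRedirect: failures are not mapped to one page")
    for err in node.findall("error"):
        if err.get("redirect") != default:
            findings.append("statusCode %s has its own page: responses "
                            "differ by failure type" % err.get("statusCode"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("per-status", PER_STATUS),
                      ("hardened", HARDENED)):
        print(name, audit_custom_errors(cfg) or "ok")
```
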
Police in the UK have arrested 19 people who allegedly were stealing money using the Zeus Trojan. The gang are suspected of having stolen at least US$9.4 million over a three-month period this year. The Zeus software collected online banking credentials that were used to transfer money into accounts allegedly controlled by the hackers. Police said the estimated amount stolen is likely to increase considerably as they investigate further. London Detective Chief Inspector Terry Wilson said the operation owes its success to collaboration among police, computer-security experts, and banking representatives.
Criminals set up two Facebook accounts in the name of Interpol Secretary General Ronald K. Noble. Using the bogus account, they induced several criminal investigators throughout the European Union to divulge information on various fugitives. This helped the criminals track the progress of Operation Infrared—a campaign to crack down on criminals in 29 countries—which resulted in 130 arrests. Noble described the social engineering breach at the first Interpol Information Security Conference in Hong Kong.
The European Commission plans to sue the British government for failure to police commercial tracking of website visitors. The controversy began when BT (formerly British Telecom) began using advertising software from Phorm to track online users to gather information designed to enable the company to deliver more personalized ads. European Union law says users must explicitly opt in before companies can track their activities, while UK law states that business can conduct tracking as long as users don't opt out. "These UK provisions do not comply with European Union rules defining consent as 'freely given, specific, and informed,'" the European Commission wrote in a statement.
Security vendor AVG said it's important for families to develop privacy policies for posting information about their children so that online photos of them don't inadvertently come with information—such as age, address, and personal details—that identity thieves or pedophiles could access. A new AVG electronic survey reported that an average of 81 percent of parents in 10 developed countries has posted pictures of their children online by the time the youngsters were two years old. Americans (92 percent) were the most likely to post pictures, followed by New Zealand (91 percent), Australia (84 percent), and Canada (84 percent).
Amazon and the American Civil Liberties Union have gone to court in a case that pits a state's right to charge sales tax against its citizens' privacy. State taxation authorities don't have a system for collecting sales taxes from companies with out-of-state offices. North Carolina is going after Amazon for US$50 million in taxes not paid since 2003. The state argues that it wants just enough information to bill citizens appropriately. Amazon gave state officials a list of the merchandise that individuals and companies in North Carolina purchased. The company argues that if it were to divulge the exact amount of purchases, the state could generate each customer's buying history, which it claims should remain private.
The US government is debating whether it needs new legal powers, and officials have proposed dozens of laws that would place new security requirements on critical public infrastructure, such as that operated by utility companies. So far, the government has reduced its number of Internet gateways, connected many of its computers to the security centers it operates, and crafted a national cyber-emergency response plan. However, The Washington Post writes that the US Department of Homeland Security has struggled with its antimalware program and is beset by bureaucratic challenges. There are also concerns about new security efforts threatening privacy.
A separate secure network needs to be created for critical civilian infrastructure, said US Army General Keith B. Alexander, director of the US National Security Agency, at a recent press conference. Industries including banking and aviation, as well as public utility systems, need better protection. The military could better protect these industries using its advanced security infrastructure. At the same time, Alexander stated, these efforts still need to address privacy concerns.
US Federal Bureau of Investigation (FBI) officials want a law mandating that service providers be able to give the agency encryption keys it can use to conduct communications surveillance authorized by judicial warrants. FBI general counsel Valerie Caproni told The New York Times, "We're not talking about expanding authority. We're talking about preserving our ability to execute our existing authority in order to protect the public safety and national security." Under the proposal, it would be illegal for service providers to offer encrypted communications in which only the customer holds the decryption key. In the early 1990s, the FBI proposed similar legislation, but Congress failed to approve it.
The US Cyber Command missed its early October deadline for reaching full operational status because of the delays in commissioning its new commander. The Cyber Command is a new branch of the military focused on securing approximately 15,000 military networks and launching electronic attacks when directed. The group began operating in May 2010 and has been consolidating resources from existing military groups.
US officials are evaluating Australian plans to reduce the impact of botnet attacks. The Australian program, set to launch in December, will alert botnet victims if they have been infected and lock them off the Internet if they don't eliminate the bot software. White House cybersecurity coordinator Howard Schmidt told the Associated Press his office is focusing on ways to have users voluntarily improve security. He expressed concern about the Australian plan, saying that locking infected computers off the Internet would keep them from downloading botnet-removal software, which could cause problems. In addition, if the infected computers are laptops, users could move them to other networks, further spreading the botnet.