Issue No.01 - January/February (2011 vol.9)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2011.16
IEEE Security & Privacy news briefs cover the latest in security, privacy, and policy.
A suspected Romanian hacker called TinKode attacked the British Royal Navy's website late last year via a SQL injection attack. TinKode published details of the information he recovered, including site administrators' usernames and passwords. A British Navy spokesperson confirmed the site was hacked but said there was no malicious damage. The Navy temporarily suspended the site and is investigating the incident. TinKode apparently hacked numerous other websites last year as well.
The Koobface worm, Facebook's first big security problem, is continuing to plague the social networking site after more than two years of attacks. Information Warfare Monitor, an independent research firm, estimates the worm's operators, who apparently live in Russia, earned more than $2 million in one year by giving stolen information to unscrupulous marketers. Koobface sends victims an invitation to get information about updating their computer's Flash software. When trying to access the update, victims download the worm instead, which eventually spreads to their social network contacts. Facebook's investigators reportedly know who created Koobface and are working with law enforcement officials.
A security researcher recently released an unauthorized version of a popular smartphone game that demonstrated a security flaw in Google's Android mobile OS. According to security vendor F-Secure, the Angry Birds Bonus Levels application—not authorized by makers of the Angry Birds smartphone game—enables an attacker to let one application on a victim's phone download, grant access rights to, and launch others, even if malicious, from the Android Market of applications and games. Angry Birds Bonus Levels bypasses the Android requirement that device users give explicit permission for one application to access and install a service over the network. For this new attack to succeed, a user must first install Angry Birds Bonus Levels, and there must be malicious applications in the Android Market. Google says it has released a fix for the vulnerability the attack exploits.
Late last year, the US Secret Service arrested a Malaysian citizen for allegedly breaking into numerous high-security networks and then stealing and selling credit- and debit-card numbers and other sensitive information. The suspect, arrested shortly after arriving in the US from Europe, has pleaded not guilty and is being held without bail. He's accused of hacking into the US Federal Reserve Bank of Cleveland's site, as well as that of a major US Department of Defense contractor that provides systems management services for important military operations. He also allegedly attacked the servers of major financial institutions and other large companies.
Security vendor BitDefender recently released statistics indicating that 20 percent of Facebook users are exposed to malicious postings in the newsfeeds that show their friends' activity. When clicked on, the postings could let hackers hijack victims' accounts and place malware on their friends' walls. BitDefender derived the information from its own Safego, an application that lets Facebook users monitor their exposure to malware. Safego analyzed newsfeed items viewed by the 14,000 Facebook users who installed the application.
Late last year, Iran confirmed that the Stuxnet worm affected the centrifuges it uses to refine uranium for its nuclear facilities. The worm reportedly slowed down and then sped up the centrifuges, either breaking the devices or damaging the uranium being refined. Stuxnet is the first worm designed to attack industrial-control systems such as those used in power plants. It's unusual in that it seeks out very specific industrial systems and then tries to disrupt their operations. One Stuxnet researcher said the worm may also have targeted a turbine in an Iranian nuclear reactor.
Microsoft has announced that Internet Explorer 9 will let users determine who tracks their movements and behavior online. This is the company's response to increasing calls for protection against tracking. Dubbed Tracking Protection, the feature will debut in the IE9 release candidate scheduled to ship in the near future. Tracking Protection will run on an opt-in basis, relying on published lists that let browsers block selected websites and content. The lists reside on the user's PC and are updated weekly as the list maker modifies them. Any individual or organization can create a Tracking Protection list, to which consumers can subscribe or unsubscribe. Privacy proponents praised Microsoft's December announcement, but some said they would prefer do-not-track technology, which relies on an HTTP header to opt out of all online tracking.
A new Twitter worm exploits Google's goo.gl URL-shortening service, spreading via links such as goo.gl/R7f68 and goo.gl/od0az. Users who click on the problematic links are first redirected to a French furniture company's compromised website. The malware examines information about victims' systems to choose the attacks with the greatest chances of success. The new worm reportedly is spreading via mobile Twitter platforms. Shortened links have been used to hide attacks in the past, particularly on Twitter, whose messages must contain no more than 140 characters. Security experts warn users to be wary of unusual Twitter messages and to avoid clicking on suspicious links. Twitter says it has prepared fixes for the worm.
According to a recent survey, 71 percent of UK organizations suffered a data breach in the last year, with the average cost of a breach—excluding regulatory penalties—at £1.7 million. The annual survey—by security vendor Symantec and the Ponemon Institute, a privacy and security consulting and research organization—involved 1,000 senior IT and business managers from 15 industries in the UK, France, Germany, and Australia. The study also found that 53 percent of UK organizations had already implemented encryption technology, while 47 percent were in the process of doing so.
The US Federal Bureau of Investigation arrested a Russian man who allegedly is responsible for a botnet that distributed almost 10 billion spam emails daily. He is accused of violating the US's CAN-SPAM Act of 2003, which requires businesses to use accurate email addresses and correctly identify who is sending messages. The FBI says the man, arrested late last year, established the Mega-D botnet, which sent emails with false return addresses on behalf of scam artists selling counterfeit goods and unapproved drugs. Investigators say Mega-D controlled approximately 500,000 infected computers capable at one time of sending nearly a third of all spam over the Internet.
Although the British government has cut government spending in many areas, it will increase cybersecurity funding next year. According to a recent parliamentary report, British spy agency Government Communications Headquarters believes China and Russia have prioritized cyberwarfare and pose the greatest threat of electronic attack on Britain. Experts say the Stuxnet worm—which some sources suggest was probably built by a national intelligence agency—shows the potential of cyberwarfare capabilities.
US law enforcement officials recently met with technology-company leaders in California's Silicon Valley to discuss ways to make it easier for agencies with court orders to wiretap Internet users. Some US officials have supported expanding the Communications Assistance for Law Enforcement Act of 1994 to also include Internet companies. The law currently requires only telephone and network service providers to comply as soon as they receive a court wiretapping order. The proposed expansion would require Internet companies to design systems that would intercept and decode encrypted messages. Services in other countries would have to route communications through a US-based server, from which they could be wiretapped. The US Commerce and State Departments have questioned whether the law's expansion would inhibit innovation and encourage repressive regimes to adopt and misuse such capabilities.
A group of US lawmakers is proposing legislation that would let the government fine technology companies up to $100,000 a day if they don't comply with Department of Homeland Security (DHS) cybersafety directives. The proposed Homeland Security Cyber and Physical Infrastructure Protection Act would apply to companies that the government deems critical. DHS—consulting with, but not bound by, other federal agencies and the private sector—would produce a list of regulated critical companies by evaluating the likelihood of an incident involving the businesses, identifying existing vulnerabilities, and determining the consequences of an attack on them. Any system DHS considers a "component of the national information infrastructure" could be included. DHS could require businesses to comply with its requirements, including the need to develop and submit cybersecurity plans for approval, as well as potential audits and inspections. Opponents say the proposed law is vague and too broad, would give the government too much power in an area in which it has inadequate expertise, and adds bureaucracy to the cybersecurity process.
China recently announced plans to inspect national- and local-government computers to ensure that they're using only licensed software. China said it will finish the inspections before November 2011. The government has also proposed budget controls for the long-term procurement of software and measures to encourage businesses to use legitimate software. These initiatives follow a six-month campaign against piracy and other intellectual property problems. Technology-related piracy and counterfeiting have been rampant in China. In 2009, approximately 80 percent of software used in the country—with a value of $7.5 billion—was pirated, according to a report from the Business Software Alliance trade group and market research firm IDC.
Federal cybersecurity spending will rise 9.1 percent per year to $13.3 billion by 2015 because of increased security-related problems during the past few years, according to a recent report. The dearth of security professionals is also a key problem, noted the report by INPUT, a market research firm for companies that do business with US federal, state, and local governments.
The British government said it's considering making the security expertise of its Government Communications Headquarters intelligence agency available for sale to businesses. This could include letting GCHQ function as a technology incubator. UK officials said recently the agency's expertise could help the private sector and raise revenue for the financially troubled government. Some sources have expressed concern about national security and about a government intelligence agency gaining access to company intellectual property and other secrets. This wouldn't be the first time the British government has taken such a step. In 2001, the UK split off part of its Defence Evaluation and Research Agency to function as a commercial firm.