Issue No.03 - May/June (2011 vol.9)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2011.60
IEEE Security & Privacy news briefs cover the latest in security, privacy, and policy.
Hackers recently created a potential security problem by stealing digital certificates for several major websites, including Skype, Google's Gmail, Microsoft's Hotmail, and Yahoo Mail. The attackers obtained nine SSL certificates generated by security vendor Comodo. On 15 March, Comodo reportedly realized the theft had taken place, revoked the certificates, and contacted browser makers Google, Microsoft, and Mozilla. Google patched its Chrome browser on 17 March; Mozilla and Microsoft updated Firefox and Internet Explorer on 22 and 23 March, respectively. Comodo said evidence indicates Iran's government launched the attack, perhaps to set up fake websites from which authorities could identify and monitor antigovernment activists.
Microsoft recently patched a bug in its Malware Protection Engine. The bug was an elevation-of-privilege vulnerability, which lets an attacker with access to a Windows machine gain complete administrative control of the computer. Microsoft says no one has exploited the flaw yet, but a hacker could use it to change a Windows registry key to a special value, which the malware engine would subsequently process. The attacker could then execute arbitrary code; install programs; view, change, or delete data; or create new accounts with full user rights. Microsoft also reported bugs in the Malware Protection Engine in 2007 and 2008.
Researchers at security vendor Sophos recently reported a new Trojan horse program written for the Mac platform. Sophos said the BlackHole RAT (remote access Trojan)—a variant of a Windows Trojan called darkComet—is easy to find online in hacking forums and is even the subject of a YouTube instructional video. The company hasn't seen the Trojan used in any online attacks so far, stating that it appears to be a basic, proof-of-concept beta program right now.
Once the world's largest source of spam, China has greatly reduced the amount of unsolicited email coming from within its borders. Cisco Systems' IronPort security group currently ranks the country 18th among spam-producing nations. Cisco says the problem has diminished as ISPs have become better at working with customers to cut down on spam. Also, China has made it tougher to register new Internet domains and has applied stricter controls over who can send email. The Spamhaus Project, an antispam organization, said many criminal spammers have moved their operations from China to Russia.
The Internet Systems Consortium (ISC) has warned that versions 9.7.1 through 9.7.2-P3—but not 9.7.3, the latest version—of its popular BIND Domain Name System server application are susceptible to denial-of-service attacks. Hackers could remotely exploit the way BIND handles incremental zone transfers (IXFRs), a technique for transferring data via TCP. When an authoritative name server processes successful IXFRs or dynamic updates, particularly at a high rate, a deadlock could occur, according to the ISC. The organization said it has seen no related attacks in the wild. Security experts urge organizations running vulnerable BIND versions to upgrade immediately.
Distributed denial-of-service attacks recently struck 29 leading South Korean websites, including those run by government ministries, the National Assembly, the armed forces, major banks, and US military operations in the country. South Korean security experts estimate that up to 11,000 PCs were infected by malware—which hackers injected into two file-sharing websites—and then used in the attacks. South Korean cyberinvestigators are looking into the incident, which is similar to a series of attacks that targeted some of the country's websites in July 2009.
Hackers using Chinese Internet addresses launched what French officials recently called a "spectacular" attack on the country's Finance Ministry. As a result of the incident, the ministry has temporarily shut down 10,000 of its 170,000 computers. Officials investigating the incident said the attackers were apparently looking for documents relating to international matters regarding the Group of 20 (G20) leading economies, which France heads this year. The agency says it has since strengthened its security systems.
Identity theft was the leading complaint filed with the US Federal Trade Commission in 2010 for the 11th consecutive year. The FTC received 1.34 million consumer complaints last year, 19 percent of which involved identity theft. Debt-collection complaints ranked second, at 11 percent. Reports about Internet services, Internet auctions, and telephone and mobile services also finished in the top 10. The FTC said it wasn't clear how many identity theft reports involved Internet activity. Identity theft comprised 20 percent of FTC complaints in 2009 and 25 percent in 2008.
Cybercriminals took advantage of Japan's recent massive earthquake and tsunami to attract people looking for news to sites containing links that redirect them to other sites that include malicious code. Within hours of the earthquake and tsunami, hackers used search engine optimization poisoning techniques, which in this case boosted sites with malicious links to the top of results for searches for news about the events, noted security vendor Trend Micro.
EMC Corp.'s RSA security division—which provides computer access keys used by many businesses worldwide—said it recently experienced "an extremely sophisticated cyberattack" on its systems, resulting in the theft of information related to its SecurID authentication products. The products include tokens—which generate new six-digit numbers synchronized with central security servers—used to access corporate networks. RSA says more than 25,000 corporations and more than 40 million people worldwide use the SecurID system. RSA reportedly hasn't specified what information the hackers stole, but did state that the stolen information "does not enable a successful direct attack" on SecurID users, although the information "could potentially be used to reduce the effectiveness" of the security scheme.
Apple recently patched 56 Mac OS X vulnerabilities, most of which were critical flaws that hackers could use to hijack machines. Of the bugs, Apple identified 45 as enabling hackers to arbitrarily execute code. According to the company, many of the vulnerabilities could enable drive-by attacks that occur as soon as a victim running an unpatched Mac OS X version browses a malicious website. Several of these bugs were in the OS's Apple Type Services font renderer. Hackers could exploit them by embedding malicious font files into documents.
The European Commission disabled all remote access to its email and sensitive intranet pages following a recent, large, malware-driven attack on the EC and European External Action Service, which acts as the organization's foreign ministry. The EC discovered the attacks just days before the beginning of the 24 March meeting on the Libyan crisis, European debt, and nuclear power. The EC's Security Directorate is investigating the breach.
Adobe Systems recently issued warnings and fixes for critical vulnerabilities in some of its applications that could compromise user systems. When exploited, the vulnerabilities could crash a system or let hackers take control of it, Adobe said. The company has produced fixes for vulnerabilities in its Flash Player, Acrobat, and Reader X applications. Exploits for the Flash problem already exist in the wild. Attackers have used a malicious Flash file embedded in a Microsoft Excel file attached to an email message. Adobe said that it hasn't seen exploits for Acrobat or Reader but that Adobe Reader X's Protected Mode would prevent the malicious exploit from executing via that application.
Security experts recently found a new set of malware targeting Android smartphones. Security firm NetQin Mobile reported that it discovered two spyware programs available in third-party marketplaces. SW.SecurePhone runs in the background, collects messages, call logs, and other phone activity data, and uploads the data to a remote server. SW.Qieting also runs in the background and automatically forwards messages that the compromised phone receives. Once installed, the malware can receive remote commands that let a hacker control the phone. Experts also found Hong Tou Tou software—which automates fake clicks on online advertising to increase revenue for ad publishers—in applications in third-party online Android marketplaces.
Yahoo started a new system in March letting UK Web users choose whether to let websites collect information about their Internet habits via cookies. This is an attempt to comply with a European Union law mandating consent before collecting data about user identities and online activities. Yahoo now places "AdChoices" icons in the corner of advertisements. Users can click the icon and decide whether to let Yahoo or other sites install cookies on their computers. A spokesperson for an EU commissioner said the agency will examine Yahoo's proposal to determine whether it satisfies the EU law.
The French government recently penalized Google for improperly collecting and storing personal information that its Street View cars and bicycles collected. The French privacy agency levied a 100,000-euro fine—about US$143,000 at press time—against the company for acquiring personal data from unsecured Wi-Fi networks between 2007 and 2010. The firm has two months to appeal. Google's Street View vehicles gathered information including passwords, personal emails, online banking data, and Web browsing histories. So far, France is the only country to have penalized Google for its information-collection activities, but at least two other European countries might also issue fines, according to sources. Google has apologized for the practice, saying that it occurred inadvertently and has since stopped.
A California court has given Sony permission to obtain records from Twitter, Google, and other sources related to the hacking of the company's PlayStation 3 gaming system. The court approved Sony's subpoena request for information regarding a person who reportedly used these platforms to spread word of his alleged PS3 security-circumvention tool, including via a YouTube video. Sony said the hacker also tweeted about his PS3 hack and posted information in his blog, which appears on the Google-owned Blogspot. In January, the company won a temporary restraining order against him. The court also required him to turn over relevant computers, hard drives, CDs, DVDs, USB drives, and other storage devices.
In March, the UK government wiped and shredded approximately 500 hard drives and 100 backup tapes with personal details and fingerprints for approximately 15,000 people. The program was designed to hold the details of people who applied for National Identity Cards. The government said destroying the drives and tapes demonstrated its commitment to reducing its intrusion into personal privacy. Opponents of the Identity Cards Act of 2006 said it was intrusive, expensive, and easy to abuse; supporters said it was necessary for national security.
TripAdvisor, a well-known travel website, found that hackers had exploited a vulnerability to steal part of its email list of 20 million subscribers. TripAdvisor says it has fixed the vulnerability and is implementing new security precautions, working with law enforcement agencies, and running its own investigation. The company says that it doesn't collect members' credit-card numbers or other financial data but that affected members might receive spam. Mykonos Software, a vendor of Web application security products, said the attackers probably exploited the bug via a SQL injection attack, in which they entered SQL statements into input fields on TripAdvisor's website. The page was submitted to the database, which didn't realize the request was improper and thus ran the command and returned subscriber data.
Most users don't realize that Facebook posts can be malicious, and most who do usually don't warn friends of suspicious links, according to a recent survey by security vendor BitDefender. The survey found that only 43 percent of respondents warned friends if they noticed suspicious activity on their news feeds. BitDefender also analyzed Facebook scams and found that the most popular ones purported to enable activities such as letting users see who viewed their profile or other features that Facebook doesn't offer. Fake links to games or to fake news articles or videos offering shocking images were also popular. Some of the scams entail malware that can spam news feeds; others let hackers access users' personal information, which they can either sell or use in subsequent attacks.
The US government should use incentives, rather than regulations, to encourage businesses to adopt better cybersecurity practices, according to a recent paper by the Business Software Alliance, the Center for Democracy & Technology, Internet Security Alliance, TechAmerica, and the US Chamber of Commerce. Incentives could include security research tax credits, grants, lawsuit liability protection, and eased regulatory obligations. Groups such as the Center for Strategic and International Studies have called for the government to take a bigger role in cybersecurity, saying private approaches don't yield the necessary security measures. US President Barack Obama's 2009 Cyberspace Policy Review recommends that private industry drive cybersecurity standards and that companies and the government work together.
The US Federal Trade Commission has finished legal action against Twitter based on two 2009 attacks that enabled hackers to gain control of high-profile accounts, including that of US President Barack Obama. According to the FTC, Twitter misled consumers by saying its site was secure but then not providing adequate security. The commission said this let hackers break into administrative consoles by figuring out Twitter staffers' passwords. The FTC said the hackers then read private messages and sent fake tweets using well-known users' accounts. Twitter and the FTC recently reached a settlement in the case. As a result, the company could be fined if it doesn't provide adequate privacy protection in the future. Twitter must also establish a comprehensive security program that an independent auditor will evaluate regularly.
A proposed US law would enlarge the Department of Homeland Security's authority over private networks it judges to be part of the nation's critical infrastructure. If approved, the Executive Cyberspace Coordination Act would give the DHS the power to establish security practices and standards for critical-infrastructure elements. In addition, the bill would establish a National Office for Cyberspace in the White House to evaluate and enforce cybersecurity requirements for federal agencies, including employee training and technology acquisition. Federal agencies and contractors would also have to regularly monitor their information systems for compliance with security requirements.
North Atlantic Treaty Organization defense ministers recently agreed on a policy to upgrade NATO's cybersecurity and are expected to adopt it in the near future. In addition to discussing policy, they emphasized the need to work with other international organizations, such as the European Union and the United Nations. NATO notes that its Computer Incident Response Center will be operational by next year, requiring the creation of cybersecurity teams and equipment acquisition. Before 2007, NATO focused primarily on protecting its own cybersystems, but it expanded its efforts to encompass individual countries after the 2007 cyberattacks against Estonia.