Issue No.04 - July-Aug. (2011 vol.9)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2011.86
IEEE Security & Privacy news briefs cover the latest in security, privacy, and policy.
Hackers exploited a bug in Adobe Flash Player to launch their recent high-profile attack on security vendor RSA's network. Attackers broke into the network by sending email messages with an attached Microsoft Excel spreadsheet to two groups of RSA employees. The spreadsheet contained an embedded Flash file that exploited a vulnerability, then unknown to Adobe, that let hackers take over a victim's PC by installing a version of the Poison Ivy remote administration tool. Hackers then stole various user credentials to access other RSA network machines and looked for, copied, and transferred to themselves sensitive information. RSA hasn't said what was stolen but has acknowledged that the attackers stole information related to the company's SecurID two-factor authentication products. RSA first reported the attack three days after Adobe reported its Flash bug, which has since been patched.
The number of cyberattacks increased 93 percent from 2009 to 2010, reports security vendor Symantec. The company said 286 million new threats were reported last year, including attacks on corporate systems and those that occurred via social networks. Symantec said it has found that up to 65 percent of the malicious links in social networking newsfeeds used shortened URLs and that the number of attacks targeting Java-based vulnerabilities and the number aimed at mobile devices both rose. The company also noted it found approximately 160 vulnerabilities last year that could lead to a hacker taking partial or full control of a victim's mobile device.
Twitter has become one of the Internet's most popular services since its 2006 launch, but during this time, it's also become a popular target for hackers. The site has been the target of many types of attacks, including click-jacking, variants of cross-site scripting worms, account hijacking, exploits that launch a worm when a user mouses over a malicious tweet, and malware uploads. According to security vendor Kaspersky Lab, this has occurred because of Twitter's popularity and its security lapses. In fact, the US Federal Trade Commission brought charges against Twitter in mid 2010, forcing the company to implement several new security policies such as regular audits and default Secure Sockets Layer connectivity. Kaspersky said users should be aware of Twitter's security issues and take that into account when using the site.
More than half of Web applications have one or more serious security problems, according to a recent research report by Veracode. After analyzing 4,835 applications submitted to its cloud-based testing service during an 18-month period, the application risk management vendor determined that approximately 58 percent can't pass a security audit. In addition, the company said, 66 percent of software companies' products—including 72 percent of security products, 82 percent of commercial applications, and more than half of security software firms' products—had inadequate security, more than other types of businesses that develop applications. The company said almost 80 percent of tested Web applications didn't address the 10 most dangerous vulnerabilities as defined by the Open Web Application Security Project, including SQL injection, cross-site scripting, security misconfiguration, and insecure storage. The problem's causes include the rush to launch applications quickly, failure to thoroughly implement a secure development life cycle, and inadequate developer training,
Most cloud computing providers don't see security as one of their major responsibilities, according to a 2011 survey by a US security and privacy research organization and consultancy. In response to the Ponemon Institute's survey of 127 cloud service providers in the US and Europe, most said their customers are responsible for securing their own data. Approximately 80 percent of respondents said they allocate no more than 10 percent of their IT resources or efforts to security-related activities. Ponemon officials, who said they were surprised by the survey results, noted most respondents said their role is to provide an inexpensive IT solution, which they can't do if they also add security to their offerings. In a 2010 survey, approximately 70 percent of cloud services users said providers were responsible for security.
Microsoft has begun delivering a patch to block nine fraudulent SSL certificates that could affect handsets running Windows Phone 7. A hacker recently broke into the Comodo Group's system and used it to issue the certificates. Comodo, a certification authority, has since revoked them. Microsoft says hackers could employ the fake certificates to spoof content or perform phishing or man-in-the-middle attacks against Internet Explorer and other Web browsers. The company has already produced updates to deal with the certificates for desktop Windows versions and is now issuing a Windows Phone 7 update to address smartphones.
A multiagency US group that the US Federal Bureau of Investigation runs to respond to national cybersecurity incidents has inadequate capabilities to do the job, according to a report released recently by the Department of Justice's Office of the Inspector General (OIG). Agents interviewed by the group said they lacked the expertise or contacts to handle such cases. The report added that field officers' forensic and analytical abilities also weren't good enough. Another problem OIG investigation found is that security agencies don't share information with one another enough to maximize effectiveness. OIG's study entailed interviews and observations at FBI headquarters and 10 of its field offices, as well as with the National Cyber Investigative Joint Task Force. The NCIJTF consists of 18 intelligence and law enforcement agencies, such as the Secret Service. According to the study, only 19 percent of FBI agents took on national security intrusions.
The number of attackers setting up operations in Canada is rapidly increasing, according to security vendor Websense. The number of Canadian servers hosting phishing sites increased 319 percent over the past year, while the number in other developed Western countries has decreased. In rankings of countries with servers hosting phishing sites, Canada, although behind the US, is ahead of more populous nations such as France, Germany, and the UK. The number of botnets in Canada jumped 53 percent over last year, making it the only country with an increase in botnets during the past eight months. Websense said hackers might be avoiding the US because of a series of recent enforcement actions against cybercriminals, something Canadian officials haven't done to the same extent. According to the company, Canada was the world's sixth-biggest source of cybercrime in general, up from 13th last year.
A Facebook application bug gave visitors access to users' accounts and personal information for perhaps four years, according to security vendor Symantec. Facebook, which was notified by Symantec about the problem, said it has eliminated the vulnerability and hasn't seen anything indicating private information was accessed. Applications are third-party programs that let users undertake activities, such as playing games, on the social networking website. In some cases, applications shared access tokens—which let holders access or post information on a user account—with advertisers and analytics companies. Since Facebook introduced applications in 2007, hundreds of thousands of them may have leaked millions of access tokens, according to Symantec. Many people might not have understood they could use the tokens to access information, but the potential was there, the vendor added.
Hackers are stealing children's identities, in some cases leaving them with debt for years before they or their families realize what happened. Carnegie Mellon University's Cylab determined that out of 42,000 people in a database of people younger than 18 years old owned by AllClear ID, the social security numbers of approximately 4,300 were being used by someone else. Cylab's study showed, for example, that eight people used one 17-year-old girl's social security number to run up US$725,000 in debt, and a 14-year-old boy had a 10-year credit history, including a mortgage. In some cases, identity thieves or people in the US illegally trying to establish a credit history used children's social security numbers. In other cases, parents with bad credit ratings used the numbers to open accounts with utility companies.
An application risk management vendor says that Pandora's online music service finds, collects, and sends users' personal information to advertising agencies. According to Veracode, Pandora—a streaming service that lets users create music collections from Pandora's data-base—has an Android phone application that gathers personal data such as birthday, gender, postal code, the user's device ID, and current GPS coordinates. When combined, the data can reveal private and potentially exploitable information about the user, Veracode noted.
The European Union says its new cookie law will apply to any company doing business in the EU. However, the EU still must determine how it will enforce the rules for non-EU-based companies. The new e-Privacy Directive requires companies to get customer consent before deploying cookies that collect data not directly related to their websites' services. The new law, which amends the EU's Privacy and Electronic Communications Directive, still lets companies install cookies that collect information such as user site passwords and language preferences. Also under the new law, Internet and telephone service providers will have to notify customers and data protection agencies if they lose or disclose, even accidentally, personal data such as names, email addresses, or banking information. Each EU member nation will decide how to adopt the cookie policies into law, meaning there could be variations among countries.
Google Maps with Street View violates privacy rights, according to a court ruling in Switzerland in April. In the ruling, the country's top administrative court agreed with Switzerland's Federal Data Protection Commission, the country's privacy protection agency. The commission had argued against the Google service—which provides street-level, interactive photographic views of many locations—since it began in Switzerland in 2009. Google had argued that the Federal Data Protection Commission's demands, such as for faces to be blurred out, were financially and logistically impractical. Google said it's examining the court ruling and will determine whether it can file an appeal.
The Walt Disney Company said it will pay US$3 million based on charges that a company that is now a Disney subsidiary broke US rules against violating children's privacy. The US Federal Trade Commission says the Playdom subsidiary operated online virtual worlds for children—including Pony Stars, 2Moons, 9 Dragons, Age of Lore, and My Diva Doll—illegally gathered and disclosed personal information without parental approval. The FTC said this use of information—including names, ages, and email addresses—violates the US Children's Online Privacy Protection Act. The virtual worlds were created by Acclaim Games, which Playdom took over last year. Disney acquired Playdom later in 2010, by which time some of the games in question had been either terminated or transferred to other operators.
A US Senate committee recently said it wants to update a major national privacy law adopted 25 years ago because of subsequent technology advances that threaten personal privacy. The federal Department of Justice, on the other hand, contends 1986's Electronic Communications Privacy Act should stay as it is to provide law enforcement with effective but legal means to protect the public from criminals, spies, terrorists, hackers, identity thieves, and other threats. The Senate Judiciary Committee has already met to start considering an overhaul of the ECPA, saying the act doesn't take into account the way technology has changed since its adoption. For example, committee members have said the law doesn't clearly state how officials can obtain cell phone location information during investigations, which causes confusion and conflicting rulings from courts that consider the matter at various times.
US President Barack Obama's administration is moving forward with its plan to develop a system of Internet user identities that would be broadly implemented in the US. Administration officials contend their proposed National Strategy for Trusted Identities in Cyberspace (NSTIC) would help verify users' identities during online activities and thereby curb the effects of many of today's Internet threats. The proposal would entail multiple digital-identity providers working in the same system. For example, consumers could obtain an ID from an ISP that they could use to look at personal health information, and another ID from a different source they could use to file federal income taxes. Opponents say they fear the NSTIC could function like a national digital ID card, giving law enforcement and other government officials too much access to personal information and enabling large-scale identity theft. Government officials say the proposal is voluntary and doesn't call for a central database, and that they plan to use encryption to let participants disclose only the part of their personal information necessary for a transaction.
European Union officials say they probably won't finalize EU data protection laws for perhaps three more years because of the task's complexity. When they do, officials add, the Data Protection Directive will probably require all organizations—not just service providers, as is the case in the UK—to provide notifications of any security problems that make users' personal information accessible to hackers. The proposed law reportedly could also mandate building privacy and data protection into information and communication system design, limiting users' ability to collect others' personal data, and requiring social networking sites to let users remove data from their websites. The measure would also limit fines imposed for data breaches. The European Commission is currently reviewing the Data Protection Directive.
US President Barack Obama is asking industry to establish standards for securing the networks on which important parts of the country's infrastructure run. The White House will also offer states and operators of infrastructure facilities, such as power-generation plants, help from the Department of Homeland Security in improving security and repairing cyberattack damage. The DHS would work with companies to identify critical infrastructure operators and prioritize the possible weaknesses and threats. The operators would then develop approaches—which would be assessed by private auditors—for addressing threats. Some security experts said the White House plan was a good start, but others criticize it, saying the proposal doesn't address important security issues.
Selected CS articles and columns are also available for free at http://ComputingNow.computer.org.