Issue No.05 - September/October (2011 vol.9)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2011.137
IEEE Security & Privacy news briefs cover the latest in security, privacy, and policy.
For the second time in several months, Google pulled malware-infested smartphone applications from its Android Market in June. Security experts said the new malware could enable hackers to conduct activities such as intercepting banking transactions conducted via smartphones. One security vendor estimated that between 30,000 and 120,000 users downloaded the malicious applications.
Scareware makers have continued their assault on Apple, forcing the company to again release an update to the Mac OS X's XProtect antimalware system. The scareware operators changed their fake-security-software scheme in June so that it would defeat previous XProtect updates. Scareware—also called rogueware—is fake security software that tells users their computers are infected with malware. Once installed, it launches popups and alerts to convince users to pay a fee. The Mac rogueware asks for between US$60 and $80.
Cyberattackers based in China apparently have turned the focus of their anti-US activities from government officials to private defense contractors during the past few months. The new hacking campaign uses social engineering to try to convince contractors and specialists to open email attachments that would, for example, let a hacker access victims' computers or track keystrokes. Security analysts say the recent efforts have been more sophisticated and difficult to detect. One security vendor said it has observed four to five times the average number of attacks from China since April. The Chinese government denies it's behind these incidents.
RSA Security says it will replace authentication tokens for interested customers, following hackers' recent theft of information used to create fake tokens. Typically, RSA SecurID users authenticating to a network resource must enter a PIN and the six-digit authentication code displayed at that time on their SecurID token. To enhance security, the system generates a new authentication code every 60 seconds, using a factory-encoded random key called a seed. Security experts say hackers probably stole the seeds necessary to generate fake tokens, prompting RSA to issue tokens with new seeds. RSA—a division of EMC—is also offering customers other products, such as its RSA Transaction Monitoring service, which identifies and blocks fraudulent online activity at financial institutions in real time.
The hacking group Anonymous shut down the Spanish national police's website ( www.policia.es) several times this past June. Anonymous took credit for the takedown in a blog post, just as Turkish police arrested 32 suspected group members following attacks against several government websites. The hacker group said it was protesting Turkish plans to filter certain Internet content.
Half of surveyed UK organizations have suffered IT failures caused by ineffective patch management and implementation, according to GFI Security. The company's research also showed that a majority of respondents have no IT policy about how and when to deploy software updates. The survey of 256 senior IT managers in the UK found that 45 percent of organizations don't use an automated patch management system and thus must implement updates manually. GFI said this is a major reason why 72 percent of respondents don't deploy patches within 24 hours of their release.
Canadian privacy commissioner Jennifer Stoddart has recommended that Google submit to an independent audit of its privacy policies within a year and share the results with her office. Stoddart determined that Google offers inadequate personal privacy protection and also improperly collected confidential information about many Canadians. She said these problems occurred as part of the company gathering data via Wi-Fi for its Google Maps and Google Places applications. Google says it inadvertently collected the data, which is secured and not publicly accessible, and has started deleting it. Numerous other countries have expressed concern about Google's privacy policies.
A survey of European Internet users says they're concerned about what will amount to the near-total loss of online privacy by 2020. Approximately 10,000 people in 12 European countries participated in an MSN online poll about the Internet's future. Approximately 45 percent of respondents said they were worried about a lack of online privacy, 60 percent said they were concerned about businesses tracking everything they do on the Internet, 52 percent predicted cybercrime will continue to increase, and 46 percent said the world will become so Internet-centric that many users will rarely feel comfortable disconnecting. Moreover, 33 percent said they are worried that over the next nine years, books, newspapers, and magazines will largely disappear because of material that can be read on websites and e-readers.
A high-profile hacker group has taken credit for taking down the UK's Serious Organised Crime Agency (SOCA) website. This followed an announcement that LulzSec was launching a new campaign against various governments and institutions. LulzSec—which some experts think is an offshoot of the well-known Anonymous hacking group—announced in June that it brought down SOCA. In the past, the group has claimed responsibility for numerous database intrusions and distributed denial-of-service attacks against targets such as Sony, the US Senate, and the CIA.
Google says a recent study it conducted found that surveys about privacy frequently raise fears about a loss of privacy. The study said the surveys themselves and their wording often prompt negative responses. The company, which has been the target of privacy-related criticisms in the past, has proposed ways to conduct privacy surveys indirectly to avoid causing such responses. Google says its past privacy issues have been due to mistakes rather than a disregard of user concerns. The company appointed a new privacy director last year and recently introduced a tool to help users monitor what others say about them on the Internet.
Hackers are taking new approaches to using Google's cloud computing systems to conduct cyber-attacks. One example is phishers using the popular Google Docs application to convince users to give up private information. Many universities and other institutions can't avoid the attacks by blocking Google Docs forms because they use the application for their daily operations. Other cybercriminals are basing attacks on the new Google+ social networking service, which was initially available only by invitation. Their realistic-looking Google+ invites took users who clicked on a link to a malicious website.
A group of citizen, public advocacy, and industry organizations say three controversial proposed Canadian cybersecurity laws would hurt privacy and lead to higher Internet service prices. The bills would also increase the access that law enforcement agencies have to personal information, accounts, and other Internet-related data. If passed, Canadian bills C-50, C-51, and C-52 would force service providers to give agencies information without a warrant or judicial oversight in some cases. In a letter to Canadian Deputy Minister for Public Safety William V. Baker, national privacy commissioner Jennifer Stoddart stated that granting the new powers is unjustified because less intrusive alternatives are available. Advocacy group OpenMedia.ca said that the laws would force ISPs to buy equipment and upgrade their networking infrastructure and that they would pass on the cost to consumers. The Canadian House of Commons, which will considered the measures, is adjourned until 19 September 2011.
Hackers have used Amazon's cloud services at least once to spread malware, based on reports from security vendor Kaspersky Lab. This and several other incidents confirm security researchers' longtime fears that sophisticated hackers could use cloud systems to launch large-scale cyberattacks. According to Kaspersky, links in an Amazon Web Services cloud instance pointed to sophisticated malware that could steal banks' financial data and block several security applications. The compromised cloud instance hosted several types of malicious code, including some that acted as a rootkit. The attackers—who Kaspersky said are based in Brazil—protected the malware from reverse-engineering with The Enigma Protector, which is commercial antipiracy software.
European Union member nations agreed in June to recommend tougher punishment for cyberattacks. The recommendations, which the European Parliament still must vote on, are that hackers face at least five years in prison if found guilty of seriously damaging IT systems. EU countries also favored implementing tougher penalties for botnet-based attacks and identity theft and supported making illegal data interception a criminal offense. In addition, they decided to create an EU-wide cybercrime unit that would work with Europol, the European police agency.
European justice ministers have supported making the creation of hacking tools a crime. The European Parliament will now consider whether to make the recommendation a law. Proponents say the availability of hacking tools makes it easy for even inexperienced hackers to launch cyberattacks. However, opponents say the justice ministers' plan simply isn't feasible because the proposed ban is vague as to what constitutes hacking tools and is impractical because attackers could use legal software—such as a password recovery tool—for criminal purposes. They also contend the ban could prevent security researchers from creating hacking tools for testing purposes. Germany and the UK already have controversial laws making the creation of hacking tools a crime. If the EU decides to do the same, all 27 member states would be mandated to adopt similar laws.
A US bank regulation agency released new online security rules for financial institutions this past June. These rules by the Federal Financial Institutions Examination Council (FFIEC) focus on protecting large transactions passing through the US's Automated Clearing House, an electronic network that handles much of the nation's banking activity. Sophisticated hackers have been targeting ACH transactions recently. To fight such problems, the FFIEC said institutions should offer multifactor authentication to customers and also provide layered security and fraud monitoring. Issuance of the new measures marked the first time the FFIEC updated its rules since 2005.
Russia and the US will share cybersecurity information on an ongoing basis as part of a pact the two countries agreed on recently. The agreement took place at a recent meeting between officials of the two countries. The pact was designed to combat growing security threats and reduce the possibility that a misunderstood cyber-incident could hurt the nations' relationship. As part of the agreement, Russia and the US will establish protocols for security communications based on existing crisis-prevention mechanisms. The countries—which have disagreed on cybersecurity policies in the past—say they plan to implement the new measures by the end of this year.
Selected CS articles and columns are also available for free at http://ComputingNow.computer.org.