Issue No.06 - November/December (2011 vol.9)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2011.169
Our news briefs cover the latest in security, privacy, and policy.
Facebook has decided to pay hackers to find security problems with its website if they tell the company about the bugs first. Facebook offers a basic rate of US$500 for a bug but says it will pay more—without specifying how much—for information about significant problems. The company has launched a new portal (www.facebook.com/whitehat/report) where interested parties can report flaws.
The AntiSec hacker group says it has made public a large amount of data stolen from the websites of US law enforcement departments—including training files, data from informants, passwords, credit card data, and Social Security numbers—as revenge for the arrest of one of its members and several other hackers. AntiSec said it posted the more than 10 Gbytes of data—which it called the "Shooting Sheriffs Saturday Release"—to humiliate and discredit law enforcement personnel. The group launched its initial attack on Brooks-Jeffrey Marketing, which hosts websites for several county sheriff's departments. An AntiSec Twitter profile said the group also attacked the website of Italy's largest police association. The group has broken into numerous websites in recent months.
Microsoft has announced a contest to encourage security technology development. The company's Blue Hat Prize contest (www.microsoft.com/security/bluehatprize) rewards the development of what it calls "defensive approaches to support computer security." The entry that contest judges consider the most innovative will receive US$200,000. Second prize will be worth US$50,000. The third-prize winner gets a Universal subscription to the Microsoft Developer Network platform, which the company values at US$10,000. Entrants must submit their proposals via email (email@example.com) by midnight (Pacific Standard Time) on 1 April 2012. They will retain the intellectual property to their technologies, which Microsoft will have the right to license.
Amazon is upgrading its cloud-based security offerings, joining the battle with Google and Microsoft to provide cloud services for US government agencies. The company recently unveiled its Amazon Web Services (AWS) GovCloud, a service that complies with regulations about how agencies manage and store sensitive data. Amazon's other cloud services already meet requirements specified in regulations such as the Federal Information Security Management Act and the Federal Information Processing Standard.
A newly discovered Windows worm is attacking corporate networks by taking advantage of weak passwords. The Morto worm spreads via Microsoft's Remote Desktop Protocol (RDP), which lets one computer connect to and control another machine. All Windows versions beginning with XP include Remote Desktop Connection (RDC) software, which uses RDP to let clients access other computers. Infected Windows PCs scan their local networks for machines that have RDC activated. They then use a list of common passwords to try to log in to a Remote Desktop server. If successful, the worm downloads additional malware to the server and attacks the machine's security software. Morto can also be instructed to launch denial-of-service attacks against targets its operators designate.
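As an added illustration of the scan-and-guess pattern just described (not code from the original column), the following Python script reads constructed Windows Security log lines and flags any source that makes repeated failed RDP logons against several hosts, the footprint a defender would look for in a Morto-style outbreak. Event IDs 4625/4624 and logon type 10 are standard Windows values; the one-line log format, host names and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of simplified Windows Security events (not a real capture).
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
SAMPLE_LOG = """\
2011-08-28T10:15:02 EventID=4625 LogonType=10 Source=10.0.0.7 Target=FS01 User=administrator
2011-08-28T10:15:04 EventID=4625 LogonType=10 Source=10.0.0.7 Target=FS01 User=admin
2011-08-28T10:15:09 EventID=4625 LogonType=10 Source=10.0.0.7 Target=HR02 User=administrator
2011-08-28T10:15:11 EventID=4625 LogonType=10 Source=10.0.0.7 Target=HR02 User=admin
2011-08-28T10:15:14 EventID=4625 LogonType=10 Source=10.0.0.7 Target=DEV03 User=administrator
2011-08-28T10:15:20 EventID=4624 LogonType=10 Source=10.0.0.7 Target=DEV03 User=administrator
2011-08-28T10:16:00 EventID=4625 LogonType=10 Source=10.0.0.42 Target=FS01 User=jsmith
2011-08-28T10:17:00 EventID=4625 LogonType=2 Source=10.0.0.9 Target=FS01 User=bob
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"Source=(?P<src>\S+) Target=(?P<dst>\S+) User=(?P<user>\S+)$")

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_rdp_spray(log_text, min_failures=5, min_targets=2):
    """Flag sources whose failed RDP logons span several hosts; returns {source: summary}."""
    failures = defaultdict(list)   # source -> [(target, user), ...]
    successes = defaultdict(set)   # source -> targets it logged into
    for ev in parse(log_text):
        if ev["lt"] != "10":       # ignore console, network and other logon types
            continue
        if ev["eid"] == "4625":
            failures[ev["src"]].append((ev["dst"], ev["user"]))
        elif ev["eid"] == "4624":
            successes[ev["src"]].add(ev["dst"])
    alerts = {}
    for src, attempts in failures.items():
        targets = {t for t, _ in attempts}
        # one user mistyping a password hits one host; a scanner hits many
        if len(attempts) >= min_failures and len(targets) >= min_targets:
            alerts[src] = {
                "failed_attempts": len(attempts),
                "targets_probed": sorted(targets),
                "users_tried": sorted({u for _, u in attempts}),
                # a later success on a probed host means a guess worked
                "success_after_spray": sorted(successes[src] & targets),
            }
    return alerts
```

On the sample, only 10.0.0.7 is flagged (five failures across three hosts, then a success on DEV03); the single failure from 10.0.0.42 and the console logon from 10.0.0.9 are not.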
Security vendor Symantec says that approximately 15 percent of all videos that it examined on Facebook are part of likejacking attacks, which trick users into "liking" a Facebook site without their knowledge. Attackers generally accomplish this via a fake video player window with a hidden iframe that submits a "like" if clicked anywhere. This subsequently promotes the scam to the victim's Facebook contacts and can spread very rapidly. Hackers could also use the approach to infect PCs with malware or steal account information. Symantec, which sells software that detects likejacking, examined 3.5 million Facebook video posts as part of its study.
After high-profile intrusions into several of its networks, Sony has hired a former US Department of Homeland Security cybersecurity official as the company's chief information security officer. Philip Reitinger was a DHS deputy undersecretary overseeing cybersecurity and computer crimes and was prominent in efforts to strengthen US cyberdefenses. The company said Reitinger—an attorney with a BS in engineering and computer science who previously worked for Microsoft—will review Sony's many networks and oversee corporate privacy and Internet security operations. Breaches earlier this year jeopardized data, including credit card numbers, for approximately 100 million accounts on the company's various networks.
A team of Belgian academics and Microsoft researchers has broken the popular Advanced Encryption Standard (AES), the approach often used to secure Internet and wireless communications. Microsoft worked with researchers from the Catholic University Leuven on an attack that recovers an AES encryption key several times faster than previously thought possible. The team said the attack took a long time to develop, is very complicated, and thus is difficult to implement. The work could be the first sign of weakness in AES, widely considered to be almost unbreakable by today's technologies.
Businesses and government agencies need better cyberintelligence to fight the many online threats they face, according to a recent study by the Intelligence and National Security Alliance's Cyber Council. The council said the current approach of developing patches whenever a vulnerability is found is insufficient to reliably ensure online security. The nonprofit council, which consists of academics and past and present business and government executives with security experience, reviews national cybersafety. The group said the US Department of Homeland Security has the authority but lacks the experience and capabilities to effectively run cyberintelligence campaigns. It thus recommended a partnership among companies and public agencies in areas such as research, information gathering, and evaluation. The council said meaningful improvements will also require cyberintelligence operatives who have the proper training, education, and skills.
A Russia-based hacker has stolen approximately $3.2 million from major US businesses, the military, and the federal government. Security vendor Trend Micro discovered the activity and found that the intruder attacked not only US targets but also approximately 25,000 systems in approximately 90 countries, including Brazil, Canada, India, Turkey, and the UK. The victims include banks, media and technology companies, schools, and manufacturers. The hacker, called Soldier, used the Zeus and SpyEye attack toolkits to commit online banking fraud and steal account credentials from Amazon, eBay, Facebook, Google, Skype, Twitter, Yahoo, and other websites. Zeus, used to create botnets, is one of the most established crimeware toolkits. The SpyEye Trojan toolkit, whose code was recently released publicly, also creates botnets and typically targets account credentials and other sensitive data.
Hackers recently placed scareware into the download software used on the controversial BitTorrent file-sharing site. Once on a computer, the Security Shield malware generates popups that say the machine is infected with a virus and ask users for payment to get rid of it. BitTorrent—which says it removed the scareware from its software—has warned users that some downloads from its site might have contained the malware.
A recent study indicates that the facial-recognition tools that companies such as Facebook are adding to their websites could imperil online privacy. Using a facial-recognition technology that Google recently acquired, Carnegie Mellon University researchers correctly identified approximately 30 percent of the people in snapshots of student volunteers that they used for testing purposes by matching the photos with those on Facebook. Using information from the Facebook profiles of the individuals they identified, the researchers then correctly predicted the first five digits of their Social Security numbers about 27 percent of the time. This was accomplished based on the Social Security Administration's policy of assigning Social Security numbers related to people's birthdates. Facebook—which provides a face-recognition service to let people identify photos of their contacts—says users who are concerned about this don't have to put photos on their pages or can change their privacy settings.
South Korean regulators recently fined Apple for allegedly illegally collecting iPhone users' location information. The Korea Communications Commission (KCC) fined the company 3 million won, which is approximately US$2,600 based on the exchange rate at press time. There has been controversy over Apple's location-tracking technology in several countries, including the US, after researchers found a hidden iPhone file that stores a device's latitude and longitude at various recorded times. Apple says it doesn't track iPhone users' locations but uses the controversial file to help maintain a database of Wi-Fi hotspots and cellular towers in the area, which could aid users who want to know their own location.
A new Facebook feature will help cybersnoops find users' personal information more readily, security vendor Sophos recently reported. At issue is Facebook's recently launched Timeline, which offers new functionality and interface capabilities that let users list information from throughout their lives, not just the recent past, on a single page. Sophos said the new feature could make a lot of personal information easy for hackers to find and use for attacks targeting specific individuals. For example, many people base passwords on personal information that could be found on their Timeline page. Hackers could also use information from Timeline to write email messages that sound like they're from a trusted source but that include links that either contain malware or send visitors to infected sites.
A well-known wireless communications service has changed previously announced plans to gather and share GPS-tracking and other data it collects from vehicles. OnStar, a subsidiary of automaker GM, has 6 million customers and recently announced this decision after numerous people, including several US senators, expressed privacy concerns. Originally, customers would have to opt out if they didn't want OnStar to collect and share information. Now, this only occurs if customers opt in. The company provides services including emergency assistance, hands-free calling, turn-by-turn navigation, and remote diagnostics. In the process, it collects information such as diagnostic error codes, odometer readings, and crash-related data. OnStar told subscribers that it would collect subscribers' information, even if they canceled their service, unless they asked the company to deactivate their data connection. OnStar said it would anonymize the data and share it with third parties and business partners. The company contended this would allow it to help former subscribers in case of disaster or emergency and to better plan future services.
Digital rights groups have recently demanded that the European Commission prove it needs to retain the telecommunications data that it collects for public safety. Groups such as European Digital Rights, Germany's AK Vorrat, Belgium's Net Users' Rights Protection Association, Holland's Bits of Freedom, the US's Electronic Frontier Foundation, the European Federation of Journalists, and Privacy International sent the European Commission a letter expressing their concerns about the Data Retention Directive. Under the 2006 directive, telecommunications providers must retain information identifying the sender, recipient, date, type, time, and duration of all email, phone calls, and text messages and must give it to national police when asked to do so. In the past, critics have said the policy is too vague, not handled uniformly by all countries, and not effective in reducing crime. Moreover, judges in countries including Austria, Germany, Romania, and Sweden have said the directive is unconstitutional.
The Independent Center for Privacy Protection for the German state of Schleswig-Holstein has told government sites to remove Facebook's fan pages and like button or risk being fined €50,000. The center said that the fan pages and like button violate European data privacy laws and that they send information back to the company's US offices, which could utilize the material to build user profiles. Facebook says that it complies with EU data protection requirements and that users have control over the sharing of information collected on its site. The company also said it has consistently worked with German officials to address privacy concerns.
Chinese officials say they have stiffened their attempts to stop hacking. The nation's Supreme Court and prosecutor's office ruled that anyone who buys or sells hacked data or network access or who covers up such activities will face criminal penalties. The US states that many online attacks originate in China. Google, the world's largest search engine, partially pulled out of China last year in part because of a serious hacking episode it says originated in the country. China says it is one of the world's biggest victims of such incidents and contends that approximately 42,000 of its websites were hacked in 2009.
The UK's Information Commissioner's Office (ICO) is recommending that British schools teach students about data privacy. The ICO is currently exploring ways to include such matters in primary and secondary schools. The agency is seeking proposals from organizations interested in serving as a research partner to help study the issue and recommend approaches. ICO designed the initiative to make young people aware of the many privacy threats they face and the ways they can safeguard themselves, including the use of legal processes.
For the first time, the US has said that a cyberattack could cause it to implement terms of a military treaty with other countries. US officials said the policy is necessary because such incidents are now an integral part of modern warfare. The US and Australia said cyberattacks could cause the two countries and New Zealand to work together on a response, potentially military in nature, based on the 1951 ANZUS Treaty. The treaty is between Australia and New Zealand on one hand, and Australia and the US on the other.
A US government agency has proposed changing online child privacy regulations to address concerns regarding smartphones and geolocation technology. The Federal Trade Commission (FTC) is advocating updating the Children's Online Privacy Protection Act of 1998 to prohibit child-oriented websites and mobile applications from using tracking cookies or GPS location tracking for marketing purposes without parental consent. Parental approval would also be necessary for collecting data on children's online activities or behaviorally targeting them with advertising. The FTC plan would let websites track young people "for purposes such as user authentication, improving site navigation, maintaining user preferences, serving contextual advertisements, and protecting against fraud or theft." Privacy advocates have praised the FTC proposals as a necessary way to protect young people from inappropriate marketing. Numerous online companies, on the other hand, have supported self-regulation.