Issue No.01 - January/February (2012 vol.10)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2012.20
IEEE Security & Privacy news briefs cover the latest in security, privacy, and policy.
According to security software vendor Intego, a recent phishing attack attempted to steal Apple customers' credit card information by sending Apple customers an email message with the subject line "Apple update your Billing Information" from a spoofed sender address, firstname.lastname@example.org. The included link took customers to an authentic-looking sign-in page. Another recent phishing scam targeted Apple customers via the company's MobileMe, a subscription-based collection of online services and software.
US intelligence agencies have reportedly identified many of the Chinese groups responsible for cyberspying in the US and have determined that China's military sponsors most of them. According to officials, groups connected to China's People's Liberation Army and nonmilitary organizations such as universities initiated such activities. Late last year, the US released a report accusing China of being the world's most active nation involved in economic spying. Chinese Foreign Ministry officials have consistently denied government participation in cyberspying and said the country cracks down on such behavior and cooperates with international efforts to curb it.
More than eight of 10 applications analyzed by risk-management software vendor Veracode contained vulnerabilities that left them susceptible to common attacks, such as SQL injection, cross-site scripting, and remote code injection. Veracode's State of Software Security Report: Volume 4 analyzed the results of nearly 10,000 tests the firm performed for customers during the past 18 months. As in previous versions, the recent study showed that internally developed code was more secure than that from external sources.
HTML 5 promises to enable many new types of rich Web applications but could cause problems, according to security vendor Sophos. The sophisticated markup language offers capabilities such as simple audio and video integration and full-frame animation, but it can also store considerable data in the browser, which might become a direct target for hackers. HTML 5 sandboxing makes clickjacking a bigger risk because webpages can't identify the source of commands. Moreover, the new HTML version could enable supercookies that track and collect large amounts of information about users' Web activities. However, Sophos said the technology also has security benefits, such as client-side input validation and capabilities that eliminate the need for many potentially risky plug-ins.
Experts say IPv6 implementation could create security problems, so organizations deploying the technology should take the appropriate precautions. Unlike IPv4, IPv6 doesn't require manual configuration. Stateless autoconfiguration lets IPv6-enabled devices communicate with one another or with any service, provided they're on the same LAN. These devices locate one another or services via the IPv6 Neighbor Discovery Protocol. However, NDP could expose devices to hackers who could either control them as a part of botnets or learn enough about network operations to exploit them. Industry observers say they've already seen bots using IPv6 as an undetected way to communicate with their controllers. If organizations don't have IPv6 security measures, such as deep packet inspection, the malware could pass through IPv4 defenses.
Features in Windows 8 could dissuade hackers from making OS attacks but might encourage them instead to develop attacks directly against hardware, according to security vendor McAfee. Hackers can use low-level functions for botnet control by migrating control capabilities to graphics processor functions, the basic I/O system, or the master boot record.
Intel has patched a flaw that might have let hackers evade security technology built into the company's processors and chipsets. The problem with Intel's SINIT authenticated code modules could have allowed hackers to bypass the Trusted Execution Technology, a hardware extension to processors and chipsets designed to protect against software-based attacks. It compares a system against a benchmark of acceptable behaviors and launch-time configurations, letting the system itself assess attacks against its launch-time environment and alert administrators if necessary. Security research firm Invisible Things Lab discovered the flaw, which Intel rated as "important," and designed a proof-of-concept exploit.
The US Department of Defense plans to place fake documents—acting as honeypots—on the Internet to catch people trying to steal confidential information as well as protect real documents. This DARPA program occurs in the wake of the WikiLeaks controversy, in which the organization published private, secret, and classified information that anonymous sources acquired from governments and organizations. DARPA said its honeypot documents can capture the IP address of anyone opening them, record the time of the breach, and alert administrators. Proponents also hope to undermine hackers' trust in the private data they find on the Internet.
Canada has set new guidelines to limit advertisers' ability to track consumers. Privacy Commissioner Jennifer Stoddart's policy focuses on online behavioral data and personally identifiable information. The guidelines say that information companies give to customers about their policies should be easy to comprehend and that Web usage shouldn't depend on users accepting participation in online behavioral advertising. The document doesn't insist on advance user consent for cookies and other typical online data collection approaches but says advanced tracking techniques might violate the new policy. According to Stoddart, her office is concerned about the growing use of online behavioral advertising invading personal privacy, particularly if consumers aren't aware they're being tracked. She also said marketers shouldn't knowingly track children online or collect sensitive information.
Hackers exploited a security bug in a Facebook tool to access private images that users—including company CEO Mark Zuckerberg—had posted to the social networking site. Facebook has since stopped making the tool—which let users report offensive images—available. Problems began when someone anonymously posted on the Bodybuilding.com Web forum detailed instructions on how to exploit the tool and access photos—even those locked for privacy—that users uploaded to Facebook. Subsequently, someone posted 13 locked images taken from Zuckerberg's account on the Imgur photo-sharing site. The images were then distributed widely on Twitter. When a user wanted to report an image on a Facebook page as offensive, the site would sometimes give the reporter the ability to add other photos to the notice. Facebook would then show additional photos, potentially including some marked as private. Facebook acknowledged the problem but said the flaw exposed only a small number of photos.
The World Wide Web Consortium is developing tools that will let Internet users request online privacy from websites. The W3C has begun designing specifications that would let users employ browser settings to tell websites what tracking, if any, they'd permit. The technology would also let websites acknowledge such privacy instructions and outline best compliance practices. In addition, the tools would warn users about sites that haven't respected privacy requests. The W3C is now asking users, browser makers, and companies to work together to complete and implement the specifications. The consortium says it expects browsers to start deploying the technologies in the middle of this year, and websites to do so a bit later.
A group of plaintiffs has filed a US$16 million class-action lawsuit claiming the University of California, Los Angeles (UCLA), Health System compromised more than 16,000 patients' personal information. The organization recently notified 16,288 patients that their information was at risk after a burglar stole an external hard drive from a Health System employee's home. The information reportedly included first and last names, birth dates, medical record numbers, addresses, and medical information, but not Social Security numbers or financial information. According to the Health System, information on the hard drive was encrypted, but the decryption password was written on a nearby piece of paper that wasn't found after the burglary. The organization says it's reviewing its policies and procedures and will make changes to prevent such a problem from happening again.
A US government agency is investigating facial recognition technology's effects on privacy. The Federal Trade Commission is studying the technology's current and future commercial uses and benefits. However, the FTC is also probing issues such as how and when facial recognition should be used, particularly with vulnerable groups such as children. It's also examining the best practices organizations using facial recognition should implement to protect consumer privacy. The impetus for the FTC's investigation is the growing use of facial recognition in consumer applications such as Facebook. Google recently included the technology for use in tagging images of people in its Google+ social network.
Security experts from the US and EU member countries worked together for the first time recently to practice fighting simulated cyberattacks. The Cyber Atlantic 2011 exercise targeted two types of threats: an ongoing but stealthy attempt to access and publish secret information from EU nations' cybersecurity agencies, and attacks targeting power generation facilities' computerized industrial control systems. Approximately 20 EU countries participated. The event was designed to examine how the EU and US would cooperate when responding to attacks on their critical information infrastructures.
The Obama Administration has released a plan for setting cybersecurity R&D priorities designed to increase and focus efforts to secure the US network infrastructure. The Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program resulted from a study that called for urgent action to shore up the nation's cyberdefenses. The new plan focuses on four strategic areas. The first is identifying the causes of security shortcomings and finding ways to address them by changing current practices. The second is developing scientific approaches to solve cybersecurity problems. The other goals involve agencies collaborating and coordinating their cybersecurity efforts to maximize their effectiveness, and reducing the time it takes to put cybersecurity research results into practice.