Issue No.03 - May-June (2012 vol.10)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2012.76
IEEE Security & Privacy news briefs cover the latest in security, privacy, and policy.
To keep a recent malware attack that hit the systems running Iran's oil ministry and national oil company from spreading, operators disconnected equipment in the Kharg Island terminal, which handles 90 percent of the country's oil exports. Iranian officials say the attack didn't affect oil production, but it apparently took down some websites.
Security vendor McAfee recently found new malware—primarily targeting Japanese users—in 15 Android smartphone applications posted on the Google Play app marketplace. Designed to steal users' personal information, the Android/DougaLeaker.A Trojan appears to victims as an application that displays video about upcoming Android games, Japanese-style anime, or Japanese adult videos. When the victims download the application, it shows a request for permission to read both the contact data stored on the smartphone and the "phone state and identity." If users grant permission, the malware surreptitiously steals personal and contact information from the phone.
Cyberattacks on Tibetan freedom activists are increasing in number and sophistication, according to security vendors FireEye and Trend Micro. Reportedly, the social engineering approaches that hackers use to entice Tibetan victims to unknowingly participate in activities that make them vulnerable are becoming more complex. For example, one attack started with an email message that had an attachment containing a rich-text-format file with malware that exploits vulnerabilities in Microsoft Office applications and installs a backdoor.
Apple is taking steps to help users combat the Flashback Trojan, which has infected hundreds of thousands of Mac OS X systems. Users become infected when a link redirects them to a bogus website that loads a small application for downloading malware from a remote location. Security experts have been aware of Flashback since 2011 but have paid much more attention recently after a variant began infecting large numbers of machines. Apple is working with ISPs to disable the command-and-control servers running the Flashback botnets.
Security researchers recently found a flaw in popular mobile iOS applications for Facebook, LinkedIn, and Dropbox that could cause users to become identity-theft victims. They warn that the problem could be present in other programs, including those written for use on Android systems. The affected applications save user authentication keys in easy-to-find unencrypted files. A hacker can access the files and transfer them to another device, then access the victim's Facebook or other accounts without having to log in.
Anonymous, a loosely connected group of hackers that has attacked numerous financial and government sites in various countries, recently targeted several Chinese government websites and publicized its actions on its Twitter account, Anonymous China. Anonymous says one of its goals is to penetrate the "Great Firewall of China," which the country uses to block popular websites such as Facebook and YouTube.
A security vendor identified new malware designed to fool Facebook users into providing their credit card, debit card, or Social Security numbers. Trusteer said a variant of the Ice IX malware tricks Facebook users into exposing sensitive information by displaying in a browser window a Web form with the same design that Facebook uses. In addition to the credit card and other numbers, the form asks for expiration dates, billing addresses, and cardholders' names, saying the website needs the information to verify the users' identity and provide more security for their Facebook accounts.
A new type of malware based on the notorious Zeus Trojan is making the rounds via email messages that appear to be US Airways flight check-in notifications. According to security vendor Kaspersky Lab, the messages include a short description of the airline's online check-in procedure and links to fake reservations that appear to be from the US Airways website but that actually redirect users to other sites that launch a BlackHole attack. Criminals use the BlackHole toolkit to exploit flaws in old versions of popular browser plug-ins, such as Adobe Reader, then infect victims with malware. The current US Airways attack is infecting computers via GameOver, a Trojan based on Zeus, which hackers created several years ago to steal financial data.
According to security vendor Sophos, India now accounts for 9.3 percent of the world's spam, followed by the US with 8.3 percent, South Korea with 5.7 percent, Indonesia and Russia with 5 percent each, and Italy with 4.9 percent. An estimated 80 percent of all spam is routed through computers taken over by criminals who utilize them to set up botnets. Sophos said the volume of email spam has decreased since early 2011, owing in part to better ISP security. More spammers are also using social networks, rather than email, to spread junk mail.
State of Utah officials said it appears that Eastern European hackers broke into a Department of Technology Services (DTS) server and stole personal information on recipients of services from Medicaid and the Children's Health Insurance Plan. The information typically stored in the computers includes clients' names, addresses, birth dates, Social Security numbers, and their doctors' names. An authentication-related configuration error on the compromised server apparently enabled the hackers to circumvent DTS's security system. The state has shut down the server and is instituting new security procedures.
A Washington, DC, hospital reported that a contractor's stolen personal laptop contained personal and health-related data for 34,500 patients. Not all Howard University Hospital files contain the same information, but they typically include names, addresses, Social Security numbers, patient identification numbers, medical record numbers, birth dates, admission dates, and diagnoses. Most of the people affected were patients between December 2010 and October 2011, although some of the stolen data was from as long ago as 2007. Howard officials have contacted the affected patients about the data breach and will implement measures to prevent such a problem from occurring again.
A US government advisory board is calling on officials to ensure that implantable wireless medical devices are safe from hacking before they're sold. According to the Information Security and Privacy Advisory Board (ISPAB), a federal agency should have the authority to ensure these devices' safety. Several research teams have demonstrated the equipment's vulnerability to hacking, which puts millions of patients at risk. The ISPAB recommends that the US Computer Emergency Readiness Team oversee a process for reporting, tracking, and analyzing security problems with pacemakers, defibrillators, insulin pumps, and similar items. The board also suggests that the US Food and Drug Administration or some other agency step in to inform patients, doctors, and healthcare organizations about the devices' potential risks.
The UK government is working on plans for a nationwide electronic surveillance network that, officials say, could track every message sent by anyone in the country. The British Home Office said police and intelligence agencies sometimes must obtain communications information to investigate terrorism and major crime. Opponents say the plan would give law enforcement and national security agencies too much leeway in intercepting communications and could infringe on the privacy of innocent people. Others note the proposal would require the government to install thousands of pieces of monitoring equipment, which could cost billions. The Home Office didn't discuss how the proposed system might work or whether there would be judicial oversight. However, a government spokesperson said the system wouldn't entail reading email or listening to phone conversations but instead would track matters such as who is communicating and when. In the UK, authorities generally must request permission to access such information and aren't supposed to conduct a mass communications-monitoring program.