Issue No.04 - July-Aug. (2012 vol.10)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2012.107
Our news briefs cover the latest in security, privacy, and policy.
Scientists from the Ca' Foscari University of Venice, the University of Birmingham, Google, and the Norwegian University of Science and Technology designed a cyberattack that took only 13 minutes to steal the keys from RSA's SecurID 800 token fob. They say their exploit could also compromise additional devices that store RSA keys, including other companies' tokens and national identification cards. The padding oracle attack repeatedly exploits a weakness in the cryptographic wrapper until contents convert into plaintext.
The US Federal Bureau of Investigation took a Pennsylvania man into custody, accusing him of belonging to a hacking group known as the Underground Intelligence Agency. They say he and others broke into systems belonging to organizations such as the US Department of Energy's National Energy Research Scientific Computer Center, the University of Massachusetts, RNK Communications, and the Crispin Porter + Bogusky advertising agency. The hacker allegedly installed backdoors into the compromised servers, created passwords to gain root access, and sold the passwords and logins.
Analysts from Fujitsu Laboratories, Japan's National Institute of Information and Communications Technology, and Kyushu University set a cryptanalysis record by cracking a 278-digit, 923-bit key used in a pairing-based cryptography system. They used 21 computers with 252 processor cores, as well as optimization and parallel-programming techniques, to break the key in 148 days. The record holders said they hope their work will help government and standards organizations identify how pairing-based cryptography can and should be used in the future.
Social networking service provider LinkedIn is trying to upgrade security in the wake of a breach in which hackers stole an estimated 6.5 million user passwords and posted them online. In the resulting US$5-million class-action lawsuit, the lead plaintiff contended that LinkedIn didn't properly safeguard users' digitally stored identifying information, violating its own user agreement and privacy policies. The complaint also contended that hackers could easily decrypt passwords because LinkedIn didn't protect its website against SQL injection attacks and failed to use adequate encryption, allegedly storing passwords using an unsalted, outdated SHA-1 format. LinkedIn reports that it has disabled compromised passwords and contacted affected users by email.
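To make the storage weakness in the LinkedIn brief concrete, the following is an added example (not code from the original news brief or from LinkedIn): it places the unsalted SHA-1 scheme the complaint describes beside a per-user-salted, iterated PBKDF2 scheme from the Python standard library, and shows the triage a responder can do on an unsalted table, namely grouping accounts that share a password without knowing it. The user names, passwords and the hypothetical storage-string format are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample user table: the kind of record an unsalted-SHA-1 site would hold.
# Names and passwords are illustrative only.
SAMPLE_USERS = {"alice": "Summer2012", "bob": "hunter2", "carol": "Summer2012"}


def weak_hash(password: str) -> str:
    """Unsalted SHA-1, the scheme the brief says LinkedIn used.

    The same password yields the same digest for every user (and every site that
    does this), so a single leaked digest identifies every account sharing that
    password, and precomputed tables apply directly.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (stdlib hashlib.pbkdf2_hmac).

    The salt removes the cross-user and precomputed-table shortcut; the iteration
    count makes each guess expensive. The "$"-separated storage format is a
    hypothetical layout chosen for this example.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), dk.hex()])


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never accept
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_password_groups(table: dict) -> list:
    """Breach-impact triage: with unsalted digests, identical digests mean identical
    passwords, so accounts can be grouped without recovering the password at all.
    Returns sorted groups of more than one account. On a salted table every record
    differs, so this yields nothing."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def build_tables(users: dict = SAMPLE_USERS):
    """Hash the same constructed user set both ways for side-by-side comparison."""
    weak = {u: weak_hash(p) for u, p in users.items()}
    strong = {u: strong_hash(p) for u, p in users.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("accounts sharing a password, visible from unsalted digests:", shared_password_groups(weak))
    print("same grouping attempted on the salted table:", shared_password_groups(strong))
    print("alice and carol salted records equal?", strong["alice"] == strong["carol"])
    print("verify alice with correct password:", verify_strong("Summer2012", strong["alice"]))
```

Run as a script it prints that alice and carol are grouped from the unsalted table while the salted table reveals no such relationship, which is the property the complaint turns on. In a deployment you would pick the iteration count from measured login latency and store it with the record, as the example does, so it can be raised later without re-collecting passwords.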
Microsoft has revoked several of its digital certificates after learning that the Flame cyberespionage software's authors figured out how to use them to sign their malware. Flame is a large, complex cyberspying tool that breaks into networks, looks for and steals information, and sends the material to its controller. Victimized systems didn't catch Flame because it was signed with unauthorized Microsoft digital certificates and thus appeared legitimate. To prevent hackers from further exploiting the flaw on unpatched computers, Microsoft issued an update that included certificate revocation for all Windows versions, including the new Windows 8 Release Preview, and has modified the Terminal Server licensing service so that it can't issue code-signing certificates.
The hacker group Anonymous says it recently stole and published 1.7 Gbytes of data from a US Department of Justice (DoJ) server. In a video, Anonymous said that it hacked the "United States Bureau of Justice," which could refer to the DoJ's US Bureau of Justice Statistics, to protest what it claims is government corruption. The Bureau of Justice Statistics collects, studies, publishes, and nationally distributes information on US crime, criminals, victims, and justice systems. In the wake of the recent intrusion, the DoJ says it is taking steps to better safeguard its data.
Kickstarter—a company that lets entrepreneurs promote their projects and attract funding on its website—exposed information on 70,000 projects to the public for two weeks. The problem was caused when an API used to show proposals to authorized viewers on the company's website made some information publicly accessible. According to the company, it accidentally introduced the API bug when it debuted its new homepage in April. Kickstarter says that it fixed the bug and that no personal or financial data was exposed. However, the incident could affect potential users' trust in the company's security.
According to a recent survey conducted by Juniper Networks, most corporate executives and employees aren't taking steps to protect their companies from mobile security threats. Juniper surveyed 4,000 wireless-device users in China, Germany, Japan, the UK, and the US and found that 89 percent of business users employ mobile devices to access critical work information, and 40 percent of them do so without company permission. Many respondents also said they neither read the terms and conditions before downloading an application nor manually set their mobile devices' security features to provide strong protection. Despite these problems, Juniper's report noted that many survey participants expressed willingness to let their companies provide security for and otherwise support their devices and that 40 percent said they're already pushing their employers to do this.
According to market research firm Gartner, more companies are adopting technologies that monitor employee Internet use, and by 2015, most will focus on social media and its potential for causing corporate security problems, such as posts of unauthorized videos containing confidential company work. Fewer than 10 percent of companies now monitor employees' use of sites such as Facebook, YouTube, and LinkedIn, but new products and services promise to make such oversight easier.
Microsoft has taken its Bing Streetside service—which shoots and posts street-level photos of publicly viewable areas—offline in Germany after people there expressed privacy-related concerns. Microsoft said it won't consider making Streetside available again in Germany until after it investigates whether it adequately blurs images of houses shown in posted images. Microsoft began photographing German streets in May 2011, agreeing to blur images of faces, car license plates, violence, and nudity, but not houses.
Copies of Green Simurgh, an Internet proxy application used in Iran and Syria to circumvent government censorship, include malware that records user keystrokes, according to Citizen Lab, a Canadian digital-media R&D laboratory. The application routes a computer's outbound connections through a US server, avoiding network filters that keep users from accessing parts of the Internet. Citizen Lab found that malicious versions of the software have been on file-sharing websites such as 4shared.com as a package called Simurgh-setup.zip, which appears to be a Green Simurgh installer. The package puts a legitimate copy of Green Simurgh in Windows' Program Files directory but also installs a Trojan horse, which logs information such as usernames, machine names, and keystrokes.
Canadian and US law enforcement agencies, including the Royal Canadian Mounted Police and the US Drug Enforcement Administration and Federal Bureau of Investigation, say that switching the Internet to IPv6 could hurt their ability to prevent and solve crimes by making it difficult to efficiently and accurately determine users' IP addresses. With IPv4, regional Internet registries distribute Internet-address blocks to ISPs every few months. This control over the supply of available addresses gives registries the leverage to demand that ISPs regularly update their part of the Whois database. This won't be the case with IPv6, for which the registries will distribute large Internet address blocks only every 10 to 15 years.
The US Federal Bureau of Investigation has opened a new facility that will focus on intercepting and analyzing communications as part of law enforcement activities. The FBI's Domestic Communications Assistance Center (which will also include agents from the US Marshals Service and the Drug Enforcement Agency) will undertake activities such as designing and building wiretap hardware, accessing and decoding online transmissions, and developing tools to analyze large amounts of acquired information. Some privacy and government watchdogs have expressed concerns that the DCAC needs more oversight and transparency to ensure it doesn't violate users' privacy rights.
Two New York state legislators have dropped a law they proposed that would have forced network administrators to remove comments on their websites upon request unless the people who posted them provide their names and confirm their addresses. The stated purpose of the Internet Protection Act was to protect people from anonymous Internet postings. However, there were so many objections to the bill that the legislators who proposed the measure pulled it. Proponents said the bill was designed to address cyberbullying; however, it also could have been used against anonymous online criticisms of businesses or politicians. Opponents, including some supporters of cyberbullying legislation, said the Internet Protection Act was too sweeping and violated the US Constitution's protection of freedom of speech.