Issue No.05 - Sept.-Oct. (2012 vol.10)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2012.129
These news briefs cover the latest in security, privacy, and policy.
A flaw in Rugged Operating System, which runs the routers found in many critical-infrastructure elements, allows hackers to exploit cryptographic keys, putting power generation stations, traffic control systems, petroleum facilities, and other critical infrastructure elements at risk. Justin Clarke, director and cofounder of security services company Gotham Digital Science, said hackers can identify the private key that the Rugged OS uses to encrypt communications by analyzing the operating system. Attackers can thus compromise a host on a network, eavesdrop and decrypt HTTPS/SSL or SSH traffic between an administrator and a Rugged OS device, steal private information, and launch man-in-the-middle attacks.
OSX.Crisis Trojan, initially thought to target just the Mac OS, can now attack systems running Windows, Windows Mobile, and VMware virtual machines, possibly spreading among systems via email or social media. Security vendor Symantec hasn't yet found the backdoor Trojan in the wild. However, malware writers could either release OSX.Crisis themselves or modify it to create their own Trojans. Some security experts say that the OSX.Crisis Trojan might be the first malware able to attack virtual machines.
The Arab Youth Group has claimed responsibility for attacking Saudi Aramco, Saudi Arabia's national oil company, saying it opposes some of Saudi Arabia's international policies. Saudi Aramco said a virus that infected its PCs caused a network disruption but didn't affect its core business or production systems. Some security experts speculate the attack could be related to Shamoon, new malware that hackers have used to target at least one energy-related company so far. Shamoon affects Internet-connected Windows systems, using them to communicate with the malware's command-and-control server, and then attacks other machines on the same network, steals information, and overwrites the master boot records.
According to security vendor Kaspersky Lab, Gauss malware, which is similar to Stuxnet, DuQu, and Flame, exploits a Windows Shell vulnerability that allows remote code execution. The malware gathers information, such as the machine's network connections, processes, BIOS, RAM, and drives, and sends it to five deactivated command-and-control servers. Gauss targets Citibank, PayPal, and several Lebanese bank clients. For an as-yet-undetermined reason, it also installs a custom font known as Palida Narrow. The malware contains an encrypted payload that Kaspersky researchers have been unable to decrypt. Cryptographers interested in helping with this effort should contact firstname.lastname@example.org.
DARPA has started a company designed to speed up the process of fixing smartphone vulnerabilities. Duo Security plans to provide an Android application called X-Ray that will notify phone owners when their device's software contains unpatched flaws. Duo will collect vulnerability information for different versions of Android systems. X-Ray will scan systems for components with known flaws and send other components it finds to Duo servers for further analysis. X-Ray will also discover whether manufacturers and carriers have reintroduced flaws during regularly scheduled updates.
The number of mobile phones infected by malware jumped 177 percent in the first half of this year, according to security vendor NetQin. Almost 13 million phones worldwide were infected during the initial six months of 2012, with a record 3.7 million affected in June alone. NetQin detected 17,676 individual mobile malware programs during the first part of the year, up 42 percent from 2011. Of the malware it detected, the vendor found 78 percent affected Android phones, with most of the rest designed for devices running Nokia's Symbian OS. A year ago, 60 percent of the mobile malware targeted Symbian phones.
A network security breach, exposing names, addresses, and Social Security numbers, has threatened the privacy of 34,000 students and employees in the University of South Carolina's College of Education. This is the largest of six privacy-related incidents—involving 81,000 people—that the university has reported since 2006. The school says it isn't sure when the latest intrusion, which was launched from outside the US, occurred. Some people familiar with the situation have questioned why the university took 11 weeks to warn people about the breach, but school officials say they didn't want to alarm anyone until they could determine the intrusion's extent.
According to a study by Keynote Systems, a company that specializes in Internet testing and monitoring, 86 percent of major websites place third-party tracking cookies on visitors' computers. Keynote analyzed online behavioral tracking on 269 leading websites in the news and media, financial services, travel and hospitality, and retail industries to determine how many websites used cookies from other organizations. Almost all websites in the travel and hospitality industry and in the news and media business use third-party tracking. The news and media sites alone averaged 14 third-party tracking cookies per visit.
Oregon Health & Science University Hospital (OHSU) in Portland is notifying the families of about 700 pediatric patients after a burglar stole a USB drive containing some of their personal information. Hospital officials notified the parents of pediatric patients screened for vision-related problems whose data was on the stolen USB drive. They said the drive didn't contain much information about any single patient and that the data was password protected and could be opened only with software that most people don't have. The hospital now plans to step up efforts to encrypt USB drives it uses to store patient and employee information.
The hacking group Anonymous claims it broke into servers belonging to the Syrian government and stole 2.4 million emails from public officials and contractors, which WikiLeaks subsequently published. The emails, which were from approximately 680,000 different addresses, involved Syrian agencies such as the Ministries of Presidential Affairs, Foreign Affairs, Finance, Information, Transport, and Culture, according to WikiLeaks. Anonymous, whose claims have not been verified, said its hackers worked almost 24 hours a day for weeks to break into the Syrian servers and steal the email.
The Chinese government has developed policies designed to help public agencies and other key organizations, including its energy, transport, and finance sectors, better address cybersecurity. The plans call for better training of security professionals and more effective use of strong encryption, as well as additional auditing, incident reporting, and system monitoring. It also recommends that officials reduce the number of Internet connections from systems that store classified information. Some observers note that while the guidelines don't offer any new approaches to improving security, they indicate that officials are concerned about the increasing number of cyberattacks on Chinese systems.
The US National Institute of Standards and Technology (NIST) is preparing to release a draft version of a new encryption requirement with which federal websites will have to comply. NIST currently requires US agencies' websites to support Transport Layer Security 1.0 encryption; now it will require that they implement TLS 1.1 or 1.2. According to the agency, numerous government websites will have to acquire new Web servers to support the newer technology. The agency also wants the federal government to move forward with mutually authenticated TLS. In this approach, two parties, typically a client and a server, request certificates from, and thereby authenticate, each other.