January/February 2013 (Vol. 11, No. 1) pp. 6-7
1540-7993/13/$31.00 © 2013 IEEE
Published by the IEEE Computer Society
Security, Privacy, Policy, and Dependability Roundup
Our news briefs cover the latest in security, privacy, policy, and dependability.
Hackers stole millions of people's tax-return and payment data from South Carolina Department of Revenue (DOR) systems that had been vulnerable for two months. The attacks yielded sensitive information on 3.8 million individuals from as long ago as 1998. A report by security firm Mandiant said the South Carolina incident began when hackers sent multiple DOR employees a phishing email. One recipient clicked an embedded link and received malware that stole user credentials. Shortly thereafter, hackers used the credentials to log in to a remote access service and then searched DOR systems and databases.
An Iranian news agency said recently that the Stuxnet worm has again attacked computers in the country, nearly two years after the malware caused problems in its nuclear-material-processing facilities. A report by the Iran Students' News Agency said the worm targeted a power plant and other industrial facilities in the southern part of the country before computer experts stopped its spread.
According to security vendor Symantec, hackers have begun using fake QR codes to send people to malicious websites. In one approach, criminals distributed bogus QR codes in spam messages. Some now simply print their own phony codes on stickers that they attach to real advertising posters, typically in airports and other locations with heavy foot traffic. Symantec recommends that people who scan QR codes use a reader that checks a website's reputation before sending a user on to the related URL.
Hackers recently launched a ransomware attack that encrypted an Australian medical center's patient records and then demanded money to decrypt the data. When the Miami Family Medical Centre's staff arrived at work, they found that seven years' worth of patient records were inaccessible. The hackers, apparently based in Russia, demanded AU$4,000 (approximately US$4,230) to decrypt the data. The clinic, based in the state of Queensland, refused to pay and opted instead to rebuild its database from scratch. The medical center reportedly was vulnerable because it ran antivirus tools but had no other security in place and didn't conduct regular data backups.
French government officials have accused US government hackers of compromising a network serving the Élysée Palace, home of France's president. The US Embassy in Paris has denied the accusation that attackers stole sensitive information from a close advisor to then-president Nicolas Sarkozy shortly before he lost last May's runoff elections. According to reports, the attackers found and contacted targets within the presidential palace on Facebook, sent them links to a fake Élysée intranet page, stole their login credentials, and installed the Flame espionage malware on their PCs.
According to a US Federal Trade Commission (FTC) report, approximately 300 popular children's educational and gaming mobile applications don't clearly tell parents about the personal information they collect, who can view it, and what it's used for. The applications, which the FTC didn't identify, could utilize the information to locate or track children. Federal regulators are investigating whether these practices violate a law requiring website operators to obtain parental consent before collecting or sharing personal information obtained from users younger than 13.
The UK government plans to create a DNA database for patients of the country's National Health Service (NHS). Groups such as GeneWatch, a policy research and public interest group, say that such an information repository wouldn't be as secure as the government claims and thus would create a privacy risk. The new plan calls for officials to sequence and analyze the DNA of NHS patients over a period of up to five years, at a cost of £100 million (approximately US$161 million). According to UK Prime Minister David Cameron, this could revolutionize cancer treatment in the country and help develop new drugs and treatments.
To improve Israel's ability to deal with the growing number of online attacks it faces, the country is developing a nationwide program to train young people to combat cyberwarfare. Officials are inviting promising students between the ages of 16 and 18 to participate. Prime Minister Binyamin Netanyahu explained that Iran and other countries are increasingly attacking Israel's computer systems. Last November, the hacker group Anonymous and Pakistani hackers attacked several Israeli websites in protest of Israel's attempt to stop missile attacks from Gaza.
The North Atlantic Treaty Organization's Cooperative Cyber Defence Centre of Excellence has released its National Cyber Security Framework Manual, which gives readers detailed information about various aspects of national cybersecurity that they can use when drafting cybersecurity policy at a governmental level. The information addresses the perspectives found in various types of policy development and decision making: political, strategic, operational, and tactical/technical. The new manual also discusses different types of national cybersecurity organizations, such as top-level policy coordination agencies and cybercrisis-management groups.
The US is developing an official cyberwar doctrine, much like the doctrines that many countries have for nuclear and conventional warfare. This approach could address issues such as how federal agencies help private firms—especially those operating critical infrastructure such as utility plants—defend themselves against cyberattacks. The new rules could also delineate the steps the Department of Homeland Security could take to defend domestic networks.
The US Federal Bureau of Investigation (FBI) has worked with Facebook and law enforcement agencies in other countries to break up an international cybercrime group that allegedly used a huge botnet to steal US$850 million. The FBI suspects that the gang used variants of Yahos malware to create the Butterfly botnet—used to steal credit card and bank information along with other sensitive personal data—to attack approximately 11 million computers between 2010 and 2012.
Carnegie Mellon University and Coherent Navigation scientists have designed several types of attacks that could disable the GPS infrastructure on which many military and civilian users rely. They constructed one attack by broadcasting malicious data to GPS receivers, which they say could bring down up to 30 percent of GPS support stations worldwide. They also built a device that generated location-spoofing transmissions that could crash GPS applications and receivers. The scientists said their techniques differ from previous attacks because they treated GPS as a large computer system, rather than just a navigation system.
Ford Motor Company said software defects that could have caused engine fires led it to recall about 90,000 of its newly released Escape and Fusion vehicles. The company says it's updating the software that monitors the cooling systems in Escape crossovers and Fusion sedans with turbocharged 1.6-liter engines. The problems left the systems unable to provide cooling during certain overheating situations. Ford told US regulators that nine vehicles have experienced fires. The company advised all owners of the affected types of cars to contact their dealers for a free replacement until it updates the software.
Bugs in a software update have caused some Apple TV set-top boxes to stop working altogether and some to be unable to connect to their network, rendering them useless. The problem began when set-top boxes were updated to version 5.1, which provides features from Apple's iOS 6 mobile OS, such as shared photo streams and AirPlay. In response, many users manually restored the Apple TV to an older iOS version.