Issue No.02 - March-April (2013 vol.11)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2013.40
Our news briefs cover the latest in security, privacy, policy, and dependability.
Microsoft and Symantec joined forces to take over Bamital, a botnet that used malware to attack 8 million computers and help steal millions of dollars by changing search results on victims' computers, redirecting them to pages that paid commissions to affiliate marketers. Using a court order based on a Microsoft lawsuit, US marshals and technicians for the two technology companies took control of the Bamital botnet after raiding datacenters in Virginia and New Jersey, then shut down Bamital's control servers. Microsoft and Symantec are now using these servers to communicate with infected PCs, referring them to free malware-removal tools.
Security researchers say they've discovered a 0-day flaw in Adobe Reader, which is on an estimated 90 percent of PCs in developed countries. Hackers exploit the problem by sending a crafted file to the target machine. Once a victim opens the file, the malware it contains installs two dynamic linked libraries, including one that opens a backdoor that lets the malicious code communicate with a remote server.
Hackers that might be linked to China's government have been cyberspying on major US media outlets—including The New York Times, The Wall Street Journal, and The Washington Post—apparently to eavesdrop on reporters covering the country. The hackers were apparently looking for advance knowledge of articles that might reflect unfavorably on China and to identify information sources. Chinese officials have denied government involvement in such incidents and called accusations of such activity irresponsible and unprofessional. Several media outlets have found evidence of spying from a single group of China-based hackers and said the hacking appeared to consist of relatively simple but persistent attempts to access networks.
Mandiant, a US security company, says the Chinese military carried out cyberespionage on companies in the US and elsewhere, marking one of the first times such exploits have been traced to a specific national military unit. Mandiant said it investigated numerous attacks since 2006 and traced intrusions against 141 companies and organizations—115 in the US—to the Chinese People's Liberation Army's Unit 61398. According to Mandiant, Unit 61398 stole information such as system designs, manufacturing processes, and business plans from companies in industries—including aerospace, energy, and telecommunications—that China has said is important to its economic growth.
Investigators have determined that a recent cyberattack on Bank of the West distracted the institution's security officials from an intrusion in which hackers took over an online account and stole approximately US$900,000. Hackers used fraudulent automated clearinghouse withdrawals and wire transfers to siphon money out of Ascent Builders' account with the California bank. At about the same time, the bank experienced a distributed denial-of-service attack via traffic from compromised computers. This incident kept it unaware of the account theft until it was notified by security experts.
Hackers broke into some of Twitter's servers and stole user data before the company could shut down the attack. The hackers accessed data for approximately 250,000 of Twitter's 140 million users, including usernames, email addresses, and encrypted and salted versions of passwords as well as session tokens. The company detected the incident after noticing unusual access patterns, and halted the attack within moments, then reset passwords for all affected users and revoked cookies.
Dan Nolan, an Android application developer, contends Google gives developers the names, email addresses, and general locations of people who download their programs, without users knowing about or being able to opt out of the practice. Google has not officially commented on these claims, but Nolan said he recently logged in to his account with Google Play—Android's application marketplace—and found that Google was sending him information about everyone who obtained his program. Sources familiar with Google have said the company has indeed provided developers with information about downloaders. They explained that on Google Play, developers are considered the application merchants and thus need information for tax purposes.
The US government's new cybersecurity initiative will involve many federal agencies but will depend largely on the US Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST). DHS and NIST will be key to the attempt to collaboratively create voluntary security standards and increase the sharing of cyberthreat information among agencies and companies. One of the effort's key tasks, which a DHS task force is leading, will be identifying critical infrastructure systems that could cause a dangerous situation if attacked. DHS and NIST will work together to create a framework for securing critical infrastructure. NIST will also host workshops and develop a resource consisting of cybersecurity best practices.
Two standards proposed for this year could dramatically change the way companies handle actual and reported system vulnerabilities. The first of the proposed International Organization for Standardization proposals, ISO 29147, looks at how companies deal with researchers telling them about security-related problems. Essentially, it would require companies to make it clear whom researchers should contact and gives them seven days to tell researchers they received the disclosures. ISO 30111 addresses companies' frameworks and processes to support the fixing of vulnerabilities, whether found internally or by a researcher. Both ISO standards are due for release by late 2014. Although organizations wouldn't be legally required to obey ISO 29147 and 30111, companies and government agencies often require firms with which they do business to comply with certain ISO standards.
Russian President Vladimir Putin has told cybersecurity personnel in the nation's Federal Security Service to take steps to protect government computers from hacking. This occurred after Russian security vendor Kaspersky Labs reported that a spy network had infiltrated government and embassy computers across the nation and in its former satellite countries in Eastern Europe. Since 2007, the hackers used phishing attacks, dubbed Red October, to infect these machines, steal information, and send it back to a server. Kaspersky Labs says that the hackers' network is still active and that law enforcement officials in several European countries are investigating.
Defects in financial institutions' complex business software and their rapid deployment of new systems will cause the recent rash of reliability problems to continue, according to security experts. These types of issues have recently affected companies such as Lloyds Banking Group; PayPal; Bats Global Markets; Knight Capital; and NatWest, RBS, and Ulster banks. The complexity of financial institutions' software—often consisting of many subsystems written in various languages by multiple teams—makes it difficult to secure adequately, said Lev Lesokhin, strategy chief at software analysis firm CAST. Another issue is that, to cut IT costs, many banks have used software sold by vendors, rather than developed by their own staff, limiting the institutions' ability to change code or design it to meet security needs.
Software on approximately 200 million Samsung smartphones and tablets has a defect that crashes applications if the clipboard has been used to copy more than 20 items of data. The only way to solve the problem is to perform a factory reset, which erases applications and data from the handset. Samsung could develop a fix for the flaw and send it to all of its handsets and tablets. However, the company has not acknowledged the documented bug. Security experts say the vulnerability appears to be in a file directory that's part of the TouchWiz touch-interface software that runs on top of the Android OS.