Issue No.04 - July/August (2009 vol.7)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2009.100
A brief look at news in security, privacy, and policy.
In June, security research company Damballa found Trojans bundled deep within pirated versions of Windows 7, and the malware was linked to efforts to build a botnet. The malware packages implemented a "pay per -install" scheme, downloading additional malware supplied by third parties. Damballa said it shut down the botnet's command-and-control server on 10 May, but roughly 1,600 infections continue to occur per day. The company also warned that new versions of the Trojan could surface. Because most antivirus applications don't yet support Windows 7, infections from pirated versions of the operating system could be more dangerous than usual.
In June, an attacker hacked into Cligs ( http://cli.gs), a URL shortening service, and redirected more than 2.2 million links to a newspaper blogger who often uses the service. According to Cligs, the attack originated from Canada and took advantage of a security hole in the service's editing function, which has since been updated. Cligs restored functionality for most of the affected links, letting its registered users edit them and pointing unregistered links to the Cligs home page. Kevin Sablan, a Web director for The Orange County Register who blogs about linking, was on the receiving end of the redirected links but wasn't involved in the attack.
In June, the US Federal Trade Commission shut down an ISP suspected of proactively hosting botnets, child pornography, and malware-laden sites. Pricewert, which operated under names such as 3FN and APS Telecom, was cut off by its upstream providers on the order of a San Jose, California, district judge. The FTC said Pricewert encouraged criminal activity and protected its users, often ignoring take-down requests and shielding users with new IP addresses. The FTC also filed instant-messaging transcripts showing senior Pricewert employees discussing botnet configurations.
Adobe implemented a new patch schedule in June to coincide with Microsoft's "patch Tuesday," releasing 13 critical patches for Acrobat and Reader. The two companies are now coordinating their patch releases after determining that customers preferred patches that coincided. Adobe's fixes on 9 June included a stack-overflow vulnerability, memory corruption, and other problems that could cause the program to crash, exposing the system to attacks. Microsoft patched 31 vulnerabilities on that date, its largest fix ever.
Microsoft recently worked with the US Air Force to develop a secure version of Windows XP that includes preconfigured software and requires less time to implement patches, according to former Air Force CIO John Gilligan. Revealing details of the partnership in Wired, Gilligan said the Air Force requested the special arrangement after the National Security Agency found multiple vulnerabilities in the Air Force's networks, many caused by poor configuration. Microsoft agreed to implement security fixes for the vulnerabilities, such as more complex administrative passwords and automated tools for patches. The Air Force began using its custom Windows version in 2007, which led the White House to institute its Federal Desktop Core Configuration program for all government systems.
In July, a variant of the Mydoom worm was used to carry out sustained distributed denial-of-service attacks against high-profile targets in South Korea and the US, including government and financial sites, leading security experts to speculate that the North Korean government or its sympathizers were carrying out a cyberwarfare campaign. The attacks, which lasted nearly a week and slowed or disabled sites such as the South Korea National Intelligence Service and the US Federal Trade Commission, ended when compromised computers used for the attacks were given instructions to wipe their hard drives. South Korean officials said roughly 20,000 computers in the country were subject to self-destruction. Officials there traced the attacks to five IP addresses in South Korea, Austria, Georgia, Germany, and the US and blocked them. The malware later directed infected computers to retrieve self-destruction files from another 86 IP addresses in 16 countries. [For more on cyberattacks, see Herbert Lin's article, "Lifting the Veil of Cyber Offense," on p. 15 —Ed.]
In June, Facebook began testing open access to its users' updates, creating privacy controls for every post set to "public" as a default. Only users who previously set their privacy controls to "everyone" are part of the beta. The change represents a major shift for Facebook, which has long been known for its strict privacy policies and profiles that by default could only be viewed by other Facebook users who were added as friends. The site touted the change as a way to more carefully manage information, as users can leave general messages "public" and control access to more personal information.
In June, a European Commission advisory board recommended new guidelines for social networking sites to follow in Europe, including limits on information shared with third parties. The board placed responsibility on individual sites as the controller of users' information rather than a medium (with the exception of other companies), making it important for those sites to protect user data and privacy. The board also recommended setting high privacy settings as a default and deleting information if users have been inactive for a long period of time.
University of California at Santa Barbara researchers gained control of a botnet, Torpid, for 10 days in early 2009, studying the information it collected and the malware it spread by tracking infections to specific IP addresses. In a May report ( www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf), the researchers said they monitored more than 180,000 computers that harvested 70 Gbytes of personal information, which was stored and later turned over to authorities. Torpig collects data when infected users visit financial Web sites such as Paypal and Capital One, and generates false forms that ask for PINs and passwords.
In July, Carnegie Mellon researchers showed that it's possible to guess US social security numbers based on publicly available information such as birth dates and places. In an article published in Proceedings of the National Academy of Sciences of the United States of America ( www.pnas.org/content/early/2009/07/02/0904891106.full.pdf+html), researchers identified numeric assignment patterns to guess the first five social security digits for people born after 1988, getting 44 percent correct on their first attempt. Their chances of a correct guess were higher for people born in rural areas, which often have only one area number (the first three digits of social security numbers). The US Social Security Administration said it has already been planning a new assignation system that will make the numbers random.
In June, the European Union's Article 29 Working Party asked Google to change its Street View policy to ensure that the company doesn't keep unblurred photos in its files for long periods. Google began providing its Street View mapping service in Europe last year, and enacted a policy to blur faces and license plates to meet European privacy guidelines. However, the company's blurring technology sometimes gets false positives, forcing it to manually restore images that have been blurred incorrectly. Google said it would work to meet the working party's request, but didn't say how long it would keep original photos on file.
British ISPs Talk Talk and BT have backed off agreements to use behavioral advertising technology from US-based Phorm, although another ISP, Virgin Media, could still adopt the controversial system. Phorm's technology, Webwise Discover, uses deep packet inspection (DPI) to provide behavioral advertising based on users' browsing history. The company says it keeps users anonymous by assigning random identification numbers instead of collecting IP addresses, and matches people to their interests without storing any history data. BT said its decision was for financial reasons, and the company doesn't believe the technology violates privacy, leaving open the possibility that it could adopt Webwise sometime in the future. Last year, BT acknowledged that it had conducted unannounced tests using the service, prompting outcry from the European Union.
China indefinitely postponed controversial plans to require a filtering program called Green Dam Youth Escort to be installed on all computers sold in the country by 1 July, citing complaints by manufacturers that they didn't have enough time to meet the requirement. Green Dam, a pornography filtering program that can also be set to block other undesirable content, includes a remote update feature that critics feared the Chinese government could use to control Internet users. Security researchers also warned that the software contained dangerous vulnerabilities, and a California company, Solid Oak Software, claimed that the software included code copied from its Cybersitter program. Some computer manufacturers, including Sony, Acer, and Haier, moved forward with China's request despite the postponement. The software is also still required at schools and Internet cafes.
In June, the US Department of Defense ordered the creation of a new cyberwarfare unit to protect its military networks, and the UK similarly launched the creation of the Office of Cyber Security (OCS) to prevent and carry out cyberattacks. The US Strategic Command will oversee cybersecurity on its .mil domain and is planning to begin operations by October. The OCS will protect UK networks and take a proactive role against intrusions, which could include measures such as direct denial-of-service attacks and spying.
In April, US Representative Linda Sánchez (D- Ca.) re–introduced a bill to criminalize cyberbullying, proposing fines and two-year imprisonment for Internet users who "coerce, intimidate, harass, or cause substantial emotional distress to a person." The Megan Meier Cyberbullying Prevention Act, named for a Missouri teen who committed suicide after she was harassed on MySpace, is meant to protect children and others from psychological harm that might occur via the Internet. The bill includes communication through email, instant messaging, blogs, and other forms of social networking. Sánchez first introduced the bill in 2008, saying that cyberbullying doesn't qualify as protected free speech. Critics have called the bill unconstitutional.