Issue No.06 - November/December (2009 vol.7)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2009.162
A brief look at news in security, privacy, and policy.
In October, a list of more than 10,000 Hotmail accounts and passwords obtained through phishing attacks was posted to a developer site; security researchers later discovered that email accounts from Google, Yahoo, AOL, Earthlink, and Comcast were also affected, bringing the total number of compromised accounts to more than 30,000. The companies reset the accounts and worked with customers to restore access. Security analysis of the compromised accounts showed most had weak passwords, the most common being "123456" and variations.
The US Federal Bureau of Investigation (FBI) and Egyptian authorities charged more than 100 people in connection with a phishing ring in October, the largest indictment ever in a cybercrime case, the FBI said. Authorities arrested 33 defendants in California, Nevada, and North Carolina. According to the indictment, Egyptian-based hackers obtained bank-account numbers and accessed funds from two banks. They then wired the money to coconspirators in the US who set up new accounts.
Albert Gonzalez pleaded guilty to organizing massive data breaches at TJX Companies, Heartland Payment Systems, and others as part of a plea deal in September. Gonzalez is scheduled for sentencing in December, is expected to serve between 15 and 25 years in prison under the agreement, and will give up more than US$2.7 million.
Mozilla is planning to launch a feature called Content Security Policy in Firefox that stops cross-site scripting, and is encouraging other browser makers to adopt the technology. The feature asks Web site developers to define legitimate content for Web pages, then blocks anything that hasn't been defined. Mozilla developers said IE and Google's Chrome teams have shown interest in adding it to those browsers. The technology is expected to debut sometime next year.
A University of Washington study showed that recent models of household robots lack adequate security features and are vulnerable to remote attacks (see www.cs.washington.edu/research/security/robots). The team of researchers purchased three robots in 2008 that included Internet and wireless network features, but audio-visual streams, user names, and passwords on the machines weren't encrypted. The team emphasized that the threat of a malicious attack is currently minimal because use of household robots isn't widespread.
Spam and malware distributors are actively targeting Macs, and one cybercrime network recently offered low-level affiliates US$0.43 for each malware infection on a Mac, according to a Sophos researcher. Dmitry Samosseiko said Russian networks known as partnerka operate by recruiting affiliates to drive traffic through fraudulent spam for Canadian pharmacies, software, and other goods and services (www.sophos.com/sophos/docs/eng/marketing_material/samosseiko-vb2009-paper.pdf).
The New York Times was among several news sites that were breached by a malicious ad on a weekend in September. The Times discovered it had been duped by an attacker posing as a legitimate advertiser. The ad appeared as an antivirus scan that took up the entire browser display, then showed a warning that visitors needed to purchase antivirus software. The Times found that the attacker posed as Vonage and supplied seemingly real ads for approval, then switched to the virus warning during the weekend.
The US Department of Homeland Security released its annual privacy report in September (www.dhs.gov/xlibrary/assets/privacy/privacy_rpt_annual_2009.pdf), offering new details on warrantless searches of laptops and other devices at airports and borders. According to the report, electronic devices were searched infrequently from 1 October 2008 to 5 May 2009. Out of 144.4 million travelers entering the US, there were only 1,947 device searches, 696 of them involving laptops. The report noted that, in many cases, travelers were asked only to turn the devices on.
Facebook agreed to shut down its Beacon feature in September as part of a settlement in a class-action lawsuit against it and partner Blockbuster. When Facebook launched Beacon in 2007, the service let third-party sites such as Blockbuster post user activity on profile pages without consent. Beacon was initially launched as a default feature; Facebook later changed it to opt-in. The settlement also includes $9.5 million from Facebook to start a privacy organization. In October, three Facebook users filed a separate lawsuit.
The US Department of Homeland Security (DHS) announced in October that it plans to hire up to 1,000 cybersecurity professionals over the next three years, part of a broad effort to strengthen the country's networks and infrastructure. The department doesn't expect to reach the 1,000-position cap, and the hiring process is likely to be competitive. "This new hiring authority will enable DHS to recruit the best cyber analysts, developers, and engineers in the world to serve their country by leading the nation's defenses against cyberthreats," said DHS Secretary Janet Napolitano.
India is preparing to launch a nationwide biometrics project, issuing identity cards and e-passports to all citizens, according to reports. The change has prompted calls for an open biometrics standard so India can avoid relying on specific vendors for the technology. Issuing the cards to all of India's 1.2 billion citizens is expected to take four years, and the project could make it easier for poor residents to gain access to public services.
Some schools and Internet cafes in China have ignored or stopped following a mandate to install filtering software called Green Dam, according to news reports. Additionally, some computer makers that had complied with the mandate—even though it no longer applied to them—now do so only by request. Some schools reportedly gave up on the software because it was incompatible with other programs necessary for schoolwork. China initially wanted Green Dam, a pornography filter that can be controlled remotely, installed on all new machines sold in the country starting in July, but loosened the requirement following public outcry about privacy concerns.
In August, the US Department of Health and Human Services (HHS) established rules for notifying patients when healthcare providers experience data breaches. Providers are required to notify patients, the media, and the HHS secretary if a breach affects more than 500 people. However, providers don't have to notify patients if the data is protected by strong encryption settings, and providers with unencrypted systems can apply a "harm standard" used to determine how much risk the compromised records carry. Some congressional leaders have asked the department to revise the harm standard to be stricter. The healthcare industry says the harm standard is necessary to avoid causing a panic from minor breaches.
US Chief Information Officer Vivek Kundra announced in September that a task force is developing new metrics for national cybersecurity. According to Kundra, security metrics must focus on outcomes instead of compliance. The task force includes participants from the National Institute of Standards and Technology and the Department of Homeland Security, among others, and is expected to complete its recommendation by the end of November.
Singapore is planning to form a national cybersecurity agency that will protect networks and respond to threats such as espionage and distributed denial-of-service attacks. The Singapore Infocomm Technology Security Authority (SITSA), announced in September, will begin by strengthening infrastructure networks and developing a framework for incident reporting and responses. The agency will also conduct regular preparedness tests to protect against large-scale attacks.
Selected CS articles and columns are also available for free at http://ComputingNow.computer.org.