Issue No.04 - July/August (2010 vol.8)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2010.133
News in security, policy, and privacy.
Amid concerns about Chinese hackers and spying, the Indian government banned mobile phone operators from conducting business with Chinese-based telecommunications manufacturers. The Indian Telecommunications Department reportedly asked operators to end any business deals with foreign equipment companies in December 2009, based on concerns that these firms could install spyware on equipment. A spokesman for the department claims that the government is simply being more vigilant, and hasn't banned any specific manufacturer. However, its restrictions could violate the World Trade Organization's "principles of national treatment" if the department bans equipment imports only from China but not from the US or Europe, Zhang Huiling, a spokeswoman for the China Chamber of Commerce of Import and Export of Machinery and Electronic Projects, told the New York Times.
While Facebook's security and privacy standards were under continued scrutiny in early May, a company investor became a hacker's target. The attacker sent a Facebook invitation to users on Jim Breyer's "friends" list regarding a new application. Breyer is on the company's board of directors and is with Accel Partners, a venture capital firm that was one of the social networking site's initial backers. CNET found that a hacker targeted Breyer to spread a phishing scam, FBDigits, which claims to be "revolutionary phone software that integrates into Facebook Chat" to let members make free phone calls and send text messages. In reality, those who responded to the invitation had their passwords stolen.
A Ukrainian national charged with what has been called "the most notorious hacking incident in US history" was arrested 8 May. Sergey Valeryevich Storchark was arrested in New Delhi, India, as he was waiting for a flight to Turkey after a layover. Storchark is one of 11 men charged in August 2008 for hacking into major US retailers such as TJX—the parent company of discount retailers TJMaxx, Marshalls, and HomeGoods, among others—and stealing then reselling credit-card information. The US has requested his extradition, according to India's Central Bureau of Investigation (CBI).
Microsoft made an 18 May announcement that it intends to share pre-patch details on software vulnerabilities with governments worldwide. This is part of a new program the company developed to secure critical government infrastructure and assets from attacks. Code-named Omega, the program gives governments current information about vulnerabilities before Microsoft releases its security updates. Another initiative is the Microsoft Critical Infrastructure Partner Program, which will reportedly provide insights on security policy, including strategies and approaches to help protect critical infrastructures.
Google announced in April that it released patches for three security vulnerabilities in the Windows version of its Chrome browser—the second such fix issued that month. Researchers responsible for reporting the flaws received awards from Google's bug-bounty program, which launched in January. The company reportedly issues patches more frequently than do Microsoft and Mozilla because Google browser updates occur without notifying the user. As of May 2010, Chrome had been patched five times, according to Computerworld.
Researchers from the University of Calgary have created a proof-of-concept adware system that uses unencrypted wireless connections commonly available in public places to distribute advertisements. This adware system, named Typhoid, gets laptops to communicate with it rather than a legitimate access point, then inserts advertisements in videos and webpages on other computers connected to the network. Infected machines don't display any advertisements, and the adware isn't installed on the machine, so users wouldn't know they were infected. The researchers have demonstrated Typhoid on both wired and wireless networks.
Two US lawmakers introduced a bill requiring companies collecting consumers' personal information to disclose how they collect and share that information. The bill from US Representatives Rick Boucher (D-Virginia) and Cliff Stearns (R-Florida) applies to information collected both on- and offline. It also provides a way for customers to opt out of information collection and mandates that companies obtain explicit consumer permission before passing a customer's personal information to a third party. Privacy and consumer groups say the bill is extremely weak and simply serves to codify current practices designed more for corporations' benefit than to protect consumers.
Although consumers have been demanding more privacy, a newly released survey finds most fail to use the privacy controls available to them on social networking sites, exposing themselves to identity theft and other crimes. The survey, in which Consumer Reports polled 2,000 Americans, found that 52 percent of all adults using social networking sites post information that could be used in committing cybercrime. This includes posting full birth dates, home address information, and whether the user will be home at a given time. The survey found Facebook users were generally more likely to post potentially risky information than users of other sites.
A flaw discovered in Twitter in early May let users force another person to follow them. A blogger discovered the flaw, and another blogger tested it by forcing Facebook and Twitter executives to follow a dummy profile. This flaw occurs only in the Twitter Web interface, not via third-party applications. Twitter reset all its follower and following counts to zero to resolve abuse that occurred as a result of the bug before restoring both.
A consumer service designed to protect average people from having their identities stolen is unable to provide the services it advertises. LifeLock claims to offer protection for US$10 per month with a $1 million guarantee to compensate its customers for any losses should they fall victim to ID theft. Todd Davis, the company's CEO, went so far as to publish his social security number in advertising the service. However, his identity has been stolen at least 13 times, says Phoenix New Times, and used to obtain small loans and various accounts. The US Federal Trade Commission has called the company's claims false and has fined LifeLock $12 million for deceptive advertising.
In May, Google introduced an option for those individuals fearful of having their privacy compromised by packet sniffing. It now offers encrypted search via Secure Sockets Layer (SSL). Users need only type in https:// to access the website, which is now in beta. Google said the service is rather slow because of the time taken to establish a secure connection. Initially, the option will be available only for Web-based searching.
Although marketing executives commonly paint privacy advocates as being out of touch and overstating any problems that online data collection might pose, privacy issues have caused US-based marketers to use online behavioral advertising 75 percent less. A report by the privacy research group the Ponemon Institute states that advertisers are using behavioral tracking—which follows a user's Web browsing habits to serve them with targeted ads—less frequently, although these types of ads were 50 percent more effective at generating sales than traditional online ads. Advertisers say they've reduced use of this technique because they're concerned about the current, uncertain legal and regulatory environment. Government legislation could soon further restrict online data collection and use.
Intego, a Mac-based security and privacy software developer, recently found that some freeware includes new, invasive spyware. OSX/OpinionSpy is a Mac variant of Windows spyware first seen in 2008 that has been tracked to applications and screen savers distributed by sites including MacUpdate, VersionTracker, and Softpedia. The application purportedly convinces users to provide their passwords by claiming its market research software will be installed to collect user browsing and purchasing history. The spyware, when launched, opens a backdoor and injects code into Safari, Firefox, and iChat in memory rather than altering the applications. Data gathered could include email addresses, usernames, passwords, and credit-card numbers. It also updates and relaunches automatically. Intego claims the latest versions of its products successfully remove the spyware.
The newly installed coalition government in the UK announced its intentions to scrap the country's national ID card program. Politicians have said the measure was part of the "substantial erosion of civil liberties" that occurred under the former Labor government. The ID card system was originally conceived by the Labor party as a way to prevent crime and terrorism as well as control immigration. It was instituted in November 2008. The National Identity Register—currently under development at the UK's Identity and Passport Service and Border Agency—which would have stored information from biometric passports and ID cards, will also be eliminated, as will programs to create new biometric passports and a database that stores information on minors.
A US district court judge has, at the insistence of the US Federal Trade Commission, permanently shuttered a San Jose, Calif., ISP accused of hosting and distributing spam, spyware, child pornography, and other illegal content. Judge Ronald Whyte of the US District Court for the Northern District of California ordered closure and sale of assets owned by Pricewert, which was doing business as 3FN.net. The judge also ordered the company to turn over US$1.08 million in illegal profits to the FTC, stating that the ISP's prime function was as "an Internet service provider for illegal activity." The FTC claims the ISP had a network of command-and-control servers responsible for more than 4,500 malware programs carrying out activities including password stealing and spam distribution. Last year, a temporary restraining order was issued against the ISP, which disrupted its services. In the wake of the legal action, one security firm claimed to observe a 15 percent dip in spam volume.
Digital copy machines are the latest computer privacy concern, according to the US Federal Trade Commission, which says document images, some of which could include sensitive data, can be easily stored on the machines' hard drives. The agency has been notifying manufacturers and office supply resellers about the risk posed to consumers should an adversary remove data and use it for nefarious purposes. Xerox claims it has been aware of the issue for years. Most of its products have built-in security, and customers can remove a drive before the copier is disposed of or returned following a lease; some Xerox copiers also have a free image overwrite feature that can be used to destroy stored information. The FTC is reportedly undertaking consumer education measures.
Iran must amplify its cyberdefense, said Brigadier General Ahmad Vahidi, the country's Defense Minister, in a May address to army commanders. Vahidi says various technological advances necessitate more preparation for any form of cyberwarfare that might be exacted against the nation. The Iranian government claims it took down a US-backed cyber network earlier this year that was created to gather information on Iranian nuclear scientists and spread unrest following the 12 June 2009 presidential election. The country's judiciary says the network was funded by former US President George W. Bush's government, the Mojahedin Khalq Organization, Iranian pro-monarchy groups, and other anti-Iranian organizations.
South Korean military leaders say North Korea poses a significant cyberthreat and have said there is a great possibility it will attack South Korean communication networks during the G-20 Summit, scheduled to be held in Seoul in November. Previously, South Korean government networks were targeted in days-long distributed denial-of-service attacks in 2009. Intelligence sources blamed North Korea, although there wasn't sufficient evidence to support the claim. South Korea's Minister of National Defense, Kim Tae-Young, stated in an early June speech to the nation's Defense Information Security Conference that, among the various attacks being launched, North Korea is distributing false information online designed to embarrass and discredit the South Korean government and military.