Issue No.05 - September/October (2010 vol.8)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2010.158
News in security, policy, and privacy.
Sergei Tsurikov, the alleged ringleader for one of the most sophisticated electronic heists ever conducted, has been extradited to the US. His team hacked into RBS WorldPay, the Royal Bank of Scotland's payment processing arm, and created money for 44 debit cards. In some cases, the cards' limits were raised to US$500,000. Although the hackers tried to cover their tracks, six have been apprehended. Authorities are still looking for two others identified as Oleg Covelin and "Hacker 3."
Security vendor Trusteer recently managed to find and pick apart the logs from a Zeus botnet controller. The software is notoriously difficult to detect, and the company believes at least 100,000 computers in the UK are infected. The botnet is constantly being upgraded to evade detection, and Trusteer reports that at any one point in time, only 10 percent of antivirus tools can identify an active variant of the Zeus malware. Zeus is capable of automatically acquiring all data handled by a browser after it has been decrypted or before it has been encrypted. This could allow hackers to read a potential target's bank balance from their previous transactions without having to log in directly.
Adobe recently released a special security update to patch 17 critical holes in Adobe Reader and Acrobat 9.3.3 for Windows, Mac, and Unix. One of the more serious was an integer overflow vulnerability first described by Charlie Miller at BlackHat USA in August that could corrupt memory via a specially crafted TrueType font. Another vulnerability would let a PDF file automatically launch malware that could give hackers full control of a computer.
A new video game developed for Android phones loads a hidden tracking application that's difficult to terminate. The free Tap Snake game is a clone of a 1970s-era video game. Once installed, it runs in the background and restarts when the phone is rebooted. The phone's GPS location is sent to a server running GPS Spy. Consumers pay $4.95 a month to track a specific phone and must have physical access to the phone to set up the surveillance.
The most significant breach of the US military's computers started with the insertion of a compromised flash drive into a military laptop in 2008, said Deputy Defense Secretary William J. Lynn III in an article in the journal Foreign Affairs. This malicious code created a digital beachhead for transferring classified data to servers under foreign control. The military launched a full-scale counterattack called Operation Buckshot Yankee that marked a new era in the US's cyberdefense strategy. Plans are underway to develop sophisticated new countermeasures, such as active defense, for finding counterfeit hardware and hidden malicious code.
Microsoft's Security Development Lifecycle (SDL) documentation has been placed into the Creative Commons. Developers are now free to distribute this documentation to others, which was previously not authorized. The old license made it more difficult to embed elements of the SDL process into an organization's guidance documents. The Simplified Implementation of the Microsoft SDL and Microsoft Security Development Lifecycle (SDL)-Version 5.0 are the first to undergo license conversion, and others are expected to follow as appropriate.
A weak link has been found in most implementations of Quantum Key Distribution (QKD) by Norwegian University of Science and Technology (NTNU) and University of Erlangen-Nürnberg researchers. Using bright illumination, the researchers were able to trick the avalanche photodiodes used as receivers in QKD systems and surreptitiously acquire the secret key from both ID Quantique's id310 Clavis2 and MagiQ Technologies' QPN 5505. The researchers were able to implement the attack using off-the-shelf components. In theory, quantum cryptography is capable of detecting observers through the use of the Heisenberg uncertainty principle, but researchers are realizing there can be specific vulnerabilities in the various implementations.
"Testing is a necessary step to validate a new security technology and the fact that this process is applied today to quantum cryptography is a sign of maturity for this technology," said Grégoire Ribordy, CEO of ID Quantique, in a press release.
The US Department of Homeland Security has found a slew of vulnerabilities on the network of the organization tasked with protecting the nation's cyberdefenses. A recent audit of the United States Computer Emergency Readiness Team (US-CERT) using the vulnerability scanner Nessus found 1,085 instances of 202 high-risk holes. No vulnerabilities were found in US-CERT's Einstein intrusion detection system, which is employed across 21 government agency networks. The holes were found in unpatched Adobe Acrobat, Java, and Microsoft applications. These systems have since been updated to close these holes.
A lawsuit filed in Spain contends that Google violated Spain's criminal code when collecting Wi-Fi data as part of its Street View mapping service. The lawsuit filed by Apedanica, a Spanish association of Internet users, cites a Spanish law prohibiting the unauthorized interception and collection of communication data. Although this kind of data has been used by other companies commercially to provide a Wi-Fi-based location service, Google contends that the collection of data was an accident. Google plans to destroy Wi-Fi data collected from Ireland, Denmark, and Austria after similar concerns were raised.
The Online Trust Alliance, a group of advertisers, businesses, and government executives, has launched a taskforce to help combat malicious advertising. The Anti-Malvertising Task Force has created a set of guidelines to help reduce the practice. The group claims that malicious ads grew by 250 percent in the last quarter. A study by security vendor Dasient revealed that more than 1.3 million malicious ads are downloaded every day. The practice can be reduced by prohibiting client-hosted ads and by developing incident response programs for when malicious ads are detected.
In a dispute over surveillance capabilities, the United Arab Emirates Telecommunications Regulatory Authority plans to restrict Research in Motion's BlackBerry phone services in October. Authorities are concerned that the automatic use of encryption and offshore data storage makes it difficult to conduct lawful surveillance. The move would block the messaging, Web, and email aspects of the UAE's 500,000 BlackBerry mobile phones, but would not affect voice calls. Critics have expressed concern over this, and the US and Canadian governments are in talks with the UAE to avoid the ban. The New York Times has reported that Saudi Arabia is considering a similar ban.
The US Federal Trade Commission (FTC) reports it has permanently ended a scam that tricked consumers into paying for bogus domain name services. In August, a federal judge ordered a permanent end to the practice and announced a settlement order against several defendants doing business in Ontario, Canada, including Isaac Benlolo, Kirk Mulveney, and Pearl Keslassy, which includes a US$4.3 million suspended judgment. The complaint contended that the scammers sent out invoices to domain name holders requesting payment for domain name renewal and search optimization services. Although many victims paid, no services were delivered. In 2001, the FTC halted a similar scam that was also operating out of Ontario.
A significant effort is under way to improve the security practices within the US government. These efforts have been incorporated into the National Initiative for Cybersecurity Education, which was announced in April. The group is developing learning tracks for workforce structure and for training and professional development. Another initiative is working to redefine competency models for cybersecurity professionals; the first draft is expected in December. The US Office of Personnel Management is also considering whether to change hiring practices.
A privacy data breach bill in California would mandate the format of a data breach notification. Under current law, organizations are required to notify consumers in the event of a data breach. The concern is that they're not giving consumers enough information to take appropriate action. California Senate Bill 1166 would require that notices include the type of information exposed, a description of the incident, and contact information for credit reporting agencies. This would bring the requirement of notification up to the level required for healthcare agencies mandated by the Health Information Technology for Economic and Clinical Health Act. The law awaits approval by Governor Arnold Schwarzenegger, who previously rejected similar legislation.
Keith Alexander, head of the US National Security Agency (NSA), provided a glimpse into plans to improve cybersecurity at the Gov 2.0 Conference in September. He said that the agency faces a significant challenge with more than 250,000 attacks per hour on the US Department of Defense network, and that the number of attacks on federal agencies has gone up 150 percent since 2008. But these efforts must be balanced with the need to protect privacy and civil liberties. He noted, "Preserving those rights is not an added-on activity or something we do because we have to. It is a core tenet of the way we conduct our business all around, cyber included."
Selected CS articles and columns are also available for free at http://ComputingNow.computer.org.