Security in the news – June 2010

This last week, I had an embarrassing moment when my Facebook account started posting weird “Likes” (in my case, “97 Hottest Women in the World 😀 :: on www.97hottestwomen.com” – seriously, not my interest), which claimed that I endorsed the site. What makes things worse, in an SNS environment like Facebook, your network of friends supposedly share the same interests, ideals and trust, so your friends are more likely to click on these links on the strength of a “Like” endorsement. I was only made aware of this “Like” link because a friend happened to comment on my interesting taste in pages.

Anyway, when I decided to research this issue, I began to realize how often security has been featured in the news this month. Therefore, I thought I’d take this opportunity to summarize the most interesting security stories for the month and post them to my main blog site (as opposed to my security blog site) on a periodic basis.

Back to the Facebook issue. Apparently, earlier this month over 100,000 people (at least it wasn’t just me) fell victim to a combination of Facebook’s “Like” button and ordinary browser behaviour that made them unwitting endorsers of various scam pages. The practice, now commonly referred to as clickjacking, needs no browser bug: the scam page loads the genuine Facebook “Like” button inside an iframe, makes that iframe fully transparent, and positions it exactly over a visible link or button that the visitor does want to click. The click lands on the hidden “Like” button and is made with the visitor’s own logged-in Facebook session, so the endorsement is real as far as Facebook can tell. The underlying weakness is that the browser gives the user no way to see which site is really receiving the click, and a site that allows itself to be framed cannot tell whether its button was clicked on purpose. The standard countermeasure is for the site that owns the button to refuse to be framed by other origins (at the time, a frame-busting script or the X-Frame-Options response header).
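As an added illustration (example code written for this summary, not Facebook’s code and not from the original post), here are the two halves of the clickjacking story in Node.js: what the overlay on a scam page looks like, and the header check a site can use to decide whether it may be framed. The URLs are placeholders; the header semantics are standard browser behaviour (X-Frame-Options, plus the later Content-Security-Policy frame-ancestors directive, which overrides X-Frame-Options when both are present).

```javascript
// Added example, not code from the original post. Node.js, no dependencies.

// Attacker side: the decoy link is visible; the iframe carrying the
// victim site's "Like" button is laid over it, fully transparent, so the
// click lands on a button the visitor never saw. Placeholder URL and text.
function buildClickjackPage(targetUrl, decoyText) {
  return [
    '<!doctype html><html><body>',
    // what the visitor thinks they are clicking
    `<a href="#" style="position:absolute;top:100px;left:100px">${decoyText}</a>`,
    // what actually receives the click: same spot, higher z-index, opacity 0
    `<iframe src="${targetUrl}" style="position:absolute;top:90px;left:80px;` +
    'width:200px;height:40px;opacity:0;z-index:10;border:0"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Defender side: given the response headers of a page served from
// `pageOrigin`, may a document at `framerOrigin` embed it in a frame?
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // CSP frame-ancestors wins over X-Frame-Options when both are present.
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(s => s.trim())
      .find(s => s.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      // Simplified: sources are treated as exact origins, 'self' or 'none'.
      const sources = directive.split(/\s+/).slice(1)
        .map(s => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return false;
      if (sources.includes('*')) return true;
      return sources.some(s => s === framerOrigin ||
                               (s === 'self' && framerOrigin === pageOrigin));
    }
  }

  const xfo = h['x-frame-options'];
  if (!xfo) return true;                          // no header: anyone may frame it
  const [mode, allowedOrigin] = xfo.trim().split(/\s+/);
  switch (mode.toUpperCase()) {
    case 'DENY':       return false;
    case 'SAMEORIGIN': return framerOrigin === pageOrigin;
    case 'ALLOW-FROM': return allowedOrigin === framerOrigin;  // legacy, few browsers
    default:           return true;               // unknown values are ignored by browsers
  }
}
```

The point of `framingAllowed` is the first branch after the CSP block: a page with no framing header at all is frameable by anyone, which is exactly the state a “Like” button has to be in for the overlay above to work. A frame-busting script (`if (top !== self) top.location = self.location;`) was the 2010-era alternative, but it runs inside the attacker’s page and can be defeated there, so the response header is the check to rely on.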

In other interesting security news, who needs key loggers when Dr. Doug Tygar of UC Berkeley can pick up just the acoustic emanations of your keyboard and, using two kinds of frequency analysis, work out what you are typing. The first thing his software does is group the recorded keystrokes by their sound: each key has a slightly different acoustic signature, so keystrokes that sound alike are assumed to come from the same key, without yet knowing which key that is. Next, the software uses “old world” code-breaking techniques: the frequency of each group is matched against a statistical model of English (letter and word frequencies), the same way a simple substitution cipher is broken, and the text recovered that way is fed back to train a better keystroke recogniser. The underlying research (Zhuang, Zhou and Tygar, “Keyboard Acoustic Emanations Revisited”, 2005) recovered most of the characters from around ten minutes of recorded typing. This is an easy attack to mount, since the attacker only needs to run a piece of software in the background that uses the computer’s built-in microphone to pick up the key-press noise; the caveat is that it needs a fair amount of ordinary English typing to learn from first, because a lone password typed once gives the statistics nothing to work with.
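To make the code-breaking step concrete, here is an added example (written for this summary, not the Berkeley group’s code) in Node.js that simulates it. The assumption is that the acoustic front end has already grouped every keystroke by sound into an anonymous cluster id; that grouping is faked here with a secret permutation of the 27 symbols (26 letters plus space), the sample text is constructed, and the English frequency order is an approximation. The example implements only the unigram ranking; the real attack goes on to use bigram and word statistics and then retrains on what it recovered.

```javascript
// Added example, not code from the original post or from the Berkeley
// research: the frequency-analysis half of the attack, simulated in Node.js.

const ALPHABET = ' abcdefghijklmnopqrstuvwxyz';
// Approximate order of English symbol frequency, most common first
// (space, then the classic "etaoin shrdlu" ranking). An assumption.
const ENGLISH_ORDER = ' etaoinshrdlcumwfgypbvkjxqz';

// Constructed plaintext "typed" by the victim (not from the original post).
const SAMPLE_TEXT = 'the quick brown fox jumps over the lazy dog while the attacker ' +
  'listens to every keystroke and counts how often each sound appears then lines ' +
  'those counts up against the letter frequencies of english text to guess which ' +
  'sound belongs to which key';

// Secret key -> cluster-id assignment (deterministic shuffle from a seed).
// A real attacker never sees this; it stands in for the acoustic clustering.
function secretClustering(seed) {
  const ids = ALPHABET.split('').map((_, i) => i);
  let s = seed % 2147483647 || 1;
  for (let i = ids.length - 1; i > 0; i--) {
    s = (s * 48271) % 2147483647;               // Park-Miller LCG
    const j = s % (i + 1);
    [ids[i], ids[j]] = [ids[j], ids[i]];
  }
  const map = {};
  ALPHABET.split('').forEach((ch, i) => { map[ch] = ids[i]; });
  return map;
}

// What the microphone side hands over: one cluster id per keystroke.
function recordKeystrokes(text, clustering) {
  return text.toLowerCase().split('')
    .filter(ch => clustering[ch] !== undefined)
    .map(ch => clustering[ch]);
}

// Frequency analysis step 1: how often does each cluster fire?
function clusterFrequencies(stream) {
  const counts = new Map();
  for (const id of stream) counts.set(id, (counts.get(id) || 0) + 1);
  return [...counts.entries()].sort((a, b) => b[1] - a[1]);   // [[id, count], ...]
}

// Step 2: the busiest cluster is most likely the space bar, the next 'e', and so on.
function guessMapping(stream) {
  const guess = {};
  clusterFrequencies(stream).forEach(([id], rank) => {
    if (rank < ENGLISH_ORDER.length) guess[id] = ENGLISH_ORDER[rank];
  });
  return guess;
}

function decode(stream, mapping) {
  return stream.map(id => mapping[id] || '?').join('');
}

function accuracy(original, recovered) {
  let hits = 0;
  for (let i = 0; i < original.length; i++) if (original[i] === recovered[i]) hits++;
  return hits / original.length;
}

// End to end: record, rank, guess, and score against the true text.
function runAttack(text = SAMPLE_TEXT, seed = 42) {
  const clustering = secretClustering(seed);
  const stream = recordKeystrokes(text, clustering);
  const typed = text.toLowerCase().split('').filter(ch => ALPHABET.includes(ch)).join('');
  const recovered = decode(stream, guessMapping(stream));
  return { typed, recovered, accuracy: accuracy(typed, recovered) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = runAttack();
  console.log(r.recovered);
  console.log(`unigram statistics alone recovered ${(r.accuracy * 100).toFixed(0)}% of the characters`);
}
```

Run it and the output shows why the language model matters: the space bar and the commonest letters come out in the right places, the rarer letters are scrambled, and it is the word boundaries plus bigram statistics that let the real attack pin those down. It also shows why the victim has to have typed a reasonable amount of prose first: nothing here works on a single random password.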

In other news, AT&T exposed the e-mail addresses and ICC-IDs (the integrated circuit card identifier of the SIM card) of 114,067 early adopters (another hazard of buying things early) of the recently released iPad 3G. This alone would usually not mean much (apart from the e-mail addresses, which invite a rash of phishing and spam attacks; I have personally noticed an increase), but, unfortunately, because of the way the Apple iPad ICC-ID is coded, the International Mobile Subscriber Identity (IMSI) for the AT&T subscriber can be figured out relatively easily, and all sorts of other mischief can result (a future article).
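For reference, as an added example (not from the original post and not AT&T’s code), here is how an ICC-ID is put together under ITU-T E.118 and how its check digit is verified, in Node.js. The identifier in the sample is constructed and belongs to no real SIM; the split between country code and issuer identifier varies by operator, so the field widths are an assumption.

```javascript
// Added example, not code from the original post or from AT&T: ICC-ID
// structure per ITU-T E.118 and its Luhn check digit. Node.js.

// Luhn (mod 10) check: from the right, double every second digit,
// subtract 9 from any result above 9, and the total must be divisible by 10.
function luhnValid(digits) {
  if (!/^\d+$/.test(digits)) return false;
  let sum = 0;
  let double = false;                  // the check digit itself is not doubled
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// The digit that makes `payload` + digit pass the check. Anyone can
// compute it, so it guards against typos, not against guessing.
function luhnCheckDigit(payload) {
  for (let d = 0; d <= 9; d++) if (luhnValid(payload + d)) return String(d);
  throw new Error('payload must be all digits');
}

// Split a 19-digit ICC-ID into its E.118 fields. `issuerLen` is the width
// of country code plus issuer identifier; it varies by operator, so 5 is
// an assumption for this example.
function parseIccid(iccid, issuerLen = 5) {
  const s = iccid.replace(/\s+/g, '');
  if (!luhnValid(s)) return null;
  if (!s.startsWith('89')) return null;    // 89 = telecommunications industry identifier
  return {
    mii: s.slice(0, 2),
    issuer: s.slice(2, 2 + issuerLen),     // country code + issuer identifier
    account: s.slice(2 + issuerLen, -1),   // individual account identification
    check: s.slice(-1),
  };
}

// Constructed identifier, valid under Luhn, belonging to no real SIM.
const SAMPLE_ICCID = '8901234123456789014';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseIccid(SAMPLE_ICCID));
}
```

The thing to take from `parseIccid` is how little of the number is unique to the subscriber: the prefix identifies the industry and the operator, the trailing digit is computable by anyone, and only the account field in the middle distinguishes one SIM from the next. A list of ICC-IDs is therefore a list of per-subscriber account numbers with a known structure, which is why exposing it is worse than it first looks.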

In other news, there was also an increasingly rare kind of vulnerability, yet one worth noting, in the XP and 2003 versions of the Windows operating system. What makes it noteworthy is that it allows attackers to take full control of a PC just by luring the user to a booby-trapped website. Speaking of booby-trapped websites, this month it was noted that over 100,000 websites had been compromised by attackers to serve such traps, including the sites of large corporations, police forces and even news outlets like the Wall Street Journal.

On a good note, Intel was in the news this month, showing the company’s proactive stance at a recent semiconductor conference by stating that security was “job one.” It is interesting to see how the speed of encryption and decryption (the heart of so much security) always has to be balanced against power consumption. Furthermore, a technology like true random number generation, which is genuinely hard to do well in software, is finally becoming a reality at the chip level. At least someone is starting to get serious about security.

Finally, here is a list of recently released products that had a little “something extra” for the users this month:

  • 1,700 units of the new Olympus Stylus Tough 6010 digital camera shipped with a virus on the xD memory card
  • Several Samsung S8500 Wave phones sold in Germany had micro-SD cards that were infected with W32/Heur
  • IBM handed out infected USB flash memory devices at the AusCERT conference in Australia, so high-level professionals in the security field were handed the W32/LibHack-A and W32/Agent-FWF viruses. This was both awkward for IBM and ironic for the attendees.

These aren’t actually unique or isolated incidents. In the past, some prominent examples have been:
  • Energizer Duo USB battery chargers that draw power from a USB port, whose bundled Windows software also installed a hidden backdoor that allowed attackers remote access
  • TomTom GO 910 satellite navigation devices carrying two pieces of malware, the W32/Perlovga.A Trojan and TR/Drop.Small.qp, which also installed a backdoor on the user’s computer
  • Apple video iPods that shipped with the TR/Bdoor-DIJ Trojan horse
  • McDonald’s Japan recalled 10,000 MP3 players infected with the W32/QQPass.worm, which captured passwords from the user’s computer

All of these products relied on the AutoRun feature of the Windows operating system (or on the user running the bundled installer by hand). AutoRun is convenient when the install/setup program starts automatically the first time you plug a device in, but the same mechanism runs whatever program the device’s autorun.inf points to, malicious or not, with the privileges of the logged-in user. I highly recommend that you disable AutoRun, and verify that it actually is disabled, since the setting lives under more than one name and older Windows versions needed an update before they honoured it fully, to eliminate these and other scarier threats (another future article).
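As an added example (written for this summary, not from the original post or from any of the vendors above), here is a small Node.js triage tool for the file AutoRun actually consumes: it parses an autorun.inf from removable media and reports what Windows would launch and what the AutoPlay dialog would show. The sample file is constructed in the style of those found on infected media; it is not taken from any of the products listed.

```javascript
// Added example, not code from the original post: parse the autorun.inf
// that Windows AutoRun reads from removable media and report what it would
// launch. The sample file below is constructed for this example.

// INI-style parse into { section: { key: value } }; names are case-insensitive.
function parseAutorunInf(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';')) continue;            // blank or comment
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      current = header[1].toLowerCase();
      sections[current] = sections[current] || {};
      continue;
    }
    const eq = line.indexOf('=');
    if (eq < 0 || current === null) continue;               // junk outside a section
    sections[current][line.slice(0, eq).trim().toLowerCase()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// What would AutoRun/AutoPlay do with this file? Anything that names a
// program to run (open=, shellexecute=, shell\<verb>\command=) is flagged;
// the label/icon/action entries are what the user sees in the dialog.
function triageAutorun(text) {
  const inf = parseAutorunInf(text);
  const ar = inf.autorun || {};
  const launches = [];
  if (ar.open) launches.push({ via: 'open', command: ar.open });
  if (ar.shellexecute) launches.push({ via: 'shellexecute', command: ar.shellexecute });
  for (const [key, value] of Object.entries(ar)) {
    if (/^shell\\.+\\command$/.test(key)) launches.push({ via: key, command: value });
  }
  return {
    hasAutorun: Boolean(inf.autorun),
    label: ar.label || null,
    action: ar.action || null,
    icon: ar.icon || null,
    launches,
    suspicious: launches.length > 0,
  };
}

// Constructed sample in the style of files found on infected media: the
// dialog shows a folder icon and "Open folder to view files", but choosing
// it runs setup.exe from a hidden directory.
const SAMPLE_INF = `; constructed sample, not from a real device
[autorun]
open=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Removable Disk
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triageAutorun(SAMPLE_INF), null, 2));
}
```

The `action` and `icon` lines are the social-engineering half: they make the AutoPlay entry look like the built-in “open folder” choice while the `open=` and `shell\open\command=` lines point at the program that really runs. On the defensive side, the setting to check is the REG_DWORD NoDriveTypeAutoRun under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (0xFF disables AutoRun for every drive type); Windows 7 stopped honouring autorun.inf on USB storage by default, and Microsoft back-ported that change to XP and Vista as an update.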

Your comments are always welcome.

William Saito
Special Advisor at Cabinet Office (Govt. of Japan)
Named by Nikkei as one of the “100 Most Influential People for Japan,” Saito began software programming at an early age and started his own company in high school. By the time he was named Entrepreneur of the Year in 1998 (by Ernst & Young, NASDAQ and USA Today), he was recognized as one of the world’s leading authorities on encryption, biometric authentication and cyber security.

After selling his business to Microsoft, he moved to Tokyo in 2005 and founded InTecur, a venture capital firm and consultancy that identifies innovative technologies, develops global talent and helps entrepreneurs become successful. In 2013, Saito was appointed a Special Advisor to the Cabinet Office for the Government of Japan.

Similarly, in 2012 he served as a council member on national strategy for the Cabinet-level National Policy Unit, and prior to that, was named as the Chief Technology Officer for the Fukushima Nuclear Accident Independent Investigation Commission (NAIIC). He is a Foundation Board Member at the World Economic Forum (WEF), and has been named by the WEF as both a Young Global Leader and Global Agenda Council member.

Saito also advises several national governments around the globe. In Japan, he has also served as an advisor to METI, MIC, MEXT, MLIT, AIST, IPA and the Japan Society for the Promotion of Science (JSPS), among others.

He teaches at multiple universities, serves on several corporate boards, appears as a commentator on national TV and is the author of numerous publications in addition to writing a weekly column for a prominent Japanese business newspaper. His best-selling management book, The Team: Solving the Biggest Problem in Japan, was published by Nikkei BP in 2012, his follow-on book, Is Your Thinking up to Global Standards?, was published by Daiwa Shobo in late 2013 and his autobiography, An Unprogrammed Life: Adventures of an Incurable Entrepreneur, was published in 2011 by John Wiley & Sons.

Posted by whsaito

  1. Hello! This was a really fabulous post!
    I come from Milan; I was lucky to find your topic on WordPress.
    Also I obtained much from your subject. Really, thanks very much; I will come daily.
