October is National Cyber Security Awareness Month — so says the U.S. Department of Homeland Security, which asserts Americans have a shared responsibility in increasing the resiliency of the nation and its online infrastructure.
Perhaps other federal bodies and departments should visit that website, beginning with the United States Air Force (USAF).
The USAF has issued a statement to “correct” recent reports that servers supporting drone aircraft piloted remotely over Afghanistan were infected with malware.
The malware is a credential stealer and not a keylogger as reported, the USAF said. Such malware is found routinely on computer networks, it added.
Meanwhile, the Social Security Administration has apparently failed to inform tens of thousands of Americans that it accidentally released their personal information in an electronic database widely used by U.S. business groups, the Seattle Times reported.
This past week also saw more trouble for Sony’s network, new malware created with the Blackhole toolkit, the emergence of a phony Netflix Android app and a proposal by Microsoft for a new taxonomy on malware.
What, Me Worry?
The USAF servers that were infected are located at the Creech Air Force Base in Nevada. The USAF said the servers are part of a standalone mission-support network and the malware is considered more of a nuisance than an operational threat.
The malware isn’t designed to transmit data or video, or corrupt data, files or programs, the USAF said.
In other words, burglars broke into a house multiple times using unknown means and made a mess, but they didn’t steal or break anything.
Apparently, the Social Security Administration releases the personal data of about 14,000 people each year in a database called the “Death Master File.”
This file lists people who have passed away. Copies of the file, which is released annually, can be purchased from many sources on the Internet. They contain the names, Social Security numbers and dates of birth of the departed.
However, mistakes are very often made, according to the report, leading to the release of information about still-living individuals. The SSA apparently fails to notify affected individuals when errors are caught.
Failing to inform people who are affected by a data breach is illegal in many states, and it appears to violate a 2007 directive from the Office of Management and Budget ordering federal agencies to develop a breach notification policy.
Perhaps it’s time the feds tightened up their policies on data breaches.
Sorry Sony Stumbles Again
Once again, hackers have targeted Japanese electronics giant Sony. This time, they attempted to verify the validity of various usernames and passwords stolen from what Sony thinks were attacks on other companies and sites.
The thieves used the stolen credentials to verify the accounts of about 93,000 customers on various Sony networks worldwide, according to Philip Reitinger, Sony’s chief information security officer. Sony locked down those accounts.
Those affected had apparently used the same usernames and passwords for multiple sites.
“Sony was actually partially effective in reducing the scope of the problem,” Chris Harget, senior product marketing manager for ActivIdentity, told TechNewsWorld. He suggested Sony use two-factor identification techniques to improve security.
Doing the Malware Maranga
Security analysts at AppRiver last week saw about 2,000 domains serving up more than 7 million poisoned emails, Fred Touchette, the company’s senior security analyst, told TechNewsWorld.
The emails were infected with malware created with the Blackhole toolkit.
Back in February, Symantec had warned that the Blackhole toolkit was spreading like wildfire.
It’s difficult to detect malware created with Blackhole because “The kit cycles through and updates the various vulnerabilities it’s trying to exploit,” Touchette explained. “Footprints are also hidden behind obfuscated code, which also changes,” he added.
Further, the kit uses numerous domains that change often, Touchette said.
This past week also saw the emergence of a phony Netflix Android app that steals victims’ account data. Symantec researchers spotted the app on an online user forum.
The app steals users’ Netflix account login information, but the remote server it should send the data to was offline, sparking speculation that the malware might have been released as a trial run, Liam O Murchu, manager of operations for Symantec Security Response, told TechNewsWorld.
Rethinking Malware Classification
Microsoft last week released the Microsoft Security Intelligence Report Volume 11.
This included a new method for classifying malware propagation. The taxonomy focuses on built-in malware propagation methods because focusing on means of propagation can help improve cybersecurity.
Microsoft will continually evolve the taxonomy as the threat landscape changes, Jeff Jones, director of the Trustworthy Computing Group at Microsoft, told TechNewsWorld.
“One of our main goals with the taxonomy is to make it easier for organizations to share data in a way that’s easily parsed and consumed by others to enable us all to help protect customers,” Jones added.
Well, they could do what Steam does, and have it so you can "only" access via a client, which hashes data on your machine, such that it won’t let you log in some place else without a code also sent to your email. Oh, wait.. that left me locked out of the damn client for 3 days, while I argued with my new ISP over why they hell I couldn’t get access to the old email address, and there is no way to change the address, unless you can log into Steam. Stupidly, they "can" reset the account, so you can get in without the secondary verification, only… then what the hell is the point, if someone uses the same password for their email as they did the game, for example, and the email is in the DB, along with the password and account info? In fact, you have to, if for some reason you completely forget the exact spelling, or something, of what you put in for the "security questions".
Its not too clear to me how an extra step "helps", unless you define "help" as rendering the account useless to the owner in some percentage of cases. It would be just as easy to require the password be at least 14 characters (or some such), then store half of it in the DB, and half in a second, on a different server, so you can’t steal all of it at one time, or something. But, that then undermines reliability, since you now have "two" login servers that can go down.
The answer, seems to me, to be to stop making stupid ass mistakes, like putting the servers where they are easy to get at from the net.