Your iPhone Is (Secretly) Tracking Everywhere You’ve Been!

It turns out that your iPhone is keeping a record of everywhere you’ve been since June. This data is stored on your phone (or iPad) and computer, easily available to anyone who gets their hands on it.

The enormous privacy scare, apparently enabled by this summer’s iOS 4 release, was discovered by two security researchers, one of whom claims he was an Apple employee for five years. They’re equally puzzled and disturbed by the location collection: “By passively logging your location without your permission, Apple have made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movements,” they explain. All it would take to crack the information out of your iOS device is an easy jailbreak. On your computer, the information can be opened as easily as a JPEG using the mapping software that the security experts have made available for download. Try it yourself: http://petewarden.github.com/iPhoneTracker/#1

From Gizmodo: http://gizmodo.com/#!5793925/your-iphone-is-secretly-tracking-everywhere-youve-been

Posted in Cybersecurity Memo - Insiders Edition | Leave a comment

U.S. shuts down massive cyber theft ring

WASHINGTON/BOSTON (Reuters) – U.S. authorities claimed one of their biggest victories against cyber crime as they shut down a ring they said used malicious software to take control of more than 2 million PCs around the world, and may have led to theft of more than $100 million.

A computer virus, dubbed Coreflood, infected more than 2 million PCs, enslaving them into a “botnet” that grabbed banking credentials and other sensitive data its masters used to steal funds via fraudulent banking and wire transactions, the U.S. Department of Justice said on Wednesday.

The government shuttered that botnet, which had operated for a decade, by seizing hard drives used to run it after a federal court in Connecticut gave the go-ahead.

“This was big money stolen on a large scale by foreign criminals. The FBI wanted to stop it and they did an incredibly good job at it,” said Alan Paller, director of research at the SANS Institute, a nonprofit group that helps fight cyber crime.

The vast majority of the infected machines were in the United States, but the criminal gang was likely overseas.

“We’re pretty sure a Russian crime group was behind it,” said Paller.

From TalkingPointsMemo: http://www.talkingpointsmemo.com/news/2011/04/us_shuts_down_massive_cyber_theft_ring.php?ref=fpc

‘LizaMoon’ Mass SQL Injection Attack Escalates Out of Control – one million sites compromised!

Millions of unique URLs have been infected with a rampant SQL injection attack Websense has dubbed “LizaMoon.” The SQL injection attack redirects users to a fake AV site.

A mass SQL injection attack that initially compromised 28,000 websites has spiraled out of control. At the last count, more than a million sites have been compromised, with no end in sight.

Security firm Websense has been tracking the “LizaMoon” attack since it started March 29. The company’s malware researchers dubbed the attack LizaMoon after the first domain that victims were redirected to. At the redirected site, users saw a warning dialog that they had been infected with malware and a link to download a fake antivirus.

The users are shown a number of threats supposedly on their computer, but the fake AV, Windows Stability Center, won’t remove them until the user pays up, in a “very traditional rogue AV scam,” wrote Patrik Runald, the Websense researcher who has been following the attack over the past few days.

The list of redirect URLs has ballooned in the days since, as Websense updated its list March 31 with 20 additional sites, making this one of the biggest mass-injection attacks ever.

More than 500,000 URLs have been injected with LizaMoon, according to Runald. If all the domains used in the attack are considered, eWEEK found about 2.9 million results on Google Search that have been compromised.

From eWeek: http://www.eweek.com/c/a/Security/LizaMoon-Mass-SQL-Injection-Attack-Escalates-Out-of-Control-378108/

Lax Overseas Data Breach Laws Attract Enterprises

About 70% of organizations that store sensitive data abroad choose to do so in countries with lenient breach notification requirements!

Many companies that look to process and store sensitive data — including intellectual property — abroad as a cost-cutting measure are seeking countries with minimal data breach notification requirements, according to a survey of 1,000 senior IT decision makers by market research firm Vanson Bourne. The survey was sponsored by Intel’s McAfee and Science Applications International Corporation (SAIC).

The economic downturn has been driving companies to process and store more types of sensitive information abroad, according to the survey. Today, about 50% of organizations said they would do this as a cost-cutting measure. Meanwhile, about 33% of organizations said they want to store more sensitive information outside their home borders, which is an increase from 20% in 2008.

Interestingly, about 80% of organizations said that their choice of data storage locale is influenced in part by a country’s data breach laws. About 70% of organizations that do store information abroad select countries with more lenient notification rules.

Geographically speaking, which countries are the safest for storing data? “While attacks are hard to trace back to a specific country, China, Russia, Pakistan are perceived to be the least safe for data storage,” according to a related report from McAfee and SAIC. Those rankings remain unchanged from 2008, as do the countries perceived to be the safest places for storing data: the United Kingdom, Germany, and the United States.

From InformationWeek: http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=229400519&cid=RSSfeed_IWK_News

Cyber attack targeted Paris G20 meeting attendees

The Group of Twenty (G-20) Finance Ministers and Central Bank Governors was established in 1999 to bring together systemically important industrialized and developing economies to discuss key issues in the global economy. Not everyone agrees with the work they are doing.

The French finance ministry has confirmed it came under a cyber attack in December that targeted files on the G20 summit held in Paris in February.

More than 150 of the ministry’s 170,000 computers were affected.

“We noted that a certain amount of the information was redirected to Chinese sites,” an anonymous official was quoted by the French magazine. “But that [in itself] does not say very much.”

From the BBC: http://www.bbc.co.uk/news/business-12662596

A Declaration of Cyber-War

Last summer, the world’s top software-security experts were panicked by the discovery of a drone-like computer virus, radically different from and far more sophisticated than any they’d seen. The race was on to figure out its payload, its purpose, and who was behind it. As the world now knows, the Stuxnet worm appears to have attacked Iran’s nuclear program. And, as Michael Joseph Gross reports, while its source remains something of a mystery, Stuxnet is the new face of 21st-century warfare: invisible, anonymous, and devastating.

All over Europe, smartphones rang in the middle of the night. Rolling over in bed, blinking open their eyes, civilians reached for the little devices and, in the moment of answering, were effectively drafted as soldiers. They shook themselves awake as they listened to hushed descriptions of a looming threat. Over the next few days and nights, in mid-July of last year, the ranks of these sudden draftees grew, as software analysts and experts in industrial-control systems gathered in makeshift war rooms in assorted NATO countries. Government officials at the highest levels monitored their work. They faced a crisis which did not yet have a name, but which seemed, at first, to have the potential to bring industrial society to a halt.

A self-replicating computer virus, called a worm, was making its way through thousands of computers around the world, searching for small gray plastic boxes called programmable-logic controllers—tiny computers about the size of a pack of crayons, which regulate the machinery in factories, power plants, and construction and engineering projects. These controllers, or P.L.C.’s, perform the critical scut work of modern life. They open and shut valves in water pipes, speed and slow the spinning of uranium centrifuges, mete out the dollop of cream in each Oreo cookie, and time the change of traffic lights from red to green.

Although controllers are ubiquitous, knowledge of them is so rare that many top government officials did not even know they existed until that week in July. Several major Western powers initially feared the worm might represent a generalized attack on all controllers. If the factories shut down, if the power plants went dark, how long could social order be maintained? Who would write a program that could potentially do such things? And why?

As long as the lights were still on, though, the geek squads stayed focused on trying to figure out exactly what this worm intended to do. They were joined by a small citizen militia of amateur and professional analysts scattered across several continents, after private mailing lists for experts on malicious software posted copies of the worm’s voluminous, intricate code on the Web. In terms of functionality, this was the largest piece of malicious software that most researchers had ever seen, and orders of magnitude more complex in structure. (Malware’s previous heavyweight champion, the Conficker worm, was only one-twentieth the size of this new threat.) During the next few months, a handful of determined people finally managed to decrypt almost all of the program, which a Microsoft researcher named “Stuxnet.” On first glimpsing what they found there, they were scared as hell.

More from Vanity Fair magazine:
http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104

DHS Report: Digital Immigration Records Vulnerable to ‘Insider Threat’

The Department of Homeland Security’s U.S. Citizenship and Immigration Services has made progress securing its cyber networks from potential insider threats.

However, gaps in security still remain, including one that could allow malicious insiders to tamper with digital immigration records.

A far-reaching security audit of USCIS, undertaken by the Software Engineering Institute at Carnegie Mellon University, singled out the Transformation program at Immigration and Customs Enforcement as one of the most vulnerable.

The findings revealed the department had not taken enough steps to secure the digitized immigration paperwork, which, if tampered with, could grant access to terrorists or other malcontents, Federal News Radio reported.

The multimillion-dollar Transformation program, designed to digitize immigration records, has been plagued by work delays that have caused it to run 10 years behind schedule, InformationWeek reported.

Despite the over-runs, DHS appears to be leaning heavily on the program “to correct many of the problems resulting from legacy systems,” according to InformationWeek.

But, the recent IG report may put a new wrinkle in the program.

Specifically, the report found that while the Transformation program encompassed risk management, it had failed to adequately account for the risk from the insider threat.

“USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort,” the report found.

Insider threat risk mitigation in the federal government received a jolt of attention following the revelations that a so-called insider — an allegedly disgruntled Army private — was reported to have leaked classified materials to whistle-blower site WikiLeaks.

From ExecutiveGov.com: http://www.executivegov.com/2011/03/dhs-report-digital-immigration-records-vulnerable-to-insider-threat/

Study Highlights IT Security Skills Gap – and significant industry growth

Organizations are rapidly adopting new technologies, but many information security professionals may lack the requisite security skills to safely implement them, according to a report released last week at the RSA Conference.

According to Frost & Sullivan’s 2011 (ISC)² Global Information Security Workforce Study, many IT security professionals are not “ready” for social media-related threats. Respondents reported inconsistent policies and protection surrounding employees’ use of such sites; 30 percent of respondents said they lacked any controls at all.

In addition, although 70 percent of respondents said they had policies or technical controls in place to secure mobile devices, these devices were ranked as the second greatest threat to organizations, after application vulnerabilities.

The largest skills gap may be illustrated by cloud computing. More than 50 percent of respondents reported having private clouds in place, and more than 40 percent reported using software-as-a-service. But more than 70 percent of approximately 10,000 global professionals polled said they needed more skills to adequately secure such technology.

“From a technology perspective we are very challenged,” said Rob Ayoub, a Frost & Sullivan global program director. “There are lots of things happening in organizations making our lives difficult.”

Separately, the report found that the information security profession appears poised for growth. Currently, there are 2.3 million professionals working in information security, according to the report. But that should grow to 4.2 million by 2015.

From Security Management: http://www.securitymanagement.com/news/study-highlights-it-security-skills-gap-008233
