A mish-mash of security issues came up this week, everything from how to protect virtualized environments to a system that protects copper in utility sites from robbery and a story about digital certificate thefts.
First though, this week brought news that hackers broke into the Kernel.org website that is home to the Linux project, according to Kernel.org's owners. With the barbarian hordes of the Internet having breached this bastion of Linux, Kernel.org's owners say they have contacted law enforcement in the U.S. and Europe as they try to figure out what happened.
Linux lovers should be asking how well the crown jewels of open source are being guarded and whether the best possible security controls are in place.
Other hacking incidents became public last week as well. WikiLeaks, which collects and disseminates information it gets from those who hack places like businesses and government, admitted it was hacked and a large cache of information it thought it held secret was disclosed, according to The Wall Street Journal. Just proves when you live by the sword you often die by the sword.
And it's becoming increasingly obvious that hackers are prying open the door of older security technologies, such as the certificates used for authentication, as was discovered last week when certificate authority DigiNotar, which is owned by Vasco Data Security, admitted a large number of its certificates had been stolen.
VMworld: Security has to get virtual
If there was ever a disruptive force, it's virtualization. It's becoming clear to both the security industry and enterprise managers that it's not sufficient to get by with the same old security stuff used in non-virtualized networks. At VMworld, the annual conference put on by VMware, which has the lion's share of the virtualization software market right now, there were a number of announcements related to security.
Not only were new products on display, but VMware, which has struggled with trying to bring security vendors into its vShield development efforts, got new backing from McAfee, Symantec, Kaspersky Lab, Lumension, Sophos and BitDefender. But there's still a lot of debate over whether agentless anti-malware is really going to fly, with Symantec saying it has doubts a fully agentless approach will work.
Kaspersky Lab says it expects to have at least one product specific to VMware ready by early next year. So far, Trend Micro has been the most aggressive in developing vShield-based anti-malware products for vSphere.
VMware, with help from Cisco, unveiled what's called "virtual extensible LANs (VXLAN)," which seek to retain the benefits of VLANs while also allowing a virtual machine to be added on the fly, according to VMware Chief Technology Officer Allwyn Sequeira, who says it will be supported in vSphere in the near future. Citrix points out this is not just a VMware thing but that VXLAN is intended to be an IETF standard.
Meanwhile, many of the same security problems still arise. An annual survey on cybersecurity that asked more than 3,000 IT professionals what their biggest problems are found it's not just malicious code but also employees running amok. The human being is still the wild card in any security project.
U.S. Department of Energy devises security system to thwart rampant copper thefts
The U.S. Department of Energy and its Oak Ridge National Laboratory said this week they have built a security system that is aimed at thwarting at least some of the copper thefts that plague utilities and other large facilities.
Specifically, "ORNL, DOE, the utility and several subcontractors installed a comprehensive perimeter security system consisting of energy efficient lighting, surveillance cameras that operate in a high voltage environment and an anti-cut, anti-climb fence system with integral intrusion detection cable. The complete system protects a perimeter area of 3600 linear feet."
"This security system will deter future vandalism attempts, allow security officers to conduct surveillance remotely and will automatically alert security officers of an attempt to breach the perimeter so the officers can enact a proper response," project manager Brigham Thomas of ORNL's Global Nuclear Security Technology Division said in a release. The security system installation, calibration and performance testing were completed in early 2011. Since the implementation, the substation has not reported any security issues.
ORNL said the development of the anti-theft system came in response to a 2009 attempted theft of copper cable at one of the DOE's Power Marketing Administration substations, which sparked an explosion and fire that tripped three transmission lines offline. Although the utility recovered by rerouting the substation's power, other power providers have experienced blackouts and loss of service from similar copper theft attempts. The 2009 incident resulted in more than $1 million in damages, ORNL stated.
Copper thefts continue to rise as the metal's value remains high. A press release from Fremont Insurance this week noted there is a direct correlation between the number of thefts and the current selling price of copper. Recently copper traded between $4.50 and $5.00 per pound. This is up almost 60% since 2007.
The FBI has said in the past that the rising theft of the metal is threatening the critical infrastructure by targeting electrical substations, cellular towers, telephone land lines, railroads, water wells, construction sites and vacant homes for lucrative profits. Copper thefts have increased dramatically since 2006, and they continue to disrupt the flow of electricity, telecommunications, transportation, water supply, heating and security and emergency services, and present a risk to public safety and national security, the FBI stated.
Microsoft accused of collecting Windows Phone location data
PC World reports that a Windows Phone 7 user has filed a lawsuit against Microsoft, claiming that the software maker collects data from mobile phone users without their knowledge.
Data, including location information, is collected from Windows Phone 7 devices such as the HTC 7 Mozart and Samsung Omnia 7 when a phone's camera is turned on, even if a user has chosen not to have data recorded, alleges the lawsuit filed in federal district court in Seattle by Rebecca Cousineau.
Cousineau is asking for both an injunction to stop Microsoft from collecting the data, and punitive damages to punish the company for collecting the information in the first place.
The lawsuit also contends that Microsoft misled Congress this year when it said that it did not collect data from mobile users without their permission, Reuters reported.
In a letter responding to queries from several members of the House of Representatives, Microsoft admitted that it "collects limited information necessary to determine the approximate location of a device," but added that "collection is always with the express consent of the user and the goal of our collection is never to track where a specific device has been or is going."
Microsoft collects location data from users to deliver "useful and relevant experiences to users, such as local movie options, directions to a nearby coffee shop or to find a meeting of nearby friends," the letter said.
Microsoft, Apple, Google and Nokia appeared at a congressional hearing this year on data collection practices by mobile operating system makers. That forum followed revelations by researchers that Apple was collecting location data from iPhone users without their knowledge. Researchers found that the data, gathered from cellphone towers, was being placed in an unprotected file on the user's phone and copied to the user's computer when that individual synchronized data between the handset and Apple's iTunes program.
Mac OS X can't properly revoke dodgy digital certificates
A programming glitch in Apple's OS X operating system is making it hard for Mac users to tell their computers not to trust digital certificates, exacerbating an ongoing security problem with a Dutch certificate authority that was recently hacked.
Mac users began reporting problems Tuesday when they tried to revoke digital certificates issued by DigiNotar, a Dutch company whose servers were compromised last month and used to issue fraudulent digital certificates. Mac users revoked the certificates on their computers, but still saw some sites that used those certificates being marked as trustworthy.
Digital certificates are an important part of the way the Internet works, and are essential whenever two computers try to connect using the HTTPS protocol. The problem is that Apple's operating system does not honor a user's revocation of DigiNotar certificates properly, and marks some websites as trustworthy when it shouldn't.
Seth Bromberger noticed the issue Tuesday afternoon. After reading a news report about DigiNotar being compromised, he decided to take matters into his own hands and revoke DigiNotar's certificates on his Mac, using Apple's Keychain software. That meant that any time he tried to visit a site signed by DigiNotar or one of its intermediaries, he should have received a warning.
He didn't. A visit to DigiNotar's website soon confirmed that all kinds of HTTPS material on the page that should have been marked by his browser as untrusted looked exactly as it had before he'd revoked the certificate. "I just wanted to validate that the solution that was proposed fixed the problem. And it didn't."
Most users don't revoke digital certificates themselves; they let the browser makers handle it. Chrome, Firefox and Internet Explorer have all blocked DigiNotar certificates, but Apple hasn't said what it plans to do with its Safari browser. That means that, for now, Mac Safari users will have a hard time solving the problem.
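The behavior Bromberger expected is that a root marked untrusted should poison every certificate that chains to it, whether the site certificate was signed by the root directly or by one of its intermediaries. The following is an added example (not Apple's Keychain code, and not a reproduction of the OS X bug) that contrasts a shallow check of the leaf's direct issuer with a full chain walk to the root; all certificate names are constructed and are not real DigiNotar subject names.

```python
# Added example: why a distrust decision must be applied along the whole
# certificate path, not only to the leaf's direct issuer.
# All subject/issuer names below are constructed, not real CA names.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # a root is self-signed: subject == issuer


def build_chain(leaf, pool, max_depth=8):
    """Walk issuer links from the leaf up to a self-signed root.
    Returns (chain, complete); complete is False if no root is reached."""
    by_subject = {c.subject: c for c in pool}
    chain, cur = [leaf], leaf
    while cur.subject != cur.issuer:
        nxt = by_subject.get(cur.issuer)
        if nxt is None or len(chain) >= max_depth:
            return chain, False
        chain.append(nxt)
        cur = nxt
    return chain, True


def leaf_issuer_distrusted(leaf, distrusted):
    """Shallow check: looks only at the leaf's direct issuer.
    Misses a leaf signed by an intermediate of a distrusted root."""
    return leaf.issuer in distrusted


def chain_distrusted(leaf, pool, distrusted):
    """Full check: untrusted if any hop on the path is distrusted,
    or if the path cannot be completed to a root at all."""
    chain, complete = build_chain(leaf, pool)
    if not complete:
        return True
    return any(c.subject in distrusted or c.issuer in distrusted for c in chain)


# Constructed sample PKI: a root, one intermediate, and two site certs.
ROOT = Cert("Example Root CA", "Example Root CA")
INTER = Cert("Example Intermediate CA", "Example Root CA")
SITE_VIA_INTER = Cert("www.example.com", "Example Intermediate CA")
SITE_VIA_ROOT = Cert("direct.example.com", "Example Root CA")
POOL = [ROOT, INTER]
DISTRUSTED = {"Example Root CA"}  # the root the user marked untrusted
```

Only the chain walk flags `SITE_VIA_INTER`; the shallow check passes it, which is the kind of gap a user sees when a site "signed by one of its intermediaries" still shows as trusted.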
Hackers may have stolen more than 200 SSL certificates
Computerworld writes that hackers may have obtained more than 200 digital certificates from a Dutch company after breaking into its network, including ones for Mozilla, Yahoo and the Tor project.
The count is considerably higher than DigiNotar has acknowledged. Earlier this week, a company spokesman said that "several dozen" certificates had been acquired by the attackers.
"About 200 certificates were generated by the attackers," said Hans Van de Looy, principal security consultant and founder of Madison Gurka, a Dutch security company, citing a source he said wished to remain confidential.
Among the certificates acquired by the attackers in a mid-July hack of DigiNotar, Van de Looy's source said, were ones valid for mozilla.com, yahoo.com and torproject.org.
Tor is a system that lets people connect to the Web anonymously, and is often used in countries where governments monitor their citizens' online activities. Van de Looy's number is similar to the tally of certificates that Google has blacklisted in Chrome.
An entry in the Chromium bug-tracking database lists 247 certificates that the project blacklisted yesterday. Chromium is the open-source project that feeds code to the Chrome browser and Chrome OS.
"Were these all issued by DigiNotar? It is difficult to tell," said Chet Wisniewski, a security researcher with U.K.-based Sophos, in a blog post Tuesday. "However, considering only 10 were blocked previously, this is a strong indication that these additional blacklisted certificates were most likely part of this incident."
DigiNotar, a Dutch firm that was acquired by U.S.-based Vasco earlier this year, discovered the network breach on July 19, and has confirmed intruders issued themselves valid certificates for a number of domains.