This past week in security news was highlighted by a hacking revelation out of China, bad news for banks, good news for Sony gaming customers and a curious email that might have been at the heart of the big RSA data breach.
China protests too much?
So it turns out the Chinese government, despite protests to the contrary, has been hacking U.S. targets after all. How do we know? Because Chinese state television broadcast a documentary about hacking and cyberwarfare strategy that showed a demo of a state-sponsored hacking tool purportedly disrupting the operations of a spiritual movement called the Falun Gong, which the Chinese government considers a threat to its authority.
The Chinese documentary, titled "The Internet storm is coming!" (which focused on the official Chinese view of the Pentagon's cyberwarfare strategy), happened to give a quick look at how an attacker targeted a website of the Falun Gong, which in this case was hosted at the University of Alabama in Birmingham.
The brief clip of the attack is thought to be very old film footage if only because this website was taken down several years ago by the university. As The Wall Street Journal noted in its story about the documentary, "The 10-second segment -- part of a longer report on cybersecurity -- appears to be a rare example of an official source contradicting China's repeated assertions that it doesn't engage in cyberattacks, according to Andrew Erickson and Gabe Collins of the China SignPost analytical service, which specializes in military matters."
The cyberwarfare documentary was broadcast by China Central Television Channel 7 last month, but the U.S. public got some idea about it last week when Erickson, an associate professor at the U.S. Naval War College's Maritime Studies Institute, published a report about it. The WSJ noted that the footage in question, featuring Senior Col. Du Wenlong, a researcher at the Chinese army's Academy of Military Sciences, talking about cybersecurity issues, could still be seen on CCTV's website last week.
Another Chinese hacking news angle last week was that Hong Kong police arrested a local man in connection with an Aug. 10 computer attack on the Hong Kong Stock Exchange. That attack forced the exchange to suspend trading about two weeks ago. Now that's where real-life cyberattacks really hurt.
Taking it to the banks
Cybercriminals also really can hit the wallet when they take over business bank accounts, and that is happening on a regular basis, according to the Financial Services Information Sharing and Analysis Center (FS-ISAC), the group of banks that works with the Treasury Department and the FBI on cybersecurity issues of national importance.
Often these commercial account takeovers occur because cybercriminals use specially designed malware, such as the ZeuS variants, to take control of the business computers the bank customer uses for funds transfers.
According to a poll of its members, FS-ISAC last week said 21 institutions reported a total of 108 commercial account takeovers by cybercriminals during the first 6 months of 2010 compared with 86 for the full year of 2009. The only good news in all this is the banks seem to be getting a little better at blocking fraudulent funds transfers out of compromised bank accounts. But irretrievable losses are still piling up.
Sony gets tougher
Speaking of victims of data breaches, Sony (which as we all recall had its online gaming services hacked repeatedly a few months ago) is apparently thinking its gaming customers would appreciate better security. One thing Sony Online Entertainment is doing is offering its customers hardware- and software-based authentication tokens that can generate one-time passwords that customers can use to get into their accounts. One-time passwords are widely regarded as far more secure than simple, reusable passwords.
"Sony Online Entertainment has joined the growing list of gaming companies that offer physical authenticators for protection against account hacking and associated fraud," said a spokeswoman from Vasco, the company through which Sony is offering the authentication tokens. Blizzard Entertainment's World of Warcraft is another Vasco client in the online gaming business, which offers its customers a version of Vasco's one-time-password generation tokens.
Sony wasn't immediately available to comment, but Vasco says Sony is now offering the branded SOE Authenticator, which is based on the Vasco Digipass GO 6 hardware token. As an alternative to a hardware token that would be used in a PC, Sony is also offering customers the choice of a software token based on Vasco technology for mobile devices, such as smartphones.
Jochem Binst, Vasco's director of communications, says Sony is expected to charge about $9.99 for the hardware token, but offer the software-based token for free. He says Sony is operating the Vasco back-end equipment used in the authentication process directly on Sony premises. Vasco is thought to be the sole provider of authentication in this form for Sony online gaming services, he adds.
"It's similar to what we do for the banking world," Binst says.
Hackers going mobile, old school hacking and the RSA email?
Three more security news items worth noting:
* Mobile devices are the next frontier for hackers, and McAfee last week said that Android has emerged as the most-targeted mobile operating system. In its Q2 threats report, McAfee said it found around 1,200 mobile malware samples and about 60% were aimed at Android. Mobile malware is still but a tiny fraction in comparison to malware targeting PCs, but McAfee believes the trend is clear that Android is now the favorite mobile target for attackers writing malware, surpassing what's written for Java Micro Edition. Another interesting tidbit from that report is that Adobe's products are getting hammered by attackers in terms of known exploit code at a rate that now far exceeds that for Microsoft products.
* The data breach parade keeps marching on, last week led by Yale University, which notified about 43,000 faculty, staff, students and alumni that their names and Social Security numbers were publicly available via Google search for about 10 months. The breach is said to be the result of an FTP server where the data was stored becoming searchable by Google after a change the search engine made last September. But oops, Yale IT staff people didn't know.
* F-Secure last week said it's discovered in a big old pile of collected malware what might be the original booby-trapped email that was the first step in the successful attack on RSA in March to steal information about its SecurID product. Only RSA knows for sure, or at least we hope they know by now.