Malware

SPOTLIGHT ON SECURITY

Watchdogs Get a Whiff of Google’s Government Privacy Policy

There’s evidence that Google’s consumer privacy policy is being extended to government contracts for its software services, according to SafeGov.org.

Citing contracts in Texas, Illinois and California, the group contends that Google’s privacy policy is the “minimum standard” for handling customer data under the contracts.

Google’s privacy policy authorizes it to collect and combine all sorts of data from people using its services. Collection of much of that data is likely to be unacceptable to government users, SafeGov contends.

Google counters that there is language in the contracts it executes with governments that supersedes its privacy policy.

When asked to comment on the latest questions raised by SafeGov, Google spokesperson Tim Drinan referred TechNewsWorld to a blog item written by Amit Singh, vice president of Google Enterprise. In it, he tells the employees at one of Google’s government clients, the Lawrence Berkeley National Laboratory, that Google’s contract with the facility supersedes its privacy policy.

Google’s non-responsive response to his organization’s questions was surprising, said Jeff Gould of SafeGov.org.

“There in nothing in the contracts we looked at that says the privacy policy is superseded by the contracts,” he told TechNewsWorld.

“I thought this might be an honest mistake by Google,” he said, “but now that they’re refusing to acknowledge it, maybe they’re not doing it accidentally.”

Intimate Relations Between Stuxnet and Flame

Kaspersky Lab last week said it found the “smoking code” that links two malicious malware programs believed to have been created by nation-states for cyberespionage and control system mayhem.

Up to last week, it was believed that the programs, Stuxnet and Flame, used separate code bases. Those conclusions, though, were based on comparisons between the latest version of Stuxnet, created in 2010, and Flame. When Kaspersky compared Flame to a 2009 version of Stuxnet, though, it came up with some interesting results.

“What we found was very surprising,” Kaspersky Lab Senior Researcher Roel Schouwenberg told TechNewsWorld. There was a part of the 2009 code that hadn’t been thoroughly analyzed, he explained.

“That part contained a precursor to what we know today as Flame,” he said.

Moreover, there are signs in the code that the teams developing the programs shared their source code with each other. That suggests that the groups trusted each other to a high degree. “Your source code is your holy grail, prized possession,” Schouwenberg observed. “You do not give your source code to just anyone. There must be a strong connection there.”

Microsoft Reveals XML Vulnerability

A “critical” vulnerability in Microsoft’s XML Core Services that could allow a hacker to infect and remotely execute code on a computer was revealed by the company last week.

The zero-day flaw can be exploited when Microsoft’s Web browser, Internet Explorer, lands on infected Web pages.

Digital desperadoes typically attempt to lure unsuspecting targets to infected pages through emails or IM messages containing poisoned links. For that reason, the vulnerability may have been responsible for triggering Google’s newly instituted nation-state attack message.

Some Gmail users were cautioned by Google: “Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer,” according to Trend Micro.

Browser attacks are becoming popular attacks for cybercriminals, according to Trend Micro Vice President for Cybersecurity Tom Kellermann. That’s because, he told TechNewsWorld, “the browsers on these devices are being utilized for control of most of the data that’s downloaded from the Internet or the cloud.”

“A zero day in IE is a critical problem facing that entire user community,” he observed.

“Internet Explorer has improved its cybersecurity in leaps and bounds, but because it’s one of the most widely used browsers in the world, it will be targeted by malware researchers to create exploits,” he said. “Something like this happens once in a blue moon, and it just happened.”

Breach Diary

  • June 11: The University of North Florida revealed a security breach may have compromised 23,246 names and Social Security numbers of people who submitted a housing contract to the university between 1997 and spring 2011.
  • June 12: A reincarnated LulzSec posted information from 10,000 users of TweetGif to the Internet. Information included usernames, real names, locations, bios, avatars, tokens used by TweetGif to pull data from Twitter and even a user’s last tweet.
  • June 13: Spex Security posted personal information of 14,500 people connected to the Clarksville-Montgomery County, Tenn., School System to the Internet. Records, including Social Security numbers, of as many as 110,000 individuals may have been compromised in the breach.
  • June 13:. Global Payments reveals that it was the target of a second data breach. It said its investigation of the breach of its systems in April that compromised 1.5 million payment card numbers uncovered a second breach of its servers containing data from merchant applicants. No information about the size of the second breach was released by the company.
  • June 15: Systems of Fleetwood, Penn., School System were breached and names, birth dates, addresses and parents’ names for the approximately 2,700 students were posted to the Internet.

Calendar

  • June 17-22: 24th Annual FIRST Conference. Malta Hilton. Sponsored by Forum of Incident Response and Security Teams. Late fee registration (April 1-June 1): US$2,500.
  • June 26: Cyber Security: The Perfect Storm. 2-4:15 p.m. Capital Visitor Center, Washington D.C. Sponsored by MeriTalk Cyber Security Exchange and Sens. Tom Carper (D-Del.) and Scott Brown (R-Mass.).
  • June 27: Future State of IT Security: A Survey of IT Security Executives. 2 p.m. ET. Webcast. Sponsored by RSA. Free.
  • June 29: Third Suits and Spooks Anti-conference. Bel Air Bay Club, Palisades, Calif. Sponsored by Taia Global and Pacific Council on International Policy.
  • July 13: BSidesCleveland. Embassy Suites, Cleveland. Free.
  • August 20-23: Gartner Catalyst Conference. San Diego, Calif. Early bird price (before June 23): US$1,995. Standard price: $2,295.
  • October 9-11: Crypto Commons. Hilton London Metropole, UK Early bird price (by August 10): pounds 800, plus VAT. Discount registration (by September 12): pounds 900. Standard registration: pounds 1,025.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Malware

Technewsworld Channels