Wednesday, 10 March 2010 13:17
Akuma
By now, it's practically a mantra that the biggest problem with corporate IT security is the employees themselves. However, we usually assume that's due to ignorant users or poorly enforced policies. Not so for a chunk of the US working population—according to a survey conducted by Harris Interactive, 12 percent admitted to knowingly violating IT policy in order to get work done.
The survey of 1,347 employed adults was conducted on behalf of Fiberlink, a company that hawks services that "help enterprises connect, control and secure laptops and mobile devices." Needless to say, the survey results fit perfectly into the company's agenda, but they are hardly surprising. After all, how many of us know someone who has left a work laptop in an unattended vehicle, sent unencrypted e-mails without permission, or reused the same three passwords over and over instead of choosing new ones every 90 days?
Fiberlink CEO Jim Sheward warned of the obvious. "IT departments nationwide spend a lot of time and money on their compliance, usage, and access policies, but they only work if people follow the rules," he said in an e-mailed statement. "[C]ompanies could face dangerous breaches that include the loss of sensitive data, competitive intelligence, or customers’ private information."
Harris' findings are supported by previous reports saying that leaky employees are a bigger threat than malware, that employees (not hackers) cause the most corporate data loss, and that employees' online activities pose the greatest threat to IT security. With 12 percent of those people actively working outside of stated IT policy (and plenty more who do so out of ignorance), IT admins certainly have their work cut out for them if they want to maintain a tight ship.
Wednesday, 03 March 2010 06:58
Akuma
A massive botnet of up to 12.7 million infected PCs has been dismantled after Spanish police, working in conjunction with a Canadian security firm, have arrested the botnet's operators. The Mariposa botnet first emerged in December 2008, and was used to steal credit card and bank details from infected PCs. The malware driving it was spread through instant messaging, USB thumbdrives, and peer-to-peer networking.
Defence Intelligence, the Canadian firm involved in the bust, started investigating the botnet in spring 2009. The company discovered that the botnet had command and control servers based in Spain, and so joined forces with Spanish firm Panda Security. With their input, the authorities knocked the botnet offline around Christmas. Luck was on the investigators' side; the Internet services used by the hackers were willing to cooperate with the investigation, and most critically, one of the botnet's operators then tried to regain control of the botnet directly from his own PC. This mistake allowed the investigators to identify him and track him down.
The arrest of the operators of such a large botnet is unusual. Operators of smaller networks are easier to identify (smaller networks have less traffic to hide in), so arrests are relatively common. Operations such as Microsoft's recent disabling of the Waledac network may take the botnet offline, but the operators typically remain free to try again. The nature of the Mariposa network made catching the perpetrators particularly important; while botnets like Waledac and Conficker are used predominantly for spamming (annoying and illegal, but relatively harmless as these things go), Mariposa's harvesting of financial information made it much more dangerous.
The hackers themselves—unnamed, per Spanish privacy rules—appeared to be quite ordinary, far from the genius hacker stereotype. They were Spanish citizens with no prior criminal convictions, aged 31, 30, and 25. They depended on their connections in the criminal underworld to get them the resources necessary to start and operate the botnet. Though the network had likely made them rich—investigators are still examining bank records to determine just how much money was made—this was not reflected in their lifestyles. If convicted, they face up to six years in prison for hacking. Further arrests related to Mariposa are also expected.
Tuesday, 02 March 2010 18:22
Akuma
Long-time Apple executive Pablo Calamera has left Apple in favor of a CTO gig elsewhere, while former Mozilla security chief Window Snyder started work at 1 Infinite Loop on Monday. Pablo will become the CTO at Thumbplay, a company specializing in ringtones and streaming music, while Snyder will work as a senior security product manager at Apple.
According to the Thumbplay announcement, Calamera served as director of the MobileMe service while at Apple. Despite the service's less-than-stellar reputation during his time there, Thumbplay saw fit to scoop up Calamera. The newly branded CTO spent time at Danger Inc. and WebTV Networks, among others, before joining Apple.
As noted by PC World, the Snyder hire comes on the heels of her time managing security consultants at Microsoft and working on Windows XP and 2003 Server. What Snyder will do at Apple remains unclear, but the two variants of Safari (Windows and Mac) or the iPhone OS seem to be likely candidates for her expertise.
Thursday, 25 February 2010 04:18
Akuma
Tuesday, Comcast announced a public trial that any Comcast cable Internet access user can participate in. And a year from now, DNSSEC validation will be rolled out throughout all of Comcast's DNS resolvers. Comcast will also be signing all of the domains it hosts, including comcast.com, comcast.net, and xfinity.com.
The DNSSEC extensions to the DNS protocol make it possible for a validating server or a validating host to determine whether information in the Domain Name System is legitimate or not, the same way that it's possible to determine whether a signed e-mail message did indeed come from the holder of the e-mail address. In the past, it was trivial to inject fake information into DNS servers.
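To make the "signed e-mail" analogy concrete, here is an added example (not Comcast's code, and not a real DNSSEC implementation) that models what a validating resolver does once it trusts a zone's public key: it recomputes a canonical form of the RRset it received and checks the zone's signature over it. The record type `RR`, the text-based canonical form, and the `Demo` scenario are all constructed for this illustration; real DNSSEC signs the wire format (RFC 4034) and chains the zone key back to the root via DS records, which this example assumes has already happened. Ed25519 is used because Go ships it in the standard library and DNSSEC supports it as one of its algorithms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified DNS resource record (constructed for this example).
type RR struct {
	Name  string
	Type  string
	TTL   uint32
	RData string
}

// canonicalRRset builds the bytes a signature covers: every record of one
// (name, type) RRset with the owner name lowercased and the lines sorted, so
// signer and validator agree on the input regardless of the order in which the
// records arrived. This mirrors the idea of DNSSEC canonical ordering, not its
// exact wire encoding (assumption made for the example).
func canonicalRRset(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s\t%d\t%s\t%s",
			strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.RData))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// Signer stands in for the zone operator, who holds the private zone key
// (in practice kept off the public-facing name servers).
type Signer struct{ priv ed25519.PrivateKey }

// Sign produces the signature a zone would publish alongside the RRset.
func (s Signer) Sign(rrs []RR) []byte {
	return ed25519.Sign(s.priv, canonicalRRset(rrs))
}

// Validate is the resolver side: given the zone's trusted public key, the
// RRset from an answer, and the published signature, decide whether the data
// is genuine. Any change to a record, however small, fails the check.
func Validate(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonicalRRset(rrs), sig)
}

// Demo signs a constructed A RRset and checks two answers against it:
// the genuine records delivered in a different order, and a spoofed answer in
// which one address has been replaced. Returns (genuineOK, forgedOK).
func Demo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := Signer{priv: priv}

	// Constructed sample data for www.example.com (documentation addresses).
	genuine := []RR{
		{Name: "www.example.com.", Type: "A", TTL: 300, RData: "192.0.2.10"},
		{Name: "www.example.com.", Type: "A", TTL: 300, RData: "192.0.2.11"},
	}
	sig := signer.Sign(genuine)

	// Same RRset, different order: a validator must still accept it.
	reordered := []RR{genuine[1], genuine[0]}

	// Injected answer: one record's address has been swapped. Before DNSSEC a
	// resolver had no way to tell this apart from the real thing.
	forged := []RR{
		genuine[0],
		{Name: "www.example.com.", Type: "A", TTL: 300, RData: "198.51.100.66"},
	}

	return Validate(pub, reordered, sig), Validate(pub, forged, sig)
}

func main() {
	ok, bad := Demo()
	fmt.Printf("genuine RRset validates: %v\n", ok)
	fmt.Printf("forged RRset validates:  %v\n", bad)
}
```

The point the example makes is the one in the paragraph: the resolver never has to trust the server that answered, only the zone's key, so a forged record injected anywhere along the path fails validation. What the example leaves out, and what makes the Comcast rollout a year-long effort, is obtaining that key securely in the first place through the chain of trust from the root zone.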
Wednesday, 24 February 2010 05:20
Akuma
VeriSign, a prominent vendor of SSL certificates, has announced a new validation service for websites. Companies that sign up for the service will undergo a corporate background check and have their websites scrutinized by VeriSign. Websites that meet with VeriSign's standards will be entitled to post the company's Trust Seal insignia.
VeriSign already offers a similar service to some of its SSL customers. The new service is intended for website operators that offer commercial products and services, but don't need an SSL certificate because they rely on third parties for processing transactions and performing other activities that require encryption.
The company says that it will conduct daily malware scans of the websites that bear the Trust Seal in order to ensure that they remain trustworthy after the initial examination. According to VeriSign, the $299 per year Trust Seal service will help websites boost traffic and increase customer loyalty. The company claims that the existing SSL variant of its Trust Seal service has generated an average traffic increase of 24 percent for its customers.
Although trust seals might give a warm fuzzy feeling to regular end users, there is little evidence that such validation programs actually guarantee security or trustworthiness. A researcher published a study in 2006 revealing that websites validated by TRUSTe were actually "more than twice as likely to be untrustworthy" compared to unvalidated sites.
The researcher speculated that private validation organizations were reluctant to sacrifice revenue by revoking validations, even in the most egregious cases of abuse. There is also the risk that untrustworthy sites will convey a false sense of legitimacy by displaying a forged seal.
The automated daily scanning that is included in VeriSign's service could give it a leg up in security over some of the alternatives.
Monday, 22 February 2010 07:57
Akuma
The furor over the Harriton High School webcam spying caper continues to grow. The Federal Bureau of Investigation is now investigating whether the school broke any federal wiretap laws when it remotely spied on a student at home, an anonymous official told the Associated Press. A federal grand jury has also subpoenaed the school for records related to the so-called "security" measures implemented on the laptops that allowed officials to activate the webcams to see people using them, according to the Philadelphia Inquirer.
The Lower Merion School District (LMSD) has also started talking to the press about the incident. Spokesman Doug Young told the AP that the school had activated the webcams on the school-issued laptops 42 times over the last year or so, but never to spy on the students. LMSD had said on Friday—when it decided to indefinitely suspend the practice—that the feature was there solely for security purposes in order to locate lost or stolen laptops.
Wednesday, 17 February 2010 04:12
Akuma
The Electronic Privacy Information Center (EPIC), a privacy watchdog and public interest research group, is calling foul on Buzz, Google's recently launched social networking service. The group has filed a complaint with the FTC outlining several major grievances.
Shortly after Google launched Buzz last week, a number of users expressed dismay over the service's loose handling of user privacy. It automatically makes the user's Gmail address book into a public Buzz contact list, a move that is of questionable value to users and subjects some to the risk of exposing sensitive information to the wrong people.
Monday, 15 February 2010 04:06
Akuma
When it comes to cybersecurity, the Obama administration is taking the same approach to the policies of the Bush administration as it has in so many other areas: there are differences, but they're mainly matters of subtle emphasis and focus. Take the Trusted Internet Connection initiative, which the Bush administration launched in late 2007, and which is aimed at securing the government's network infrastructure by routing all of its network traffic through a smaller number of access points.
The original goals of the TIC program were to establish a baseline set of security practices for government systems that access the Internet, to consolidate all federal Internet access points into about 50 officially certified TICs, and to put in place an audit process to ensure that all government agencies stay in compliance with the program. Of these three goals, it was the network consolidation piece—the entire federal government accessing the Internet through only 50 connections total—that grabbed headlines and caused the most push-back from federal agencies. It's this part that the Obama admin has eased up on, but only a bit.
Friday, 12 February 2010 06:31
Akuma
Security researcher Christopher Tarnovsky has successfully subverted an Infineon SLE 66 microcontroller—a hardware component that implements the Trusted Platform Module (TPM) specification. His method of attack, which requires physical access to the hardware, was presented at the Black Hat conference.
TPM chips can be used for a variety of purposes, but are principally employed for data encryption or DRM. Infineon is a well-known TPM manufacturer whose components are shipped in mainstream computing and consumer electronics products including the Xbox 360 and many modern Apple computers. The basic concept behind a TPM is that it has "write-only" memory. A cryptographic key is baked into the chip when it is manufactured. This key can be used to decrypt data, but is only accessible to the chip itself and can't be read.
Infineon integrates relatively sophisticated security mechanisms into the hardware in order to repel a wide range of conceivable physical attacks, thus preventing a third party from reading the embedded key. The SLE 66 is designed to protect against EM snooping, various kinds of side channel attacks, and pretty much any other conventional approach that you can think of.
In order to circumvent the SLE 66's security, Tarnovsky used an electron microscope and needles. After nine months of intricate work, he managed to pull out the "write-only" data. He says that he has reported his findings to Infineon and the Trusted Computing Group, the organization that devised the TPM standard.