
Google under attack for wifi snooping


Calendar

14 – 15 June
SANS What Works in Pen Testing & Vulnerability Assessment Summit
Location: Baltimore, MD, US
www.sans.org/pen-testingsummit-2010/

14 – 17 June
Information Security and Cryptography seminar: fundamentals and applications
Location: Sunstar Parkhotel Davos, Switzerland
www.infsec.ch/573/

16 – 17 June
EUSecWest 2010
Location: Melkweg, near Leidseplein, Amsterdam, The Netherlands
eusecwest.com/

21 – 24 June
OWASP AppSec Research 2010
Location: Stockholm, Sweden
bit.ly/cRZu3H

22 – 23 June
Federal Information Security Conference
Location: University of Colorado at Colorado Springs, Colorado, US
www.fbcconferences.com/fisc/

22 – 25 June
Eighth International Conference and Exhibition on Applied Cryptography and Network Security
Location: The Grand Gongda Jianguo Hotel, Beijing, China
www.tcgchina.org/acns2010/

23 – 25 June
First International Workshop on Wireless and Network Security (WNS 2010)
In conjunction with the 4th International Conference on Information Security and Assurance (ISA 2010).
Location: Sheraton Grande Ocean Resort, in Miyazaki, Japan
www.sersc.org/ISA2010/

29 June – 1 July
TSP 2010
Location: Bradford, UK
trust.csu.edu.cn/conference/tsp2010/

July 30 – 1 August
Defcon
Riviera Hotel & Casino Las Vegas, US
www.defcon.org/


20 Computer Fraud & Security May 2010

information was their top concern about viruses; only 29% expressed concern over the loss of corporate data due to viruses.”

The same situation was also true in the UK, Germany and Japan. Around half of employees confessed to leaking privileged information via insecure webmail accounts.

Predictably, mobile workers were leakier than their office-based colleagues. Some 60% of mobile workers – and 78% in Japan – admitted to sending confidential company information via instant messaging, webmail or social media applications. Only 44% of office-bound workers did the same.

When it came to using company computers for private activities, laptop users were worse than those with desktop PCs. Three-quarters of workers with company laptops used them for checking private email accounts (which may not have the anti-malware features of the corporate email system) while 58% browsed non-work websites. These figures dropped to 58% and 45% for desktop PC users, perhaps because they are more easily observed or monitored.

At least a quarter of all users admitted to using company machines for activities such as online banking, paying bills, streaming audio or video, using social networking sites and online shopping.

One statistic that may have corporate security staff worried is that one in ten workers actively over-rode corporate security restrictions to access normally restricted websites.

Sneaky tab attack

Watch what your browser’s tabs are doing is the message from Aza Raskin, whose job title is ‘creative lead’ for Firefox. Phishers could use a sneaky technique to change the contents of a page behind your back.

The technique uses a script that runs only when the user isn’t looking. The malicious page may seem entirely innocuous at first, but the script detects when the focus of the browser has switched to a different tab. It then changes the favicon and page title and loads a different page – a fake login for services such as Gmail. The idea is that the user thinks he or she has been logged out of the service and needs to sign in again.

Fortunately, the attack is just a proof-of-concept designed by Raskin himself. He’s even suggested ways of ‘improving’ it – for example, by searching the browser’s CSS history looking for well-known sites: users are more likely to be fooled into signing in to services they actually use.
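
From the defender's side, the behaviour described above can be recognised by comparing what a tab looked like when it lost focus with what it looks like when the user returns. The following is an added example, not code from the article or from Raskin; the event names, the timeline format and the rule requiring both title and favicon to change are assumptions made for illustration.

```javascript
// Added example (not from the article). Event names and shapes are assumptions;
// in a browser extension they would come from `visibilitychange` and a
// MutationObserver watching <title> and <link rel="icon">.
function detectHiddenTabRewrite(events) {
  const alerts = [];
  let current = { title: "", favicon: "" };
  let snapshot = null; // page identity at the moment the tab lost focus

  for (const ev of events) {
    if (ev.type === "load") {
      current = { title: ev.title, favicon: ev.favicon };
    } else if (ev.type === "title" || ev.type === "favicon") {
      current = { ...current, [ev.type]: ev.value };
    } else if (ev.type === "hidden") {
      snapshot = { ...current };
    } else if (ev.type === "visible" && snapshot) {
      const changed = Object.keys(snapshot).filter((k) => snapshot[k] !== current[k]);
      // Title-only changes are routine (unread counters), so the assumed rule
      // requires title AND favicon to differ from what the user last saw.
      if (changed.includes("title") && changed.includes("favicon")) {
        alerts.push({ at: ev.t, changed, before: snapshot, after: { ...current } });
      }
      snapshot = null;
    }
  }
  return alerts;
}

// Constructed sample timelines (t in seconds), not captured data.
const benignTimeline = [
  { t: 0, type: "load", title: "Inbox", favicon: "/mail.ico" },
  { t: 5, type: "hidden" },
  { t: 9, type: "title", value: "Inbox (1)" }, // unread counter only
  { t: 12, type: "visible" },
];
const rewrittenTimeline = [
  { t: 0, type: "load", title: "Holiday photos", favicon: "/photos.ico" },
  { t: 5, type: "hidden" },
  { t: 9, type: "title", value: "Sign in" },
  { t: 9, type: "favicon", value: "/login.ico" },
  { t: 30, type: "visible" },
];

console.log(detectHiddenTabRewrite(benignTimeline));    // no alerts
console.log(detectHiddenTabRewrite(rewrittenTimeline)); // one alert raised at t=30
```
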

Google under attack for wifi snooping

The Google wifi snooping controversy continues, with the company coming into conflict with German regulators and being sued in the US.

The company recently admitted that its Street View cars were not only collecting the MAC addresses and SSIDs of all wifi access points they encountered, but also recording snatches of payload data. This, Google insists, was an accident caused by experimental code being left in the snooping software.

Google has been trying to delete the 600GB of data it says it collected, but this came to a halt when a UK privacy organisation claimed this was ‘destruction of evidence’.

The controversy started as a result of German data protection regulators demanding to know what information Google was collecting on wifi access points. The German data protection authority (DPA), based in Hamburg, has demanded that Google hand over the data it had gathered in the country. But Google has refused to do so, claiming that providing such payload data might actually put it in breach of German telecommunications law. The DPA is unimpressed by this logic, and Prof Dr Johannes Caspar of Hamburg’s data protection commission has stated that Google will not face prosecution for supplying the information. On the other hand, Google could face a €50,000 fine if it doesn’t turn over the hard drive.

Meanwhile, Galaxy Internet Services, an ISP in Massachusetts, has filed a class-action suit against Google, claiming that the search company’s collection of wifi payload data constituted a breach of US federal and Massachusetts state privacy laws. Google has yet to respond.