A recap of the past week's IT security news includes more details about the Rustock botnet, the latest cyber-attack on a DOE research lab and another flaw in Apple's iOS.
All
anyone could talk this past week was Google+, the new social networking
platform from Google that rolled out to a limited audience. The only way to see
the new site was to score an invite from someone who is already a member. But
Google shut down invites temporarily in face of high demand. That just made it
easier for scammers to swoop in with emails masquerading as
fake Google+ invites to direct users to online pharmacy scams.
Malicious
emails may possibly be behind the "sophisticated cyber-attack" that
shut down email and Internet services at another Department of Energy research
facility, the
Pacific Northwest National Laboratory. The lab shut down all outgoing and
incoming traffic July 1, and as of July 8 its Website remained inaccessible.
Internal mail was restored midweek.
A
team of iPhone developers inadvertently uncovered a serious vulnerability in
the way the mobile version of the Safari Web browser uploads PDF files while
trying to come up with a way to "jailbreak" the iPhone. The
JailbreakMe Website provides users interested in cracking the iPhone
operating system with tools so that they can install non-Apple-approved apps on
their iOS devices.
The
developer who found the vulnerability and used it to create the latest version
of the jailbreaking tool also released a patch so that malicious perpetrators
can't exploit the flaw for their own nefarious purposes.
This
has prompted several security experts to note that Apple users were in an
ironic situation where they would be safer from potential attacks by
jailbreaking their iPhones, iPads and iPod Touchs to apply the patch. Once
Apple rolled out the patch, expected in a "forthcoming update," they
could switch back.
Microsoft
also unveiled details and more statistics behind the
Rustock botnet since Microsoft worked with legal authorities to take down
several of the botnet command and control servers in March. Microsoft noted the
size of the botnet has been halved and even though there are plenty of infected
machines outside of the United States, it remains dark. The report also
reaffirmed that its methods, coordinating with law enforcement agencies, other
security companies and academics, was successful against botnets.
There
were two data breaches announced this week, but only one involved any cyber-hacking.
Investment firm
Morgan Stanley Smith Barney mailed CDs containing sensitive information of
about 34,000 of its investors to the New York State Department of Taxation in
June. When the package finally reached its intended recipient, the CDs were
missing.
The
other breach happened over at that venerable newspaper of national record the
Washington Post when attackers breached its employment Website, not once,
but twice, in the last week of June and stole email addresses. The breach
exposes job-seekers to potential spear phishing attacks.
Across
the pond, Rupert Murdoch shut down British tabloid
News of the World amid allegations that its staffers illegally accessed
voice mails of as many as 4,000 individuals, including celebrities, the British
royal family and regular people. The key takeaway from the scandal appears to
be the importance of protecting the PIN numbers that access the phone
mailboxes. But unless carriers take some action, users remain vulnerable to
voicemail fraud.
Next
week, Microsoft is expected to release four patches fixing 22 vulnerabilities
for a fairly light
July Patch Tuesday. Three of the four contain fixes for all supported
versions of the Windows operating system. Microsoft will also officially end support
for Vista Service Pack 1 and Office XP.
Email
Print
