The top IT security news of the past week included the discovery of new malware with Zeus banking fraud features, along with new developments in Web user privacy and mobile-application security.
researchers identified new malware variants that had taken on features from Zeus
to turn ordinary run-of-the-mill malware into sophisticated worms with bank
fraud capabilities.
With both Zeus and SpyEye code readily available to cyber-criminals, there will
be more strains with capabilities to steal financial and other data,
some security praise with its proposed changes to privacy settings, which look
very much like what Google has implemented in its "other" social network,
Google+. The inline privacy controls will make it easier for users to tell
exactly what is visible to whom.
In another win for privacy, Apple deprecated the universal device identifier
for its application developers. While the capability will still exist in the
upcoming iOS 5, Apple recommended that developers stop using the identifier to
track what users are doing as the feature will eventually be removed and not
researchers identified a class of Web cookies that could stay on the computer
even after the user cleared the cache, Microsoft said it had removed them from
MSN.com. There were reports that the cookies could respawn even after being
deleted, resulting in a "supercookie" that could continue monitoring users
despite their request not to be tracked.
Web surfer tracking is at the heart of a lawsuit seeking class-action status
filed against Web analytics company comScore this week. Two plaintiffs alleged
that comScore used aggressive methods to monitor user activity, modified user
security settings and made it impossible to remove the software once it was
installed. The lawsuit also claimed it wasn't always clear when the software
was installed on the user's computer. However, comScore claims the lawsuit is
without merit.
promised a patch to fix a vulnerability in
its venerable Web server software that would allow remote attackers to overload
the server's CPU and memory resources to cause a denial of service attack. The
patch was promised "within 96 hours" because a Perl script capable of
launching this denial of service attack was posted on the "full
disclosure" mailing list. The flaw had been identified several years ago,
but had not been fixed previously.
the hackers under the Anonymous banner aren't the only ones breaking into
corporate systems and dumping sensitive information, BitDefender researchers
came across Thehacker12's Project Mayhem blog. Acting alone, Thehacker12 has
dumped over 102,500 emails and passwords since Aug. 15.
In an Aug. 24 breach of a small business events management company,
Thehacker12 released email
addresses, user names, passwords and company names for 20,000 employees for various government agencies and
. The list included the U.S. Small Business Administration,
Department of State, Federal Aviation Administration as well as Honeywell and
WP Hickman Systems. Thehacker12 released another 66,000 email addresses
and passwords from an unknown source on Aug. 25. According to Identity Finder,
64,641 of the passwords were hashed.
documents, it turns out that the former WikiLeaks employee who started up the
rival OpenLeaks stole and destroyed a number of documents that had been
submitted to the whistleblower site. The full no-fly list for United States
travelers and documents from Bank of America were allegedly among the destroyed
In an analysis of new malware in the second quarter of 2011, McAfee found more
malware for Android than for any other mobile operating system. The news came
as researchers came across a malicious Android application that could gain
root access over smartphones running the "Gingerbread" version of the OS.
Rising concerns about mobile-application security will help the mobile-security
market reach $14.4 billion in 2017, according to analysts.