The top IT security news of the past week included the discovery of new malware with Zeus banking fraud features along with new development in Web user privacy-related news and mobile-application security.
Security researchers identified new malware variants that had taken on features from Zeus to turn ordinary, run-of-the-mill malware into sophisticated worms with bank fraud capabilities. With both Zeus and SpyEye code readily available to cyber-criminals, there will be more strains with capabilities to steal financial and other data, researchers predicted.
Facebook won some security praise with its proposed changes to privacy settings, which look very much like what Google has implemented in its "other" social network, Google+. The inline privacy controls will make it easier for users to tell exactly what is visible to whom.
In another win for privacy, Apple deprecated the universal device identifier for its application developers. While the capability will still exist in the upcoming iOS 5, Apple recommended that developers stop using the identifier to track what users are doing, as the feature will eventually be removed and no longer supported at all.
After researchers identified a class of Web cookies that could stay on the computer even after the user cleared the cache, Microsoft said it had removed them from MSN.com. There were reports that the cookies could respawn even after being deleted, resulting in a "supercookie" that could continue monitoring users despite their request not to be tracked.
Unauthorized Web surfer tracking is at the heart of a lawsuit seeking class-action status filed against Web analytics company comScore this week. Two plaintiffs alleged that comScore used aggressive methods to monitor user activity, modified user security settings and made it impossible to remove the software once it was installed. The lawsuit also claimed it wasn't always clear when the software was installed on the user's computer. However, comScore claims the lawsuit is without merit.
Apache promised a patch to fix a vulnerability in its venerable Web server software that would allow remote attackers to exhaust the server's CPU and memory resources, causing a denial-of-service condition. The patch was promised "within 96 hours" because a Perl script capable of launching this denial-of-service attack was posted on the "full disclosure" mailing list. The flaw had been identified several years ago, but had not been fixed previously.
Proving that the hackers under the Anonymous banner aren't the only ones breaking into corporate systems and dumping sensitive information, BitDefender researchers came across Thehacker12's Project Mayhem blog. Acting alone, Thehacker12 has dumped over 102,500 emails and passwords since Aug. 15.
In an Aug. 24 breach of a small business events management company, Thehacker12 released email addresses, user names, passwords and company names for 20,000 employees of various government agencies and companies. The list included the U.S. Small Business Administration, Department of State and Federal Aviation Administration, as well as Honeywell and WP Hickman Systems. Thehacker12 released another 66,000 email addresses and passwords from an unknown source on Aug. 25. According to Identity Finder, 64,641 of the passwords were hashed.
Speaking of documents, it turns out that the former WikiLeaks employee who started up the rival OpenLeaks stole and destroyed a number of documents that had been submitted to the whistleblower site. The full no-fly list for United States travelers and documents from Bank of America were allegedly among the destroyed files.
In an analysis of new malware in the second quarter of 2011, McAfee found more malware for Android than for any other mobile operating system. The news came as researchers came across a malicious Android application that could gain root access over smartphones running the "Gingerbread" version of the OS. Rising concerns about mobile-application security will help the mobile-security market reach $14.4 billion in 2017, according to analysts.