Apple's PDF Flaw, DOE Attack, Rustock Lead Week's Security News
All anyone could talk this past week was Google+, the new social networking platform from Google that rolled out to a limited audience. The only way to see the new site was to score an invite from someone who is already a member. But Google shut down invites temporarily in face of high demand. That just made it easier for scammers to swoop in with emails masquerading as fake Google+ invites to direct users to online pharmacy scams.
Malicious emails may possibly be behind the "sophisticated cyber-attack" that shut down email and Internet services at another Department of Energy research facility, the Pacific Northwest National Laboratory. The lab shut down all outgoing and incoming traffic July 1, and as of July 8 its Website remained inaccessible. Internal mail was restored midweek.
A team of iPhone developers inadvertently uncovered a serious vulnerability in the way the mobile version of the Safari Web browser uploads PDF files while trying to come up with a way to "jailbreak" the iPhone. The JailbreakMe Website provides users interested in cracking the iPhone operating system with tools so that they can install non-Apple-approved apps on their iOS devices.
The developer who found the vulnerability and used it to create the latest version of the jailbreaking tool also released a patch so that malicious perpetrators can't exploit the flaw for their own nefarious purposes.
This has prompted several security experts to note that Apple users were in an ironic situation where they would be safer from potential attacks by jailbreaking their iPhones, iPads and iPod Touchs to apply the patch. Once Apple rolled out the patch, expected in a "forthcoming update," they could switch back.
Microsoft also unveiled details and more statistics behind the Rustock botnet since Microsoft worked with legal authorities to take down several of the botnet command and control servers in March. Microsoft noted the size of the botnet has been halved and even though there are plenty of infected machines outside of the United States, it remains dark. The report also reaffirmed that its methods, coordinating with law enforcement agencies, other security companies and academics, was successful against botnets.
There were two data breaches announced this week, but only one involved any cyber-hacking. Investment firm Morgan Stanley Smith Barney mailed CDs containing sensitive information of about 34,000 of its investors to the New York State Department of Taxation in June. When the package finally reached its intended recipient, the CDs were missing.
The other breach happened over at that venerable newspaper of national record the Washington Post when attackers breached its employment Website, not once, but twice, in the last week of June and stole email addresses. The breach exposes job-seekers to potential spear phishing attacks.
Across the pond, Rupert Murdoch shut down British tabloid News of the World amid allegations that its staffers illegally accessed voice mails of as many as 4,000 individuals, including celebrities, the British royal family and regular people. The key takeaway from the scandal appears to be the importance of protecting the PIN numbers that access the phone mailboxes. But unless carriers take some action, users remain vulnerable to voicemail fraud.
Next week, Microsoft is expected to release four patches fixing 22 vulnerabilities for a fairly light July Patch Tuesday. Three of the four contain fixes for all supported versions of the Windows operating system. Microsoft will also officially end support for Vista Service Pack 1 and Office XP.