Mac Rogue AV, Defense Contractors, Phishing Lead Week's Security News
May 2011 is the month Apple and its legion of Mac users were forced to acknowledge that there was nothing natively secure about the Mac OS X when it came to malware. In response, Apple rolled out its promised MacDefender removal tool this week.
The tool was actually an updated File Quarantine, a little-known feature in Snow Leopard that works much like an antivirus application. File Quarantine keeps a list of definitions for software that should not be allowed on the Mac, and Apple tweaked it so that it can automatically update those definitions once a day. That sounds a lot like an antivirus package.
The thing is, cyber-criminals are, if nothing else, quick to adapt. Less than 12 hours after Apple released the removal tool, a new MacDefender variant appeared that could get past File Quarantine. Apple updated the definitions. Yet another version came out Friday, and Apple countered with yet another update.
It's a game of cat and mouse, and right now Apple is just trying to keep up.
Speaking of cat and mouse, the developers behind the Android malware DroidDream were back this week with a new version, dubbed DroidDream Light. Despite the name, there was nothing "less" about the damage this particular variant could cause. Google immediately removed 26 apps from its official Android Market containing the malware. For the most part, the apps were all copies of legitimate apps that had the malicious code grafted on.
Web-based e-mail services also came under attack. Google said several high-profile Gmail user accounts, including those of government officials, had been hit by a successful phishing attack. The company said the attacks originated from China, a charge the country vehemently denied. Trend Micro noted that similar phishing attacks had recently hit several Hotmail and Yahoo Mail accounts as well.
The scariest-attack-of-the-week award actually goes to the unknown cyber-attackers who apparently breached the networks of not one but three major defense contractors towards the end of May. Lockheed Martin, L-3 Communications and Northrop Grumman all shut down remote access to their networks without warning. Apparently, the attackers used cloned SecurID tokens to trick the networks into letting them log on remotely.
There's been a lot of debate over what exactly was stolen from RSA Security and whether that meant SecurID was compromised. While RSA Security is still not publicly discussing what was stolen, it does seem that if defense contractors were compromised this way, relying on SecurID for an enterprise's two-factor authentication needs might not be the best security decision.
To be fair, it's not really clear whether Northrop Grumman was compromised using SecurID.
Next week, companies descend on New York City for Cloud Expo, and a lot of cloud security announcements are expected to come out of the show. The timing is right: according to a McAfee and Brocade report released this week, organizations are beginning to think about virtualization-specific security technology to defend their cloud applications and infrastructure. Approximately 26 percent were most worried about targeted attacks against their virtualized infrastructure, and 24 percent said security breaches were their biggest concern.