Zeus Malware, Web Privacy, Mobile Security Lead Week's Security News
Security researchers identified new malware variants that had taken on features from Zeus to turn ordinary run-of-the-mill malware into sophisticated worms with bank fraud capabilities. With both Zeus and SpyEye code readily available to cyber-criminals, there will be more strains with capabilities to steal financial and other data, researchers predicted.
Facebook won some security praise with its proposed changes to privacy settings, which look very much like what Google has implemented in its "other" social network, Google+. The inline privacy controls will make it easier for users to tell exactly what is visible to whom.
In another win for privacy, Apple deprecated the universal device identifier for its application developers. While the capability will still exist in the upcoming iOS 5, Apple recommended that developers stop using the identifier to track what users are doing, as the feature will eventually be removed and no longer supported.
After researchers identified a class of Web cookies that could stay on the computer even after the user cleared the cache, Microsoft said it had removed them from MSN.com. There were reports that the cookies could respawn even after being deleted, resulting in a "supercookie" that could continue monitoring users despite their request not to be tracked.
Unauthorized Web surfer tracking is at the heart of a lawsuit seeking class-action status filed against Web analytics company comScore this week. Two plaintiffs alleged that comScore used aggressive methods to monitor user activity, modified user security settings and made it impossible to remove the software once it was installed. The lawsuit also claimed it wasn't always clear when the software was installed on the user's computer. However, comScore claims the lawsuit is without merit.
Apache promised a patch to fix a vulnerability in its venerable Web server software that would allow remote attackers to overload the server's CPU and memory resources, resulting in a denial of service. The patch was promised "within 96 hours" because a Perl script capable of launching this denial-of-service attack was posted on the "full disclosure" mailing list. The flaw had been identified several years ago, but had not been fixed previously.
Proving that the hackers under the Anonymous banner aren't the only ones breaking into corporate systems and dumping sensitive information, BitDefender researchers came across Thehacker12's Project Mayhem blog. Acting alone, Thehacker12 has dumped over 102,500 emails and passwords since Aug. 15.
In an Aug. 24 breach of a small business events management company, Thehacker12 released email addresses, user names, passwords and company names for 20,000 employees of various government agencies and companies. The list included the U.S. Small Business Administration, Department of State, Federal Aviation Administration as well as Honeywell and WP Hickman Systems. Thehacker12 released another 66,000 email addresses and passwords from an unknown source on Aug. 25. According to Identity Finder, 64,641 of the passwords were hashed.
Speaking of documents, it turns out that the former WikiLeaks employee who started up the rival OpenLeaks stole and destroyed a number of documents that had been submitted to the whistleblower site. The full no-fly list for United States travelers and documents from Bank of America were allegedly among the destroyed files.
In an analysis of new malware in the second quarter of 2011, McAfee found more malware for Android than for any other mobile operating system. The news came as researchers came across a malicious Android application that could gain root access over smartphones running the "Gingerbread" version of the OS. Rising concerns about mobile-application security will help the mobile-security market reach $14.4 billion in 2017, according to analysts.