Tomorrow is Black Friday—the official kick off of the holiday shopping frenzy here in the United States, and a day where every business in the world seems to run some sort of special deal to lure shoppers in. Malware developers are looking to get in on some of the Black Friday action as well.
The Sophos Naked Security blog reports that there are fake iTunes gift certificates being distributed via email which are actually malware-laden file attachments. The prospect of a free $50 to spend shopping on iTunes is a compelling deal for rabid Black Friday shoppers.
Given the economic malaise that continues to drag on around the world, it is easy to see why people might jump at this bait any time. When you mix it in with the avalanche of emails advertising Black Friday bargains, and the expectation that a few retailers will have awesome deals worth fighting for, it is even easier to understand why many might click on a file attachment that promises $50 to spend on iTunes.
Smartphones and tablets continue to rise in popularity--among both consumers and malware developers. Traditional malware is still a large and growing threat as well, but mobile platforms represent fertile ground with less awareness and limited defenses. A new report from McAfee illustrates that malware developers are anxious to exploit mobile devices.
Actually, while the star of the McAfee Threats Report: Third Quarter 2011 is mobile malware, it is worth pointing out that 2011 is on track to finish as a record-breaking year for malware in general--exceeding very generous predictions. At the end of 2010, McAfee predicted there would be 70 million new malware samples in 2011, but it has since revised that prediction to 75 million based on the rapid proliferation of attacks.
“This has been a very steady quarter in terms of threats, as both general and mobile malware are more prevalent than ever,” said Vincent Weafer, senior vice president of McAfee Labs.
A water utility in Illinois was reportedly hacked in a cyber attack traced back to Russia. The motives aren’t clear, but the act alone demonstrates how vulnerable our SCADA (Supervisory Control and Data Acquisition) networks are, and the potential risks posed to the critical infrastructure of the United States.
The FBI and DHS are investigating the incident. Attackers were able to obtain login credentials from a company that makes the software used to control industrial systems like the Illinois water pump, and remotely shut it down. The attackers reportedly enabled and disabled the pump repeatedly, eventually damaging it.
This instance is more a nuisance than a real threat, but attacks against SCADA systems can have grave consequences. SCADA systems are specialized control devices used to monitor, manage, and maintain chemical plants, natural gas pipelines, dams, railroad switches, nuclear power facilities, and water treatment plants like the one hacked in Illinois. The potential for endangering lives with a compromised SCADA network is very serious.
Malware just got sneaky! Well, sneakier, that is. Attackers in Brazil have found a way to sneak around antivirus programs by using cryptography.
Recently Dmitry Bestuzhev, Kaspersky Lab's Head of Global Research and Analysis Team for Latin America, was looking over some potentially malicious links from Brazil when he discovered some files with .jpeg filename extensions. At first glance, Bestuzhev thought that they were some form of steganography--the art and science of hiding messages. But upon further inspection, the researcher discovered that they were actually more like .bmp (bitmap) files than JPEGs.
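As an added example (not part of the original post), here is a simple defender-side check for the kind of extension/content mismatch described above: compare a file's claimed extension against its leading magic bytes. The signature table and the sample files are constructed assumptions, not the Brazilian samples themselves.

```python
"""Flag files whose filename extension disagrees with their magic bytes.

Added example, not from the original article: the samples described
above carried a .jpeg extension but were bitmap-like files. The sample
inputs below are constructed (no real malware) to exercise the check.
"""
import os
from typing import Dict, List, Optional

# Assumed signature table: leading bytes for a few common image formats.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "jpg": (b"\xff\xd8\xff",),
    "bmp": (b"BM",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes open `data`, or None if unknown."""
    for name, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None


def extension_matches(filename: str, data: bytes) -> bool:
    """True when the extension's signature equals the sniffed content signature.

    Unknown content or an extension outside the table counts as a mismatch,
    so that unrecognised files are surfaced for review rather than trusted.
    """
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    fmt = sniff_format(data)
    if fmt is None or ext not in SIGNATURES:
        return False
    # .jpeg and .jpg share a signature, so compare magic tuples, not names.
    return SIGNATURES[ext] == SIGNATURES[fmt]


def find_mismatches(files: Dict[str, bytes]) -> List[str]:
    """Names of files whose extension disagrees with their leading bytes."""
    return [name for name, data in files.items() if not extension_matches(name, data)]


# Constructed samples: genuine JPEG/PNG headers plus a BMP header named .jpeg.
SAMPLES = {
    "photo.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "holiday.jpg": b"\xff\xd8\xff\xe1" + b"\x00" * 16,
    "payload.jpeg": b"BM" + b"\x00" * 20,  # bitmap-like content, JPEG name
    "icon.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
}

if __name__ == "__main__":
    for name in find_mismatches(SAMPLES):
        print(f"extension/content mismatch: {name}")
```

A mail gateway or endpoint scanner would apply the same comparison to attachments before any image parser sees them; a two-byte "BM" prefix is weak evidence on its own, so treat a hit as a reason to inspect, not a verdict.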
Smartphones and tablets are evolving from niche luxury devices to mainstream consumer gadgets. As mobile devices become a ubiquitous part of the mainstream culture, malware developers are paying attention and are anxious to exploit the fertile new territory.
Android is the low-hanging fruit because it combines the leading smartphone platform with an open ecosystem, and the ability to purchase apps from diverse, rogue app repositories. Other platforms seem inherently more secure, but are still not invulnerable. Despite the "walled garden" and strict curation of iOS apps, a security researcher recently demonstrated that the Apple App Store has its weaknesses as well.
A statement from McAfee proclaims, "While reported mobile malware incidents are still relatively low in number, McAfee Labs is seeing significant growth in the mobile malware threat landscape."
If you're a gamer who plays titles that use the Steam platform from Valve, you may want to keep a close eye on your personal data.
On Sunday November 6, Steam servers got hacked, and the hackers gained access to the user database. Initially the attack appeared to be against the Steam forums, but Valve later discovered the attack had run deeper than the online community. Details are still a little thin on the ground, but on Thursday Valve, the company behind Steam, posted the following message to its forums:
“We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
Charlie Miller, the perennial winner of the annual Pwn2Own contest for hacking and compromising Apple software, found a serious security flaw in Apple's App Store. Apple's response was to kick Miller out of the Apple Developer program. Shooting the messenger doesn't improve security or make the issue go away, so did Apple do the right thing?
It turns out that the answer is not a simple one. Apple didn't suspend Miller from the Apple Developer program because he found a flaw. It suspended him because he violated the Apple Developer terms of service by intentionally uploading a deceptive app to the App Store, essentially to illustrate that it could be done.
The issue of security researcher ethics and responsible disclosure of discovered vulnerabilities is a hotly debated topic in information security. Vendors want to be notified privately and given time to investigate and develop a patch or solution before the flaw is disclosed publicly. However, vendors are often painfully slow to do so once the information about the flaw has been shared with them, which leads some researchers to "light a fire" under them by going public.