Security Week In Review, May 29-June 1
Maybe it was something in the water, but the last week of May was indeed a week of extremes–from the biggest threat on record to the tiniest Trojan to an unusual and completely unexpected act of transparency from Apple. Here’s what the security landscape looked like for May 29-June 1.
Flame Ignites Fire In Security Community: It might be hard to imagine an attack that can outpace unprecedented targeted threats such as Stuxnet and Duqu. But last week, the emergence of the Flame virus on the security landscape put them all to shame.
The Flame virus, an insidious 20 MB piece of data-stealing malware first detected by Kaspersky Lab last Monday, appeared to have gained traction on hundreds of targets in the Middle East, particularly Iran, Syria and Palestine, eliciting suspicions that the virus was created by Western governments as a means of enacting cyberwarfare.
Altogether, Flame, which exploits some of the same Windows vulnerabilities as its predecessor Stuxnet, is armed with a slew of unique tools in its belt. Some defining characteristics include the ability to record audio around the victim’s computer, capture screenshots, and upload copious amounts of data to remote servers via encrypted channels, all while stealthily dodging some of the most robust anti-virus solutions on the market.
Thus far, researchers are still not clear about the virus’ point of entry or what its intended target is, if any, and anticipate months of research ahead to further understand the threat.
U.S. Created Stuxnet To Attack Iran: Meanwhile, the Obama Administration apparently hit the ground running during its first few months in office by secretly ordering the creation of cyberattacks that would target Iran’s most prominent nuclear enrichment facilities, according to a New York Times report.
The cyberattack in question, developed as a joint effort between the U.S. and Israel, was none other than the notorious Stuxnet virus, designed specifically to target nuclear facilities relying on SCADA systems. All told, the worm was intended to thwart Iran’s nuclear efforts, in lieu of a heavy artillery strike.
The plan appeared to go awry, however, when code escaped from its intended target and circulated freely on the Internet during the summer of 2010. Despite this hiccup, the Obama administration decided to continue with the attack, in light of the fact that it was continuing to do damage to Iran’s facilities. All told, the final wave of Stuxnet attacks took out 1,000 of the 5,000 centrifuges Iran was then using to purify uranium.
Meanwhile, the creation of Stuxnet represents the first time the U.S. has acknowledged the sustained use of cyberweapons to target other governments.
World’s Smallest Trojan Packs A Punch: Bad things come in small packages. That became apparent when the CSIS Security Group discovered a teensy weensy banking Trojan, dubbed Tinba (short for Tiny Banker).
Tinba is a small but mighty Trojan that worms its way into browsers to lift sensitive financial data and sniff network traffic. The Trojan is one of the smallest banking threats ever discovered, weighing in at 20 KB, and clearly demonstrating that not all threats have to be 20 MB behemoths in order to pack a wallop.
Despite its small size, its capabilities are on par with those of its fully grown counterparts. Among other things, the tiny Trojan employs Man-in-the-Browser attacks (like a Man-in-the-Middle attack, but with a Trojan horse inside the browser intercepting the traffic) and Web inject exploits designed to manipulate sites during an attack. Once injected, Tinba reads settings from its configuration files and intercepts and manipulates traffic through numerous browser APIs, according to CSIS.
Its antics also allow it to bypass two-factor authentication technologies and impersonate login pages that trick users into submitting account credentials or credit card data, while easily evading detection by known antivirus software.
Apple Issues Security Guide For iOS: In an uncharacteristic move, Apple is helping to educate and arm users against threats by releasing a security guide for its iOS operating system, illuminating the inner workings of some of its infrastructure and security mechanisms.
Altogether, the iOS Security Guide provides a comprehensive look at Apple’s iOS, which powers Apple mobile devices such as its iPhone, iPad and iPod touch, by laying out system architecture, data protection and network security features.
Discussed at length in the new guide, co-authored by Apple expert Charlie Miller, is the address space layout randomization (ASLR) implementation, a security function designed to block attacks that exploit memory corruption glitches.
The guide also details Apple’s code-signing process for iOS apps—an integral part of its architecture and one of Apple’s main security features that distinguishes it from Android OS and other competitors in the mobile space.
The release of the guide represents a radical departure for the Cupertino, Calif.-based company notorious for keeping any details of its inner workings under strict lock and key.
Microsoft Gets Flak For Do Not Track: Sometimes you can’t win for losing. This time, Microsoft received a bit of heat for its stance on Do Not Track, which is turned on by default in the Internet Explorer 10 browser that ships with its impending release of Windows 8.
Do Not Track is a browser mechanism that lets users signal that they do not want the tracking Web advertisers use to assess their online behavior and activities. That tracking info gives advertisers the insight to tailor their ads to their customers’ preferences.
While not required, many Websites and browsers have implemented the DNT privacy mechanism to give users more of a say about how their online behavior is used and shared. But it doesn’t always go over well.
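To make the mechanism concrete, here is an added example, not from the original article and not Microsoft’s or any browser vendor’s code, of what a site that chooses to honor Do Not Track does on the server side. IE10 (and other browsers with the setting enabled) sends a `DNT: 1` request header; the header name and the values `1` (do not track) and `0` (user consents), along with the `Tk` response header, follow the W3C Tracking Preference Expression draft. The function names, the cookie name and the sample requests are constructed for illustration.

```python
"""Server-side handling of the Do Not Track (DNT) request header.

Added example: a site that honors DNT reads the header the browser sends
and skips setting its tracking cookie. The header names/values follow the
W3C Tracking Preference Expression draft; everything else (function names,
cookie name, sample requests) is constructed for illustration.
"""

from typing import Mapping, Optional

TRACKING_COOKIE = "ad_profile_id"  # hypothetical name of the site's tracking cookie


def dnt_preference(headers: Mapping[str, str]) -> Optional[bool]:
    """Return True if the user asked not to be tracked (DNT: 1), False if the
    user explicitly consented (DNT: 0), or None if no preference was sent.

    HTTP header names are case-insensitive, so the lookup is too.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "1":
                return True
            if value == "0":
                return False
            # Any other value is malformed: treat it as "no preference"
            # rather than guessing what the user meant.
            return None
    return None


def tracking_allowed(headers: Mapping[str, str], default_when_unset: bool = True) -> bool:
    """Decide whether this request may receive the tracking cookie.

    DNT: 1 always wins. When the header is absent or malformed the site
    falls back to its own policy, given here as default_when_unset (True
    reproduces the opt-out default advertisers argued for).
    """
    pref = dnt_preference(headers)
    if pref is True:
        return False
    if pref is False:
        return True
    return default_when_unset


def build_response_headers(
    request_headers: Mapping[str, str],
    default_when_unset: bool = True,
    profile_id: str = "constructed-id-0001",  # constructed sample identifier
) -> dict:
    """Build the response headers for a page view.

    The tracking cookie is set only when tracking is allowed, and the
    decision is echoed in the Tk response header from the W3C draft
    ("N" = not tracking, "T" = tracking).
    """
    response = {"Content-Type": "text/html"}
    if tracking_allowed(request_headers, default_when_unset):
        response["Set-Cookie"] = f"{TRACKING_COOKIE}={profile_id}; Path=/; HttpOnly"
        response["Tk"] = "T"
    else:
        response["Tk"] = "N"
    return response


if __name__ == "__main__":
    # Constructed sample requests: one from a browser with DNT on by default
    # (as IE10 does), one from a browser that sends no preference at all.
    ie10_request = {"User-Agent": "constructed IE10 UA string", "DNT": "1"}
    silent_request = {"User-Agent": "constructed UA string"}
    for label, req in (("IE10", ie10_request), ("no DNT header", silent_request)):
        print(label, "->", build_response_headers(req))
```

The design choice that caused the DAA’s complaint lives in `default_when_unset`: whether a user who has said nothing gets tracked. With DNT enabled by default, the `DNT: 1` branch fires for every IE10 user, which is exactly the outcome advertisers objected to.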
This time, the Redmond, Wash.-based software giant received some heat from the Digital Advertising Alliance (DAA), a coalition of media and marketing companies, which maintained that Microsoft’s decision to automatically enable DNT would limit the “availability and diversity” of Internet content and services, while potentially narrowing the scope of consumer choices and undermining business models delivered via the Web.