Security Week in Review
True to numerous New Year’s security predictions, vulnerabilities are emerging as easy, low-hanging target for hackers. Flaws, vulnerabilities and exploits defined this week in security, hitting popular platforms such as Skype, Java and Android. Congress is again mustering its strength and dusting off ambitions to revisit another cybersecurity legislation fight.
Here’s a look at the top stories of the week.
Skype Bugs Hit With One-Two Punch
This week, Skype got pummeled from all sides. The popular video chat application had a rough ride after researchers discovered two new strains of malware:
* Bublick enables remote access, giving attackers the ability to download plug-ins and files to a C&C server and monitor browser activity. Operators can then gather and report on data and network information.
* The Phorpiex worm targets removable drives and spreads on Skype messages via links to sites hosting the worm. It can download malware onto the infected system and send itself out in e-mail attachments, before deleting itself.
The attacks come as a one-two punch after the banking worm Shylock, which surfaced the week before, developed an ability to spread via Skype. Shylock made a name for itself by sending messages, transferring files, cleaning messages from Skype history and bypassing alerts to users about connecting to Skype.
More Java Drama
Java again became the subject of scrutiny when miscreants exploited it and Internet Explorer zero-day flaws to compromise the free press advocacy group Reporters Without Borders’ site. It was the subject of a persistent watering hole attack campaign that leveraged the unpatched Java and IE vulnerabilities to launch attacks against high-value sites, according to Avast researchers.
The attacks, appearing to be sourced to China, have concentrated on human rights and political organizations. In particular, attackers behind the Java exploits turned their cannons on Tibetan, Uygurand Hong Kong sites, making them the most prominent victims in the operation.
Android Malware on the Loose
Another Android Trojan is making the rounds on the threat landscape. Android.Troj.mdk, which reportedly infected one million Chinese Android devices, is the latest variant of the Bankscript malware, according to researchers at Symantec.
The latest iteration distinguishes itself by using an advanced encryption standard on server and command data. The Android Trojan enables operators to control their victims’ devices, harvest user data, download APKs and generate pesky adware once it’s installed.
Perhaps not surprisingly, the Trojan is masked in popular games such as Temple Run and Fishing Joy, designed to entice users to unwittingly install it. It then relies on tried-and-true tricks – dynamic loading, data encryption and code obfuscation – to evade detection.
Senate Dusts Off Cybersecurity Bill
The U.S. Senate is attempting to reaffirm cybersecurity as a national priority. Again.
Last week, Democratic leaders of the Senate Homeland Security, Commerce and Intelligence committees introduced S. 21 – the Cybersecurity and American Cyber Competitiveness Act. Like its predecessor, the Cybersecurity Act 2012 defeated in the Senate last year, the proposed legislation attempts to protect critical infrastructure from foreign and domestic cyber threats.
The new bill aims “to secure the United States against cyber attack, to improve communication and collaboration between the private sector and the Federal Government, to enhance American competitiveness and create jobs in the information technology industry and to protect the identities an sensitive information of American citizens and businesses.”
As with numerous pieces of cyber-legislation, technology organizations and industry leaders are urging Congress to incorporate language ensuring the ability to share information freely between private entities and the public sector. This latest attempt to enact comprehensive federal cyber-legislation includes language facilitating the free flow of critical threat information between organizations.