If your office gets quiet in the week leading up to Christmas and New Year's, as many seem to, you may have missed a few interesting security stories during the lull. Let me catch you up in one fell swoop.
Below, I quickly highlight a menagerie of interesting security stories you may have missed over the past two weeks:
- Unpatched Vulnerability in Windows Win32k.sys Component – According to reports, a “researcher” calling himself webDEViL found a memory corruption flaw in Windows’ win32k.sys component, the kernel-mode driver behind the Windows GUI subsystem. By enticing you to a web site containing malicious code, an attacker could exploit this flaw to execute code on your computer; because win32k.sys runs in kernel mode, a reliable exploit could potentially run code at kernel level rather than merely with your privileges. So far, webDEViL has only been able to trigger the flaw via Safari, which isn’t a very popular web browser on Windows. That said, it does affect fully patched Windows 7 64-bit systems, so it poses a fairly severe risk to Windows-based Safari users. Microsoft has not released a patch yet, but I will follow up when they do. For more information, see Secunia’s advisory.
- Siemens Accused of Security Cover-up – Siemens has received a lot of attention from the security industry lately. It first started with the infamous Stuxnet malware, which compromised Siemens software and the equipment it controls, and opened many people’s eyes to the possibility of digital SCADA and ICS attacks. Since then, many researchers have focused on SCADA system vulnerabilities, including a recent example where a researcher found a SCADA system exposed on the Internet protected by only a three-character password. The latest drama comes from a security researcher’s blog, where he accuses Siemens of lying about a security flaw in one of their products. In short, Billy Rios (the researcher) is unhappy that a Siemens PR person claimed there are no open issues regarding authentication bypass bugs in Siemens products. As a result, Rios decided to publicly disclose just such an issue.
- The US Can Now Launch Cyberwars – One of my 2011 predictions (now replaced with 2012’s predictions) talked about Cyberwar escalating, or as I like to put it, “Cyberwar is Now.” A recent change to the U.S. National Defense Authorization Act supports this notion. It states that the Department of Defense can conduct offensive cyberspace operations with the President’s approval.
- Free iPad 2 Offer Lures Gaga Fans – As they say on the Internet (and Star Wars), “It’s a trap!” According to PC Advisor, many users following Lady Gaga on Twitter and Facebook almost had their credentials stolen by following links about a free iPad 2 promotion.
- Anonymous Still Up to No Good – Over the holiday, Anonymous breached Stratfor, a “global intelligence” company in Texas. They reportedly stole 200GB of email and a client list of roughly 4,000 names, including credit card information. In the last week, Anonymous has also threatened to attack Sony and Nintendo over their support of SOPA. As I predicted for 2012, I expect to continue to see this sort of Anonymous-related hacktivism incident throughout the year.
That’s a small taste of the security stories that surfaced over the last few weeks. In general, we’re seeing more security stories a week than we have in years past. I expect 2012 to be a busy year for security professionals and the unprotected alike. — Corey Nachreiner, CISSP (@SecAdept)