• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Security Stories You May Have Missed Over the Holidays

January 4, 2012 By Corey Nachreiner

If your office gets quiet around the week leading up to Christmas and New Years, as many seem to, you may have missed a few interesting security stories during this lull. Let me catch you up in one fell swoop.

Below, I quickly highlight a menagerie of interesting security stories, which you may have missed over the past two weeks:

  • Unpatched Vulnerability in Windows Win32k.sys Component – According to reports, a “researcher” calling himself webDEViL found a memory corruption flaw in Windows’ win32k.sys component. By enticing you to a web site containing malicious code, an attacker could exploit this flaw to execute malicious code on your computer, with your privileges. So far, webDEViL has only been able to exploit the flaw via Safari, which isn’t a very popular web browser for Windows systems. That said, it does affect fully patched Windows 7 64-bit systems, thus poses a fairly severe risk to Windows-based Safari users. Microsoft has not released a patch yet, but I will  follow up when they do. For more information, see Secunia’s advisory.
  • Siemens Accused of Security Cover-up – Siemens has received a lot of attention from the security industry lately. It first started with the infamous Stuxnet malware, which owned Siemens-based software and equipment, and opened many peoples eyes to the possibility of digital SCADA and ICS attacks. Since then, many researchers have focused on SCADA system vulnerabilities, including a recent example where a researcher found a SCADA system exposed on the internet with only a three character password. The latest drama comes from a security researcher’s blog, where he accuses Siemens of lying about a security flaw in one of their products. In short, Billy Rios (the researcher) is unhappy that a Siemens PR person claimed there are no open issues regarding authentication bypass bugs in Siemens products. As a result, Rios decided to publicly disclose just such an issue.
  • The US Can Now Launch Cyberwars – One of my 2011 predictions (now replaced with 2012’s predictions) talked about Cyberwar escalating, or as I like to put it, “Cyberwar is Now.” A recent change to the U.S. National Defense Authorization Act supports this notion. It states that the Department of Defense can conduct offensive cyberspace operations with the President’s approval.
  • Free iPad 2 Offer Lures Gaga Fans – As they say on the Internet (and Star Wars), “It’s a trap!” According to PC Advisor, many users following Lady Gaga on Twitter and Facebook almost had their credentials stolen by following links about a free iPad 2 promotion.
  • Anonymous Still Up to No Good – During the holiday, Anonymous breached Stratfor, a “global intelligence” company in Texas. They reportedly stole 200GB of email, and a client list of 4000, including credit cards info. In the last week, Anonymous has also threatened to attack Sony and Nintendo due to their support of SOPA. As I predicted for 2012, I expect to continue to see these sort of Anonymous-related hacktivism incidents throughout the year.
That’s a small taste of some of the security stories that surfaced over the last few weeks. In general, we’re seeing more security stories a week than we have in years past. I expect 2012 to busy year for security professionals and the unprotected. — Corey Nachreiner, CISSP (@SecAdept)

Share This:

Related

Filed Under: Security Bytes Tagged With: Phishing, Safari, SCADA, Siemens, Windows zero day

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • Here Come The Regulations
  • Cybersecurity’s Toll on Mental Health

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use