Were You Tricked Or Treated?



Yes, Halloween has just passed, but anything to do with Web threats can be a pretty scary thing. Some of the biggest security frights -- malicious worms that run amok, viruses that plague millions of users and giant data-stealing vans that roam the earth -- linger throughout the year. Here are 10 noteworthy ones.

1. Facebook Privacy: It's no secret that Facebook is used to being publicly flogged after committing some major privacy faux pas. In a recent development, Facebook finds itself under the gun by Congress for enabling a loophole that exposed users' social networking ID numbers linked to their profile to third-party applications such as Farmville and Mafia Wars. Those third-party apps were then at liberty to use the information to track users' online behavior.

2. Google StreetView: Google acknowledged in May that its StreetView cars may have unintentionally swiped some personal user data on unsecured Wi-Fi networks, raising strong concerns with privacy watchdogs. Some of the data included entire e-mails, as well as Web site URLs and passwords.

3. Stuxnet Worm: Arguably one of the most sophisticated and dangerous pieces of malware on the Internet, the Stuxnet worm made waves this fall when researchers found traces of code on Siemens industrial software systems that operate Iran's Bushehr nuclear reactor. Essentially, the worm is programmed with "search and destroy" code designed to target industrial facilities such as chemical manufacturing and power plants using Supervisory Control And Data Acquisition (SCADA) systems.

4. Apple FaceTime/iOS: An iOS glitch recently brought to light allows users to circumvent the passcode entry screen on a user's iPhone to access key functions, including phone contacts, call history, voicemail, text messaging and users' stored photos. Meanwhile, Apple's new FaceTime for Mac application contains a security flaw that enables potential hackers to change a victim's iTunes password without first entering the old password, allowing them to redirect e-mail addresses and phone numbers or otherwise view a user's personally identifying information.

5. Twitter Worm: Twitter Warning: Clicking on everything can be hazardous to your health. It's the message that tens of thousands of Twitter.com users received this fall after a rapidly spreading worm pummeled them with pop-ups, spam and pornographic tweets and then re-tweeted them to everyone on their contact list. The attack -- known as the onMouseOver attack -- was launched when hackers exploited a cross-site scripting vulnerability that leveraged the onMouseOver JavaScript code designed to run automatically whenever users visited Twitter.com.

6. Firefox Firesheep: A Seattle developer created a stir with a Firefox extension designed to break into someone else's Twitter, Amazon, Windows Live, Facebook and other accounts by hijacking their session over a Wi-Fi network. Essentially, Firesheep is a packet sniffer designed to detect cookies and analyze unencrypted Web traffic on an open Wi-Fi connection between a router and personal computers. The extension enables hackers to capture authentication cookies from one of 26 major Web sites sent over an unsecure network, allowing miscreants to log on as the original user.

7. Oracle's Java: Beneath the surface, Java is replete with pitfalls and hacker traps -- so much so that Microsoft recently warned users about an "unprecedented wave of Java exploitation" in 2010. Microsoft researchers have seen a significant upward spike of attacks on Java in 2010 stemming from three critical vulnerabilities, two of which have exceeded the 1 million mark, despite the fact that all three have been patched for a while.

8. Zeus Botnet: Zeus is on the loose and mightier than ever. Zeus also has the power to make people behave in strange ways -- like stealing millions of dollars from U.S. bank accounts. More than 60 people were arrested this fall for involvement in an international cybercrime ring that used the Zeus botnet to do just that. Altogether, the hackers behind the scheme were responsible for lifting about $4 million from U.S. bank accounts, according to federal officials.

9. AT&T: From the get-go, AT&T and Apple have been engaged in a strange comedy of errors. AT&T further covered itself with glory in May when hacker group Goatse Security exploited a security vulnerability in its Web application, which enabled a breach that exposed the e-mail addresses of 114,000 iPad 3G customers.

10. Adobe: Adobe warned users in September that vulnerabilities in Adobe Acrobat/Reader and Flash Player were being used for attacks in the wild. OK, so no big news there. But multiple zero-day exploits in one month? The Acrobat/Reader attack stemmed from a DLL boundary error that triggered a stack-based buffer overflow when attackers tricked a user into opening a malicious PDF file.
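
For item 6 (Firesheep), the exposure comes down to authentication cookies crossing the network unencrypted. The Python check below is an added example, not part of the original article: it flags cookies that a site sets over plain HTTP, or over HTTPS without the Secure attribute. The URLs and cookie values are constructed and the function names are hypothetical.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(responses):
    """Return (url, cookie_name, problem) for each cookie exposed to a passive listener.

    `responses` is a list of (url, [Set-Cookie header values]) pairs.
    """
    findings = []
    for url, headers in responses:
        scheme = urlsplit(url).scheme.lower()
        for header in headers:
            name, _value, attrs = parse_set_cookie(header)
            if scheme != "https":
                # The cookie is already visible on the wire when it is issued.
                findings.append((url, name, "set over plaintext HTTP"))
            elif "secure" not in attrs:
                # The browser will also attach it to any later http:// request.
                findings.append((url, name, "missing Secure attribute"))
    return findings


# Constructed sample responses (hosts and values are placeholders).
SAMPLE = [
    ("http://shop.example/login", ["session=3f9a; Path=/; HttpOnly"]),
    ("https://mail.example/login", ["auth=77c1; Path=/; HttpOnly",
                                    "csrf=ab12; Path=/; Secure; SameSite=Strict"]),
    ("https://bank.example/login", ["sid=9e04; Path=/; Secure; HttpOnly"]),
]

if __name__ == "__main__":
    for url, name, problem in audit_cookies(SAMPLE):
        print(f"{url}: cookie '{name}' {problem}")
```
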

BACKTALK: Contact Stefanie Hoffman for all things security at stefanie.hoffman@ec.ubm.com.
