Watch Out! 10 Spooky Halloween Security Threats

Halloween Is Here

It's that time of year again. Time for ghosts and ghouls and things that go bump in the night to reawaken and show themselves to mortal beings (Yes, we're holding a flashlight under our chins.)

In the spirit of the season, we thought we'd have a look at some of the biggest Halloween security frights -- malicious worms that run amok, viruses that plague millions of users and giant data-stealing vans that roam the earth, to name a few.

So hold on to the edge of your seat and be prepared to cover your eyes...Mwhahaha

Facebook Privacy

These two words never fail to send shivers down the spine of government bureaucrats, privacy rights advocates, 500 million users, and many others. It's no secret that Facebook is used to being publicly flogged after committing some major privacy faux pas. Even 26-year-old CEO Mark Zuckerberg's generous $100 million donation to Newark public schools couldn't overcome the company's frightening reputation when it comes to protecting users' private information.

In this latest development, Facebook finds itself under the gun by Congress for enabling a loophole that exposed users' social networking ID numbers linked to their profile to third party applications such as Farmville and Mafia Wars. Those third party apps were then at liberty to use the information to track users' online behavior.

Stay tuned for the next chapter in this terrifying tale...

Google StreetView

Beware! Big brother really is watching. Or at least swiping those inflammatory work e-mails and porn sites you visited while in the comfort of your own home.

Like a silent but persistent stalker, Google acknowledged in May that its StreetView cars may have unintentionally swiped some personal user data on unsecured Wi-Fi networks, raising strong concerns with privacy watchdogs. Some of the data included entire e-mails, as well as Web site URLs and passwords. Oops.

There are unconfirmed reports that the once-welcomed Street View cars are now responsible for causing a widespread panic, sending users running for cover.

Watch out... You could be next.

Stuxnet Worm

Okay, so this one might not be nearly as scary as Facebook or Google, but it's up there.

Arguably the most sophisticated and dangerous pieces of malware on the Internet, the Stuxnet worm made waves this fall when researchers found traces of code on Siemens industrial software systems that operate Iran's Bushehr nuclear reactor.

Essentially, the worm is programmed with "search and destroy" code designed to target industrial facilities such as chemical manufacturing and power plants using Supervisory Control and Data Acquisition (SCADA) systems.

Security experts contend that the incident marked the beginning of an age in which the Internet was regularly used in attacks against critical infrastructure.

Not to cause a panic, but this is Halloween, after all.

Apple FaceTime/iOS

Pay no attention to the man behind the curtain. Perhaps its smoke and mirrors that keeps Apple from being scrutinized too closely for its myriad of glitches and privacy flaws. An iOS glitch recently brought to light by users, allows users to circumvent the passcode entry screen on a user's iPhone to access key functions, including phone contacts, call history, voicemail, text messaging and the user's stored photos.

Meanwhile, Apple's new FaceTime for Mac application contains a security flaw that enables potential hackers to change a victim's iTunes password without first entering the old password, allowing them to redirect e-mail addresses and phone numbers or otherwise view a user's personally identifying information. Eeek!

Firefox Firesheep

It turns out users aren't even safe on legitimate sites.

A Seattle developer created a stir in the security community with a Firefox extension specifically designed to break into someone else's Twitter, Amazon , Windows Live, Facebook and other accounts by hijacking their session over a Wi-Fi network.

Essentially, Firesheep is a packet sniffer designed to detect cookies and analyze unencrypted Web traffic on an open Wi-Fi connection between a router and personal computers. The extension enables hackers to capture authentication cookies from one of 26 major Web sites sent over an unsecure network, allowing miscreants to log as the original user. For example a hacker who hijacks a Facebook session, could access a user's Facebook profile picture and then infiltrate the account, even without a password.

So beware -- you never know if that person lurking in the shadows is waiting to strike.

Twitter Worm

Twitter Warning -- clicking on everything can be hazardous to your health. It's the message that tens of thousands of Twitter.com users received this fall after a rapidly spreading worm pummeled them with pop-ups, spam and pornographic tweets and then re-tweeted them to everyone on their contact list.

The attack -- known as the onMouseOver attack -- was launched when hackers exploited a cross-site scripting vulnerability that leveraged the onMouseOver JavaScript code designed to run automatically whenever users visited Twitter.com. Some users received an enhanced version of the attack that re-tweeted itself out to all the Twitter followers on their contact lists.

The giant worm, which ravaged tens of thousands of Twitter users, appears to be at bay for now. But no one knows when it next will resurface.

Oracle's Java

It might look innocent and sweet, but beneath the surface, Java is replete with pitfalls and hacker traps -- so much so that Microsoft recently warned users about an "unprecedented wave of Java exploitation" in 2010.

Microsoft researchers have seen a significant upwards spike of attacks on Java in 2010 stemming from three critical vulnerabilities, two of which have exceeded the one million mark, despite the fact that all three vulnerabilities have been patched for a while.

The most serious Java flaw occurred due to a glitch in Java Runtime Environment (JRE) that allowed hackers to infect around 1.2 million computers in more than 3 million attacks. The second most serious vulnerability stemmed from a critical parsing error that also led to the infections of an additional 1.1 million computers.

Zeus Botnet

Zeus is on the loose and mightier than ever. Zeus also has the power to make people behave in strange ways -- like stealing millions of dollars from U.S. bank accounts.

More than 60 people were arrested this fall for involvement in an international cyber crime ring that used the Zeus botnet do just that. Altogether, the hackers behind the scheme were responsible for lifting about $4 million from U.S. bank accounts, according to federal officials.

The recent wave of arrests is part of a larger ongoing crackdown since July.

In this latest crackdown, federal prosecutors arrested about 20 individuals for bank account fraud and compromising accounts using the Zeus (aka Zbot) botnet, notorious for distributing malware targeting banking and other financial data.

AT&T

For a while there, everything that AT&T touched turned into a nightmare that would prompt even Freddie Krugar to cry for his mommy.

From the get go, AT&T and Apple were engaged in a strange comedy of errors, kicking off a bungled dance with multiple pre-order snafus that forced the telecom to halt sales and extend the delivery date.

AT&T further covered itself with glory in May when hacker group Goatse Security exploited a security vulnerability in its Web application, which enabled a breach that exposed the e-mail addresses of 114,000 iPad 3G customers.

While a security breach would have been bad enough for the beleaguered telecom, the affected iPad customers just happened to include a major list of high-profile Who's Who's, eliciting a Federal Bureau of Investigation probe.

Adobe

Adobe warned users in September that vulnerabilities in Adobe Acrobat/Reader and Flash Player were being used for attacks in the wild.

Okay, so no big news there. But multiple zero-day exploits in one month? C'mon. The Acrobat/Reader attack occurred from a DLL boundary error that triggered a stack-based buffer overflow glitch when attackers trick a user into opening a malicious PDF file, typically through some kind of social engineering scheme. What's more, it affected all the latest and patched versions of Acrobat and Reader for Windows, Mac and Unix.

In the same month, Adobe also released a security advisory warning users of a critical Flash Player vulnerability that -- surprise -- is actively being used by malicious attackers to crash users' computers and take control of their systems. Attackers could trick users into downloading malicious code with an infected PDF or media file, usually through some kind of social engineering ploy.