Last Week in Security

This was an amazingly busy news week in the security world, with a lot of major stories competing for your attention: Microsoft sharing pre-patch vulnerability data with foreign governments, IBM handing out certified pre-owned USB keys, Google spying on Wi-Fi users. If you missed anything, never fear, we’ve got a quick review of that matters from the last week. Read on.

This was an amazingly busy news week in the security world, with a lot of major stories competing for your attention: Microsoft sharing pre-patch vulnerability data with foreign governments, IBM handing out certified pre-owned USB keys, Google spying on Wi-Fi users. If you missed anything, never fear, we’ve got a quick review of that matters from the last week. Read on.

One of the most intriguing stories of the week was Microsoft’s announcement that it will be sharing early vulnerability data with foreign governments. The announcement did not sit well with a lot of people, who derided it as an organized program for giving zero-days to foreign intelligence agencies. Others said it was no different than what’s already been happening on a less formal level, especially with Microsoft’s large enterprise customers. Microsoft explains: “The Defensive Information Sharing Program (DISP) will offer governments
entities at the national level who are part of both the Government
Security Program (GSP) and Security Cooperation Program (SCP) with
technical information on vulnerabilities that are being updated in our
products. We will provide this information after our investigative &
remediation cycle is completed to ensure that DISP members are
receiving the most current information.”

Not to be outdone on the controversy tip, Google had a busy week, as well. News came out at the beginning of the week that not only had Google been collecting SSID and MAC address data from public Wi-Fi hotspots with its Street View cars, it was collecting and storing information sent over those networks, as well. Not awesome. As The Register reported, Google’s Sergey Brin didn’t dodge the issue–once it was exposed, that is: “Let me just say: We screwed up,” Brin told a room full of reporters
this afternoon at the company’s annual developer conference in San
Francisco. “I’m not going to make excuses about this.”

Attacks on mobile phones have been the bogeyman that security companies have used to scare users into buying mobile licenses for years. As I wrote in a feature this week, those attacks have never really materialized. The real threat, it turns out, is malicious and Trojaned applications showing up in app stores maintained by Apple, BlackBerry and others. Veracode’s Tyler Shields spells out the problem: “App stores have good and bad things about them. Everything is in one
place, which is nice. But the negative is that you have one point of
distribution for potential threats,” Shields said. “If I can get past a
single wall, I can potentially get lots of downloads very rapidly. How
do users know the dangerous apps from the safe ones in the app store?”

Last, but certainly not least, is the embarrassing incident that hit IBM at this week’s AusCERT conference. The company was handing out free USB keys to conference attendees, as vendors are wont to do, but it turned out that these keys had a special feature: a two-year-old piece of malware. IBM’s Glenn Wightwick explains: “The malware is detected by the majority of current Anti Virus products [as at 20/05/2010] and been known since 2008.The malware is known by a number of names and is contained in the setup.exe and autorun.ini files. It is spread when the infected USB device is inserted into a Microsoft Windows workstation or server whereby the setup.exe and autorun.ini files run automatically.”

Others receiving votes:


Suggested articles