The storm clouds over mobile security continued to gather this week with news of a new browser exploit for Android and a URL-handling attack for iPhones, while OWASP’s AppSec conference in D.C. provided an update on Uncle Sam’s security priorities. Read on for Threatpost’s Security Week in Review.
The security of Google’s Android mobile OS led the news this week, beginning with a new exploit that can be triggered simply by visiting a website on an Android phone. At HouSecCon in Houston last week, researcher MJ Keith presented evidence for the exploit, which targets WebKit, the browser engine used in Android and other operating systems.
Researcher Jon Oberheide discovered another weakness in Android this week. Demonstrated with an app offered for download in the Android Market under the guise of an upgrade to the über-addictive Angry Birds game, the flaw allows an attacker to install malicious third-party applications on a phone without the user’s knowledge.
The security of the iPhone’s operating system, iOS, was also brought to light this week. Researcher Nitesh Dhanjani described how iOS can mishandle some URLs, particularly in the way it parses Skype URLs. While this may not seem like an immediate concern, an application could disguise such a URL in its content and cause iOS to open it as a Skype URL, with the risks that come with an unexpected call or contact.
This week also brought another edition of Microsoft’s monthly Patch Tuesday. This month’s release totaled just three bulletins, fixing 11 vulnerabilities — a big step down from last month’s record-setting release. The patches were mostly centered on Microsoft Office, with some fixes for PowerPoint and Unified Access Gateway.
After weeks of hand wringing about the security of Web applications following the release of the Firesheep browser plug-in, Microsoft also took some time to address the security of its e-mail service, Hotmail. By adding full-session SSL encryption and the option to enable HTTPS on Tuesday, the company responded to the threat of the much-buzzed Firesheep plug-in, which captures session cookies sent unencrypted over a shared network.
Also attempting to combat Firesheep this week was Zscaler, which released a new plug-in, BlackSheep, that notifies users when someone is snooping on their network.
From D.C. came some insight into how the government handles security. In a keynote at OWASP’s AppSec conference this week, Neal Ziring, technical director of the National Security Agency’s Information Assurance Directorate, explained just how much of the agency’s practice is now out in the open.
“Most of what we do in terms of app development and assurance is in the open literature now. Those things are known publicly now.”
AppSec also brought news of the ongoing war against botnets and of a pair of researchers who are developing a new approach to disabling malicious servers. Instead of tracking down the command-and-control (C&C) server, researchers Peter Greko and Fabian Rothschild came up with three methods to slow the rate at which botnets extract stolen data.
While botnets have been a scourge on the Internet lately, the recent crackdowns (Pushdo, Waledac, Bredolab, etc.) have helped curb spam — somewhat, according to a recent Kaspersky Lab report. Volumes dropped 1.5 percent between August and September this year – a number that may be directly related to Pushdo’s demise.
Rounding out the week, private corporations took steps to improve the security of the Internet for everyone. Barracuda Networks started the week by announcing that it would join the ranks of firms like Google, Mozilla and VeriSign by paying a bounty for information on software vulnerabilities. The company’s bounty program is the first by a pure-play security software vendor, with Barracuda promising to match Google’s price for top vulnerabilities and to offer a floor of $500 for information on new software security holes.
After expanding its own bounty program to cover both its Chromium platform and its Web applications, Google found itself having to backtrack a bit. The company gently reminded aspiring researchers that not all Web app vulnerabilities are worthy of bug bounties. New guidelines, published Thursday, make it clear that some low-severity vulnerabilities won’t be rewarded with a bounty.
Finally, Verizon announced a new application that allows businesses to anonymously report data breaches and other security incidents for analysis. The application, dubbed the VERIS Community Application, is based on the company’s Verizon Enterprise Risk and Incident Sharing (VERIS) framework. Verizon Business uses the framework to gather and assess information on the data breach incidents it investigates for its customers, and it can connect the dots between isolated incidents and others the company has tracked.
What’d you find interesting this week? The creator of the Shodan search engine wrote an interesting response to ICS-CERT’s warning about insecure SCADA systems, while Bruce Schneier took a look at a new U.K. startup where privacy and surveillance intersect.