Week in Review: Mobile Madness, Firesheep Speaks Up, Myanmar Knocked Offline

2010-11-05T19:33:00
ID WEEK-REVIEW-MOBILE-MADNESS-FIRESHEEP-SPEAKS-MYANMAR-KNOCKED-OFFLINE-110510/74647
Type threatpost
Reporter Chris Brook
Modified 2013-04-17T16:35:44

Description

The specter of politically motivated cyber attacks reared its head again this week, while closer to home, the names of two software giants: Google and Adobe were all over the headlines when it came to security this week, as several bugs were found…and fixed in the companies products. Read
on for the full week in review.

As the new month began, reports surfaced on yet another case of what might be considered cyber warfare or politically motivated cyber attacks. This time, it was the repressive, authoritarian nation of Myanmar that found itself cut off from the Internet by a massive denial of service attack on the country’s Ministry of Post and Telecommunication (or PTT), the main conduit for Internet traffic in and out of the authoritarian nation.

Related Posts

Apple Patches Trident Vulnerabilities in OS X, Safari

September 2, 2016 , 10:00 am

Putting Apple Bug Bounty Rewards in Perspective

August 10, 2016 , 11:00 am

Misuse of Language: ‘Cyber’; When War is Not a War, and a Weapon is Not a Weapon

August 9, 2016 , 9:00 am

Arbor Networks, citing its own data and local reports, said that the attacks may have begun as early as October 25, with Internet access disrupted for both government agencies and private sector firms, with major disruptions to Myanmar’s important tourism industry.

Closer to home, search giant Google announced fixes for 10 vulnerabilities in its Chrome browser. Version 7.0.517.44 was released, along with $7,500 in payments to researchers as part of their previously mentioned bounty program. and said they’d be extending their bug bounty program to web properties
like YouTube and Blogger. The search giant was
already awarding between $500 and $1337 for flaws found in Chromium
but
flaws found in its properties will now be worth between $500 and $3133.7,
depending on their significance.

Holes in Android, Google’s mobile operating system, are not included in
this program – though this week’s news might prompt Google to reconsider that policy. Application code testing firm Coverity said this week they’d found a whopping 359
defects in source code for HTC’s version of Android for the Droid Incredible phone. Eighty eight of those holes were identified as high risk.

The security of mobile applications hit the headlines, too, after the Wall Street Journal picked up on Chicago
firm ViaForensics discovery
of serious security flaws in the
Paypal application for iPhone, and from mobile banking applications from Wells Fargo and Bank of America. eBay, which partners with the payment company
released a patch to mitigate these problems on Thursday.

It was also a week that saw prominent vendors scrambling to plug holes in common platforms in the face of active, zero-day attacks. Microsoft rushed out a patch to the Internet Explorer Web browser on Wednesday, after the discovery of a previously unknown hole that was being exploited. Currently
the bug affects IE 6, 7 and 8 and is reportedly being used in some drive-by
download attacks. While patching details were scant when announced, the company
said they hadn’t ruled out an out-of-band fix.

Adobe
issued an emergency patch of their own on Thursday, fixing the critical bug
that was exposed last week
. The problem, which could be found on Android
and Reader on Windows and Mac, was scheduled
to be fixed next week, Nov. 9
.

Following up on one of last week’s bigger stories, one of
the developers behind Firesheep, the Firefox plug-in that allows you to spy on
your peers, spoke up. Eric
Butler, who created Firesheep alongside Ian Gallagher, claimed the plug-in can
help as much as hurt users.
“Like
any tool, Firesheep can be used for many things. In addition to raising
awareness, it has already proven very useful for people who want to test their
own security as well as the security of their (consenting) friends,”
Butler said via blog post Wednesday.

In this week’s Stuxnet
news, ICS-CERT, a division of US-CERT pointed
out web search engine Shodan can easily detect companies running Supervisory Control
and Data Acquisition software.
supporters and detractors. SCADA, the kind of software exploited by the
Stuxnet worm has come under fire as of late but still has its share of

What’d you find interesting this week? We learned how some
attackers are filtering
their attacks through honeypots
to gain information on those who access
them. Additionally, Rogue
AV attacks were ramped up this week
as users searching for information
about the week’s midterm elections were greeted with suspicious-looking links.