This last week, I had an embarrassing moment when my Facebook account started posting weird “Likes” (in my case, “97 Hottest Women in the World 😀 :: on www.97hottestwomen.com” – seriously, not my interest), which claimed that I endorsed the site. What makes things worse, in an SNS enviornment like Facebook, your network of friends supposedly share the same interests, ideals and trust, so there is a higher tendency that your friends will further click on these links based on a “Like” endorsement. I was only made aware of this “Like” link because a friend happened to comment on my interesting taste in pages.

Anyway, when I decided to research this issue, I began to realize how often security has been featured in the news this month. Therefore, I thought I’d take this opportunity to summarize the most interesting security stories for the month and post them to my main blog site (as opposed to my security blog site) on a periodic basis.

Back to the Facebook issue. Apparently, earlier this month over 100,000 people (at least it wasn’t just me) were victim to both Facebook and the users’ browser issue that made them unwitting endorsers of various scam pages. This practice, now commonly referred to as clickjacking, exploits a bug in the user’s Internet browser by overlaying an invisible iframe on top of a web page link. This then effectively creates an invisible “Like” button on the website, which tricks the user into pressing it. Website and browser security is now at a point where users cannot authenticate the actual website they are interacting with.

In other interesting security news, who needs key loggers when Dr. Doug Tygar of UC Berkeley can pick up just the acoustic emanations and use two types of frequency analysis to find out what you are typing. The first thing his software does is to assign keys to the frequency they emit when a key is pressed. Next, his software uses “old world” code-breaking techniques and the frequency of the keys with a statistical model of the English language in order to determine what is being typed. This can become a very easy exploit since an attacker only needs to run a piece of software in the background that uses the computer’s built-in microphone to pick-up the key press noise.

In other news, AT&T exposed the e-mail addresses and ICC-ID, or integrated circuit card identifier of the SIM card, of 114,067 early adopters (another hazard of buying things early) of the recently released iPad 3G. This alone would usually not mean much (except for the e-mail addresses and the rash of phishing and SPAM attacks – as I have personally noted an increase in), but, unfortunately, the way the Apple iPad ICC-ID is coded, the International Mobile Subscriber Identity (IMSI) for AT&T can be figured out relatively easily, and all sorts of other mischief can result (a future article).

In other news there was also an increasingly rare, yet worth noting, vulnerability in the XP and 2003 versions of the Windows operating system. What makes this noteworthy is that it allows attackers to take full control of a PC just by luring the user to a booby-trapped website. Speaking of booby-trapped websites, this month, it was noted that over 100,000 websites were infected by attackers, which included large corporations, police and even news outlets like the Wall Street Journal.

On a good note, Intel was in the news this month, showing the company’s proactive stance at a recent semiconductor conference by stating that security was “job one.” However, it is interesting to see how the speed of encryption and decryption (the heart of security) is always balanced with power consumption. Furthermore, a technology like true random number generation (which is actually very hard to do) is now finally becoming a reality at the chip level. At least someone is starting to get serious about security.

Finally, here is a list of recently released products that had a little “something extra” for the users this month:

  • 1700 of the new Olympus Stylus Tough 6010 Digital Camera came pre-shipped with a virus on the XD card
  • Several Samsung S8500 Wave phones sold in Germany had micro-SD cards that were infected with W32/Heur
  • IBM handed out infected USB flash memory devices at the AusCERT conference in Australia. This was a conference where high level professionals in the security field were infected with the W32/LibHack-A and W32/Agent-FWF virus. This was both awkward for IBM and ironic for the attendees.
These aren’t actually unique or isolated incidents. In the past, some prominent examples have been:
  • Energizer Duo USB battery chargers that draw power from a USB port, which also installed a hidden backdoor that allowed attackers remote access
  • TomTom GO 910 satellite navigation devices with two pieces of malware, the W32/Perlovga.A Trojan and TR/Drop.Small.qp which also installed a backdoor on a users computer
  • Apple video iPods had shipped with the TR/Bdoor-DIJ Trojan horse
  • McDonald’s Japan recalled 10,000 MP3 players which were infected with the W32/QQPass.worm that captured passwords from a users computer

All of these products exploited the AutoRun feature of the Windows operating system. While it makes it convenient for the user when the install/setup program runs automatically the first time you plug in these devices, it also allows malicious software to run as well. I highly recommend that you disable (and make sure it is) the AutoRun feature to eliminate these and other scarier threats (another future article).

Your comments are always welcome.