In its Third Quarter 2009 Security Threat Summary F-Secure Corporation reports on major security developments, including leaner and more secure operating systems, the growing importance of safe search results, cybercriminals exploiting social networking websites and celebrity deaths and the re-emergence of past mobile threats.
One of the notable trends during the quarter was a shift to leaner and more secure operating systems. The August release of Mac OS X Snow Leopard was already evidence of this trend, and also included antivirus software to protect against trojans. Microsoft’s soon to be released Windows 7 operating system is also set to be leaner and more secure than its predecessor, Windows Vista, whose insistent user access control feature actually prompted many users to turn it off completely – a potentially unsafe situation. Google announced that it is developing the forthcoming Google Chrome OS using minimalist design principles since most of the applications running on the new OS will be hosted on the web.
During the third quarter, Firefox introduced its new private browsing feature, and released Firefox 3.5.3, which introduced a notification feature for outdated versions of Adobe Flash Player in an effort to reduce security vulnerabilities often created when users don’t keep this software up to date.
On the search engine front, Microsoft and Yahoo! agreed to replace Yahoo!’s search engine with Bing. Microsoft hopes to compete with Google by offering unique features in Bing, such as adult content filtering. Safe search results are now an important feature for consumers. The deaths of Michael Jackson, Farrah Fawcett and Patrick Swayze were quickly exploited by criminals through search engine optimization attacks, which often pointed people to rogue antivirus products. The H1N1 flu has also been used as an emotional “hook” to lead Internet users to scam sites.
As Facebook reached 300 million accounts in September, social media and social networks have continued to attract criminal and political interest. Personal networking connections offer trusted authentication, which criminals abuse by compromising user accounts and linking to malicious sites. F-Secure reminds Internet users about the importance of strong passwords, and that Facebook passwords should be different than passwords associated with the e-mails used to log into Facebook.
In August, news emerged that Twitter was used to direct botnets. Twitter accounts are also being used to push rogue AV products. Also in August, a Georgian blogger’s Twitter, Facebook, LiveJournal, Google Blogger and YouTube accounts were jammed by a politically motivated DDoS attack, as reported by Elinor Mills on CNET. In another coordinated DDoS attack during Malaysia’s National Day on August 31st, hackers targeted a Malaysian-based web host and defaced more than 100 websites, including those belonging to Malaysia’s national institutes, universities, media and businesses.
In the world of mobile phone security, this quarter witnessed the re-emergence of the SMS worm, Yxe (“Sexy View”) – this time in the form of Sexy Space, which behaves much like its predecessor. The new variant, Yxe.D, is again Symbian-Signed, but with a certificate from a different company in China than the earlier version. The old ‘missed call scam’ is also making a comeback. The scam involves a call from an unknown international number, which is immediately dropped when answered. When the curious person calls the number back, she hears a busy tone audio file, when in fact the call is being charged at a premium rate. F-Secure recommends a Google or WhoCallsMe search on unusual numbers before returning unknown calls to avoid nasty surprises in the phone bill. (Source: F-Secure Corporation/GST)