Monday, July 18, 2011

Everyone is Out to Get You: Including your iPhone and Mom

Remember the X-Files? TRUST NO ONE was Mulder's (*sigh*) favourite saying. Well, thanks to the joys of technology, you can't really trust anything either.

Skype: Now this one is your classic stored cross-site scripting oops. According to German security researcher Levent Kayan, a user can insert JavaScript into the mobile phone field of their own profile. When your friend (or mom) logs into Skype, YOUR profile is refreshed on THEIR computer, and the JavaScript may be executed there, inside their Skype client.

Maybe? Well, there seem to be some mitigating factors. First, you have to be in the person's contact list (duh), and it needs to be someone you talk to a lot (i.e. someone who shows up on your main page). So talking to your significant other could suddenly become more dangerous than talking politics to your mother.

Skype is downplaying this based on the factors just described, and is releasing a patch this week (according to the CW article).
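The bug described above is a profile field that the viewer's client drops straight into its own HTML. Here is a small illustrative example of that pattern, added to this post; it is not Skype's code. The contact-card layout, the field names, the payloads and the phone-number allowlist are all constructed for the demonstration. It shows the vulnerable renderer next to a hardened one that both escapes for the HTML context and validates the field against what a phone number can legitimately contain.

```python
"""Stored XSS through a profile field rendered by a client.

Illustrative example added to this post; it is not Skype's code. The
contact-card HTML, field names and payloads are constructed.
"""
import html
import re

# Constructed profile as the attacker (one of your contacts) saved it.
# The "mobile" field carries the payload.
ATTACKER_PROFILE = {
    "name": "Mallory",
    "mobile": '<script>alert("owned")</script>',
}

# A second payload that needs no <script> tag: it breaks out of a
# quoted attribute value instead.
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(1)'


def render_card_vulnerable(profile):
    """Build the contact card with plain string formatting.

    Whatever the contact typed lands in the HTML verbatim, so a script
    or an event handler injected into a profile field runs in the
    viewer's client, not the attacker's.
    """
    return (
        f'<div class="contact">'
        f'<span class="name">{profile["name"]}</span>'
        f'<a href="tel:{profile["mobile"]}">{profile["mobile"]}</a>'
        f'</div>'
    )


# A phone number has a narrow legitimate alphabet (constructed allowlist);
# anything else is rejected before rendering rather than "cleaned up".
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()./-]{3,30}$")


def validate_mobile(value):
    """Return the value if it looks like a phone number, else None."""
    return value if PHONE_RE.match(value) else None


def render_card_hardened(profile):
    """Escape every field for the context it is written into.

    html.escape(quote=True) neutralises <, >, &, " and ' so the value is
    safe both as text and inside a double-quoted attribute. The mobile
    field is additionally validated; a rejected value renders empty.
    """
    name = html.escape(profile["name"], quote=True)
    mobile = validate_mobile(profile["mobile"]) or ""
    mobile = html.escape(mobile, quote=True)
    return (
        f'<div class="contact">'
        f'<span class="name">{name}</span>'
        f'<a href="tel:{mobile}">{mobile}</a>'
        f'</div>'
    )


if __name__ == "__main__":
    print(render_card_vulnerable(ATTACKER_PROFILE))
    print(render_card_hardened(ATTACKER_PROFILE))
    print(render_card_hardened({"name": "Mom", "mobile": "+49 30 1234567"}))
```

The point of validating as well as escaping is that escaping only protects the contexts you remembered to escape for; a field whose legitimate values are digits and a few punctuation marks should never get the chance to contain a quote or an angle bracket in the first place.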

iOS: Now I will be honest, this may have been fixed already, but this one uses malicious PDF files on an iPad or iPhone. When a person jailbreaks an iPhone (or an iPad) they are basically hacking their own device, exploiting a bug that lets code run with more privilege than Apple intended (use any SIM, install homebrew apps, whatever). Now, what is to stop nefarious people from taking that same hole that allows jailbreaking and using it to exploit somebody else's device? Nothing. Just the poor user thinking grandma sent them a PDF with the recipe for those cookies they love so much, when really it carries the exploit and nasty code (maybe it also includes a recipe for cookies, but not the one you wanted.... drats!).

This was brought up by the 'Bundesamt für Sicherheit in der Informationstechnik' (BSI), the German federal office for information security. Basically, unless you have installed the iOS update Apple shipped for this, you are vulnerable, so watch out for sketchy PDFs. Or, if you ::cough:: have a jailbroken device, the people who developed the jailbreak (JailbreakMe) have released a patch called PDF Patcher 2, which is available through Cydia.
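"Watch out for sketchy PDFs" is hard advice to follow by eye, so here is an illustrative triage script added to this post (not a tool from Apple, BSI or the JailbreakMe authors). The post does not say which PDF feature the jailbreak exploit abuses, so the scanner takes the general approach: it flags the object types that let a document run code or feed hand-crafted data to a parser (JavaScript, auto-run actions, embedded files and embedded font programs), and it undoes the `#xx` name escaping the PDF syntax allows, which is a common way to hide `/JavaScript` from a plain string search. The two sample PDFs are constructed for the demonstration and contain no real exploit.

```python
"""Static triage of a PDF for features that commonly carry exploit code.

Illustrative example added to this post; not a tool from Apple, BSI or
the JailbreakMe authors. The sample documents below are constructed.
"""
import re
from collections import Counter

# Names whose presence warrants a closer look (constructed watchlist).
# Fonts and JavaScript are data the reader must parse or run; OpenAction
# and AA trigger work automatically on open; Launch/EmbeddedFile carry
# other files along.
RISKY_NAMES = [
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/FontFile", "/FontFile2", "/FontFile3",
    "/RichMedia", "/XFA",
]


def decode_pdf_names(data):
    """Undo #xx hex escapes inside PDF names.

    The PDF syntax lets any byte of a name be written as #xx, so
    "/J#61vaScript" is the same name as "/JavaScript". Normalise before
    matching so the obfuscated spelling does not slip past.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data):
    """Return (risky name -> occurrence count, flagged?)."""
    normalised = decode_pdf_names(data)
    hits = Counter()
    for name in RISKY_NAMES:
        # Require a delimiter after the name so /FontFile does not also
        # count /FontFile3 and /JS does not match a longer name.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pattern, normalised))
        if n:
            hits[name] = n
    return dict(hits), bool(hits)


def is_pdf(data):
    """Cheap header check; readers are more lenient, so this is a
    sanity check rather than a parser."""
    return data[:5] == b"%PDF-"


# Constructed: a one-page PDF that just says hello.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 712 Td (hello grandma) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed: the same document with an auto-run action, an obfuscated
# /JS name and an embedded font program (harmless placeholder bytes).
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 6 0 R >> >> >> endobj
5 0 obj << /S /JavaScript /J#53 (app.alert(1)) >> endobj
6 0 obj << /Type /FontDescriptor /FontFile3 7 0 R >> endobj
7 0 obj << /Subtype /Type1C /Length 4 >> stream
\x01\x00\x04\x01
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        hits, flagged = triage_pdf(doc)
        print(label, "FLAGGED" if flagged else "clean", hits)
```

A hit is a reason to look closer, not a verdict: plenty of legitimate documents embed fonts. Compressed object streams (`/ObjStm` with `/FlateDecode`) hide names from this kind of scan, so a real pipeline inflates those first.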

Windows Botnet: Zombies come in three flavours in my mind. There are the really slow (physically and mentally) ones, which would be easiest to fight or flee from (think Shaun of the Dead). Then you've got the ones from 28 Days Later, which are a bit faster and just a tad scarier. No worries, a few more precautions and we are good. Now... imagine zombies as smart as the things in I Am Legend.

Crap.

People are now talking about a botnet called TDL-4, which seems to be the juggernaut of botnets. Coming back to zombies: cutting the hand (an infected node) off the zombie does nothing; that thing is still moving and infecting others. So, learn a thing from the zombie flicks: you gotta cut off the head (the command-and-control, or C&C, servers). TDL-4 uses its own funky (custom) encryption for its C&C traffic, infects the MBR (master boot record) so its loader runs before Windows does and it has a longer shelf life, and uses a public P2P network (the Kad network) as a fallback channel, which makes the C&C infrastructure hard to take down even if the servers go.
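The MBR trick is the part a defender can actually check for. The following is an illustrative example added to this post, not code from Kaspersky or Microsoft: it parses a 512-byte MBR, hashes only the 446-byte bootstrap code, and compares that hash against a baseline taken from a clean machine. A bootkit that overwrites the MBR needs its own boot code but has every reason to leave the partition table alone (otherwise the disk stops booting), so "boot code changed, partition table unchanged" is the tell. The sector images are constructed for the demonstration and are not real TDL-4 bytes; the baseline-hash approach is the assumption here, since the post does not describe how any particular tool detects the infection.

```python
"""Check a disk's MBR against a known-good baseline.

Illustrative example added to this post, not code from Kaspersky or
Microsoft. The sector images below are constructed.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446           # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"       # bytes 510..511


def parse_mbr(sector):
    """Split a 512-byte sector into boot-code hash, partitions, signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def check_mbr(sector, baseline_boot_hash):
    """Return a list of findings; an empty list means the MBR matches."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def make_sector(boot_code, partitions):
    """Build a constructed 512-byte MBR for the demonstration."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b""
    for status, ptype, lba_start, sectors in partitions:
        table += struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype,
                             b"\x00" * 3, lba_start, sectors)
    return code + table.ljust(64, b"\x00") + SIGNATURE


# Constructed clean and tampered sectors that share one partition table:
# one bootable NTFS-type (0x07) partition starting at LBA 2048.
PARTS = [(0x80, 0x07, 2048, 2_000_000)]
CLEAN_MBR = make_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTS)
INFECTED_MBR = make_sector(b"\xeb\x3c\x90EVIL-LOADER", PARTS)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE) or "OK")
    print("tampered:", check_mbr(INFECTED_MBR, BASELINE))
    # On a live Linux host the sector comes from the raw device, e.g.
    #   with open("/dev/sda", "rb") as f: sector = f.read(512)
```

The baseline has to come from outside the suspect machine (an install image, or the same model of disk before deployment), and the read should happen from boot media rather than the running OS: a bootkit that hooks the disk driver can hand back the clean sector to anything that asks through Windows.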

Man I like this post... any time I get to mention zombies its a good day.

More detailed analysis can be found at Sergey Golovanov's (Kaspersky) blog. If you now feel trapped in a sea of zombies and think it's just better to give up, fret not. Guys like Richard Boscovich of Microsoft (Waledac, Rustock) and the FBI (Coreflood), who have taken down other botnets, say nothing is indestructible... you just have to think it through a tad (or maybe a lot) harder.

So, based on this post, your best bet is to switch to Linux and get a flip phone.
