
News briefs: Stuxnet, a Facebook vulnerability unveiled, and more

» A retired U.S. Marine general is being probed as the person responsible for leaking details about Stuxnet to The New York Times. In late June, NBC News reported that Gen. James ‘Hoss’ Cartwright has been under investigation since last year. He is suspected of leaking information about “Olympic Games,” the Stuxnet operation created under President Bush and continued under President Obama. In 2012, the Times revealed that the U.S. and Israel developed the worm to sabotage Iran's nuclear enrichment facilities.

» A security researcher revealed in June that he discovered an easy-to-exploit Facebook vulnerability that, thanks to the social networking service's “Mobile Texts” feature, could enable attackers to take control of a target account. The U.K.-based researcher, who goes by the handle “fin1te,” said Facebook has since patched the flaw. For his disclosure, he was awarded $20,000 through Facebook's Bug Bounty Program. That same month, a researcher also discovered a bug in the site's “Download Your Information” tool, which exposed the contact information of at least six million users. The vulnerability was also reported through the company's vulnerability rewards program. 

» Researchers believe they have discovered the most advanced Android trojan yet. It targets smartphone users – exploiting two previously unknown vulnerabilities in the mobile platform, and a third flaw in separate software, called DEX2JAR – to send text messages to premium-rate numbers and download other malware onto victims' phones. While the threat is not currently widespread, because of its complexity and use of unknown exploits to infect victims, Kaspersky Lab researchers who discovered the trojan, dubbed Obad, called the malware sophisticated and comparable to Windows malware.

» Microsoft, which has long kept the rollout of a bug bounty program at bay, introduced monetary incentives for researchers who report vulnerabilities in its software. In June, the tech giant announced that it would pay bug hunters up to $11,000 for discovering critical vulnerabilities in its Internet Explorer 11 and Windows 8.1 preview software. Meanwhile, the introduction of the incentive came not long after Microsoft severed connections between some 1,400 Citadel botnets and the individual computers under their control. The botnet infrastructure for Citadel, described as a sophisticated cousin of the Zeus banking trojan, is believed to be responsible for the theft of more than a half-billion dollars worldwide.

» Lawmakers unveiled companion bills in the House and Senate that would reform a federal anti-hacking law that critics believe is outdated and has enabled unnecessarily aggressive prosecutions. After months of feedback, Rep. Zoe Lofgren, D-Calif., in late June formally introduced legislation that would amend the three-decade-old Computer Fraud and Abuse Act (CFAA). Sen. Ron Wyden, D-Ore., introduced a companion bill in the Senate. Nicknamed “Aaron's Law,” after the late activist and web developer Aaron Swartz who was being prosecuted under the CFAA when he committed suicide in January, the measure would limit the ways in which people can be charged under existing legislation, and remove provisions of the law that currently allow prosecutors to charge a suspect multiple times for the same alleged crime, increasing their likelihood of higher fines and jail time.

» Opera Software, maker of the Opera browser, disclosed in June that its internal network was targeted in a heist in which the attackers made off with at least one certificate that they subsequently used to sign and distribute malware. The Norway-based company, whose browser is used by roughly two percent of internet users, according to Net Applications, said the hackers did not compromise any data belonging to users, and that the infection has been neutralized.
