Microsoft’s Internet Explorer can track your mouse movements anywhere on the screen, even when minimized. And Microsoft, which was informed of the massive potential security hole over two months ago, has no plans to fix it. Which means that as you explore the web, the web can explore you right back.

And this vulnerability is already being exploited by two advertising companies.

Spider.io, the ad analytics company that can tell if your site visitors are real or dream of electric sheep, found the vulnerability months ago — and notified Microsoft on October 1. The security vulnerability allows any display ad on any site to access your mouse movements — you do not have to install anything, agree to anything, or even be visiting some of the seedier alleyways of the web:

“An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit,” Spider.io’s Nick Johnson posted on Seclists.org, a security-related bug-tracking site. “This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector.”

Source: Spider.io

IE security vulnerability demonstration

The vulnerability in IE versions 6-10 allows hackers to see what your mouse is doing on-screen … which could include typing personal information such as credit card numbers and passwords into virtual on-screen keyboards, a particularly timely security hole in the era of Windows 8 and its emphasis on touch and on-screen interactions.

“Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month,” Johnson added to the bug report. “As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimize Internet Explorer—your mouse cursor can be tracked across your entire display.”

If you’re using IE on a PC and want to test this, Spider.io created a live demonstration which you can use to observer the vulnerability in action. The company also created a game, “Steal from IE Users,” in which Spider.io is challenging more technically-oriented users to decipher mouse tracks to uncover 12 credit card numbers, telephone numbers, passwords, and email addresses.

One thing that is not yet clear is whether the vulnerability affects just the PC version of Internet Explorer or tablet versions — as in Surface — which would be even more likely to use virtual keyboards. I have talked to Spider.io, and will update this post as the company releases any more information.

VentureBeat has contacted Microsoft for a statement or comment and will update this story as the companyresponds.

photo credit: moiles via photopin cc

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

The good news is that only a small percentage of Android apps are malicious. The bad news is that Android malware is up 216 percent in just three months.

TrustGo, a mobile security company, scanned 175 Android marketplaces all over the world, checking 1.7 million apps and categorizing them as safe, malicious, or risky. They also tracked which countries had the most infested marketplaces, fingering China as the most dangerous country in which to download an app.

A stunning 33.2 percent of apps in Chinese app marketplaces were flagged as “Malicious, High Risk, or Low Risk/Noisy.” And an absolutely ridiculous 63 percent of apps on another marketplace, the Anzhi app store, were classified as risky.

This is not the first time in the last few weeks we’ve heard about about Android security. Just at the beginning of this month McAfee said that Android security threats were up a shocking 700 percent.

Interestingly, Google Play is only the fifth safest Android market, with at least 90 malicious apps found. Amazon’s app store is actually safer, and Aproov, a European app store, is the safest of all, with just a 2.1 percent risk rate.

If you’re looking for safe apps, you might want to steer clear of games, which are the most infected. Social networking and productivity apps are the safest.

Here’s the TrustGo infographic with all the information:

photo credit: docpop via photo pin cc

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

Getting your data back might cost you big time. Same for not having “those pictures” spread all over the Internet. And that’s just one of the new attack vectors targeting Android phones in the past few months, according to security firm McAfee.

Source: McAfee

Malware samples found so far

Mobile malware tracked by McAfee has exploded this year, growing almost 700 percent over 2011 numbers. Almost all of it, perhaps 85 percent, targets smartphones running Android.

The attacks range from the traditional and fairly well known email-with-bogus-attachments to the downright Machiavellian: drive-by downloads. Similarly to desktop drive-bys, simply visiting a site initiates the attack.

Once they’re in, your data can be held hostage as “ransomware” threatens deletion — or publication — unless you pay up.

Users still need to authorize an install, but as McAfee says, “when an attacker names the file Android System Update 4.0.apk, most suspicions vanish.” That’s because it looks like an official update to the Android operating system.

In the past three months alone, McAfee has seen 2.7 million new websites on 300,000 new domains that are either infected or created specifically by malware authors to trap the unwary.

The big surprise in the huge increase on Android isn’t that Android is being attacked: Google’s smartphone platform has been a key focus for the bad guys for some time. The big surprise is that Google has not managed to stem the tide in any significant way.

Source: McAfee

Mobile malware by platform … where’s iOS?

Security concerns on Android should not be news to Google, and Google should be putting security at the top of its list of priorities. But Google’s Bouncer software, which is supposed to be protecting users by scanning apps on Google Play for any malicious code or behavior, often appears to be asleep at the switch and easily fooled.

Shades of London Olympics Widget, anyone?

Even worse, Bouncer can only scan Google Play, the official Android app store, not Amazon’s Android market, or any of the other Android markets that appear.

That’s bad news for Android users, bad news for Android, and bad news for Google. McAfee’s “Total Mobile Malware by Platform” graphic doesn’t even show Google’s biggest competitor in the smartphone war: Apple’s iOS.

See that tiny purple sliver? IOS is buried in there, somewhere. Security is so tiny an issue, in spite of a recent SMS spoofing issue, an in-app purchasing problem, and one discovered Trojan on the app store, Apple doesn’t even get its own slice.

The answer can’t just be the standard “educate the users.” The users aren’t going to get it on their own.

Google needs to do more to ensure its mobile platform is safe and secure.

photo credit: kk+ via photo pin cc

The threat is only in the last two versions of Mac OS X: Snow Leopard and Lion.

Intego describes OS/X Crisis as a Trojan dropper, which is a class of malware that is disguised as a game, screen saver, or a music file. It installs itself without users even being aware and then attempts to cover its tracks and mask its existence.

“It makes a lot of effort to hide itself, which is not very common in Mac Trojans,” Lysa Myers, a security researcher with Intego, told VentureBeat. ”[That effort] is much more common in Windows Trojans.”

Most of the files that the Trojan creates are randomly named in order to avoid easy detection and removal, but a number of names appear consistently, and users can search for them to check if they are infected.

If  the Trojan is installed on a Mac running in root or administrator mode, these files will be present on the system:

• /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
• /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
• /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

If you’re a bit more of a suspicious person, however, and don’t run your system as root or admin, only this file will be present:

• /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

Once installed, OS/X Crisis calls home to IP address 176.58.100.37 every five minutes, presumably to await instructions. That IP address may change over time, as malware authors often build in features resistant to simple blocking.

One question you might be asking: If it’s not “in the wild” yet, how did Intego find it?

I asked Myers that question, and she said that, as security researchers, Intego personnel spend a lot of time in the dark, nasty recesses of the web. In addition, malware writers often upload their wares to forums and security sites to test if their software is detectable by security software.

Image credit: MG1408/ShutterStock

Update: The United Nations is sending out a warning to member countries about cyberwar tool Flame.

Iran has confirmed the presence of a new and highly complex piece of malware targeted at Middle Eastern countries. The virus, called Flame, is said to be as worrisome as Stuxnet, which plagued Iranian nuclear systems in 2010.

“This malware is a platform which is capable of receiving and installing various modules for different goals,” Iran’s CERTCC said in a blog post. “The research on these samples implies that the recent incidents of mass data loss in Iran could be the outcome of some installed module of this threat.”

Iran says that it has created an anti-virus tool that can detect Flame, as well as a removal tool, which is being distributed.

The New York Times is reporting that this virus has hit high-ranking Iranian officials. Russian security company Kaspersky Lab first unveiled the virus yesterday, saying it was one of the most complex cyberwar tools it has ever seen. It may have been running unchecked for at least two years, and was attacking a number of household computers around the Middle East. The firm found Flame while researching another virus called Viper, which was deleting hard drives in the Middle East and recently caused Iran to shut down Internet access to its oil infrastructure.

The United Nations is sending out a warning about Flame to its member countries agreeing that it may be a state-sponsored attack, according to news site Aljazeera.

“This is the most serious [cyber] warning we have ever put out,” said UN cyber security coordinator Marco Obiso, cyber security told Aljazeera.

Flame has the ability to turn on a computer’s microphone and record audio of conversations happening around the computer. It can listen for when you open up “interesting” communications programs, such as an instant message box, and take screenshots to record the conversation. It can also watch for your keystrokes, and listen in on your network, all the while sending this information back to its many command and control servers.

Both Iran’s CERT and Kaspersky note that it is similar to Stuxnet, a state-sponsored virus that was used to attack infrastructure that provided fuel to Iran’s nuclear program. Flame does not attack these types of systems, or SCADA systems. However, Kaspersky believes that like Stuxnet, Flame is a state-sponsored attack, and according to the New York Times, Israel may be hinting its involvement.

“Anyone who sees the Iranian threat as a significant threat, it’s reasonable that he will take various steps, including these, to harm it,” said Moshe Yaalon, Israel’s vice prime minister and strategic affairs minister, on Army Radio Tuesday. “Israel was blessed as being a country rich with high-tech, these tools that we take pride in open up all kinds of opportunities for us.”

via The New York Times; Flame image via Shutterstock

Many of the giant social network’s 800 million active users have found a flood of pornographic and gory images popping up on their news feed lately.

The reason for this is a linkspam virus (under the guise of celebrity news about Kim Kardashian — among others) that’s exploiting Facebook’s new media-rich Timeline upgrade. When users click a malicious link, it turns their news feed into a stream of pornographic, gory, violent and/or just plain unpleasant images.

It’s unclear who is to blame for the linkspam attacks, although many are pointing the finger at online hacktivist group Anonymous. Facebook isn’t saying much about the incident, but the company did send us the following statement:

“Protecting the people who use Facebook from spam and malicious content is a top priority for us and we are always working to improve our systems to isolate and remove material that violates our terms. We have recently experienced an increase in reports and we are investigating and addressing the issue.”

Have you experienced unpleasant images in your news feed due to the recent linkspam virus? Leave us a comment below.

Update – 1:10pm (PT): Facebook sent us another statement with some additional information about the exploit.

Recently, we experienced a coordinated spam attack that exploited a browser vulnerability. Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible.    During this spam attack users were tricked into pasting and executing malicious javascript in their browser URL bar causing them to unknowingly share this offensive content. Our engineers have been working diligently on this self-XSS vulnerability in the browser. We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it. We have also been putting those affected through educational checkpoints so they know how to protect themselves. We’ve put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people.

[Photo via Reddit user HLef]