From the discovery of the first serious iPhone 3G exploit to the sighting of a new Captcha-conquering bot, the past week has proven interesting in the world of IT security, so much so that I've decided to take a look at several of the stories that have cropped up, rather than doing my regular deep-dive into a specific topic.
Chrome, the last browser standing at Pwn2Own
Results of TippingPoint's CanSecWest hacking contest, Pwn2Own, once again demonstrated that building a perfectly secure Internet browser is very difficult. Even though Firefox and Apple rushed out dozens of last-minute security patches before the big contest, Firefox, Safari, and Internet Explorer 8 all quickly fell. A Safari bug even led to the first serious documented iPhone 3G exploit.
The only browser left standing was Google's Chrome. Many observers attributed this success to Chrome's aggressive security model (which is truly impressive in many ways). But that would ignore the fact that Chrome has had at least 18 documented vulnerabilities in the past three months alone -- nearly one-third of which would enable a malicious hacker to compromise a system or bypass access controls. Those 18 vulnerabilities in Chrome followed 16 others reported during the three prior months -- 60 percent of which could lead to system compromise or security control bypass.
This is not to say that Google Chrome isn't a secure browser. It's just that all the popular browsers seem to have their imperfections over time. Personally, I'd love to see the Opera browser invited to participate in the contest, especially because it has always been a major player in the smartphone space.
Malicious ads spawning from "trusted" sites
Antimalware company Avast reported that the majority of malicious ads (those containing malware or malicious scripts) are propagated by some of the most popular and trusted services, such as Google, Yahoo, and Fox. These ad services provide advertising content to tens of thousands of sites, including the ones that most people consider to be legitimate, and unsuspecting visitors can easily end up infected.
Readers of this column won't be surprised by this, as I've been talking about malicious ads for over two years. This is just one more bit of research that proves that most people are getting exploited by visiting legitimate Websites. Heck, a pay-for-view porn site may actually be one of the safer places to visit. Banner ad companies need to do a better job of policing their own services and content.
Bot solves Captchas using audio
Most popular Webmail sites require new users to answer a Captcha challenge (which requires typing in obscured letters to validate) to activate a new address. This is to stop malicious hackers and spammers from using the free service to send unauthorized content. Spammers, in particular, have invented all sorts of ways to get around the Captchas. Initially, they built very accurate OCR engines to answer the Captchas. Email vendors responded by making the text ever more difficult for OCR to identify. In fact, it's so bad now that even though I have 20/20 vision, I often struggle to figure out which letter I should be typing in.
To meet the needs of the visually impaired, vendors now allow users to listen to an audio clip of the Captcha characters they need to retype. In response, a new malware creation has emerged: According to The Register and confirmed by several antivirus companies, a new spam bot has built-in capabilities to listen to the audio files and simulate typing in the answer. The bot is apparently quite accurate -- a point goes to the spammers.
This approach is now my "favorite" Captcha-bypassing technique. Before, it was spammers hiring people (often in third-world countries) to bypass the Captchas all day long.
Convicted hacker gets to keep most of what he stole
In a disappointing development, judges continue to mete out astoundingly insignificant punishment for cyber criminals. While I'll admit I don't know all the facts in this popular case, it seems to me that a key player -- who wrote the exploit code for one of the world's biggest hacks -- got away with just a delicate slap on the wrist.
Twenty-nine-year-old Jeremy Jethro received $60,000 for writing exploit code that he gave to Albert Gonzalez. As punishment for his crime, Jethro got three years' probation and a $10,000 fine. Gonzalez is probably the most popular and well-known American hacker since Kevin Mitnick. He has been charged with multiple crimes, including stealing 90 million credit card numbers and information from at least half a dozen of the biggest stores in the world. That's only what the authorities know about.
Jethro has, of course, found religion after being caught. That's all great. What I don't understand is why he doesn't even have to pay back the entire $60,000, not to mention the prosecution and court costs that it took to sentence him. Help rob a physical bank or store and you can be assured you'll spend time in prison and have to pay back all of your ill-gotten gains. Why don't the same rules apply in cyber space?
Congress setting sights on countries harboring cyber criminals
To end on some positive news, Congress is attempting to pass a law that would require the United States to identify countries providing cyber crime safe havens and institute trading penalties. This isn't exactly new, as I know the Bush administration threatened something similar with Nigeria over all the Nigerian spam letters -- although I don't know the eventual outcome of that particular instance. Meanwhile, Nigerian-orientated spam seems to continue unabated.
Still, I'm happy to see this proposed legislation, and I can only hope that it becomes law. We need to hold countries accountable for permitting bad Internet behavior to continue without repercussions. I'm not talking about taking punitive actions against countries that appear to be the source of large amounts of cyber crime -- heck, that would often be the United States. But we do need to make sure that countries at least have laws that make cyber crime illegal and assist other victim countries in the prosecution where evidence has been legally presented. Unfortunately, if the past is any indicator, this type of bill will probably take years to pass -- and when it does, it will be significantly watered down. Hopefully, history won't repeat itself.
This story, "Another week of hacks, malware, and cybercrime," was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com.