by Constantine von Hoffman

Cybersecurity News Roundup: ‘miniFlame’ Malware; Android Spyware; Huawei Spying

Oct 19, 2012 · 5 mins
Cybercrime, Data Breach, Fraud

This week's IT security news roundup has stories on the newly discovered "miniFlame" malware; a deadly pacemaker hack; an undercover police officer outed on Facebook; China's crackdown on 9,000 cyber criminals; and more.

Cyberespionage Malware ‘miniFlame’ Discovered (CSO) — Newly-discovered spying malware designed to steal data from infected systems was likely built in the same cyber-weapon factory that produced the notorious Flame and Gauss malware, according to Kaspersky Lab. Kaspersky released a technical paper Monday outlining the discovery of the malware it dubbed “miniFlame.”  This new malware is capable of working along with Flame and Gauss, but miniFlame is a “small, fully functional espionage module designed for data theft and direct access to infected systems,” Kaspersky said.

FBI Warns Commercial Spyware has Made Jump to Android:  (CSO) — A recent FBI warning regarding Android malware mentions a mobile version of known spyware that was sold to law enforcement and governments, demonstrating how such commercial applications can pose a threat to private companies and consumers. The FBI’s Internet Crime Complaint Center said this week that FinFisher was among the latest mobile malware brought to its attention, along with a Trojan called Loozfon. To infect phones, criminals sent text messages with links leading to malicious websites. FinFisher has been compromising personal computers for some time. The commercial version was originally sold to law enforcement and governments as spyware in almost a dozen countries.  

Pacemaker Hack Can Deliver Deadly 830-Volt Jolt: (NetworkWorld) — Pacemakers from several manufacturers can be remotely controlled and instructed to deliver a deadly, 830-volt shock by someone using a laptop up to 50 feet away. The pacemaker flaw is the result of poor software programming by medical device companies. The new research comes from security company IOActive’s Barnaby Jack, who is known for his analysis of other medical equipment, including insulin-delivering devices. Jack said the flaw relates to the programming of the wireless transmitters that provide instructions to pacemakers and implantable cardioverter-defibrillators (ICDs), which detect irregular heart contractions and deliver electric shocks to avert heart attacks.

Zero-Day Attacks Thrive for Months Before Disclosure: (ThreatPost) — “Zero-day vulnerabilities and exploits dominate headlines and most heated information security discussions. In truth, however, there are relatively few of these attacks hitting a small number of hosts, according to new research on the subject.”

White House-Ordered Review Finds No Evidence of Huawei Spying: (Reuters) – “A White House-ordered review of security risks posed by suppliers to U.S. telecommunications companies found no clear evidence that Huawei Technologies Ltd had spied for China, two people familiar with the probe told Reuters.”

Undercover Cop Outed on Facebook, Woman Arrested for Posting Photo: (NakedSecurity) – “Police arrested a Texas woman for allegedly posting a photo of an undercover police officer onto her Facebook page. The case shows that it’s time that police learn how vulnerable they are in a social media world.” She was charged under a Texas statute about retaliation because the police judged that this was a threat to the officer’s safety. So basically she was arrested for telling someone that someone else is a police officer? She didn’t threaten the officer or suggest anyone else do so. First Amendment? What’s that?

Children in Care Data Found on Public PC in New Zealand: (BBC) – “Confidential government files belonging to New Zealand’s Ministry for Social Development have been freely accessible from computers available for the public to use. Blogger Keith Ng says he was able to download 7,000 files from the department’s network. He used a public computer provided in Work and Income New Zealand (WINZ) offices for job hunters. The files included the names of children currently in state care. Some basic search functions had been disabled but the names of people suspected of benefit fraud and invoices from contractors were easily retrievable ‘by just using the open-file dialogue on Microsoft Office’, wrote Mr Ng in a post for blogger community Public Address.”

Microsoft Offers $250,000 for the Head of Conficker’s Author: (NakedSecurity) – “Microsoft has announced that it is offering a $250,000 reward for information that leads to the capture and conviction of the authors of the Conficker worm (also known as Downadup or Confick).”

Chinese Arrest 9,000 Cyber-Crims: (The Register) – “Chinese police have smashed over 700 cyber crime gangs and arrested nearly 9,000 alleged criminals. The Ministry of Public Security – or police force, to you and me – announced confidently that it had cracked 4,400 criminal cases in its bid to “earnestly safeguard the legitimate rights and interests of the masses of the people, to purify the internet environment”. The efforts to crack down on internet fraud, hacking, trafficking counterfeit goods, firearms and online porn are a continuation of a campaign begun back in March that has already led to thousands of separate arrests. The MPS also trumpeted its successful smashing of what it claimed to be the country’s first illegal “internet PR network” – basically an operation offering to delete negative user-generated content for firms. The gang – which made in excess of 10 million yuan ($1,595,318.04) – would apparently also try to extort money from businesses by threatening to actively post negative comments about them if they didn’t pay up.”

Exploit Code Released Targeting Firefox 16 Vulnerability:  (ThreatPost) – “It’s been an interesting couple of days for Firefox users. First Mozilla released version 16 of the popular browser on Wednesday, then quickly pulled it back yesterday after a serious security vulnerability was found in the new version. Less than 12 hours later, Mozilla had repaired the problem and re-released the updated browser, but not before exploit code was released. The attack exploits an issue where Firefox was exposing URL information across Web domains by not restricting Javascript’s location method. Mozilla director of security assurance Michael Coates said the vulnerability could allow a malicious website to determine which websites a user had surfed to and would leak URL information.”

Hackers Hit Small US Town, Steal Tax Payer Data and $400,000: (NakedSecurity) – The town of Burlington, Washington has warned residents that they could be the targets of identity theft, after hackers compromised systems used to run an online automatic utility billing system and emptied $400,000 from a city bank account.