46 US House of Representatives Republicans joined in a letter (PDF) to urge President Barack Obama not to issue the executive order on cybersecurity. The White House is currently drafting an executive order that encourages operators of critical infrastructures (like banks, power grids, etc.) to meet cybersecurity standards.
“Instead of preempting Congress’ will and pushing a top-down regulatory framework, your administration should engage Congress in an open and constructive manner to help address the serious cybersecurity challenges facing our country,” the lawmakers wrote.
The executive order is expected for release in January, which will help protect these vital systems from hackers. It’s highly important that this gets put into action, or the United States can see some issues happen such as power loss, plane crashes, train derailments, etc.
“This framework will work better than attempts to place the government in charge of overseeing minimum standards for industries seeking to invest in new and innovative security solutions,” the Republicans wrote.
The letter of urgency, led by Representatives Marsha Blackburn (Tennessee) and Steve Scalist (Louisiana) is aimed at helping to reduce the amount of government involvement in cyberwar, in hopes not to stir rages with hackers and other pests. However, if something isn’t done very soon, America as we know it could be in a lot of trouble.
Much of the attention in 2013 in computer security will be mainly focused on industrial control systems (ICS), Android, and the all new Windows 8 OS. With the dealings of malware like Stuxnet and other government threats, to the normal hackers and attackers on consumer devices – it will be a challenge in both business and consumer markets.
Supervisory software runs on dedicated workstations and programmable hardware devices, and this is called a control system. They’re used to monitor and control many different operations, such as power grids, trains, airplanes, water distribution systems, military installations, and many more. Many times, control systems are used in critical infrastructures, especially systems for big populations that depend on electricity, clean water, transportation, etc.
Many worries that we’d be watching in 2013 that other security authorities are watching as well include the rise of more government malware. Especially, when it comes to control systems, which are believed to be widely targeted and surveyed.
For other problems to be faced include intense rises of mobile malware, particularly in the Android marketplace. The problem is that Android malware is becoming more widespread. It looks like hackers are retrying some old methods of Windows operating system exploitation on Android devices. This can prove to become a big problem to watch out for.
The big issue with Android attacks also seems to point at privilege escalation attacks, which like to work through malicious apps installed by the user to gain root access and take control of the device. With hundreds of millions of Android devices already infected since its birth, the size of botnets have gotten to be big, and there may still be a lot of devices infected.
Also, keep in mind that when you use a smartphone, you’re leaking a lot of information. This is mainly through App usage, which most of them collect a bit of data from your phone. It isn’t exactly personally-identifiable information, however, it’s enough to make some people nervous.
Android is very open, and you can download apps from almost anywhere for Android. This is much like Windows OS has been. But, that’s a whole different long story.
Windows 8 will be a challenge for security, because researchers, hackers, security experts, etc. want to get in on testing just how secure it is.
When you look at the scope of Android malware (malicious software/viruses), and then think about Windows Phone malware, it’s as if hackers and virus-makers (“cybercriminals”) are retrying their own luck. What is meant by this? Years ago when malware started gaining big time (probably around 2000), these cybercriminals tried a number of ways to hack the Windows API/kernel, causing innumerable issues for Windows users. Now, today’s market looks like it’s being done all over again.
During the 2000s era, it seemed like we had quite a few different types of malware. Here are those types explained in today’s market for smartphone malware:
- Dialer: a trojan app/program that automatically dials premium rate numbers and attempts to rack up charges on the user’s phone bill. This can be highly costly, so removing it immediately is the best option.
- Trojan: a common name for any type of app/program that is designed to look like it does one thing, but it’s code does something else untrustworthy. Many options trojans pick would be the stealing of personal data off of the device, or changing the settings of a device to make it behave a different way.
- Virus: a self-replicating piece of code, infects other files, or just damages files on devices.
- Spyware: another trojan app/program, which decides to attempt the stealing of personal data on the user’s device.
- Adware: another trojan app/program designed to show ads to the user, sometimes flooding their screen. Commonly, these ads are personalized for the user, by getting a scope of the type of apps they have.
- Rootkit: a piece of trojan code, designed to get administrator privileges on the device, and then take control (and manipulate) of the system.
As you can see, some of those issues are as prevalent on mobile devices as they were on Windows operating systems in the 2000s era.
To further protect your mobile device from anyone of the threats described, please consider purchasing Kaspersky Mobile Security: Buy Kaspersky Mobile Security and protect your Android smartphone for 1 Year – only $19.95 Click Here
Let’s discover the vulnerabilities of CVE-2012-4681 and CVE-2012-5076, what’s similar and what we can learn about these two serious vulnerabilities. These use a Java reflection mechanism that breaks applet security restrictions, and allow a malicious payload. In other words, they bypass security and execute malicious code.
Now, Java reflection is used in programs commonly, usually those requiring the examination of runtime behavior of applications running in Java Virtual Machine. It is very convenient for Java developers (despite saving time) to write Java programs, but it also opens up more opportunities for exploits.
Now, to open up for the technical part, which you can skip if you don’t understand Java or it would give you a headache. 🙂
== TECHNICAL START ==
Java reflection has many functions and they are:
- GET class
- GET all members and methods in class include private ones
- Invoke methods
Java’s big vulnerability in dealing with reflection is that it allows hidden fields. Obviously, this isn’t a true flaw (meaning the Java developers don’t see a problem), but it would help to change this attribute to avoid further problems.
Now, CVE-2012-4681 used Java reflection to induce a hidden field that was called statement.acc. It implemented, also, the “setfield” function, which changes the value of the ACC file (found in the hidden field). To break the code, “Java.beans.statement” would be implemented.
So, in Java, we’d see:
SetField(Statement.class, "acc", localStatement, localAccessControlContext);
Then, as we analyze CVE-2012-5062, we see the big offender, “util. GenericContructor”, which is used to create an object from a restricted class. We would implement it like “sun.invoke.anon.AnonymousClassLoader”, and then call its function “loadclass” – that would deliver the malicious payload. Here is a breakdown of how the payload would work:
- GET the method “loadclass” and then invoke.
- GET the method “r” in payload and then invoke.
- Using “Class.forName” to load a target class
- Using “getDeclaredFields”, which would enumerate all fields (not including hidden ones).
- Using “setAccessible” to expose hidden/private fields.
== TECHNICAL END ==
Obviously, it’s time, researchers, to keep an eye on Java reflection vulnerabilities.
AV-Test.org is a German publisher of comparative reviews on a slew of antivirus products. They review all types of antivirus and security suite products, and the tests are very beneficial to customers and for companies. Their reviews are published bi-monthly.
The latest review shows that Microsoft Security Essentials was the only one who did not make the cut for an award. They failed to make certification during the latest review. Now, it is unclear on whether Microsoft’s Anti-Malware Team was stressed of working double on the super-improved Windows Defender for Windows 8, or if malware has just been too troublesome.
Microsoft Security Essentials is, according to Opswat’s September 2012 market share report, used by almost 14 percent of the security market worldwide. That is a lot compared to the number of antivirus product vendors available, which is over 50 vendors. It is highly difficult to maintain antivirus software during the current industry, because hackers and cybercriminals are much more numerous than the amount of security researchers and developers there are to counteract the attacks.
Many antivirus companies have employed new tactics to have robot schemes set up to do malware research on its own, rather than hire a lot of security researchers. By doing so, the antivirus company would have the risk of dealing with a lot of false positives. Some have led to believe this is the uprising trouble in companies like AVG, ESET, or Kaspersky – those of whom have seen a rise in false positives in the past couple of years.
Latest round of AV tests: