Security Brief: Mohammed Protests, Cyberlaws and Internet Explorer

We’ve had a busy week, with all sorts of things happening in the world of information security. However, most prevalent this week were protests against blasphemous videos and cartoons featuring the Muslim prophet Mohammed, cyber legislation, and the zero-day in Internet Explorer.

The Innocence of Muslims movie has caused a lot of controversy, not only in the real world, but also in cyberspace. Bangladesh Grey Hat Hackers were the first to react to the news that a YouTube clip featuring the beloved prophet was making the rounds.

They started launching threats and soon enough they announced to have defaced several websites to protest against the US. A few days later, they learned of the Mohammed cartoons published by a French weekly magazine, so they attacked another series of sites, this time from Italy, Brazil, France, Chile and Argentina.

They weren’t the only hacker group that protested. Bangladesh Cyber Army defaced a number of three subdomains owned by the US Department of Agriculture.

Some took things even further. Izz ad-din Al qassam launched a distributed denial-of-service attack against the sites of Bank of America, New York Stock Exchange, and, a few days later, against JPMorgan Chase Bank.

In the past few weeks, rumors started circulating about a cybersecurity executive order prepared by the Obama administration. We learned that they weren’t just rumors and that the US president is actually close to signing it.

We also had some interesting developments in the mobile world in the past days. First, Romanian security researcher Bogdan Alecu identified an SMS-sending bug in avast! Mobile Security. Fortunately, the company handled everything by the book and the issue was addressed in a very short amount of time.

A few days later, speaking at the EUSecWest security conference in Amsterdam, Alecu presented his findings on the security holes present in the Web and WAP portals offered to customers by mobile operators.

Then, developer Kevin Burke brought bad news for Virgin Mobile customers. He demonstrated that their account login PINs were easy to crack with a brute-force attack.

Initially, Sprint – the owner of Virgin Mobile – didn’t seem to care that much, but after the story was picked up by numerous media outlets, the company's attitude changed and the vulnerability was patched up, at least partly.

Another topic that made headlines was the zero-day vulnerability in Internet Explorer. After experts found it to be connected to various cybercriminal operations, including the one that relies on the PlugX RAT, Microsoft rushed to issue a one-click Fix It.

In the meantime, governments started to advise their citizens to use other web browsers while the issue was being addressed.

On Friday, the company released an out-of-band patch to ensure that the issue was addressed permanently.