Hi, everybody - Chad here! I’ve officially taken it over, but I’m a little late to the Wrap-Up this week due in no small part to outages caused by [a certain unnamed ISP here in Colorado]. In this week’s wrap-up, we’ll take a look at a few stories that should probably raise one eyebrow per reader, minimum.
An explosive spyware report shows limits of iOS, Android security
In yet more Pegasus news, recent analysis has shown some serious security limitations in both iOS and Android devices, respectively. In the face of the report, many security researchers say that both Apple and Google can and should do more to protect their users against these sophisticated surveillance tools. A lot of criticism has centered on Apple in this regard, because the company has historically offered stronger security protections for its users than the fragmented Android ecosystem. In fact, the Amnesty International researchers say they actually had an easier time finding and investigating indicators of compromise on Apple devices targeted with Pegasus malware than on those running stock Android.
Google launches new Bug Hunters vulnerability rewards platform
In some positive Google news, the company has announced a new platform and community designed to host all its Vulnerability Rewards Programs (VRP) under the same roof. Since launching its first VRP more than ten years ago the company has rewarded 2,022 security researchers from 84 different countries worldwide for reporting over 11,000 bugs. Reward amounts paid for qualifying bugs through Google’s VRPs range from $100 to $31,337, however the total amount can drastically increase for exploit chains. Google also launched a new Bug Hunter University, which would allow bug hunters to brush up on their skills or start a hunting learning streak. The company says that patches submitted for open-source software are also eligible for rewards, just as research papers on the security of open-source projects.
HP finds 75% of threats were delivered by email in first six months of 2021
Our “unsurprising” story of the week comes from findings in the HP Wolf Security Threat Insights Report. According to the report, email is still the most popular way for malware and other threats to be delivered, with more than 75% of threats being sent through email messages. The report – covering the first half of 2021 – is compiled by HP security analysts based on customers who opt to share their threat alerts with the company. The report adds that threats downloaded using web browsers rose by 24%, driven mostly by cryptocurrency mining software. Archive files, spreadsheets, documents and executable files were the most common types of malicious attachments. According to HP’s team, almost 35% of malware captured had not been previously known. Sounds like some pretty good “user education” opportunities.
Attackers’ Use of Uncommon Programming Languages Continues to Grow
Welp, this isn’t great. Quite a few less-common programming languages — such as Go, Rust, Nim, and DLang — are suddenly favorites among malware authors seeking to bypass security defenses or address weak spots in their development process, according to a recent report. The research team chose these four languages as they noticed an increase in their use for malicious intent, as well as an increase in the number of malware families using them. Attackers using new programming languages is not new; however, researchers note these languages are becoming more developed and anticipate an uptick in their use as the trend continues.