Malware
A worm has been discovered in the wild, targeting jailbroken iPhones running SSH. The proof-of-concept code merely changes the user's wallpaper, but it is designed to show how more malevolent worms could spread. The popular mobile platform has been the subject of other controversy, too: a federal lawsuit filed last week said that iPhone games made by California-based firm Storm8 were harvesting cellphone numbers.
Hacks
The investigative news show 60 Minutes said that power outages in Brazil in 2005 and 2007 were the result of cyberattacks.
Retrospective information on hacker activities seems to be popular this week. Investigators have said that Mossad, the Israeli spy service, used trojan horse software planted on a Syrian official's machine to gather information about a Syrian nuclear facility that it bombed in 2007. The program was planted on his machine when he left it in his room at a London hotel, reports suggest.
Breaches
Hawaiian Catholic Chaminade University published a report on its website containing confidential information about 4500 students, such as their social security numbers. It had been available for eight months before being discovered last week.
Certifications
The Department of Defense approved the (ISC)² Certification and Accreditation Professional (CAP) credential, in an attempt to help create a single certification process across the government.
The Cloud Computing Alliance is reportedly planning a security certification for cloud-based service providers.
Charges
California-based Ryan Harris was charged with earning US$1 million over six years by providing products that enabled customers to get high-speed internet service for free. The service worked by spoofing the MAC addresses from paying users' modems.
Vulnerabilities
Twitter user Terence Eden found that hackers had access to his compromised Twitter account via other sites, even after he changed his password, because the service failed to revoke the OAuth tokens that it was using to grant other services access to his account.
A major vulnerability was disclosed in SSL. The flaw allows malicious data and commands to be injected into the protocol without the client or server being aware. Analysts at authentication firm PhoneFactor had discovered it in August, and were keeping it secret while a fix was created, but the flaw was uncovered on an IETF TLS working group email list last week. The flaw affects browsers, VPN systems, and non-HTTP applications such as some email and database servers.
Dutch Facebook developer Yvo Schaap discovered a back door in MySpace and Facebook that would give third parties access to users' data. All personal data could be hosted to a central server, with no trace, said his blog post. The flaws have been fixed, but as he says, "there is no reason why this wouldn't be happening already with both Facebook and MySpace data".
Acquisitions
Web and messaging security firm M86 scooped up Finjan, a year after it was formed from the merger of Marshal and 8e6 Security. The acquisition brings web gateway and SaaS to M86's portfolio.