Zero Day Weekly: Sony's epic hack, Home Depot lawsuits, Regin malware
Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending November 28, 2014. Covers enterprise, controversies, reports and more.
This week, Sony Pictures was critically compromised, Home Depot got hit with 44 lawsuits over its breach, Craigslist got DNS hijacked, the SEA made a comeback, and much more.
On Monday Sony Pictures was brutally hacked and held for ransom when it was forced to disable its corporate network after attackers calling themselves the GOP (Guardians of Peace) hijacked employee workstations in order to threaten the entertainment giant. The latest information suggests that 'GOP' had physical access to the network in order to accomplish their aims.
The UN moved aggressively this week to strengthen digital privacy. A resolution presented by Germany and Brazil, calling for governments to strengthen digital privacy, builds on a landmark text presented last year after revelations of widespread surveillance by the US and British governments. It followed weeks of tough negotiations with Australia, Britain, Canada, New Zealand, and the US -- members of the so-called Five Eyes intelligence alliance -- which sought to limit the resolution's scope. The five countries are not among the 65 co-sponsors of the resolution.
Regin malware finally washed up: Symantec Security Response (and others) this week disclosed a new malware called Regin which, they say, "...displays a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals" -- since at least 2008. So: Which nation-state is behind the sophisticated, stealthy Regin malware?
Siemens released security updates for several of its SCADA (supervisory control and data acquisition) products for industrial environments, in order to fix critical vulnerabilities that may have been exploited in recent attacks. One of the vulnerabilities allows unauthenticated attackers to remotely execute arbitrary code on a Siemens SIMATIC WinCC SCADA server by sending specially crafted packets to it. The flaw received the maximum severity score of 10 in the Common Vulnerability Scoring System and can lead to a full system compromise.
Both Uber and Twitter apps came under fire this week when analysis was done on app access and the privacy-annihilating permissions of seemingly benign apps, requested under the guise of improving or enhancing user experience. According to Cult of Mac, GironSec claims Uber's app "calls home" and sends data to Uber, but it isn't typical app data: "Uber has access to users' entire SMSLog even though the app never requests permission. It also accesses call history, Wi-Fi connections used, GPS locations and every type of device ID possible."
Google's Project Zero bug hunters published details of a critical vulnerability in Adobe Reader for Windows that was patched in September. Windows users who haven't updated to the latest version of Acrobat and Adobe Reader probably should do so right now, after a Google security researcher revealed details of a vulnerability affecting the pair, and how to exploit it.
StealthGenie is a federal crime. In the US, it's a federal crime to sell spyware: On Tuesday, we saw the first-ever criminal conviction concerning the advertisement and sale of a mobile device spyware app. The Department of Justice announced that the creator of StealthGenie, 31-year-old Danish citizen Hammad Akbar, had pleaded guilty to advertising and selling StealthGenie. The court sentenced Akbar to time served, ordered him to pay a $500,000 fine and ordered him to turn over the source code for StealthGenie to the government.
No RATs: A European crackdown on the use of RAT spyware has resulted in the arrest of 16 people across seven countries. The arrests, announced by Europol late last week, were made in Estonia, France, Italy, Latvia, Norway, Romania, and the United Kingdom. They targeted people suspected to have used remote access tools (RATs) for cybercrime. See also: ZDNet's Government IT Week.
The Syrian Electronic Army (SEA) on Thursday hacked CNBC, Forbes, the Chicago Tribune, OK magazine, the Evening Standard, PCWorld, The Daily Telegraph and The Independent. Not all visitors saw the pop-up messages, which read “You’ve been hacked by the Syrian Electronic Army (SEA)” and in many cases the incident was reported by mobile users. SEA does not appear to have actually hacked the affected websites directly, but instead pulled off the attack through Gigya, a customer identity management platform used by a large number of brands.
Last Sunday, Craigslist was DNS hijacked, and the full story was never fully explained. One site that appeared to receive most of the traffic destined for Craigslist was "Digital Gangster," an invitation-only Web board owned by rapper and hacker Bryce Case, Jr., also known as YTCracker. Case gained notoriety in 1999 for hacking into the network of NASA's Goddard Space Flight Center.
Home Depot announced that it is facing “at least 44 civil lawsuits” in the United States and Canada stemming from 56 million customers' data being stolen and exposed earlier this year. According to the disclosure published Tuesday, “We are also facing investigations by a number of state and federal agencies. These claims and investigations may adversely affect how we operate our business, divert the attention of management from the operation of the business, and result in additional costs and fines.”