Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending March 26, 2015. Covers enterprise, controversies, reports and more.
- Akamai: A majority of the Internet attack traffic in 2014's fourth quarter originated in China, followed by the U.S., according to cloud service provider Akamai. China and the U.S. were the only countries where more than 10 percent of attack traffic originated. Still, the attack traffic coming from China was down compared to the third quarter, falling to 41 percent from 49 percent. Attack traffic coming from the U.S. also fell, decreasing to 13 percent from 17 percent.
- Huawei equipment is not a risk to U.K. national security, says the Huawei Cyber Security Evaluation Centre: Oversight Board annual report 2015. In 2012, the U.S. issued a national security report on Huawei's suspected role in helping the Chinese government expand overseas spying operations. A House Intelligence Committee report said Huawei "failed to provide evidence that would satisfy any fair and full investigation" into its ties to Chinese intelligence-gathering operations, and recommended that U.S. government entities and private enterprises avoid doing business with Huawei."
- A Dell support tool put PCs at risk of malware infection. A security researcher discovered the flaw in November and reported it to Dell, which patched it in January. However, it's not clear if the fix closed all avenues for abuse. The application, called Dell System Detect, is offered for download when users click the "Detect Product" button on Dell's support site for the first time.
-- mz. bat (@mzbat) March 23, 2015
- IBM Security and the Ponemon Institute announced a study showing an alarming rate of mobile app developers are not investing in security. The study's findings show that nearly 40 percent of large companies, including many in the Fortune 500, aren't taking precautions to secure mobile apps they build for customers. They also found that organizations are poorly protecting their corporate and BYOD mobile devices against cyberattacks.
- Israeli security researchers claim to have discovered a new way to jump supposedly secure air-gapped systems via heat emissions. The BitWhisper project claims that if two air-gapped computers are placed no more than 40cms apart and malware is downloaded onto each, the researchers can enable the systems to communicate with each other via heat emissions. By regulating heat patterns, they turned binary data into thermal signals which the machine next door measures using built-in thermal sensors and converts back into data.
-- Marc Rogers (@marcwrogers) March 26, 2015
- It seemed like the controversy surrounding anonymous message posting app Whisper was calming down, but now the company is facing new accusations. Security startup Xipiter this week published a blog post full of scathing allegations about Whisper, including a video that demonstrates a security hole.
- Yahoo this week updated its transparency report; promises to scale new email encryption by end of year. On the financial side of the spectrum, Yahoo's board also approved a new multi-billion stock buyback program. Yahoo will be scaling its new e2e encryption email security measure to all accounts by the end of 2015.
- Joining Microsoft Office 365 and Amazon Web Services, Huddle has garnered a valuable badge as the first cloud collaboration service granted FedRAMP Authority to Operate (ATO) by the United States Agency for International Development (USAID). FedRAMP (Federal Risk and Authorization Management Program) is a U.S. government program established to speed up cloud deployments by federal agencies with a uniform approach and guidelines for security.
Bad as password or name.. There Are 328 Human People Named "Abcde" in the United States. pic.twitter.com/nEuwxKPM7s
-- Reuven Cohen (@rUv) March 26, 2015
- The House of Representatives Intelligence Committee has introduced a bill to facilitate sharing cybersecurity data for companies by eliminating companies' legal risks from sharing user record. On Tuesday, the US House unveiled The Protecting Cyber Networks Act, to grease data trading between companies and the government without fear of legal reprisal.
- Twitch, which is owned by Amazon and enables gamers to live-stream their game play, was compromised early this week. Twitch provided few details but did say that all user passwords have been reset and that accounts connected to Twitter and YouTube have been disconnected.
- A former Tesla intern released a $60 open source car hacking kit. The small CANtact device, built by Eric Evenchick, serves as a sort of hub between a computer and your car's on-board diagnostic computer. From the device's interface, you can control windows, brakes, service lights, and more.