Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending December 12, 2014. Covers enterprise, controversies, reports and more.
This week Cisco acquired Neohapsis, Symantec warned of apps harvesting PII, the Sony hack got uglier while the FBI said nothing yet ties it to North Korea, and much more.
- New research by Symantec shows that roughly a third of Android apps collect a surprising amount of user PII (personally identifiable information, such as a phone number). The company used its Norton Mobile Insight tool to identify when apps obtain PII and what they do with it; Symantec says it has collected about 15 million Android apps from app stores worldwide. Norton Mobile Security warns users in detail about potential privacy problems as they browse apps in the app store.
- On Wednesday, Cisco announced plans to acquire Neohapsis, a Chicago-based security advisory company providing services that address customers' evolving information security, risk management and compliance challenges. The Neohapsis team will join the Cisco Security Services organization under Bryan Palma, senior vice president and general manager. The acquisition is expected to close in the second quarter of Cisco's fiscal 2015.
- According to McAfee Labs' annual threats predictions report for the coming new year, cyber-espionage and attacks on connected devices are expected to surge in 2015. McAfee highlighted an emerging field dubbed "Cybercrime-as-a-Service," positing that stolen health credentials are valued at roughly $10 each - 10 to 20 times the value of a stolen US credit card number. With the fervor and hype surrounding connected devices and apps particularly geared toward health and fitness, that is a worrisome prospect for end users and tech brands alike.
- Sony's mess got uglier this week, as the attackers calling themselves GOP released more troves of sensitive files and Sony reacted badly. In one instance, emails surfaced in which a Sony executive made racially insensitive jokes about President Obama (referencing films such as The Butler and 12 Years a Slave), forcing Sony to apologize to the President. On Monday, speculation in mainstream news outlets about who was responsible grew loud enough that the assistant director of the FBI's Cyber Division stated that, at present, there is nothing to tie North Korea to the attacks on Sony. On Tuesday, researchers at Kaspersky Lab reported that a sample from the Destover family of malware (the same family used against Sony Pictures) had been signed with a stolen Sony certificate; as it turned out, that signed sample had been produced as a joke between researchers, not by the attackers. Then Recode reported that Sony was itself using denial-of-service attacks in response, a claim several researchers doubted. Bruce Schneier added, "I don't see how Sony launching a DDoS attack against the attackers is going to help at all."
"So if Recode is right about Sony doing DoS/DDoS, (which I doubt) they're accusing Sony of criminal behavior. Good PR move, eh?"
-- Jack Daniel (@jack_daniel) December 11, 2014
- Kaspersky released its Cyberthreat Real Time Map this week, and it's really pretty. Today's main post image (above) is a screenshot.
- CNET's Tim Stevens told his Twitter followers he was going to interview FBI informant "Sabu" and asked for suggested questions. The #QuestionsForSabu hashtag quickly became a pointy stick for those displeased with the informant's celebrity status, given that he had coerced fellow hackers into breaking the law while working for the FBI. "Sabu" also appeared on Charlie Rose this week, warning the US government about cyberattacks and bashing government contractors.
- FBI officials are calling for legal updates to the US Computer Fraud and Abuse Act (CFAA) and for new legislation that encourages threat data information sharing and establishes a uniform federal standard for data breach notification. In a statement before the Senate Committee on Banking, Housing, and Urban Affairs Wednesday, Joseph M. Demarest, assistant director of the FBI's Cyber Division, stressed the importance of information sharing from the private sector.
- As promised, Microsoft patched Windows, IE, Office and Exchange. In addition to the new Patch Tuesday updates, Microsoft reissued two older updates to fix problems in them and tightened up SSL handling in Internet Explorer: the fallback from TLS to SSL 3.0 is now disabled by default in IE 11, closing off the downgrade path the POODLE attack relies on.
"This is the best security advisory of the year. http://t.co/eSH4wcscaq"
-- DennisF (@DennisF) December 10, 2014
- On Monday, password manager company Dashlane announced a feature that changes users' passwords automatically, and published the list of sites it works with. On Tuesday, LastPass made the same announcement, claiming support for 75 sites.
- To the joy of many, iRobot's latest Roomba robot is designed for hackers.
- Adobe this week released updates to Flash Player, Acrobat, Reader and ColdFusion to address vulnerabilities. Adobe says it has reports that one of the Flash Player vulnerabilities is being exploited in the wild, so the Flash update is the one to prioritize.
- Privacy-focused handset maker Blackphone announced a major update to its customized operating system, PrivatOS, due in early 2015. Blackphone also said it would introduce the "world's first privacy-focused app store," available to existing Blackphone users in January 2015 before opening to users of other Android handsets.