Zero Day Weekly: iOS Wi-Fi DoS, Aaron's Law, and active Magento attacks
Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending April 24, 2015. Covers enterprise, controversies, reports and more.
- Intel Security teamed up with VMware, Ericsson and added a public cloud suite for McAfee. Intel brought a boatload of security software and data management upgrades to the annual RSA expo in San Francisco this week. The McAfee portfolio is being treated to a myriad of nips and tucks here and there from email management to advanced threat detection to next-gen firewalls for better user ID security.
- iOS app crashes could be due to a wireless denial of service (DoS) attack. A mobile device security company, currently working with Apple for a fix, replicated the attack and explained it during the 2015 RSA Conference. The attack can cause an endless of an iPhone.
The RSAC Cyber Security Safety Village is awesome. The @hackidcon booth is ready! pic.twitter.com/Ra548andbt
-- Hoff (@Beaker) April 19, 2015
- Defense contractor Raytheon is forming a new joint venture with Vista Equity Partners' Websense in a move that aims to pitch defense-grade cybersecurity. The value of the new venture is about $2.3 billion; the joint venture will consist of Raytheon Cyber Products, a unit of the company's intelligence, information and services unit, and Websense, which has its Triton cybersecurity platform.
- The House on Wednesday passed the first major cybersecurity bill since the calamitous hacks on Sony Entertainment, Home Depot and JPMorgan Chase. The Protecting Cyber Networks Act (PCNA) would give companies liability protections when sharing cyber threat data with government civilian agencies. Also this week, "Aaron's Law", legislation that would reduce the charges used against internet activist Aaron Swartz, resurfaced in Congress with bipartisan support.
- Millions in China affected by compromised gov't data. More than 52 million pieces of personal information such as ID numbers, financial status, and property ownership have reportedly been compromised in various government-run systems across China. High-risk vulnerabilities have been found in systems in more than 30 cities across China - and these are just the tip of the iceberg. A single loophole at the family planning department in Hubei province puts 70 million citizens' personal information at risk.
"@hannahkuchler: Huawei advertising military grade security. Whose military? #rsac pic.twitter.com/I1yZFKFhW7"
-- Mohamed A. Baset (@SymbianSyMoh) April 24, 2015
- A Wi-Fi software security bug could leave Android, Windows, Linux open to attack: Crafted P2P SSID names could potentially be used to crash or execute code on targets. In an email Wednesday to the Open Source Software Security mailing list, the maintainer of wireless network client code used by Android, the Linux and BSD Unix operating systems, and Windows Wi-Fi device drivers sent an urgent fix to a flaw that could allow attackers to crash devices or even potentially inject malicious software into memory.
- Attackers exploit Magento e-commerce vulnerability: Those using Magento's e-commerce platform should ensure they're using its latest software, as attackers are increasingly exploiting a flaw patched two months ago, security companies warned. An attacker could gain complete control over a store with administrator access, potentially allowing credit card theft. As many as 200,000 websites use Magento, which is owned by eBay.
RSAC Event VIDEO: Watch @ponemon discussing 'Changing Role of CISO' with the panel http://t.co/tqM1eJLnaV #datasecurity #RSAC #RSAC2015
-- Narelle Wilson (@Narelle_jWilson) April 24, 2015
- Groupon refused to pay a security expert who found serious XSS site bugs. Having reported a series of security problems to Groupon, a security researcher was expecting a pay-out - but the site refuses to pony up. In all, more than 30 security issues with Groupon's site were found.
- Microsoft unveiled plans for stronger encryption and tighter controls over Office 365 data. Microsoft announced its latest security moves at the RSA conference Monday: The biggest changes are improvements in encryption for Office 365. By the end of this year, Microsoft says, it will also implement content-level encryption, so that data will be protected even if someone gains access to the unencrypted disk contents.
#RSAC slides "Malware Persistence on OS X Yosemite" http://t.co/LIL3ECAyJu [PDF] #synack #osxmalware #persistence #knockknock #RSAC2015
-- patrick wardle (@patrickwardle) April 24, 2015
Image via RSA Conference, used with permission.