Zero Day Weekly: ISC hacked, SS7 mobile security, Windows privilege escalation

Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending January 2, 2015. Covers enterprise, controversies, reports and more.

This week the Internet Systems Consortium site was hacked, a Lizard Squad member was caught (and released), a privilege escalation bug was revealed in Windows, SS7 research nuked mobile privacy beliefs, The Interview became an Android malware vector, post-breach perceptions of Sony and Staples were analyzed, and more.

• Steven J. Vaughan-Nichols reports on some Bad, bad Internet news: Internet Systems Consortium site hacked. Cyphort, an Internet security company, reported that they'd told ISC that their site had malware on it on December 22. ISC's main site, which used an out of date version of WordPress, had, according to Cyphort been compromised to point visitors to the sites infected with Angler Exploit Kit.

• The U.S. went to the Trade in Services Agreement (TiSA) talks in Geneva ready to negotiate immunity from online security breach investigations for U.S. companies. If the terms are accepted, the U.S. companies doing business in the EU would be beyond the reach of regulators and law enforcement in the host country. As a result, European governments would have to turn to U.S. courts to go after those companies for breaches or negligence. And EU data protection laws could be diluted.

• Lizard Squad arrest: A 22-year-old man linked to the hacking group that claimed responsibility for a Christmas Day attack on Sony and Microsoft was arrested yesterday by UK police investigating PayPal thefts. Vincent Omari has been linked to the Lizard Squad hacking group that took credit for attacks on Sony's PlayStation Network and Microsoft's Xbox Live gaming networks over Christmas. The man from southwest London was arrested on Tuesday on suspicion of fraud by false representation and Computer Misuse Act offenses -- and is out on bail with no charges filed.

Japanese police suspect Mt. Gox bitcoin theft due to internal system manipulation, not hack http://t.co/ASdJyKCdni http://t.co/gM2y1i9jWZ

- Techmeme (@Techmeme) January 2, 2015

• Google researcher Forshaw discovered and disclosed a privilege escalation bug in Windows. The vulnerability is identified in the function AhcVerifyAdminContext. Forshaw included a proof of concept (POC) program for the vulnerability. He says he has only tested it on an updated Windows 8.1 and that it is unclear whether earlier versions, Windows 7 specifically, are vulnerable.

• Shocking new SS7 research destroys the fallacies of mobile privacy and security. Three groundbreaking research presentations and live demonstrations this week on SS7 have shown that the NSA -- or any government's ability or access -- isn't needed to track you completely (and terrifyingly) with your cell phone. Talks announcing the research were presented at Hacker conference Chaos Communication Congress 31c3 which is under way in Hamburg, Germany.

SS7map: Ranking of Telecom Operators SS7 Security http://t.co/Bx2Cay9mRs

-- Vitaly Osipov (@agelastic) December 28, 2014

• Analysis: How Sony and Staples breaches affected public perception of the companies. Ashton Webster wanted to see if two of 2014's widely-reported breaches changed the way people see the corporate entities using Semantria. He posted his results in Analyzing Sony and Staples Breaches with Sentiment Analysis.

• Hacking Facebook with a forged Microsoft Word document: A vulnerability on Facebook's Careers Page was discovered and patched in a third-party service that handles resumes. The discovery was worth more than $6,000 in a bounty paid out by Facebook to researcher Mohamed Ramadan of Egypt, who published some details of the vulnerability and exploit on his website. Ramadan said the vulnerability is a blind XXE (XML External Entity) Out of Band bug. It allowed him to upload a .docx file to the careers page with some additional code that was not vetted by the third-party service.

• The public found out that Nvidia and Chik-fil-A were both compromised this past week; Chick-fil-A appears to be a customer card data breach, while Nvidia's was a successful corporate account attack.

• Android banking trojan poses as fake "The Interview" app. Graham Cluley writes, "Researchers at McAfee in a joint investigation with the Technische Universität Darmstadt and the Centre for Advanced Security Research Darmstadt (CASED), identified that a threat campaign has been active in South Korea in the last few days, attempting to exploit the media frenzy surrounding Sony film The Interview's release. McAfee security expert Irfan Asrar tells Graham Cluley that a torrent making the rounds in South Korea poses as an Android app to download the movie to mobile devices."

• Politician's fingerprint 'cloned from photos' by hacker: In a presentation this week, security researcher "Starbug" showed how to clone the thumbprint of the German Defense Minister. To get that into something that could be used on a biometric scanner, Starbug employed the same technique he used to defeat Apple's TouchID fingerprint lock. He also examined other biometric security hacks, like copying the iris print of German Chancellor Angela Merkel to fool a basic iris scanner.

The week in Sony hack drama: A shrinking spotlight

While no further data had been released by GOP, the group behind the Sony Entertainment Pictures hack, press, pundits, Sony's legal team, and authorities continue to turn themselves inside out trying to dominate the situation -- and its spotlight.

On Wednesday, many news outlets reported the news that the same hackers who targeted Sony had turned their attention to CNN -- originating with a report on exclusive details from an FBI bulletin "obtained by The Intercept." It was re-reported by The New York Post, Business Insider, PC Mag, Gizmodo, Engadget, Gawker, and many more.

Now, security writer David Garrett, Jr. is taking credit for the hoax, claiming it was just one big joke. The initial report originated on The Intercept where Jana Winter posted details of an FBI bulletin that cited threats against an unnamed media organization.

The Desk's Matthew Keys linked that bulletin to an anonymous Pastebin post that threatened CNN and claimed to be from the same Guardians of Peace group that hacked Sony. Garrett says he wrote the post to make the point that Pastebin is an unreliable source.

Put me in charge somewhere in @FBI, so embarrassing! CNN "threat" is utter #Hoax. http://t.co/GkOlefqAx2 #SonyHack pic.twitter.com/Il8VN5m8Tr

- Jonathan Langdale (@jlangdale) December 31, 2014

As of this writing, virtually none of the media outlets have corrected their stories, and The Intercept has not updated or clarified its story.

Also this week, more doubt against the North Korean government as the hack's culprit came from Norse Security, who said -- like many others have -- that the Sony hack was an inside job.

Norse said a former employee allegedly involved in the attack was laid off by Sony this past May, using human resources documents released in the hack to identify and track the suspect for the past several months.

The FBI rebuffed Norse Security's conclusions after a three-hour briefing, and doubled-down on blaming the North Korean government.

Senior VP at Norse Kurt Stammberger told The Daily Beast, "They basically said thanks a lot and shook our hands and took off," Stammberger said. "It sounds like from the PR [public relations] perspective they are sticking to their guns."