Zero Day Weekly: McAfee for President, FireEye litigiousness, Excellus BlueCross BlueShield breach
Welcome to Zero Day's Week In Security, ZDNet's roundup of notable security news items for the week ending September 11, 2015.
From Ars Technica: Antivirus mogul John McAfee to run for president as member of "Cyber Party" "On Tuesday, John McAfee, best known for founding the eponymous software firm McAfee Security (to which is he no longer affiliated), filed paperwork with the Federal Election Commission announcing his intent to run for the office of President of the United States. In his interview with Wired ... McAfee cited government's technological illiteracy as a primary motivation in his decision to run for the US' highest elected office."
From CSO: Researcher discloses zero-day vulnerability in FireEye "On Sunday, Kristian Erik Hermansen disclosed a zero-day vulnerability in FireEye's core product, which if exploited, results in unauthorized file disclosure. As proof, he also posted a brief example of how to trigger the vulnerability and a copy of the /etc/passwd file. What's more, he claims to have three other vulnerabilities, and says they're for sale." See also: FireEye Scolded For Injunction Stopping Security Researcher Revealing Source Code (Forbes)
From Vice/Motherboard: Hackers Killed a Simulated Human By Turning Off Its Pacemaker "Mike Jacobs, director of the [healthcare] simulations program at University of South Alabama ... provided the iStan ("the most advanced wireless patient simulator on the market, with internal robotics that mimic human cardiovascular, respiratory, and neurological systems") to a group of undergraduate students who had been taking a cybersecurity class for a semester. After a few hours, the team of students was able to gain access to most of iStan's functions, which were vulnerable to denial of service attacks, brute force attacks, and security control attacks."
From ZDNet: Europeans to win the right to sue in US courts over privacy breaches "Europeans whose data has been mishandled by US authorities will soon have the right to take legal action in the US courts. EU citizens' right to seek legal redress in the US comes as part of a new EU-US data protection agreement covering instances where EU citizens' personal data is involved in US criminal and terrorism investigations. The deal brings rights of EU citizens in line with those of US citizens, who can sue in European courts for similar privacy breaches."
From CNET: Data breach exposes 10M health records from New York insurer "More than 10 million records were exposed in a data breach of health insurer Excellus BlueCross BlueShield and a partner company. ... Excellus revealed the breach on Wednesday, telling customers they would receive identity-monitoring services and that the FBI is investigating the crime. The records included Social Security numbers and other identifying information, as well as claims members made to pay for medical care."
From NextGov: Intelligence Chief: OPM Hack Was Not a 'Cyberattack' "The mammoth data breach of millions of background investigation forms at the Office of Personnel Management was one of the largest cybercrimes ever perpetrated against the U.S. government, according to federal officials. But one thing it wasn't? A cyberattack. At least in the true sense of the term, according to Director of National Intelligence James Clapper. ... Data was "simply stolen," he said. "That's a passive intelligence collection activity - just as we do," Clapper added."
From CSO: Ashley Madison coding blunder made over 11 million passwords easy to crack "Until today, the creators of the hacked AshleyMadison.com infidelity website appeared to have done at least one thing well: protect user passwords with a strong hashing algorithm. That belief, however, was painfully disproved by a group of hobbyist password crackers."
From Ars Technica: First-ever monthly Android security updates start to roll out "The [Stagefright] publicity got the Android device ecosystem-Google, OEMs, and carriers-to at least start paying attention to delivering security updates to users in a timely manner. Google, Samsung, and LG scrambled to get fixes out to their flagship devices and promised monthly security updates for their devices. That was 36 days ago. Today, Google has posted the first of those monthly security updates for Nexus device owners."
From ZDNet: [AU] Government commits AU$18.5m for National Biometric Matching Capability "The New York Times on Monday reported that Apple was served a court order by the Justice Department this summer over an investigation involving drug and gun crime, demanding it provide real time access to text messages sent between suspects using iPhones. Apple reportedly said its iMessage system was encrypted and, as a result, it couldn't comply with the order. Consequently, the company can't provide the same interception capabilities to law enforcement officials under US wiretap laws as telecoms operators can."
From ZDNet: Microsoft fixes five critical flaws, including two hitting all versions of Windows "For this month's so-called Patch Tuesday, the company has issued 12 bulletins fixing 56 separate vulnerabilities in some versions of Windows, Microsoft Office, and even the new Microsoft Edge browser."