Zero Day Weekly: Mozilla smash Flash, FireEye's pain, US identity theft bill
Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending July 17, 2015. Covers news and business; is allergic to press releases: Enterprise, controversies, reports, and more.
- Mozilla's support team has made the decision to block all versions of Flash Player from Firefox until Adobe releases a patch. The block, announced by head of Firefox support Mark Schmidt, comes in response to the recent discovery of two critical zero-day flaws in Flash Player.
- The news that a FireEye (Mandiant) intern was caught up in the FBI's massive Darkode sting is painful in light of the Department of Homeland Security's darling being the first security vendor to claim SAFETY Act certification. The (now former) FireEye intern is accused of creating and selling the Dendroid Android malware; he was swept up in the global police sting Operation Shrouded Horizon, which obliterated the Darkode cybercrime forum along with a total of 70 administrators and members from 20 countries.
- Nine U.S. legislators are putting their support behind a bill that, if passed, would provide free lifetime identity theft protection coverage to the victims of the Office of Personnel Management (OPM) data breaches. The RECOVER Act, introduced by Rep. Eleanor Norton (D-D.C.) earlier this week, would include identity theft insurance for losses up to $5 million.
- Salesforce is rolling out a new set of Salesforce1 platform services designed to offer security and compliance tools to enterprise customers. Now generally available, the service offers built-in, bundled services such as archiving, monitoring, encryption and auditing for apps built on the Salesforce1 platform. Salesforce says the drag-and-drop tools relieve a common burden for enterprise IT departments: complying with internal governance policies and industry regulations in a rapidly changing cloud application environment.
Hey, web devs? Don't do this. Don't disable paste on password fields. It discourages strong, generated passwords. pic.twitter.com/4n3QqXvgff
-- Ryan Joy (@atxryan) July 7, 2015
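The anti-pattern the tweet above warns about, placed beside a check that detects it, as an added example that is not code from the tweet or from any real site. It uses Node's built-in EventTarget and Event classes (Node 15 or later) as a stand-in for DOM input elements so it runs outside a browser; the FormField class, the sample field names and the blockPaste/isPasteBlocked/auditPasswordFields helpers are assumptions made for this illustration.

```javascript
// Added example: the paste-blocking anti-pattern beside a check that detects it.
// FormField is a constructed stand-in for an <input>; in a browser you would
// instead pass the elements from document.querySelectorAll('input[type=password]').
class FormField extends EventTarget {
  constructor(name, type) {
    super();
    this.name = name;
    this.type = type;
  }
}

// The anti-pattern: a handler that cancels every paste event on the field.
// This is the script equivalent of onpaste="return false" in markup, and it
// stops users from pasting a long password generated by a password manager.
function blockPaste(field) {
  field.addEventListener('paste', (event) => event.preventDefault());
}

// Detection: dispatch a cancelable synthetic paste event and see whether any
// handler cancelled it. dispatchEvent() returns false when preventDefault()
// was called on a cancelable event, so a blocked field yields true here.
function isPasteBlocked(field) {
  const probe = new Event('paste', { cancelable: true, bubbles: true });
  const notCancelled = field.dispatchEvent(probe);
  return !notCancelled || probe.defaultPrevented;
}

// Audit a set of fields and return the names of password fields that block paste.
function auditPasswordFields(fields) {
  return fields
    .filter((f) => f.type === 'password' && isPasteBlocked(f))
    .map((f) => f.name);
}

// Constructed sample login form: only the password field has the bad handler.
// (Hypothetical field names; not taken from any real page.)
const sampleFields = [
  new FormField('username', 'text'),
  new FormField('password', 'password'),
  new FormField('confirm_password', 'password'),
];
blockPaste(sampleFields[1]);

console.log('Password fields blocking paste:', auditPasswordFields(sampleFields));
```

The hardened form is simply not to register such a handler at all. Run the audit from a browser console against real `input[type=password]` elements to find the fields a password manager cannot fill by paste; a dispatched synthetic event exercises the same listeners a real paste would.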
- Two OKCupid founders have raised $10.8 million for their new venture, Keybase, a cryptography "hobby project" that took on a life of its own. "We've gotten more ambitious," wrote OKCupid founders Max Krohn and Chris Coyne in a blog post Wednesday. "We have a new goal: to bring public key crypto to everyone in the world, even people who don't understand it."
- VMware's companion project to Project Photon is Project Lightwave (Lightwave). Lightwave provides single sign-on, authentication, authorization, a certificate authority, and certificate and key management services to secure containerized applications. Not only is this project free and open source, it's also billed as enterprise-ready.
- There's been confusion about a "fake Newsstand item" iOS app found in the Hacking Team file dump. The application does not appear to be ready for deployment: as it stands, the only way to get it onto an iOS device is with physical access to the device. Hacking Team had also developed an Android app that could dynamically fetch and execute malware payloads, and which appeared in Google's Play store as an innocuous news app.
The agency funding this con is shocked that my hacking class contains "hacking information." I'm not sure I can fix that.
-- Sam Bowne (@sambowne) July 17, 2015
- Black Hat USA's just-published, first-ever attendee research report snapshots an industry exploding with growth that still hasn't solved its most pressing problems. Surveying nearly 500 top-level security professionals -- all past attendees of Black Hat USA -- the report reveals continual hiring problems, and a sector confessing it feels unprepared for targeted attacks.
- Here's another reason to upgrade that old Windows XP PC: Microsoft has now stopped providing antivirus signatures for the out-of-support operating system. Even after support for the venerable OS ended in April last year, Microsoft continued to provide its Malicious Software Removal Tool and signature updates for Microsoft Security Essentials - that is, until this week.
Cute: Make your android app "safe" but dynamically download code, download a local priv exploit: http://t.co/dunIvoWW4K Google Play malcode.
-- Nicholas Weaver (@ncweaver) July 17, 2015
- Verizon on Thursday launched a turnkey managed security service that it hopes will appeal to enterprises of all sizes. The telecom giant's enterprise unit outlined Unified Security Services (USS). The services will come in three tiers and are designed to be an IT security team in a box. Verizon will use its networking expertise to protect networks and the data flowing into an enterprise.
- In Microsoft's round of updates for July, the company has issued 14 updates fixing dozens of vulnerabilities in many Microsoft products, including Windows and Office. Three (MS15-065 for Internet Explorer, MS15-070 for Microsoft Office, and MS15-077 for Windows) are being actively exploited by hackers, said HP's Dustin Childs in a tweet.