Welcome to Zero Day's Week In Security, ZDNet's roundup of notable security news items for the week ending August 14, 2015.
From ZDNet: Dropbox adds USB security keys "Dropbox is adding another two-step verification tool as it aims to secure its cloud storage service and give businesses another security option. In a blog post, the company said it will add Universal 2nd Factor (U2F) keys. These keys are designed to go into a USB port when you sign into Dropbox. The key will stand-in for typing in a security key or getting a text on your phone."
From IT News: Oracle pulls blog post critical of security vendors, customers "Oracle published, then quickly deleted, a blog post criticizing third-party security consultants and the enterprise customers who use them. Authored by Oracle chief security officer Mary Ann Davidson, the post sharply admonished enterprise customers for reverse engineering, or hiring consultants to reverse engineer, the company's proprietary software, with the aim of finding as of yet unfixed security vulnerabilities." See also: Oracle to 'sinner' customers: Reverse engineering is a sin and we know best (ZDNet)
From SC Magazine: Researcher generates thousands of phone numbers, matches them to Facebook accounts "A security researcher has developed an algorithm that exploits a flaw in a Facebook default privacy setting to obtain cell phone numbers linked to Facebook accounts and then get information associated with those accounts." See also: Facebook says user privacy is 'extremely important', but no (ZDNet)
Lol, so Facebook gave out 100k for glorified runtime assertions.. https://t.co/95lwqRwueY
- Vincenzo Iozzo (@_snagg) August 13, 2015
From ZDNet: New security vulnerability discovered in old Intel chips "A security researcher has discovered a new and potentially harmful security vulnerability inside Intel processors released between 1997 and 2010. Security researcher Chris Domas uncovered a vulnerability in the x86 architecture of pre-Sandy Bridge silicon that would allow an attacker to install software in a chip's protected System Management Mode space, which is what controls firmware-level security. Domas has also released proof-of-concept code for the attack. It is not known whether AMD chips are also vulnerable to this attack."
From ZDNet: Cisco networking gear can be hijacked, warns company "Cisco has warned a number of its routers and switches can be hijacked. The networking giant said in an advisory that it has seen a 'limited number' of cases where attackers will replace the device's firmware (known as 'ROMMON'). Short for ROM Monitor, it allows the device's operating system to load. It allows administrators to run a number of configuration tasks."
From ZDNet: Android, you have serious security problems "Google has failed to meet its own deadlines for fixing two nasty Android security flaws, and is failing to communicate. It's time to put some stick about. "This is Android's moment to stop and have a 'trustworthy computing' moment," tweeted Scott Williams, a Sydney-based IT consultant, on Friday. He's right. Two massive vulnerabilities need to be patched fast, and that's highlighted the utter shoddiness of the Android ecosystem's processes for updates." See also: IBM discovers Android serialization vulnerability allows arbitrary code execution (ZDNet)
New IMSI Catcher detection and other security features for Android released today at CCC from Karsten Nohl and crew https://t.co/Ik7q5CJbtk
- Richard Johnson (@richinseattle) August 13, 2015
From ZDNet: Hackers charged after pocketing $100m from stolen material "An international team of computer hackers and stock traders has been charged with pocketing more than $100 million in illicit profits made from on-selling stolen market-moving media releases. The US Department of Justice said that in addition to the two Ukraine-based ring-leaders, seven defendants from Ukraine and the United States were involved in the criminal conspiracy, making more than $30 million in illegal trades on the pilfered information. Marketwire, PR Newswire, and Business Wire -- which distribute press releases for major publicly traded companies -- had its systems penetrated by a pair of Ukraine-based hackers who stole 150,000 press releases from as far back as 2010. ... A parallel civil case from the US Securities and Exchange Commission listing 32 defendants said the scheme yielded over $100 million in unlawful profits, as a result of the hackers selling the stolen data to traders."
From CSO Online: To shine a light on cybercrime, go Dark "One of the best ways to understand your enemy - what he's up to, what his capabilities are and how he can damage you - is to spy on him. And according to some cybercrime experts, one of the easier and more effective ways to do that is to hang out where the bad guys do - on the Dark Web."
From ZDNet: Microsoft fixes four critical security flaws in August's Patch Tuesday "In Microsoft's scheduled monthly round of security fixes, even the company's newest operating system, Windows 10, wasn't let off the hook. For this month's so-called Patch Tuesday, the company has issued 14 bulletins fixing almost five-dozen separate vulnerabilities in Windows, Windows Server, Internet Explorer, and Office, among other products." See also: Adobe patches critical Flash security flaws (ZDNet)
From ZDNet: Symantec to spin off Veritas storage business: report "Symantec is ready to announce the sale of its data storage business Veritas to Carlyle Group LP. According to Reuters, sources familiar with the matter say a deal has been reached to sell off Veritas to the privacy equity firm, and the sale is expected to be announced at the same time as Symantec's quarterly earnings on Tuesday."
From ZDNet: Docker 1.8 adds serious container security "The new open-source Docker container release has numerous new features, but the headline news is its improved security. Server and cloud developers love Docker and containers, but they're also more than a little worried about container security. Now, in its latest release, Docker 1.8, Docker is tackling the problem head on with Docker Content Trust (DCT)."