Welcome to Zero Day's Week In Security, ZDNet's roundup of notable security news items for the week ending September 17, 2015.
From Engadget: Banks can bring class-action suit against Target over data hack "A District Court judge in Minnesota ruled on Wednesday that Target was negligent in its credit card data security and is therefore liable to a class-action suit brought by banks affected by the hack. That $5 million lawsuit seeks to defer the cost of covering fraudulent charges made with the stolen data. Wednesday's decision allows the primary five plaintiffs -- Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union and First Federal Savings of Lorain -- to represent the rest of the class in its action."
From CNET: Ex-Microsoft employee sues company for gender discrimination "A former Microsoft employee has sued the tech giant claiming it has a longstanding practice of discriminating against women who work in technical roles. The proposed class action lawsuit filed Wednesday in federal court in Seattle by Katherine Moussouris accuses Microsoft of paying and promoting female workers in technical positions less than their male counterparts. The suit also says women workers at Microsoft were ranked lower than men. Moussouris worked at the software maker from 2007 to 2014."
From TechEye: FireEye tried to cover up patched vulnerabilities "There was a row at the London security conference 44CON as US security company FireEye attempted to kill off public disclosure of a major series of vulnerabilities in its suite. The patched flaws included the default use of the 'root' account on a significant number of the Apache servers providing services to FireEye's clients." See also: Researcher: I Was Suspended For Finding Flaws In FireEye Security Kit (Forbes), FireEye defends researcher injunction as way to protect 'trade secrets' (ZDNet)
From The Next Web: iOS 9 and OS X El Capitan reportedly fix AirDrop security issue "AirDrop, Apple's method for wirelessly transmitting data quickly, has a serious bug according to one security researcher. Happily, the issue is easily resolved by updating to iOS 9. The issue is also patched in the forthcoming OS X El Capitan. Currently, nefarious folks can reportedly trick your device into accepting a fake certificate, even if you never open an AirDropped file." See also: Apple AirDrop flaw leaves users vulnerable to exploit (ZDNet)
From Ars Technica: China tells US tech companies to sign PRISM-like cyber-loyalty pact "As China's President Xi Jinping prepares to visit the White House next week, the head of China's Cyberspace Administration, Lu Wei, is holding a summit with US technology companies in Seattle. There, he's expected to further press US technology companies operating in China to sign off on a pledge that they will comply with Chinese information security policies -- potentially giving Chinese authorities direct access to user data."
From The Hill: Top counterintelligence agency: OPM security not our problem "The National Counterintelligence and Security Center (NCSC) on Tuesday deflected questions from Sen. Ron Wyden (D-Ore.) about whether it had identified the OPM as a security risk prior to the massive data breach that exposed millions of federal workers' personal information. "Executive branch oversight of agency information security policies and practices rests with the Office of Management and Budget and the Department of Homeland Security (DHS)," NCSC head William Evanina said in a letter to Wyden. Wyden fired back on Wednesday, calling the letter "a bureaucratic response to a massive counter-intelligence failure ... unworthy of individuals who are being trusted to defend America.""
From Ars Technica: Seven years of malware linked to Russian state-backed cyber espionage "For the past seven years, a cyber-espionage group operating out of Russia -- and apparently at the behest of the Russian government -- has conducted a series of malware campaigns targeting governments, political think tanks, and other organizations. In a report issued today, researchers at F-Secure provided an in-depth look at an organization labelled by them as 'the Dukes,' which has been active since at least 2008 and has evolved into a methodical developer of 'zero-day' attacks, pulling together their own research with the published work of other security firms to provide a more detailed picture of the people behind a long-running family of malware."
From The Hill: Watchdog says DHS networks vulnerable to hackers "The government agency responsible for defending federal networks from hackers needs to better secure its own internal systems, a government watchdog report released Tuesday concluded. The Department of Homeland Security (DHS) lags in coordinating and training its cybersecurity staff, potentially exposing networks at the Secret Service and Immigration and Customs Enforcement (ICE), which are agencies within the DHS. "While our audit showed improved coordination between DHS components in carrying out their cybersecurity functions, we have identified duplication of effort and lack of effective policies and controls," said DHS Inspector General John Roth in a statement."
From ZDNet: Unpatched Android Lollipop devices open to lockscreen bypass bug "There's an easy way to bypass the lockscreen in devices running Android 5.0 Lollipop - at least, those which have not yet received the latest security update. Now that Google has released its September patch for Android Lollipop, which contained a fix for a lockscreen bypass, a security researcher at the University of Texas has detailed how to exploit the bug. The hack involves overloading the password field after opening the camera app from the lockscreen."
From ZDNet: South Africa gets first look at cybercrime bill that comes with 25-year jail terms "South Africa is on course to become the latest country on the continent to tighten legislation around computer crime, with the publication of a draft Cybercrimes and Cybersecurity Bill. The draft bill, published by the Department of Justice and Constitutional Development, seeks to introduce a range of new offences with explicit penalties for phishing attacks, distributing malware, and committing identity fraud, amongst other offences. Penalties for offences under the bill range from fines to 25 years in prison for "computer related terrorist activity" and interception of confidential material."
From Engadget: Kardashian website security flaw exposes data for over 600,000 users "The Kardashians' new mobile apps may be extremely popular, but the websites recently launched alongside those offerings had a major flaw. An open, unsecured API gave developer Alaxic Smith access to the names and email addresses of hundreds of thousands of subscribers when he poked around Kylie Jenner's site -- over 600,000 on that site alone. What's more, Smith discovered that the same API was used across the other sisters' sites, too."