Zero Day Weekly: Venom, Black Hat 2015, hyped reports, cyber-extortion controversy

Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending May 15, 2015. Covers enterprise, controversies, reports and more.

• Venom (Virtualized Environment Neglected Operations Manipulation), the recently discovered security hole in the open-source QEMU virtual machine hypervisor, has a patch. On Wednesday, CrowdStrike released details on Venom; many media articles spuriously compared Venom to Heartbleed ("the only commonality is the fact that both flaws had a pre-planned marketing campaign"), and Venom's hype was panned by infosec professionals. AWS and Linode are not vulnerable to Venom, so enterprises using those platforms are safe. Likewise, VMware, Microsoft Hyper-V, and Bochs hypervisors are also unaffected.

  See also

  Bigger than Heartbleed, 'Venom' security vulnerability threatens most datacenters

  Security researchers say the vulnerability affects "millions" of machines in datacenters around the world.

  Read now

• Thursday Black Hat announced the first set of talks selected for this year's Black Hat USA. Automotive vulnerabilities abound, as do briefings on the state of BGP security, manipulating industrial systems (including DCS, PCS, ICS and SCADA switches), and a briefing on winning the online banking war -- with a novel method derived from Zero Knowledge Protocol that prevents banking malware from reverse engineering secrets transmitted between an online banking client and its server by eavesdropping on HTTPS traffic.

• A report on Iran's cyberarmy plans to attack the United States raised eyebrows last month, both for its alarming claims and its unusual combination of authors: A Silicon Valley cybersecuirty company and a neoconservative Washington think tank that has been a prominent opponent to a nuclear deal with Iran. The report warned that if the U.S. lifted sanctions on Iran, the country would pour new money into its burgeoning cyber warfare program. But when they showed their hyped data to U.S. intelligence analysts, they were told to get lost.

• United Airlines announced it now offers air miles as bug bounty rewards, though brute-force attacks, code injection on live systems, DDoS attacks, testing on MileagePlus accounts that are not your own, and testing on in-flight systems will result in disqualification and possible criminal investigation.

• Microsoft has taken steps to stop a China-based hacking group from using its high-traffic TechNet website as part of its attack infrastructure. APT17 -- nicknamed DeputyDog -- created accounts on TechNet and then left comments on certain pages. Those comments contained the name of an encoded domain, which computers infected by the group's malware were instructed to contact.

• The Syrian Electronic Army, the notorious hacking group that has hit several high-profile media companies such as the Associated Press, The New York Times, and CNN, hacked the Washington Post mobile site on Thursday afternoon.

• Last week's headlines from the Microsoft Ignite conference breathlessly (and incorrectly) proclaimed that Patch Tuesday was dead. As if to say, "I'm not dead yet," Microsoft's update servers delivered a heaping helping of Patch Tuesday fixes for Windows, Office, the .NET Framework, and Silverlight.

• Consumer advocate blogger Bob Sullivan on Tuesday revealed that criminals are using Starbucks accounts to access consumers' linked credit cards via the auto-load function. Jonathan Sander, a strategy officer at research firm STEALTHbits Technologies, acknowledged no one knows exactly how the thefts are occurring.

• The US Department of Justice announced the arrest of two men for selling "Photofucket" software that it says stole guest passwords for protected albums and sought out those private pictures. Brandon Bourret of Colorado and Athanasios Andrianakis of Californias are facing charges of "computer fraud and abuse, access device fraud, identification document fraud and wire fraud."

• Mozilla has patched 13 security problems in the latest version of Firefox, including five critical vulnerabilities. Patches in Firefox 38 include: a privilege escalation through IPC channel messages, MP4 parsing buffer flow and out-of-bounds read issues, and a Firefox webchannel vuln which could allow untrusted pages to intercept communication meant for trusted sources.

• Microsoft wants users to consider its Edge browser (previously Spartan) as security-forward as Chrome and Firefox. In a Monday post, Microsoft detailed Edge's security strengths including increased attack protection, that app containers are used as the sandbox mechanism, and protection against memory corruption is better. Old, insecure plugin interfaces are not supported at all, including VML, VBScript, Toolbars, BHOs, and ActiveX.

• Cybersecurity company Tiversa reportedly faked hacks and extorted clients to buy its services, according to ex-employee Richard Wallace. In a federal court this week, Wallace said the company routinely engaged in fraud and shakedowns: To scare potential clients, Tiversa would typically make up fake data breaches and pressure firms to pay up, Wallace said. He claimed that Tiversa also made up information in 2009 pointing to Iran for supposedly stealing blueprints for President Obama's helicopter, Marine One. That scare that led to several news stories published by NBC, Fox, CNET and others.