Zero Day Weekly: Active Microsoft zero-day, Oracle kills Java, D-Link snafu, more DHS cyber-negligence

A collection of notable security news items for the week ending April 17, 2015. Covers enterprise, controversies, application and mobile security, malware, reports and more.


Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending April 17, 2015. Covers enterprise, controversies, reports and more.

  • Oracle is to end publicly available security fixes for Java 7 this month: Public updates for Java 7 - including bug and security fixes - will end this month, a situation that one security advocate says could impact millions of applications. The Critical Patch Update released by Oracle on Tuesday includes 98 security fixes for a wide range of product families.
  • D-Link has failed to properly fix vulns affecting several router models. The networking equipment manufacturer says it's currently addressing the issues. The vulnerabilities, related to the Home Network Administration Protocol (HNAP), were reported earlier this year by Samuel Huntley and Zhang Wei of Qihoo360.
  • CoinVault ransomware decryption keys were released for free by Kaspersky after the National High Tech Crime Unit (NHTCU) of the Netherlands police and the Netherlands National Prosecutors Office obtained a database from a CoinVault command-and-control server.
  • Cybercrime and law enforcement were key themes at Interpol World 2015. During the opening address Tuesday at Interpol World 2015, Singapore's Second Minister for Home Affairs and Trade and Industry S. Iswaran said tech advancements, globalization, and urbanization had enabled criminals and terrorists to pose a new wave of threats that could shake the security foundation of local and global markets.
  • Department of Homeland (in)Security: Sensitive docs and computer passwords left unsecured after-hours at five DHS agencies. Nearly a third of employee desks checked after the close of business by a government watchdog at five Department of Homeland Security agencies had sensitive materials, laptops, cell phones and "For Office Use Only" documents left unsecured.
  • Verizon's new DBIR (Data Breach Investigations Report 2015) says we've "got 99 problems, and mobile malware isn't even less than 1 percent of them." This backs up Google's findings in its Android 2014 Security Year in Review, which found that fewer than 1 percent of Android devices had a "potentially harmful app (PHA)" installed in 2014. The report also found that organized crime has become the most frequently seen threat actor for web app attacks, and the cost per record formula for breaches is no longer an accurate measure.
  • Target, MasterCard settle over data breach: Target and MasterCard have settled on a fund so the credit card issuer can pay its customers over the retailer's 2013 data breach. In a statement, Target said that it will fund up to $19 million in pre-tax alternative recovery payments, which are offers MasterCard will make to its customers affected by the data breach.