Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending February 6, 2015. Covers enterprise, controversies, reports and more.
This week the Anthem breach exposed millions of records from an unencrypted database, Obama created a new White House cyber unit, HipChat got popped, we learned more about the iOS spyware tied to Operation Pawn Storm, About.com ignored its massive XSS problem, and much more.
- Healthcare insurance provider Anthem admitted this week that hackers accessed a database containing "tens of millions" of records on customers and employees. The unencrypted data included names, birthdates, street and email addresses, medical IDs and Social Security numbers. Apparently, encrypting your data would have been inconvenient. UPDATE/CORRECTION: Mandiant/FireEye has been engaged by Anthem, and we incorrectly reported here this morning that the firm had accused China. This was based on reports from several news outlets, which we have now been told by FireEye was media speculation. We also included a tweet, representative of a number of tweets, criticizing FireEye/Mandiant for naming China as the Anthem hack culprit when, in fact, it had not. ZDNet and I apologize for any part we had in perpetuating this inaccuracy. In light of this correction it is worth noting that some researchers argue the current attribution blame game is neither necessarily helpful nor accurate.
Mandiant says Anthem attack = sophisticated 'cos of use of "custom backdoor" but doesn't explain initial penetration http://t.co/zUMRDfdBhQ
-- Alan Woodward (@ProfWoodward) February 5, 2015
- The Obama administration will spend about $20 million on a new White House cyber unit to oversee dot-gov network security, including, for the first time, making sure agencies notify victims of breaches according to a specific timetable. The "E-gov Cyber" division is aimed at making clear OMB's role in government-wide cybersecurity: Policymaking and enforcement. The newly enacted 2014 Federal Information Security Modernization Act formally tasks the Department of Homeland Security with operational aspects of guarding the dot-gov network, and cements OMB's strategic role.
- iOS espionage app, Pawn Storm update: in Trend Micro's continued research on Operation Pawn Storm, it found an interesting "poisoned pawn": spyware specifically designed for espionage on iOS devices. While spyware targeting Apple users is highly notable by itself, this particular spyware is also involved in a targeted attack. As of this publishing, the C&C server contacted by the iOS malware is live.
- Stolen names, addresses, birth dates and Social Security numbers used to buy $700,000 of Apple gift cards: on Thursday, the Manhattan District Attorney's office said it has indicted five people for using personal information stolen from around 200 people to fund the purchase of hundreds of thousands of dollars in Apple gift cards, which in turn were used to buy Apple products.
- About.com has a huge security problem, and it is worse for the more than 98 million monthly visitors to the About Group's various topic-specific subdomains. A security researcher disclosed Monday that "at least 99.88%" of all topic links and all domains related to About.com are vulnerable to open XSS (cross-site scripting) and iframe injection (cross-frame scripting, XFS) attacks. According to the researcher's findings and proof-of-concept results, all subdomains of About.com are affected.
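To make the two vulnerability classes concrete, here is an added Python example (not the researcher's proof of concept and not About.com's code): a hypothetical topic-page renderer that reflects a query parameter into the page unescaped, the same renderer with contextual output encoding, and a check of the framing-related response headers a hardened deployment would send. The hostname, the parameter name `q`, the payloads and the header values are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed payloads (not from the researcher's report): a script tag and an
# iframe pointing at an attacker-controlled origin, both smuggled through "q".
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"
XFS_PAYLOAD = '<iframe src="https://attacker.example/login"></iframe>'


def _query_param(url: str, name: str) -> str:
    """Return the first value of query parameter `name`, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_topic_vulnerable(url: str) -> str:
    """Hypothetical topic-page template that echoes user input verbatim.

    This is the reflected-XSS / iframe-injection pattern: whatever arrives in
    `q` is placed inside the HTML body unchanged, so markup in the parameter
    becomes markup in the page.
    """
    q = _query_param(url, "q")
    return f"<h1>Results for {q}</h1>"


def render_topic_hardened(url: str) -> str:
    """Same template with output encoding appropriate for an HTML text node."""
    q = html.escape(_query_param(url, "q"), quote=True)
    return f"<h1>Results for {q}</h1>"


def hardened_response_headers() -> dict:
    """Defence-in-depth headers that limit what an injected tag can still do."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        # script-src: inline <script> blocks are refused even if injected.
        # frame-src: an injected <iframe> may not load third-party content.
        # frame-ancestors: this page may not be embedded by another site (XFS).
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "frame-src 'none'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",  # legacy equivalent of frame-ancestors 'none'
    }


def is_frameable_by_third_parties(headers: dict) -> bool:
    """Given a response's headers, can another origin put this page in a frame?"""
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {s.strip("'").lower() for s in parts[1:]}
            if sources <= {"none", "self"}:  # no external origin is allowed
                return False
    return True


if __name__ == "__main__":
    for payload in (XSS_PAYLOAD, XFS_PAYLOAD):
        url = "https://topic.example.test/search?q=" + payload
        print("vulnerable:", render_topic_vulnerable(url))
        print("hardened:  ", render_topic_hardened(url))
    print("frameable with no headers:", is_frameable_by_third_parties({}))
    print("frameable when hardened:  ",
          is_frameable_by_third_parties(hardened_response_headers()))
```

Escaping the reflected value is the actual fix; the headers are a second layer that reduces the damage an injection causes elsewhere in the site (no inline script execution, no attacker iframe, no embedding of the page in a hostile frame) until every template is corrected.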
- Adobe issued two fixes at the end of January for two zero-day vulnerabilities in Flash Player. Earlier this week it warned users of yet another Flash Player zero-day that the company says is being exploited in the wild, and on Thursday Adobe started distributing an update that fixes it.
- HipChat, the business-focused group chat and instant message (IM) service, was breached earlier this week. According to a security notice posted by HipChat's Craig Davies on Saturday night, hackers were able to breach the firm's defenses and access names, usernames, email addresses, and encrypted passwords.
So, remember when I said "Hipchat didn't pass a standard security audit" in 2012? Yeah, This. https://t.co/220KzGe1tp
-- John Adams (@netik) February 1, 2015
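The notice says "encrypted passwords". The check a practitioner wants after a breach like this is that stored password verifiers are one-way and salted per user, so a copied table cannot be decrypted at all and each password has to be guessed separately. The following is an added example using only the Python standard library; it is not HipChat's or Atlassian's code and says nothing about how HipChat actually stored passwords. The record format, the iteration count and the sample passwords are assumptions.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP's current floor for PBKDF2-HMAC-SHA256; raise over time
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a one-way, per-user-salted verifier: algorithm$iterations$salt$hash.

    Nothing stored here can be turned back into the password; an attacker who
    copies the table must guess each password and pay `iterations` PBKDF2
    rounds per guess, per user, because every record has its own salt.
    """
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(derived)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False   # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, rounds, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True if a record uses a weaker scheme or fewer iterations than current policy.

    Call this after a successful login and re-hash with the plaintext you just
    verified, so legacy records are upgraded without forcing a reset.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Correct horse battery staple", record))
    # A constructed legacy unsalted SHA-1 record is flagged for upgrade.
    print("upgrade legacy:", needs_rehash("sha1$" + hashlib.sha1(b"x").hexdigest()))
```

The contrast with reversible encryption is the point: an encrypted password column is only as safe as the key sitting next to it on the same compromised infrastructure, whereas a salted, iterated hash gives the attacker nothing to decrypt.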
- This week over 110,000 Facebook users have been tricked into downloading a porn-themed Trojan. The malware lures users of the social network with a link to a porn video posted from a friend's already-infected account, according to security researcher Mohammad Faghani. After clicking the link, users get a video preview that stops midway through, prompting them to download what purports to be a Flash player to continue watching.
Our #SuperBowl commercial was rejected. Then again, it was just 30 seconds of redacted video.
-- NSA Public Relations (@NSA_PR) February 2, 2015
- WordPress websites are at risk of exploitation through a previously undisclosed vulnerability in a plugin. The flaw exists in Fancybox, a popular image lightbox plugin, and Sucuri researchers say it allows malware or any other script to be added to a vulnerable site.