Zero Day Weekly: Apple's big fix, Home Depot, Salesforce flags Dyre Trojan

A collection of notable security news items for the week ending September 19, 2014. Covers enterprise, controversies, reports and more.

Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending September 19, 2014. Covers enterprise, controversies, reports and more.

This week, Apple Inc. made security headlines on many fronts after suffering a black eye in the celebrity iCloud nudes scandal, news about the Home Depot attack worsened, and famous hacker / convicted felon Kevin Mitnick officially entered the exploit sales market.

  • Security Intelligence reported that "Salesforce.com is warning its customers that the Dyre Trojan might be used to target their login credentials. The Dyre banking Trojan, which typically targets customers of large financial institutions, was recently used in a large-scale, credential-phishing campaign targeting Bank of America, Citigroup, Royal Bank of Scotland and JPMorgan Chase customers."
  • The Senate Armed Services Committee released the findings of an investigation into Chinese intrusions into key defense contractors: hackers associated with the Chinese government successfully penetrated the computer systems of U.S. Transportation Command contractors at least 20 times in a single year, intrusions that show vulnerabilities in the military’s system to deploy troops and equipment in a crisis.
  • A major Android bug was disclosed by Rapid7/Metasploit; it has been accurately described as a privacy disaster and remains unacknowledged by Google. "By malforming a javascript: URL handler with a prepended null byte, the AOSP, or Android Open Source Platform (AOSP) Browser fails to enforce the Same-Origin Policy (SOP) browser security control. What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attacker's site while you had your webmail open in another window -- the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf."

Thanks to Larry Seltzer for contributing to this roundup.