Zero Day Weekly: Apple's big fix, Home Depot, Salesforce flags Dyre Trojan

Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending September 19, 2014. Covers enterprise, controversies, reports and more.

This week, Apple Inc. made security headlines on many fronts after suffering a black eye in the celebrity iCloud nudes scandal, news about the Home Depot attack worsened, and famous hacker / convicted felon Kevin Mitnick officially entered the exploit sales market.

• In addition to the large list of vulnerabilities fixed in iOS 8, Apple released new versions of many other products to fix many other vulnerabilities (Apple updates OS X Mavericks, Safari and other products), including Apple Configurator. Many noticed that Apple omitted the 'warrant canary' from its latest transparency reports, while news of the week was that Apple doubles-down on security, shuts out law enforcement from accessing iPhones, iPads.

Tim Cook: Apple sells security. Google sells you. http://t.co/WeUEuovWCw

— Chris Wysopal (@WeldPond) September 18, 2014

• CloudFlare made a game-changing announcement Thursday in Announcing Keyless SSL™: All the Benefits of CloudFlare Without Having to Turn Over Your Private SSL Keys.

• Infosec is abuzz that Kevin Mitnick is now selling 0day and exploits.

I can't tell if this is a joke or not. @kevinmitnick is in the exploit brokering business? https://t.co/e2XDU0UlVC

— Christopher Soghoian (@csoghoian) September 18, 2014

• HP announced the release of its Internet of Things State of the Union Study, revealing 70 percent of the most commonly used Internet of Things (IoT) devices contain serious vulnerabilities.

• Security Intelligence reported that "Salesforce.com is warning its customers that the Dyre Trojan might be used to target their login credentials. The Dyre banking Trojan, which typically targets customers of large financial institutions, was recently used in a large-scale, credential-phishing campaign targeting Bank of America, Citigroup, Royal Bank of Scotland and JPMorgan Chase customers."

• A Senate Armed Services Committee investigation released info on an investigation finding Chinese intrusions into key defense contractors: hackers associated with the Chinese government successfully penetrated the computer systems of U.S. Transportation Command contractors at least 20 times in a single year, intrusions that show vulnerabilities in the military’s system to deploy troops and equipment in a crisis.

Increasingly it's about cyber war (to destroy data): China hacked into Pentagon contractor networks http://t.co/VXU4APcHPs via @guardian

— Ray Boisvert ISECIS (@ISECIS) September 18, 2014

• A major Android bug was disclosed by Rapid7/Metasploit, accurately described as a privacy disaster and remains unacknowledged by Google. "By malforming a javascript: URL handler with a prepended null byte, the AOSP, or Android Open Source Platform (AOSP) Browser) fails to enforce the Same-Origin Policy (SOP) browser security control. What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attackers site while you had your webmail open in another window -- the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf."

• Many were upset when The New South Wales Police force was named as a user of the FinFisher malware and spyware toolkit used by governments worldwide to capture user data, as part of a Wikileaks data release of the product.

“@WSJ: Edward Snowden accuses New Zealand leader of deception over surveillance http://t.co/BRMxSQdQC6” << @KimDotcom PR stunt

— Justine Aitel (@justineaitel) September 15, 2014

• An eBay attack was reported by BBC, where an iPhone 5S listing sent users to a fake eBay clone page to steal user credentials; eBay only removed the listings only after a follow-up call from the BBC more than 12 hours later.

• Google announced that Android L will offer default encryption just like iOS 8. Although Google is yet to provide details, or even an official statement, a spokesperson for the company has told The Washington Post that it plans to make data encryption the default setting for the Android L operating system, set to be released next month. Google also released its latest transparency report, described in Google Report Shows Governments’ Increasing Demands for Users’ Data.

• Home Depot's cyber attack was worse than we thought: Home Depot: 56 million payment cards affected by cyberattack. In a statement, Home Depot said that it completed its investigation and added enhanced encryption will be complete in early 2015.

Thanks to Larry Seltzer for contributing to this roundup.