Welcome to Zero Day's Week In Security, ZDNet's roundup of notable security news items for the week ending September 25, 2015.
From ZDNet: Here are the top 25 iOS apps infected with malware by XcodeGhost "Apple on Thursday shared a list of the top 25 iOS apps infected with malware as a result of XcodeGhost. As previously noted, most of the titles are from China-based developers, since that's where programmers installed a modified version of Apple's Xcode IDE in lieu of the official version." See also: iOS 9 lockscreen bypass exposes photos and contacts (ZDNet), iOS 9.0.1: Let the bug-fixing begin (ZDNet)
From Reuters: Court adviser deals major blow to EU-U.S. data share deal "A deal easing the transfer of data between the United States and the EU is invalid, an adviser to the European Union's top court said on Wednesday, dealing a blow to a system used by Facebook, Google and thousands of other companies. The Safe Harbour agreement did not do enough to protect EU citizens' private information when it reached the United States and should have been suspended, Yves Bot, Advocate General at the European Court of Justice (ECJ), said."
From Milton Security: Morgan Stanley Employee Pleads Guilty in Data Breach Case "A Morgan Stanley employee who was fired in connection with a data breach at the company pleaded guilty Monday to downloading hundreds of thousands of confidential customer account records. Names, addresses, account numbers, and investment information are among the sensitive data of the 730,000 accounts (10% of the Wealth division clients) taken by Marsh, according to the prosecution. They also claim that Marsh was speaking to other companies about a possible new job when the data was taken."
From Ars Technica: Forcing suspects to reveal phone passwords is unconstitutional, court says "The Fifth Amendment right against compelled self-incrimination would be breached if two insider trading suspects were forced to turn over the passcodes of their locked mobile phones to the Securities and Exchange Commission, a federal judge ruled Wednesday."
From ZDNet: The OPM breach deepens: 5.6 million federal employees' fingerprints stolen "It took weeks before the Office of Personnel Management (OPM) admitted that almost 22 million federal employee personnel and security records had been cracked in two separate attacks. Months later, the OPM and Department of Defense (DoD) confessed that 'Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million.'" See also: OPM data breach's big question: What's fingerprint data worth in future cyber attacks? (ZDNet)
From Washington Post: Obama administration explored ways to bypass smartphone encryption "An Obama administration working group has explored four possible approaches tech companies might use that would allow law enforcement to unlock encrypted communications - access that some tech firms say their systems are not set up to provide. Senior officials do not intend to advance the solutions as 'administration proposals' - or even want them shared outside the government, according to a draft memo obtained by The Washington Post."
From Bloomberg: Russia's Plan to Crack Tor Crumbles "The Kremlin was willing to pay 3.9 million rubles ($59,000) to anyone able to crack Tor, a popular tool for communicating anonymously over the Internet. Now the company that won the government contract expects to spend more than twice that amount to abandon the project."
From Computerworld: A diesel whodunit: How software let VW cheat on emissions "According to the U.S. Environmental Protection Agency, Volkswagen was able to cheat emissions tests for half a million of its U.S.-sold cars. Diesel cars from Volkswagen and Audi cheated on clean air rules by including software, likely a single line of code that made the vehicles' emissions look cleaner than they actually were."
From ZDNet: Security spending will reach $75.4b worldwide: Gartner "Worldwide security spending will reach $75.4 billion this year, a 4.7 percent increase over last year, according to the latest forecast from technology research firm Gartner. 'Interest in security technologies is increasingly driven by elements of digital business, particularly cloud, mobile computing, and now also the Internet of Things, as well as by the sophisticated and high-impact nature of advanced targeted attacks,' Elizabeth Kim, research analyst at Gartner, said. Kim said this focus is driving investment in emerging offerings, such as endpoint detection and remediation tools, threat intelligence, and cloud security tools, such as encryption."
From THE STACK: Cookies can facilitate attacks on secure web sites "CERT have issued a new directive notifying that cookies can be used to allow remote attackers to bypass a secure protocol (HTTPS) and reveal private session information - and that modern browsers, including Apple's Safari, Mozilla's Firefox and Google's Chrome, currently provide no protection against the attack vector. Research indicates that secure sites as important as Google and the Bank of America are vulnerable to the technique."