Zero Day Weekly: ATM malware, Cisco vulnerabilities, BadUSB shenanigans
Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending October 10, 2014. Covers enterprise, controversies, reports and more.
This week, Chase's big breach raises official questions about the victims, WaPo's "golden key" op-ed on encryption backfired, Yahoo didn't get "shellshocked," ATM malware surfaced in the wild, and the BadUSB shenanigans continue.
- Cisco has issued updates to address numerous serious vulnerabilities discovered in its Adaptive Security Appliance (ASA) software. The flaws are denial-of-service (DoS) vulnerabilities; Cisco has released free software updates that address them, and workarounds are available that mitigate some of them.
- Microsoft announced this week that it will issue nine security updates next Tuesday, three of them rated critical. The critical updates address problems in Internet Explorer and all versions of Windows, as described in its advance notification for the October 2014 Patch Tuesday release.
- Criminals obtained names, addresses, phone numbers, email addresses and "internal JPMorgan Chase information relating to such users" belonging to 76 million households and 7 million small businesses that had logged in online or through mobile devices. But the bank told MarketWatch it will not directly contact breach victims to inform them that their data was compromised. Illinois Attorney General Lisa Madigan, whose office is probing the J.P. Morgan breach, told MarketWatch that "Chase would be wise to rethink its decision."
WA Post op-ed on golden key "an insult to anyone savvy enough to use encryption;" great @kpoulsen take on Apple saga: http://t.co/mUAOvvwiuO
— Hanni Fakhoury (@HanniFakhoury) October 9, 2014
- The Washington Post opined on encryption, and it was a disaster. The paper's editorial board published a widely ridiculed and much-criticized op-ed calling for a "compromise" on encryption, under which our data would be off-limits to hackers and other bad actors yet still unlockable by a trusted party, because "with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key" (see The Horror of a 'Secure Golden Key'). Completely ignoring the history of the Crypto Wars, the paper never explained why this "golden key" would be any less vulnerable to abuse than any other backdoor.
Because a magical "secure golden key" is totally different from a backdoor. The "wizards" will get right on that.... http://t.co/2ilQRHuhit
— Liz Goodson (@lizgoodson) October 4, 2014
Actual photograph of Apple and Google delivering secret golden key pic.twitter.com/QreguhuflC
— Nadim Kobeissi (@kaepora) October 5, 2014
- Symantec followed Hewlett-Packard's lead this week, confirming on Thursday that it will indeed split into two companies. The plan is to divide the Mountain View, Calif.-based company into two brands: one business focused on security and one focused on information management.
- Yahoo came under scrutiny following a report published by Future South Technologies earlier this week claiming that Yahoo's systems had been breached using the Shellshock bug. Yahoo confirmed that a "handful" of its servers had been compromised but said Shellshock was not the cause; Romanian botnet hackers were allegedly behind the intrusion.
- Malware that makes ATMs dish out wads of cash to anyone who enters the right key codes has surfaced in the wild. The malware, dubbed "Tyupkin" and revealed by Kaspersky Lab this week, requires physical access to the ATM: attackers boot the machine from a CD to install it.
- AT&T confirmed on Monday it suffered a data breach in August, carried out by one of its own staff. Officials said the former employee was able to access account information, including Social Security and driver's license numbers. It was AT&T's second breach from an insider this year.
- This week Wired ran a terrific, detailed feature on two men who notoriously found a video poker bug that made them rich -- but then Vegas made them pay for profiting from the exploit.
- Two months after BadUSB was revealed at Black Hat, Adam Caudill and Brandon Wilson decided to replicate the attacks and publish them to GitHub for their presentation at the hacker conference DerbyCon. Caudill and Wilson said they did it to "motivate vendors to take action." The pair were criticized for "helping malicious hackers," and SANS Institute's Paul Wilson told CSO Online that he doesn't think the stunt will end well for consumers. When Berlin-based Security Research Labs (SRLabs) demonstrated the BadUSB vulnerability, it held back on releasing tools or details of its exploit, saying the flaw in the USB controller firmware was not easily fixed. Over the weekend, Caudill and Wilson published a limited, impractical pseudo-patch for only one kind of USB stick, which SRLabs' Karsten Nohl dismissed as a "band-aid".