Zero Day Weekly: ATM malware, Cisco vulnerabilities, BadUSB shenanigans

A collection of notable security news items for the week ending October 10, 2014. Covers enterprise, controversies, reports and more.
Written by Violet Blue, Contributor

Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending October 10, 2014. Covers enterprise, controversies, reports and more.

This week, Chase's big breach raises official questions about the victims, WaPo's "golden key" op-ed on encryption backfired, Yahoo didn't get "shellshocked," ATM malware surfaced in the wild, and the BadUSB shenanigans continue.

  • Cisco has issued updates to address numerous serious vulnerabilities discovered in its Adaptive Security Appliance (ASA) software. The ASA software is affected by several denial-of-service (DoS) vulnerabilities; Cisco has released free software updates that address them, and workarounds that mitigate some of the vulnerabilities are also available.
  • Criminals obtained names, addresses, phone numbers, email addresses and "internal JPMorgan Chase information relating to such users" for 76 million households and 7 million small businesses who logged in online or through mobile devices. But the bank told MarketWatch it will not directly contact breach victims to inform them that their data was compromised. Illinois Attorney General Lisa Madigan, whose office is probing the J.P. Morgan breach, told MarketWatch "Chase would be wise to rethink its decision."
  • Washington Post opined on encryption and it was a disaster. The paper's editorial board published a widely ridiculed and much-criticized op-ed for "compromise" on encryption, proposing our data should be off-limits to hackers and other bad actors, because "with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key" (The Horror of a 'Secure Golden Key'). Completely ignoring the Crypto Wars, the paper didn't explain why this "golden key" would be less vulnerable to abuse than any other backdoor.
  • A flaw in ATMs dishes wads of cash to hackers who enter key codes after infecting the machines with malware. The exploit, revealed by Kaspersky Lab this week and called "Tyupkin", requires physical access to the ATM and booting it from a CD to install the malware.
  • This week Wired ran a terrific, detailed feature on two men who notoriously found a video poker bug that made them rich -- but then Vegas made them pay for profiting off the exploit.
  • Two months after BadUSB was revealed at Black Hat, Adam Caudill and Brandon Wilson decided to replicate the attacks and publish them to GitHub for their presentation at hacker conference DerbyCon. Caudill and Wilson said they did it to "motivate vendors to take action." Caudill and Wilson were criticized for 'helping malicious hackers,' and SANS Institute's Paul Wilson told CSO Online that he doesn't think the stunt will end well for consumers. When Berlin-based Security Research Labs (SRLabs) demonstrated the BadUSB vulnerability, SRLabs held back on releasing tools or details of its exploit, saying the flaw in firmware on the USB controller was not easily fixed. Over the weekend, Caudill and Wilson published a limited, impractical pseudo-patch for only one kind of USB stick, which Nohl dismissed as a "band-aid".
