Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending September 26, 2014. Covers enterprise, controversies, reports and more.
This week, the "shellshock" bug brought Bash patching to its knees, Apple stock slipped after a disastrous iOS and security update, jQuery was hacked a second time, and infosec argued about the legitimacy of "junk hacking."
The new Apple iPhone 6 Touch ID (fingerprint) sensor was hacked this week by the same researcher who hacked the iPhone 5S Touch ID first released last year. On the Lookout blog, researcher Marc Rogers wrote, "Sadly there has been little in the way of measurable improvement in the sensor between these two devices. Fake fingerprints created using my previous technique were able to readily fool both devices."
Junk hacking isn't cool anymore. At the beginning of the week, respected security researcher Dave Aitel caused a stir when he wrote a heated screed demanding the end of what he calls "junk hacking". Addressing hackers who, in Aitel's view, use sensationalist "hacks" and entry-grade techniques against "junk" devices to scare people, he called out specific IoT hacks he believes fuel a culture of slacker hackers coasting from conference to conference on a veritable headliners' D-list. Not everyone agrees with Mr. Aitel.
So am I understanding the whole "junk hacking" thing correctly? Do we hate highlighting nonexistent security now?
TripAdvisor subsidiary Viator was hit by a massive data breach that exposed payment card details, account credentials, usernames and passwords of its customers, affecting approximately 1.4 million accounts. Viator first learned of the breach in early September from its payment card service provider, which reported "that unauthorized charges occurred on a number of our customers' credit cards." Viator was acquired by TripAdvisor in July for $200 million. According to a TripAdvisor spokesperson, TripAdvisor was not impacted by the breach and further, "Viator and TripAdvisor are operated on separate systems with different design and security attributes, and with no overlap."
IBM Security Intelligence reported that Tinba Malware is Reloaded and Attacking Banks Around the World, publishing a slew of details and interesting findings. The variant is "joining Gameover Zeus in an attempt to improve communication capabilities with the C&C by having a fallback in the form of a DGA. Initially, only a handful of financial institutions were targeted. However, as of this week's report, the attack has broadened to include a larger number of banks globally -- including the United States and Canada."