Welcome to Zero Day's Week In Security, ZDNet's roundup of notable security news items for the week ending October 23, 2015.
From SC Magazine: House committee seeks to outlaw car hacking "The House Energy and Commerce Committee will consider automotive safety reforms that, among other proposed changes, would make it illegal to hack vehicles. A draft of the legislation was released Wednesday. Sponsored by Rep. Michael C. Burgess, M.D. (R-Texas), chairman of the Commerce, Manufacturing, and Trade subcommittee, the legislation would make vehicle hacks punishable by civil penalties up to $100,000." See also: Hackers Make Cars Safer. Don't Ban Them From Tinkering (Wired) See also: Why Car Hacking Is Nearly Impossible (Scientific American) See also: David Pogue Gets Car Hacking Dangerously Wrong (Wired)
From Reuters: Cyber security bill advances in Senate "A long-delayed bill that would make it easier for corporations to share information about cyber attacks with each other or the government without fear of lawsuits [the Cybersecurity Information Sharing Act, CISA] advanced in the U.S. Senate on Thursday with support from members of both parties and the White House. But many privacy activists and a few lawmakers, including Republican Senator Rand Paul and Democratic Senator Ron Wyden, vehemently oppose it. Several big tech companies also have come out against the measure, arguing that it fails to protect user privacy and does too little to prevent cyber attacks."
From Medium (Jeffrey Carr): How "Hat-tribution" on China Has Harmed U.S. National Policymaking "Mandiant made a fortune from its long-standing policy of blaming every network breach on Chinese hackers; a fact that didn't go unnoticed by almost every other cybersecurity company. ... [This week's] company blog post combined Crowdstrike's threat intelligence with a marketing pitch for its Falcon platform. The post speaks for itself, blaming China for ongoing cyber attacks after the Xi-Obama agreement. However, after AP, CBS, and the Washington Post picked up the story, Alperovitch attempted to walk back his post's claims by saying "We are not stating anywhere that the Chinese are violating the agreement. It is not up to us to draw that conclusion."" See also: The Latest on Chinese-affiliated Intrusions into Commercial Companies (Crowdstrike blog)
From ZDNet: Dell launches new threat protection products for the enterprise "Dell has launched a new range of security solutions designed to protect enterprise clients from evolving digital threats. Revealed this week at the Dell World conference, the PC maker said the new range "offers a fresh approach" to malware blocking, sandboxing and data security while also improving the flexibility of a business. In a preview offered at the event, Dell showcased the SonicWALL APT Protection Service, the first new addition to the tech giant's security portfolio. The new service, available on both firewall and email solutions, scans files and quarantines suspicious files until a verdict on the file's risk can be reached."
From Street Insider: Trend Micro Acquires HP TippingPoint, Establishing Game-Changing Network Defense Solution "Trend Micro International, a global leader in security software, signed a definitive agreement to acquire HP TippingPoint, a leading provider of next-generation intrusion prevention systems (NGIPS) and related network security solutions. The approximately $300 million agreement encompasses security technology, intellectual property, industry expertise, as well as a large, loyal enterprise customer base. This acquisition positions Trend Micro as the go-to enterprise security provider of dynamic threat defense solutions spanning endpoints, network, data center and the cloud."
From ZDNet: Just how many websites are vulnerable because of SHA-1? "Some certificate authorities are still issuing digital certificates signed with the SHA-1 hashing algorithm, despite recent research showing that the cost of undermining it is not beyond criminals' budgets. Browser makers Google, Microsoft, and Mozilla have announced plans to stop accepting SHA-1 SSL certificates by 2017. But researchers recently called for this deadline to be brought forward, after estimating the cost of causing a SHA-1 collision is much cheaper than initially thought - and definitely within reach of cybercriminal budgets."
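One check a defender can run over a server's certificate chain, as an added example that is not part of the ZDNet article: it reads the outer signatureAlgorithm of a DER-encoded X.509 certificate and flags the SHA-1 based OIDs. The `make_sample_cert` helper builds constructed stand-in certificates (not real ones, and `sig_oid_hex` is an assumed parameter) so the script runs offline; on real data feed it the DER from `pem_to_der`.

```python
import base64
# SHA-1 based signatureAlgorithm OIDs (RFC 3279); these are what the check flags.
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10040.4.3": "dsa-with-sha1",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def _read_tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """DER OID contents -> dotted string (base-128 arcs with continuation bits)."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_algorithm(der_cert):
    """Dotted OID of Certificate.signatureAlgorithm, the field after tbsCertificate."""
    _, start, _ = _read_tlv(der_cert, 0)            # Certificate ::= SEQUENCE
    _, _, tbs_end = _read_tlv(der_cert, start)      # tbsCertificate, skipped whole
    _, alg_start, _ = _read_tlv(der_cert, tbs_end)  # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der_cert, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(der_cert[oid_start:oid_end])

def uses_sha1(der_cert):  # True when the signature was made with a SHA-1 based algorithm
    return signature_algorithm(der_cert) in SHA1_SIG_OIDS
def pem_to_der(pem):  # strips PEM armour as printed by `openssl s_client -showcerts`
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

# Constructed samples (not real certificates): just enough DER to exercise the parser.
def _der(tag, content):
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def make_sample_cert(sig_oid_hex):  # "2a864886f70d010105" = sha1WithRSAEncryption
    tbs = _der(0x30, _der(0x04, b"\x00" * 200))  # placeholder body; forces long-form lengths
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")  # OID + NULL params
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))  # dummy signature BIT STRING
```

Only the outer signatureAlgorithm is inspected, which is the field the browser deprecation is about; the tbsCertificate's inner signature field should normally carry the same OID.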
From ZDNet: Google now requires full device encryption on new Android 6.0 devices "After considering full device encryption for Android 5.0 phones and tablets earlier this year, Google has decided to enforce the requirement with Android 6.0. New phones shipping with Android 6.0 Marshmallow software and meeting a certain performance standard must be encrypted by default."
From PC World: Computer clocks can be easily scrambled, undermining encryption and bitcoin trades "Researchers from Boston University said on Wednesday they've found several flaws in NTP that could undermine encrypted communications and even jam up bitcoin transactions. One of the problems they found is that it's possible for an attacker to cause an organization's servers to stop checking the time altogether. NTP has a rate-limiting mechanism, nicknamed the "Kiss O' Death" packet, that will stop a computer from repeatedly querying the time in case of a technical problem. When that packet is sent, systems may stop querying the time for days or years, according to a summary of the research. They found a big issue: it's possible for an attacker to spoof a Kiss O' Death packet, making it appear to have come from a system experiencing trouble when it's actually fine."
From ZDNet: Apple pulls hundreds of iOS apps using private SDK from China to gather user data "At least 250 iOS apps have been discovered to collect personal data and the developers who programmed them may not even know. While updating its Searchlight platform for developers over the weekend, SourceDNA discovered the issue. Apple responded to the situation with a statement, saying it has pulled the offending apps from its App Store."
From The Register: '10-second' theoretical hack could jog Fitbits into malware-spreading mode "A vulnerability in FitBit fitness trackers first reported to the vendor in March could still be exploited by the person you sit next to on a park bench while catching your breath. ... Attacks over Bluetooth require an attacker to be within metres of a target device. This malware can be delivered 10 seconds after devices connect, making even fleeting proximity a problem. Testing the success of the hack takes about a minute, although it is unnecessary for the compromise."
From ZDNet: Yahoo only the latest at "kill the password" altar "Yahoo Thursday took a step toward eliminating the password on its mail services by offering up push notification to mobile phones for access control, which asks a user to confirm they are trying to log into their account. The user taps a button to accept or reject the log-in. The announcement is part of a series of identity and authentication improvements Yahoo has been undertaking for nearly the past two years, including a similar push service called On-Demand Password that was not well received, and a plan to adopt a standard identity federation protocol called OpenID Connect."
From ZDNet: State-sponsored attack? Facebook will now tell you 'You've been hacked' "Facebook has started to notify users when it suspects they've been targeted by government-sponsored hackers, rather than by run-of-the-mill cybercriminals. Facebook won't be revealing how it tells when a state-sponsored hacker is targeting a particular user." See also: Facebook under investigation by Irish DPC for spying accusations (SC Magazine)