Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending December 26, 2014. Covers enterprise, controversies, reports and more.
This week Apple forced its first-ever automatic security update, the JPMorgan Chase breach would've been foiled by two-factor auth, an APT led to scary physical damage at a German iron plant, Staples was attacked, and more.
Apple deploys first-ever automatic patch to fix NTP flaw. Apple on Monday used an automatic security update mechanism for the first time to deploy a fix for a critical vulnerability in NTP, or Network Time Protocol, that was uncovered by a Google engineer. "In light of a security threat to Unix-based systems including OS X, we've used an automatic security feature to update OS X systems and protect our users as quickly as possible," Apple spokesman Bill Evans said in an emailed statement. In that statement, Evans called the NTP bug a "critical" flaw.
The JPMorgan Chase hack could've been avoided if two-factor authentication had been in use, it has been revealed. JPMorgan's security team had apparently neglected to upgrade one of its network servers with the dual password scheme. The relatively simple nature of the Chase attack - details of which had not been previously reported - puts the breach in a new light.
#sonyhack #PS4goesback @Sony I'll be returning your PS4 tomorrow. Worst X-mas ever. You had plenty of time to prepare for this attack.
Kim Dotcom stopped the Sony PlayStation attack on Christmas Day. On December 25 hacking crew Lizard Squad once again took down the Sony PlayStation and Xbox Live networks, after warning Twitter followers about it. Lizard Squad took Sony's PlayStation Network out twice previously, in August and September of this year, among other successful attacks on other large websites. This time, Kim Dotcom offered Lizard Squad "3000 @MegaPrivacy premium vouchers for @LizardMafia if they stop attacking XBOX Live and PSN immediately." It worked. Update: Because the network has been up and down since the first attack, many still think it is under attack.
A newly discovered vulnerability puts 12 million routers at risk around the world in homes, small businesses, and corporate environments. The Misfortune Cookie vulnerability allows an attacker to remotely take over a gateway device with admin privileges, according to network security vendor Check Point Software Technology, Inc. The scale of the problem is unprecedented, said Shahar Tal, Check Point's malware and vulnerability research manager.
South Korea nuclear plant hacked: Computers at a nuclear power plant in South Korea were compromised but the plant operator said no critical data has been leaked. The hacker was able to access blueprints, floor maps and other information on the plant.
German iron plant physically damaged in hack attack. A German federal agency has detailed how an APT attack physically damaged an iron plant. BSI (Bundesamt für Sicherheit in der Informationstechnik) revealed that attackers used spear phishing and social engineering to get into the office network of an iron plant, then accessed production networks. This resulted in an incident where a furnace could not be shut down and caused 'massive damage to the system'.
Staples admitted approximately 1.16 million payment cards may have been affected in a breach last fall. Investigators believe malware penetrated Staples' POS systems at 113 of its more than 1,400 retail locations nationwide. Transaction data likely compromised includes cardholder names, payment card numbers, expiration dates, and card verification codes.
Flaw in MacBook EFI allows boot ROM malware: Programmer/hacker Trammell Hudson is presenting research on ways to infect Apple EFI firmware using the external Thunderbolt port. Attackers introduce persistent boot ROM malware through the MacBook Thunderbolt ports. Hudson says he's "... been in contact with Apple's security team for nearly two years regarding the Option ROM and Thunderbolt issues."
Charlatans: The new wave of privacy profiteers: An easy way to browse the internet in anonymity and privacy? Not so fast. 2014 made privacy into a business -- and spawned an overwhelming number of unscrupulous charlatans eager to capitalize on a frightened public. The stories of these charlatans, and the lies and funding scams they're still getting away with, are appalling.
As you'll remember, last week the FBI formally accused North Korea of perpetrating the Sony hack. Shortly afterward, North Korea announced a denial and offered the U.S. a joint investigation into the matter -- an offer that was quickly rebuffed by the U.S.
Meanwhile, blowback from infosec communities calling shenanigans on the FBI-North Korea blame game hit critical mass.
While everyone was distracted with all the 'whodunit' tail-chasing, and also by Sony's big poop of a movie that trivializes a country with death camps as great comedy fodder, others continued to look at the seemingly never-ending evidence source of Sony misdeeds: the GOP file dumps.
You'll remember that a week ago Verge and Huffington Post reported on the now-revealed conspiracy between the MPAA, Universal, Sony, Fox, Paramount, Warner Bros and Disney to go after Google, reinterpret the DMCA to their advantage, and revive SOPA.
The parties were also allotting between $585k and $1.175 million to fund Mississippi Attorney General Jim Hood's (misguided and based on faulty premises) investigation into Google.
Also, Sony's awful film was pretty much a widely-pirated, clumsily released mess (The Interview made under $1 million; Unbroken, Into The Woods and Hobbit are headed for $40 million each), despite all the free publicity milked for it.