Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending December 26, 2014. Covers enterprise, controversies, reports and more.
This week Apple forced its first-ever automatic security update, the JPMorgan Chase breach would've been foiled by two-factor auth, an APT led to scary physical damage at a German iron plant, Staples was attacked, and more.
- Apple deploys first-ever automatic patch to fix NTP flaw. Apple on Monday used an automatic security update mechanism for the first time to deploy a fix for a critical vulnerability in NTP, or Network Time Protocol, that was uncovered by a Google engineer. "In light of a security threat to Unix-based systems including OS X, we've used an automatic security feature to update OS X systems and protect our users as quickly as possible," Apple spokesman Bill Evans said in an emailed statement. In that statement, Evans called the NTP bug a "critical" flaw.
- The JPMorgan Chase hack could've been avoided if two-factor authentication had been in use, it has been revealed. JPMorgan's security team had apparently neglected to upgrade one of its network servers with the dual password scheme. The relatively simple nature of the Chase attack - details of which had not been previously reported - puts the breach in a new light.
- Kim Dotcom stopped the Sony PlayStation attack on Christmas Day. On December 25 hacking crew Lizard Squad once again took down the Sony PlayStation and Xbox Live networks, after warning Twitter followers about it. Lizard Squad had taken Sony's PlayStation Network down twice previously, in August and September of this year, among other successful attacks on other large websites. This time, Kim Dotcom offered Lizard Squad "3000 @MegaPrivacy premium vouchers for @LizardMafia if they stop attacking XBOX Live and PSN immediately." It worked. Update: Because the network has been up and down since the first attack, many still think it is under attack.
- A newly discovered vulnerability puts 12 million routers at risk around the world in homes, small businesses, and corporate environments. The Misfortune Cookie vulnerability allows an attacker to remotely take over a gateway device with admin privileges, according to network security vendor Check Point Software Technology, Inc. The scale of the problem is unprecedented, said Shahar Tal, Check Point's malware and vulnerability research manager.
- South Korea nuclear plant hacked: Computers at a nuclear power plant in South Korea were compromised, but the plant operator said no critical data had been leaked. The hacker was able to access blueprints, floor maps and other information on the plant.
- German iron plant physically damaged in hack attack. A German federal agency has detailed how an APT attack physically damaged an iron plant. BSI (Bundesamt für Sicherheit in der Informationstechnik) revealed that attackers used spear phishing and social engineering to get into the office network of an iron plant, then accessed production networks. This resulted in an incident where a furnace could not be shut down and caused 'massive damage to the system'.
- Staples admitted approximately 1.16 million payment cards may have been affected in a breach last fall. Investigators believe malware penetrated Staples' POS systems at 113 of its more than 1,400 retail locations nationwide. Transaction data likely compromised includes cardholder names, payment card numbers, expiration dates, and card verification codes.
- Flaw in MacBook EFI allows boot ROM malware: Programmer/hacker Trammell Hudson is presenting research on ways to infect Apple EFI firmware using the external Thunderbolt port. Attackers introduce persistent boot ROM malware through the MacBook Thunderbolt ports. Hudson says he's "... been in contact with Apple's security team for nearly two years regarding the Option ROM and Thunderbolt issues."
- Charlatans: The new wave of privacy profiteers: An easy way to browse the internet in anonymity and privacy? Not so fast. 2014 made privacy into a business -- and spawned an overwhelming amount of unscrupulous charlatans eager to capitalize on a frightened public. The stories of these charlatans, and the lies and funding scams they're still getting away with, are appalling.
- A phishing-led APT steals millions from banks: A group has stolen over US$25 million by hacking into the infrastructure of numerous financial institutions in Russia and former Soviet countries, as well as U.S. and European retailer POS systems. Researchers from Russian firm Group-IB and Dutch security firm Fox-IT call the group Anunak, after the primary malware program in its toolset.
Sony hack week in review: Sony goes full derp
A week ago Sony openly attempted to silence media coverage of leaked Sony documents ("ordering journalists to stop reporting on the leaked documents, destroy whatever they had in their possession, and wait until they received further instructions on what was/wasn't of 'public interest' from Sony").
This week, the studio made a ridiculous threat to Twitter. After Sony threatened a Twitter user for posting screenshots with little success, Sony then threatened to sue Twitter. TechDirt nails it saying, "We've already discussed how bad Sony's computer security strategy has been -- and now it seems like its legal strategy is equally brain-dead."
As you'll remember, last week the FBI formally accused North Korea of perpetrating the Sony hack. Shortly afterward, North Korea announced a denial and offered the U.S. a joint investigation into the matter -- an offer that was quickly rebuffed by the U.S.
Meanwhile, blowback from infosec communities calling shenanigans on the FBI-North Korea blame game hit critical mass.
Cranking up the chorus of respected infosec professionals who think the North Korea angle is BS, Marc Rogers (Cloudflare, DEF CON), wrote No, North Korea Didn't Hack Sony, adding to the chorus of researchers who aren't buying it.
The NYT's New Study Adds to Skepticism Among Security Experts That North Korea Was Behind Sony Hack damningly describes "flimsy evidence" for the attack's attribution, as well as a new analysis of the language used in GOP's emails that concluded the emails were more likely written by a native Russian speaker.
Here is an index of rebuttals to the North Korea theory.
While everyone was distracted with all the 'whodunit' tail-chasing, and also by Sony's big poop of a movie that trivializes a country with death camps as great comedy fodder, others continued to look at the seemingly never-ending evidence source of Sony misdeeds: the GOP file dumps.
Torrentfreak reported that contrary to what the public was told, the MPAA's big '$80 Million' settlement with Hotfile was a lie. TorrentFreak found that "the Hotfile settlement was really just for $4 million, and the $80 million was just a bogus number agreed to for the sake of a press release that the MPAA could use to intimidate others."
You'll remember that a week ago Verge and Huffington Post reported on the now-revealed conspiracy between the MPAA, Universal, Sony, Fox, Paramount, Warner Bros and Disney to go after Google, reinterpret the DMCA to their advantage, and revive SOPA.
The parties were also allotting between $585k and $1.175 million to fund Mississippi Attorney General Jim Hood's (misguided and based on faulty premises) investigation into Google.
Google filed suit against Hood and sent notices to the MPAA to preserve documents in case they're needed in litigation, also launching a public campaign to fight Hollywood's anti-piracy efforts. Hood made a statement via the New York Times calling for a "time out" and saying he will call the company to "negotiate a peaceful resolution of the issues affecting consumers."
Also, Sony's awful film was pretty much a widely-pirated, clumsily released mess (The Interview made under $1 million; Unbroken, Into The Woods and Hobbit are headed for $40 million each), despite all the free publicity milked for it.
See also: The continually updated Risk-Based Security post, A Breakdown and Analysis of the December, 2014 Sony Hack.