Zero Day Weekly: CurrentC hacked, White House breached, APT28 exposed, Verizon shamed


Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending October 31, 2014. Covers enterprise, controversies, reports and more.
This week, WalMart's answer to Apple Pay and Google Wallet got spanked with a breach while still in development, the White House played down that its EOP network was infiltrated, FireEye dissected APT28, Popular Science served malicious code to readers, and the Shellshock attacks stacked up.
Apple Pay rival CurrentC, the WalMart, Sears, 7-Eleven and Best Buy-backed mobile payment system, became a laughing stock in security communities worldwide when it was hacked this week. The breach exposed an unknown number of email addresses (and zip codes) of anyone who had even expressed interest in participating in the pilot. After touting its strong security practices, now everyone knows who's a player in the Merchant Customer Exchange (MCX) — developers of the CurrentC system. MCX CEO Dekkers Davison defiantly stumbled through a press session about the breach, insisting that it was totally not a breach, perhaps thinking he could redefine the very meaning of a breach by doing so. To the reassurance of absolutely no one, Davison inadvertently let slip that "other information was stolen" and repeated, "This is not a breach. It was only email addresses." The admission of being pwned in its initial testing phase comes before the service's official launch, which is expected sometime next year.
The White House told the NYT this week that its EOP network was hacked two or three weeks ago, and played down the breach to the press by emphasizing that it was on an unclassified network only — where the hackers conducted "fairly standard espionage." So basically, the intruders accessed the network that handles everything else that happens on unclassified computers in the Executive Office of the President, which indicates that this breach is very likely much more serious than is being reported. Mitigation included staffers having to change their passwords and intranet or VPN access being temporarily shut off. The Washington Post reported that Russian hackers may be to blame.
FireEye revealed APT28 when it released its latest Advanced Persistent Threat report on Tuesday, "APT28: A Window Into Russia's Cyber Espionage Operations" (.PDF link). In a blog post FireEye wrote,
This report focuses on a threat group that we have designated as APT28. While APT28’s malware is fairly well known in the cybersecurity community, our report details additional information exposing ongoing, focused operations that we believe indicate a government sponsor based in Moscow.
In contrast with the China-based threat actors that FireEye tracks, APT28 does not appear to conduct widespread intellectual property theft for economic gain. Instead, APT28 focuses on collecting intelligence that would be most useful to a government.
Specifically, FireEye found that since at least 2007, APT28 has been targeting privileged information related to governments, militaries and security organizations that would likely benefit the Russian government.
Verizon and AT&T became the target of a torrent of anger when it was revealed that both telcos have been inserting a Unique Identifier Header (UIDH, aka 'header enrichment') perma-cookie to track, record and monitor users' activities for building secret, non-consensual user profiles. Verizon spokeswoman Debra Lewis told Wired that "there's no way to turn it off." The situation has worsened since ProPublica reported Thursday that Somebody's Already Using Verizon's ID to Track Users — namely, Twitter, through its MoPub advertising property. Twitter has so far declined to comment. ProPublica said, "Google has proposed a new Internet protocol called SPDY that would prevent these types of header injections – much to the dismay of many telecom companies who are lobbying against it."
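The header-enrichment mechanism above is easy to see from the receiving end, and a site operator can at least refuse to pass the identifier along. The following is an added example written for this roundup, not code from Verizon, ProPublica or any of the companies named. It assumes the Verizon identifier arrives as an `X-UIDH` request header (as reported publicly at the time), uses constructed sample requests with a placeholder ID value, and shows two things: stripping the header before application or ad code can read it, and how a shared ID links visits that share no cookie. Because a carrier proxy can only rewrite plaintext traffic, the same header on an HTTPS request is flagged as unexpected; that is the property the SPDY (TLS-only) proposal relies on.

```python
"""Detect, strip and audit carrier 'header enrichment' IDs on inbound HTTP requests.

Added example (not from the original article). Header names and sample data
are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Header names known from public reporting to carry a carrier-injected tracking ID.
# Verizon's identifier travelled as X-UIDH; operators can extend this set.
ENRICHMENT_HEADERS = frozenset({"x-uidh"})


def inspect_request(headers: Dict[str, str], scheme: str) -> Tuple[Dict[str, str], List[dict]]:
    """Return (headers with enrichment IDs removed, findings about what was removed).

    `headers` is the inbound request header map and `scheme` is "http" or "https".
    Enrichment happens in the clear: a carrier proxy cannot rewrite headers inside
    a TLS session, so an enrichment header on an https request did not come from
    the network path and is marked as unexpected.
    """
    cleaned: Dict[str, str] = {}
    findings: List[dict] = []
    for name, value in headers.items():
        if name.lower() in ENRICHMENT_HEADERS:
            findings.append({
                "header": name,
                "value_len": len(value),      # log presence, not the identifier itself
                "scheme": scheme,
                "unexpected": scheme == "https",
            })
            continue                          # drop it before app or ad code sees it
        cleaned[name] = value
    return cleaned, findings


def correlate(requests: List[dict]) -> Dict[str, List[str]]:
    """Group request paths by the enrichment ID that accompanied them.

    This is the linkage an ad network can perform: visits that share no cookie
    (or whose cookies were cleared) are tied together by the carrier's ID,
    which the subscriber cannot remove.
    """
    linked: Dict[str, List[str]] = {}
    for req in requests:
        for name, value in req["headers"].items():
            if name.lower() in ENRICHMENT_HEADERS:
                linked.setdefault(value, []).append(req["path"])
    return linked


# Constructed sample traffic: two plaintext visits from the same mobile subscriber,
# one TLS visit (no enrichment possible), and one visit from a non-carrier network.
SAMPLE_REQUESTS = [
    {"scheme": "http", "path": "/news",
     "headers": {"Host": "example.test", "User-Agent": "MobileBrowser/1.0",
                 "X-UIDH": "CONSTRUCTED-UIDH-0001"}},
    {"scheme": "http", "path": "/shop",
     "headers": {"Host": "example.test", "User-Agent": "MobileBrowser/1.0",
                 "X-UIDH": "CONSTRUCTED-UIDH-0001"}},
    {"scheme": "https", "path": "/account",
     "headers": {"Host": "example.test", "Cookie": "session=abc"}},
    {"scheme": "http", "path": "/about",
     "headers": {"Host": "example.test", "User-Agent": "DesktopBrowser/2.0"}},
]


def audit(requests: List[dict]) -> dict:
    """Summarise how much of a sample carried an enrichment ID and what it linked."""
    enriched = 0
    unexpected = 0
    for req in requests:
        _, findings = inspect_request(req["headers"], req["scheme"])
        if findings:
            enriched += 1
            unexpected += sum(1 for f in findings if f["unexpected"])
    return {"requests": len(requests), "enriched": enriched,
            "unexpected": unexpected, "linked": correlate(requests)}


if __name__ == "__main__":
    print(audit(SAMPLE_REQUESTS))
```

Stripping the header at the edge protects visitors from third-party code on the page, but it does nothing about the carrier itself or about other sites; only serving over TLS keeps the identifier out of the request in the first place.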
Popular Science has been serving malicious code from its website: Websense posted earlier this week that PopSci's official website had been compromised to redirect visitors to malware injection sites. Websense's Security Labs contacted the team at Popular Science with notification of the compromise.
The largest European cybersecurity exercise to date is under way right now, with more than 200 organizations and 400 experts from a total of 29 European Union and EFTA countries participating in Cyber Europe 2014, a large-scale event that's organized every two years. Representatives of national CERTs, telecoms and energy companies, cybersecurity agencies, financial institutions, Internet service providers and other private and public sector organizations will put their skills to the test in a realistic simulation of a cybersecurity scenario.
The Shellshock attacks are stacking up. Organizations are unable to keep up with Shellshock patching processes, and incident response practices are lagging: Security researchers released two new Shellshock-related attack warnings Thursday as they witness attackers take advantage of the Bash bug in UNIX and Linux systems.
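One reason incident response lags is that Shellshock probes are easy to miss in ordinary web logs, where they usually arrive in a header such as User-Agent or Referer aimed at a CGI endpoint. The following is an added example, not code from the researchers the paragraph refers to: a small scanner over constructed access-log lines in the common "combined" format that flags the Bash function-definition prefix `() {` in any request field. The log lines, IP addresses and paths are made up for the demonstration; the field layout is the standard Apache/nginx combined format.

```python
"""Flag Shellshock-style probes in web server access logs.

Added example with constructed log data; not code from the original article.
"""
import re
from typing import Dict, List, Optional

# A Bash function definition in a header value ("() {") is the hallmark of a
# Shellshock probe. Spacing varies between scanners, so the regex is tolerant.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx "combined" format:
#   ip - user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it does not fit."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(lines: List[str]) -> List[dict]:
    """Return one finding per line whose request, referer or user-agent carries the marker.

    Lines that do not parse are skipped rather than raising, so a log with a
    few malformed entries still yields results for the rest.
    """
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "time": rec["time"],
                             "status": rec["status"], "field": field,
                             "value": rec[field]})
                break  # one finding per line is enough for triage
    return hits


# Constructed sample log: a normal browser hit, a probe carried in the User-Agent
# against a CGI path, a benign line with "()" but no brace, and a malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Oct/2014:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20100101 Firefox/33.0"',
    '198.51.100.23 - - [30/Oct/2014:09:12:05 +0000] "GET /cgi-bin/status HTTP/1.1" 404 209 '
    '"-" "() { :; }; echo shellshock-test"',
    '192.0.2.44 - - [30/Oct/2014:09:13:40 +0000] "GET /search?q=() HTTP/1.1" 200 880 '
    '"http://example.test/" "curl/7.37.0"',
    "garbage line that does not parse",
]


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["field"]}={hit["value"]!r} (status {hit["status"]})')
```

A 404 on the probed path, as in the sample, means the scanner did not find a CGI handler there; the same marker against a path that returned 200 is the line to escalate, and either way the source IP and the time give the incident responder a starting point for checking whether the host was patched before that request arrived.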
The next version of the Google Chrome browser will arrive with fallback to SSLv3 disabled by default. Chrome 39, due to be released in six weeks' time, will be the first step in Google's plan to remove SSLv3 support from its Chrome browser.
We knew two weeks ago when the Drupal team disclosed a really, really bad SQL injection vulnerability in Drupal 7 that it was important for admins to update quickly. Drupal claims a million users on project site drupal.org and over 30,000 developers. But there's no evidence yet of actual, widespread attacks.