Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending January 30, 2015. Covers enterprise, controversies, reports and more.
This week China demanded our source code, a critical Linux Ghost vulnerability emerged, the ZeroAccess botnet returned, D-Link routers were found vulnerable to DNS hijacking, infosec hit back at Obama's cybersecurity proposals, and more.
- This week the Chinese government has introduced new regulations for foreign technology companies that sell computer equipment to Chinese banks. The new rules, outlined in a 22-page document, require foreign tech companies to turn over source code, submit to audits, and build back doors into hardware and software.
- PHP applications, WordPress vulnerable to Ghost glibc bug: Less than 48 hours after the disclosure of the Ghost vulnerability in the GNU C library (glibc), researchers have uncovered that PHP applications, including the WordPress content management system, could be another weak spot and eventually end up in the crosshairs of attackers.
- D-Link routers vulnerable to DNS hijacking: At least one and likely more D-Link routers as well as those of other manufacturers using the same firmware are vulnerable to remote changing of DNS settings and, effectively, traffic hijacking, a Bulgarian security researcher has discovered.
- The ZeroAccess botnet, disrupted by Microsoft in 2013, has risen up once more to commit click-fraud and data theft. According to Dell SecureWorks researchers, the peer-to-peer botnet began to resurface from March 21, 2014 until July 2, 2014, and as of January 15, 2015, click-fraud templates are once again being distributed to compromised systems.
"Confirmed empirical efficacy of malware sample." Translation: "I pwned myself."
-- Security Humor (@SecurityHumor) January 29, 2015
- Earlier this week, Google finally explained why it's not going to develop its own patches for WebView for Android versions 4.3 and earlier, even though it could leave over 930 million Android devices exposed to attacks. Adrian Ludwig, Google's lead engineer for Android security, on Friday revealed the decision was due to the complexity of applying patches to older branches of WebKit, the browser engine that was used in WebView and Chrome until Google forked WebKit into Blink for Chrome.
- Americans across a multitude of industries are up in arms this week about the broad laws President Obama is proposing to curb cybercrime, which would not simply target shadowy foreign hackers. American bloggers and media companies would also be subject to felony cybercrime charges for disseminating hacked material. The statute would apply to normal Internet users too. Possibly worse, the proposed CFAA changes are poised to criminalize security research. A small group of civic-minded infosec professionals are calling on the industry to do something about it.
- Adobe zero-day CVE-2015-0311 has been re-purposed and is being spread through mainstream adult websites via a version of Angler EK. According to FireEye, as detailed in "A Different Exploit Angle on Adobe's Recent Zero-Day," the exploit is being delivered through banner ads on popular adult websites.
OPINION: Bugs shouldn't have names, only indecipherable meaningless unique identifiers as God intended.
-- Fake Infosec News (@FakeInfosecNews) January 29, 2015