Zero Day Weekly: Drupal disaster, POODLE, Ebola phishing scams


Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending October 17, 2014. Covers enterprise, controversies, reports and more.
This week, Drupal had a SQL faceplant, Dropbox wasn't hacked, controversy erupted over a Kickstarter privacy gadget, nobody wanted a POODLE, and Ebola is infecting inboxes.
- Snapchat sorta-promised to cook up a public API to fix the 3rd party app free-for-all that exploits its flawed business model to hack Snapchat's users... sooner or later. In a Facebook post this weekend, Snapsaved.com said its servers were breached due to a "misconfiguration." The site allows Snapchat users to save images without the sender knowing. Despite its obviously careless business model, Snapchat still blamed the violated users for what it termed as their own victimization by the use of 3rd party apps.
- The Drupal security team is reporting that versions of Drupal 7 prior to 7.32 are vulnerable to a "Highly Critical" SQL injection bug. Larry Seltzer reported, "Version 7.32 is now available to address the bug and the Drupal team strongly recommends that Drupal 7 admins update their sites immediately." SC Magazine reports that in a Wednesday post, Daniel Cid, CTO of Sucuri, wrote that proofs of concept were being shared on underground forums; in a Thursday post, Steven Adair, founder of Volexity, wrote that the company has observed the vulnerability being actively exploited.
- Google's Security Team revealed on Tuesday that the long obsolete, but still all too used, Secure Sockets Layer (SSL) 3.0 cryptographic protocol has a major security flaw. In an example attack called Padding Oracle On Downgraded Legacy Encryption (POODLE), an attacker can steal "secure" HTTP cookies or other bearer tokens such as HTTP Authorization header contents. According to the team's Bodo Möller: "This vulnerability allows the plaintext of secure connections to be calculated by a network attacker." The OpenSSL Initiative issued a patch on Thursday.
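As an added illustration of the server-side fix, not taken from the roundup or from Google's advisory, here is a typical nginx TLS block with the setting that still offers SSL 3.0 placed beside a hardened one. The server name and certificate paths are placeholders.

```nginx
# Constructed example, not from the page. example.invalid and the
# /etc/ssl/placeholder/ paths stand in for a real host and its certificate.

# WEAK: SSL 3.0 is still offered, so a network attacker who can force a
# client to retry with the legacy version gets a CBC padding oracle and
# can recover cookie or Authorization-header bytes one at a time (POODLE).
server {
    listen 443 ssl;
    server_name example.invalid;
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}

# HARDENED: SSL 3.0 removed entirely, so there is no legacy version left
# for a downgraded connection to land on. (On a current nginx, list
# "TLSv1.2 TLSv1.3"; TLS 1.3 did not exist when this item was written.)
server {
    listen 443 ssl;
    server_name example.invalid;
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
}
```

Disabling SSL 3.0 on the server removes the vulnerable protocol regardless of what clients are willing to fall back to; the OpenSSL patch referred to above complements this on the client side by adding the TLS_FALLBACK_SCSV signal so that a server can refuse a retried handshake at a lower version than the client actually supports. After reloading the configuration, confirm the change with a local check such as `openssl s_client -connect example.invalid:443 -ssl3` (the `-ssl3` flag exists only in OpenSSL builds compiled with SSLv3 support); the handshake should fail.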
- Russian hackers have exploited a bug in Microsoft's Windows operating system in order to target computers used by NATO, the European Union, Ukraine and the telecommunications and energy sectors, according to security firm iSight. In a blog post Tuesday, Dallas-based iSight, in collaboration with Microsoft, said the zero-day vulnerability impacts all supported versions of Microsoft Windows and Windows Server 2008 and 2012.
- To counter the effects of a recent massive data breach, South Korea is mulling issuing new national ID numbers to all 50 million of its citizens – a project that would cost the government an estimated $650 million. The Korea Research Institute for Local Administration told ABC the numbers are like “master keys” to hackers that could be used to “open every door and steal whole packages of personal information.”
One of the #anonabox shots in the Kickstarter video is pretty clearly a 'shopped version of an Alibaba photo pic.twitter.com/LGMsTSCzg3
— Kevin Poulsen (@kpoulsen) October 15, 2014
- Two days after press outlets breathlessly reported that magic Tor-in-a-box Kickstarter project Anonabox was an easy solution for a plug-n-play version of Tor, the project was exposed for getting its so-called "custom" hardware off the shelf from a Chinese manufacturer — and it only got worse from there. Infosec communities and hacker figureheads have taken the creator to task (and called for the project to be reported to Kickstarter) and a Reddit AMA went badly for the creator; yet the project's funding has exceeded half a million dollars. The creator of Anonabox has since backpedaled on his claims.
Did you back the Anonabox on Kickstarter? Login -> Manager Pledge -> Cancel. Hardware runs $20 online @ http://t.co/pPPsIoYSIH
— HD Moore (@hdmoore) October 16, 2014
- Web founder Tim Berners-Lee is one of the privacy advocates behind a newly launched service that combines social media, cloud storage, person-to-person, and group communications for privacy-conscious users. The MeWe private communications network spun out of online privacy company Sgrouples — founded by online privacy advocate Mark Weinstein — doesn't own, track or share information its members provide or share among one another.
- Ebola is the flavor of the week for phishing. The United States Computer Emergency Readiness Team (US-CERT) has issued an advisory alerting users of email scams and cyber campaigns using the highly publicized Ebola virus disease as phishing bait. "Phishing emails may contain links that direct users to websites which collect personal information, such as login credentials, or contain malicious attachments that can infect a system,” read the advisory.