Zero Day Weekly: Facebook Reconnect hijack, Rowhammer, CISA quietly approved

A collection of notable security news items for the week ending March 13, 2015. Covers enterprise, controversies, application and mobile security, malware, reports and more.
Written by Violet Blue, Contributor


Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending March 13, 2015. Covers enterprise, controversies, reports and more.

  • The average enterprise has over 2000 unsafe or malicious apps installed on staff mobiles, according to new research from security vendor Veracode. The firm analyzed hundreds of thousands of mobile apps installed in enterprise environments across a variety of industries and found 14,000 of them to be "unsafe". Of these, 85% exposed sensitive phone data such as device location, call history, contacts, SMS logs and SIM information. A further 37% apparently performed "suspicious" actions such as recording phone conversations, installing or uninstalling apps, running additional programs or checking to see if the device is rooted or jailbroken.
  • IBM's X-Force Application Security Research Team revealed the existence of a severe vulnerability in the Dropbox SDK for Android. The now-patched vuln, DroppedIn, allowed attackers to connect applications on a user's mobile device to a Dropbox account that they controlled. Dropbox said no files were compromised before the patch; IBM says it first reported the vulnerability to Dropbox in December and praised Dropbox for issuing a patch within four days.
  • Kaspersky Labs on March 10 revealed details of what it claims is the first malware that outwits CAPTCHA. (See also: In 2012, a trio of hackers unveiled a free system that defeats CAPTCHA with 99% accuracy; DEFCON 16 (2008).) The Podec malware (Trojan-SMS.Android.Podec) targets Android devices; it sends CAPTCHA requests to the online human translation service Antigate.com, which converts the image to text and relays that data back to the malware code within seconds, convincing the CAPTCHA that it is dealing with a person. Podec extorts money from victims by subscribing infected Android users to costly services.
  • Blue Coat Systems, an enterprise security company specializing in corporate networking and hardware, confirmed on Tuesday it has been acquired by Bain Capital for approximately $2.4 billion. The transaction is expected to close during the first half of 2015. Blue Coat boasted it now counts approximately 80 percent of the Fortune 500 as customers of its on-premise, hybrid and cloud-based solutions.
  • Verizon's 2015 PCI compliance report shows that companies bulk up IT security just in time for their PCI inspection, but only 29% keep it up afterward. Verizon found that insurance companies that offer cybersecurity policies are rejecting retailers' claims "because they have failed to take adequate security measures."