Zero Day Weekly: Facebook Reconnect hijack, Rowhammer, CISA quietly approved

A collection of notable security news items for the week ending March 13, 2015. Covers enterprise, controversies, application and mobile security, malware, reports and more.


Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending March 13, 2015. Covers enterprise, controversies, reports and more.

  • Facebook declined to fix it: The "Reconnect" tool lets attackers generate URLs that hijack accounts on sites using Facebook Login. Reconnect was released last week by San Francisco-based pentester Egor Homakov. It takes advantage of a cross-site request forgery (CSRF) issue in Facebook Login, the service that lets users sign in to third-party websites with their Facebook accounts. The proof-of-concept tool generates malicious URLs for several sites, among them Stumbleupon, Mashable and Vimeo (one of the affected sites has since closed the hole). The vuln was disclosed in January 2014 after Facebook declined to fix it; Facebook this week denied that it is refusing to fix the attack and instead put the blame on developers who don't follow Facebook's best practices. However, any other site using Facebook Login can be targeted by manually feeding the tool links that trigger Facebook login requests on behalf of that site's users.

  • The average enterprise has more than 2,000 unsafe or malicious apps installed on staff mobiles, according to new research from security vendor Veracode. The firm analyzed hundreds of thousands of mobile apps installed in enterprise environments across a variety of industries and found 14,000 of them to be "unsafe". Of these, 85% exposed sensitive phone data such as device location, call history, contacts, SMS logs and SIM information. A further 37% performed "suspicious" actions such as recording phone conversations, installing or uninstalling apps, running additional programs or checking whether the device is rooted or jailbroken.
  • IBM's X-Force Application Security Research Team revealed a severe vulnerability in the Dropbox SDK for Android. The now-patched vuln, dubbed DroppedIn, allowed an attacker to connect applications on a user's mobile device to a Dropbox account the attacker controlled. Dropbox said no files were compromised before the patch; IBM says it first reported the vulnerability to Dropbox in December and praised Dropbox for issuing a patch within four days.
  • Kaspersky Lab on March 10 revealed details of what it claims is the first malware that outwits CAPTCHA. (See also: in 2012 a trio of hackers unveiled a free system that defeats CAPTCHA with 99% accuracy, and DEFCON 16 in 2008.) The Podec malware (Trojan-SMS.Android.Podec) targets Android devices; it sends CAPTCHA images to an online human-powered image-to-text service, which converts the image to text and relays the answer back to the malware within seconds, so the CAPTCHA check passes as though a person had solved it. Podec extorts money from victims by subscribing infected Android users to costly premium-rate services.
  • Blue Coat Systems, an enterprise security company specializing in corporate networking and hardware, confirmed on Tuesday that it has been acquired by Bain Capital for approximately $2.4 billion. The transaction is expected to close during the first half of 2015. Blue Coat boasted that it now counts approximately 80 percent of the Fortune 500 as customers of its on-premises, hybrid and cloud-based solutions.
  • Verizon's 2015 PCI compliance report shows that companies bulk up IT security just in time for their PCI assessment, but only 29% keep it up afterward. Verizon also found that insurance companies offering cybersecurity policies are rejecting retailers' claims "because they have failed to take adequate security measures."
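On the Facebook Login CSRF item above: the article does not spell out the mechanics, so here is an added illustration, written for this page and not Homakov's Reconnect code or Facebook's own guidance. It simulates a site's "Login with a provider" OAuth-style flow in memory and shows the weakness a Reconnect-class attack relies on (a callback that links whatever authorization code arrives to the current user) beside two generic defenses that are assumed here to be the relevant "best practices": a per-session, single-use `state` nonce checked on the callback, and a CSRF-protected initiation step so a third-party page cannot start the flow in the victim's browser. The provider, codes, account names, URLs and the `Session` class are constructed placeholders.

```python
"""Added example (not from the article, not Reconnect, not Facebook's API):
a site-side OAuth-style connect flow, vulnerable and hardened, simulated in memory."""
import hmac
import secrets

# Constructed stand-in for the identity provider: authorization code -> provider account.
PROVIDER_CODES = {
    "code-for-attacker": "provider:attacker",
    "code-for-victim": "provider:victim",
}

# Site-side record of which provider account each site user is linked to.
LINKED_ACCOUNTS = {}


class Session:
    """One browser session on the site (hypothetical, not a real framework object)."""

    def __init__(self, site_user):
        self.site_user = site_user
        self.oauth_state = None
        self.csrf_token = secrets.token_urlsafe(16)


# --- Vulnerable flow: the connect step is a plain GET link, and the callback
# --- links whatever code arrives to the currently logged-in site user.

def callback_vulnerable(session, query):
    """No state check: an attacker-supplied code links the victim's site account
    to the attacker's provider account, which is the Reconnect-class outcome."""
    account = PROVIDER_CODES[query["code"]]
    LINKED_ACCOUNTS[session.site_user] = account
    return account


# --- Hardened flow ---

def begin_connect_hardened(session, form_csrf_token):
    """Initiation is a state-changing POST carrying the session's CSRF token, so a
    cross-site page cannot start the flow on the user's behalf. A fresh single-use
    `state` nonce is bound to the session before redirecting to the provider."""
    if not hmac.compare_digest(form_csrf_token, session.csrf_token):
        raise PermissionError("connect request did not carry a valid CSRF token")
    session.oauth_state = secrets.token_urlsafe(16)
    return ("https://provider.example/oauth?client_id=site"
            "&redirect_uri=https://site.example/cb"
            f"&state={session.oauth_state}")


def callback_hardened(session, query):
    """Only a callback carrying the nonce this session generated is accepted."""
    expected = session.oauth_state
    session.oauth_state = None  # single use: replaying the same callback fails
    if expected is None or not hmac.compare_digest(query.get("state", ""), expected):
        raise PermissionError("state mismatch: callback was not initiated by this session")
    account = PROVIDER_CODES[query["code"]]
    LINKED_ACCOUNTS[session.site_user] = account
    return account


def demo():
    """Run an attacker-crafted callback against both handlers and report what got linked."""
    forged = {"code": "code-for-attacker"}  # crafted by the attacker, no state value
    victim = Session("victim")
    vulnerable_result = callback_vulnerable(victim, forged)

    victim2 = Session("victim2")
    try:
        callback_hardened(victim2, forged)
        hardened_result = LINKED_ACCOUNTS.get("victim2")
    except PermissionError:
        hardened_result = None

    # The legitimate path still works when the user starts it from the site itself.
    url = begin_connect_hardened(victim2, victim2.csrf_token)
    state = url.rsplit("state=", 1)[1]
    legit_result = callback_hardened(victim2, {"code": "code-for-victim", "state": state})
    return {"vulnerable": vulnerable_result,
            "hardened_forged": hardened_result,
            "hardened_legit": legit_result}


if __name__ == "__main__":
    print(demo())
```

Both checks matter: `state` alone stops a forged callback, but if the connect step is an unauthenticated GET, an attacker who can get the victim's browser to follow it can still drive a complete, state-matching flow against a provider session the attacker controls, so the initiation itself must be CSRF-protected too.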