Zero Day Weekly: Facebook Reconnect hijack, Rowhammer, CISA quietly approved
Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending March 13, 2015. Covers enterprise, controversies, reports and more.
- Facebook declined to fix it: The "Reconnect" tool allows attackers to generate URLs to hijack accounts on sites using Facebook Login. Reconnect was released last week by San Francisco-based pentester Egor Homakov. It takes advantage of a cross-site request forgery (CSRF) issue in Facebook Login, the service that allows users to log in on websites using their Facebook accounts. The Reconnect proof-of-concept tool generates malicious URLs to hijack accounts on Bit.ly, About.me, Stumbleupon, Angel.co, Mashable and Vimeo (Booking.com has since closed the hole). The vuln was disclosed in January 2014 after Facebook declined to fix it; Facebook this week denied that it is refusing to fix the attack, shifting the blame to developers who don't follow Facebook's best practices. However, other sites using Facebook Login can be targeted by manually feeding the tool links that trigger Facebook login requests on behalf of their users.
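The defensive side of this item, as an added example that is not from the article or from Homakov's tool: a site's Facebook Login callback that binds the OAuth `state` parameter to the user's session, the standard login-CSRF check, shown beside the unprotected version. Treating `state` as the "best practice" Facebook refers to is this example's assumption, and the session and request objects are constructed in-memory stand-ins for a web framework's.

```python
import hmac
import secrets

# Assumption: the relevant Facebook Login best practice is the OAuth 2.0
# "state" parameter (RFC 6749 section 10.12). The article does not name it.
FB_AUTH_ENDPOINT = "https://www.facebook.com/dialog/oauth"  # real endpoint


def build_login_redirect(session, client_id, redirect_uri):
    """Start the Facebook Login flow: mint a random state and bind it to the session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state  # stored server-side, never derived from the request
    return (f"{FB_AUTH_ENDPOINT}?client_id={client_id}"
            f"&redirect_uri={redirect_uri}&state={state}")


def vulnerable_callback(session, params, link_account):
    """Unprotected callback: links whatever Facebook account the code resolves to.

    A victim who can be made to load a crafted callback URL while logged in
    ends up with an attacker-controlled Facebook account attached to their site
    account, which is the hijack the article describes.
    """
    link_account(session["user_id"], params["code"])
    return True


def hardened_callback(session, params, link_account):
    """Protected callback: accepts the code only if the state matches this session.

    The state is popped, so each value is single-use; a forged or replayed
    request carries no state (or a stale one) and is rejected before linking.
    """
    expected = session.pop("oauth_state", None)
    received = params.get("state")
    if not expected or not received:
        return False
    if not hmac.compare_digest(expected, received):  # constant-time comparison
        return False
    link_account(session["user_id"], params["code"])
    return True
```

The rejection path is where a defender would also log the event: a burst of callbacks with missing or mismatched `state` for logged-in users is a detectable signal of this kind of attack.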
- A U.S. Senate committee has quietly approved CISA (formerly called CISPA), which does away with warrants to get your online records. Behind closed doors at the end of the day Thursday, the Senate Intelligence Committee voted to approve the controversial bill, which makes it easier for businesses to share user information with government agencies, obviating the need for warrants. Sen. Ron Wyden, the only lawmaker to vote against the new bill, said the measure "lacks adequate protections for the privacy rights of American consumers, and...will have a limited impact on US cybersecurity."
- This month's Patch Tuesday updates from Microsoft contained an epic number of fixes. Microsoft patched the vulnerability exploited by Stuxnet as well as FREAK; five updates (four for Windows and one for Office) are rated Critical. The remaining nine are rated Important, all for Windows except for a lone Exchange Server patch. That Microsoft had failed to patch the Stuxnet vulnerability five years ago caused no small amount of controversy in online discussions. The FREAK cleanup continues, with Cisco and Apple releasing fixes almost in unison with Microsoft and Google.
Take a moment and watch this surprisingly good piece on the 414 hackers of the 1980s on @CNN http://t.co/VXx9TB8bcO
-- 2600 Magazine (@2600) March 12, 2015
- Google's Project Zero uncovered a serious security problem lurking in modern DRAM devices -- one the hardware industry may have written off as a reliability issue. Project Zero has called on hardware makers for more information about efforts to mitigate Rowhammer, a hardware bug that renders notebooks vulnerable to a memory-based exploit. It affects DRAM from three major vendors, suggesting to the researchers that many systems in use are likely to be at risk. Because Rowhammer is a hardware flaw, it can't be mitigated by just upgrading software; Cisco has outlined two widely known mitigations for it.
- The average enterprise has over 2000 unsafe or malicious apps installed on staff mobiles, according to new research from security vendor Veracode. The firm analyzed hundreds of thousands of mobile apps installed in enterprise environments across a variety of industries and found 14,000 of them to be "unsafe". Of these, 85% exposed sensitive phone data such as device location, call history, contacts, SMS logs and SIM information. A further 37% apparently performed "suspicious" actions such as recording phone conversations, installing or uninstalling apps, running additional programs or checking to see if the device is rooted or jailbroken.
- IBM's X-Force Application Security Research Team revealed the existence of a severe vulnerability in the Dropbox SDK for Android. The now-patched vuln, DroppedIn, allowed attackers to connect applications on a user's mobile device to a Dropbox account that they controlled. Dropbox said no files were compromised before the patch; IBM says it first reported the vulnerability to Dropbox in December and praised Dropbox for issuing a patch within four days.
- Kaspersky Labs on March 10 revealed details of what it claims is the first malware that outwits CAPTCHA. (See also: In 2012, a trio of hackers unveiled a free system that defeats CAPTCHA with 99% accuracy; DEFCON 16 (2008).) The Podec malware (Trojan-SMS.Android.Podec) targets Android devices; it sends CAPTCHA requests to the online human translation service Antigate.com, which converts the image to text and relays that data back to the malware code within seconds, convincing CAPTCHA it's a person. Podec extorts money from victims by subscribing infected Android users to costly services.
- Blue Coat Systems, an enterprise security company specializing in corporate networking and hardware, confirmed on Tuesday it has been acquired by Bain Capital for approximately $2.4 billion. The transaction is expected to close during the first half of 2015. Blue Coat boasted it now counts approximately 80 percent of the Fortune 500 as customers of its on-premise, hybrid and cloud-based solutions.
- CIA tried to hack into iPhone, iPad for years, say leaked documents from 2012: The CIA once focused its efforts on cracking the security keys used to encrypt personal data on iPhones and iPads, according to an article published by The Intercept on Tuesday. According to The Intercept, researchers working for the CIA looked into both "physical" and "non-invasive" ways of gaining access to a device's firmware.
- Verizon's 2015 PCI compliance report shows that companies bulk up IT security just in time for their PCI inspection, but only 29% keep it up afterward. Verizon found that insurance companies that offer cybersecurity policies are rejecting retailers' claims "because they have failed to take adequate security measures."
Here's a sneak peek at the next PoC||GTFO, to be released next week. pic.twitter.com/KJyzmL4lhv
-- Travis Goodspeed (@travisgoodspeed) March 12, 2015