Welcome to Zero Day's Week In Security, ZDNet's roundup of notable security news items for the week ending October 2, 2015.
Experian / T-Mobile breach UPDATE (10:51am PST): A T-Mobile spokesperson has told ZDNet some critical details about who is affected by the breach. "Technically it's 15m credit applicants, or 15m T-Mobile customers and applicants."
"In reality it was applicants for T-Mobile services," the spokesperson added. "Not everyone impacted is or has been a T-Mobile customer, and we want to make sure those facts are clear. If folks read your story, they may think they're OK because they're not a T-Mobile customer, when in fact, they could be at risk. We need to get this message out more accurately, so they sign up for protection services."
Original [un-updated] excerpt from Engadget: Experian leaks info from 15 million T-Mobile credit applications:"T-Mobile has just revealed that it has been the victim of a major hack that has exposed the personal details, including social security numbers, for approximately 15 million of its customers. CEO John Legere has just posted a letter regarding the hack in which he says that a data breach of credit vendor Experian has revealed the info; T-Mobile uses Experian to process its credit applications. Names, addresses and birth dates for those 15 million customers were revealed to the hackers as well as encrypted data that contained details like social security numbers and drivers license numbers. Unfortunately, Experian believes that the encryption protecting those bits of data was compromised, as well."
From CNET: Every Android device is vulnerable to newly discovered bugs "With two new "Stagefright" vulnerabilities discovered, almost every Android device ever released is vulnerable to malicious hackers. The have been discovered in Google's Android mobile software by the same security company that found a whole series of dangerous bugs earlier this year. Several of the bugs discovered by the security researchers pose a danger to every active Android device out there. More than a billion Android smartphones and tablets are at risk of being compromised by the new bugs if their owners even just preview video or audio files that have been specially crafted to exploit the vulnerability, zLabs said. "
From Engadget:Patreon donation site's user data published online after hack "Patreon, the crowdfunding platform for artists, has been hacked recently, and almost 15 gigabytes of data stolen from the site is now available online. Security researcher Troy Hunt of have I been pwned? told Ars Technica that he found 2.3 million email addresses (including his own) in the data dump, along with password and donation records, private messages and even the website's source code. Note that some screenshots of the data dump that surfaced online indicate that part of the data stolen was generated as recently as September 24th."
From Macworld: Gatekeeper bypass in OS X relies on renaming an app "A researcher has discovered that the OS X Gatekeeper setting to restrict app launching only to those cryptographically signed by Apple or to both Apple and third-party developers has a flaw: A signed app can access other software or components that have been replaced with malware without a separate verification stage. "Gatekeeper only verifies that first application," says Patrick Wardle, the director of research at enterprise research firm Synack. That means s malicious party can swap out a dynamic software library, a command-line executable (such as a script), or another app with a same-named version. In his testing, Wardle found that a signed Photoshop installer would load plug-ins from another directory that were changed out for malware without any further notification. He also tested with an Apple-distributed program that he declined to disclose at Apple's request."
From ZDNet: China, US agree on cybercrime cooperation amid continued tension "China and the US have mutually agreed that neither should support cyber espionage, but details on what exactly this involves are sketchy and discussions involving cyberspying remain touchy. No clear details on what this "agreement" entailed were provided at the joint media conference held by the two heads of states, but Obama noted "significant progress" in agreeing to how their respective law enforcement would cooperate, exchange information, and track culprits involved in cybercrimes or cyberattacks."
From ZDNet: VMware vCenter and ESXi fall foul of remote code execution bugs "An insecure configuration of Java Management Extensions (JMX) within VMware's vCenter has been pinned as the cause of an exploit that would allow code execution on host machines. One of the discoverers of the security hole, 7 Elements' Doug Mcleod, said the vulnerability allowed for system level access to virtual machine host servers, and resulted in a full compromise of the environment."
From ZDNet: Critical WinRAR vulnerability places 500 million users at risk "An unpatched, critical remote code execution flaw within WinRAR's SFX archive features has been disclosed by a researcher; a security flaw which reportedly allows for remote code execution has been discovered in WinRAR SFX version 5.21. Iranian researcher Mohammad Reza Espargham posted his findings on Full Disclosure. Granted a CVSS score of 7.4, the vulnerability could allow hackers to remotely execute system code and compromise victim machines, leading to control, surveillance and potentially data theft. A CVE score is yet to be issued."
From US Department of Justice: Russian Developer of the Notorious "Citadel" Malware Sentenced to Prison "Dimitry Belorossov, a/k/a Rainerfox, has been sentenced to four years, six months in prison following his guilty plea for conspiring to commit computer fraud. Belorossov distributed and installed Citadel, a sophisticated malware that infected over 11 million computers worldwide, onto victim computers using a variety of infection methods. Citadel was a sophisticated form of malware known as a "banking Trojan" designed to steal online banking credentials, credit card information, personally identifiable information, and, ultimately, funds through unauthorized electronic transfers. Cybercriminals, including Belorossov, distributed and installed Citadel onto victim computers through a variety of infection methods, including malicious attachments to spam emails and commercial Internet ads containing malware or links to malware."
From Daily Dot: FBI and DEA under review for use of NSA mass surveillance data "The Justice Department is investigating the FBI's use of information taken directly from mass surveillance conducted by the National Security Agency (NSA)'s collection of telephone metadata. The yield of that NSA spying program was described by a judge as a "staggering" amount of data when the agency's ability to collect it was struck down as illegal in court earlier this year. The program was resumed in June and will run until at least December. Another ongoing Justice Department investigation is examining the Drug Enforcement Administration (DEA)'s use of "parallel construction.""
From The Stack: Cookies can facilitate attacks on secure web sites "CERT have issued a new directive notifying that cookies can be used to allow remote attackers to bypass a secure protocol (HTTPS) and reveal private session information - and that modern browsers, including Apple's Safari, Mozilla's Firefox and Google's Chrome, currently provide no protection against the attack vector. Research indicates that secure sites as important as Google and the Bank of America are vulnerable to the technique."