Zero Day Weekly: IBM says block Tor, Google undermines ATS, much ado about Windows 10

Notable security news items for the week ending August 28, 2015. Covers enterprise, application and mobile security, reports and more.

Zero Day Weekly 1984

Welcome to Zero Day's Week In Security, ZDNet's roundup of notable security news items for the week ending August 28, 2015.

From Tech Week Europe: IBM Tells Companies To Block Tor Anonymisation Network "Companies have "little choice" but to block Tor-based communications, IBM said [in its "Threat Intelligence" report for the third quarter of this year]. "The networks contain significant amounts of illegal and malicious activity. Allowing access between corporate networks and stealth networks can open the corporation to the risk of theft or compromise, and to legal liability in some cases and jurisdictions." The company offered technical pointers on blocking Tor access, including altering computer boot configurations and limiting the use of proxy services."

From Computerworld: More than 80% of healthcare IT leaders say their systems have been compromised "Eighty-one percent of healthcare executives say their organizations have been compromised by at least one malware, botnet or other kind of cyberattack during the past two years, according to a survey by KPMG. The KPMG report also states that only half of those executives feel that they are adequately prepared to prevent future attacks. The attacks place sensitive patient data at risk of exposure, KPMG said."

From Guardian UK: Digital surveillance 'worse than Orwell', says new UN privacy chief "The first UN privacy chief has said the world needs a Geneva convention style law for the internet to safeguard data and combat the threat of massive clandestine digital surveillance. Speaking to the Guardian weeks after his appointment as the UN special rapporteur on privacy, Joseph Cannataci described British surveillance oversight as being "a joke", and said the situation is worse than anything George Orwell could have foreseen."

From Ars Technica: Former [FireEye] intern admits developing super-stealthy Android spyware "A former intern at security firm FireEye has admitted in federal court that he designed a malicious software tool that allowed attackers to take control of other Android phones so they could spy on their owners. Morgan Culbertson, 20, pleaded guilty to federal charges involving Dendroid, a software tool that provided everything needed to develop highly stealthy apps that among other things took pictures using the phone's camera, recorded audio and video, downloaded photos, and recorded calls."

From Motherboard (VICE): Google Is Undermining Apple's New Security Protections "Apple's iOS 9 is coming soon, and one of the new features in the mobile operating system enhances privacy and security for users by blocking unencrypted traffic for apps. It's called App Transport Security (ATS). Google's response today was to explain to its developers how to circumvent it, so ads can load."

From Washington Post: NSA uses Google cookies to pinpoint targets for hacking "The National Security Agency is secretly piggybacking on the tools that enable Internet advertisers to track consumers, using "cookies" and location data to pinpoint targets for government hacking and to bolster surveillance. (...) [The NSA and its British counterpart, GCHQ] have found particular use for a part of a Google-specific tracking mechanism known as the "PREF" cookie. These cookies typically don't contain personal information, such as someone's name or e-mail address, but they do contain numeric codes that enable Web sites to uniquely identify a person's browser."

From Quartz: A rare detailed look inside the IRS's massive data breach, via a security expert who was a victim "A few hours after Michael Kasper tried to submit his tax return online, he got an email saying it had already been filed-a week earlier. The story of Kasper's tax return would eventually turn out to involve a bank account in rural Pennsylvania, a go-between on Craigslist, and a Western Union wire transfer to Nigeria. He was almost certainly one of the more than 330,000 Americans who fell victim to an audacious hack of the Internal Revenue Service (IRS), which was disclosed earlier this year. And the hackers didn't use sophisticated malware or social engineering tactics-the hallmarks of many recent data breaches. Instead, they walked in through the front door of the IRS website, pretending to be regular people filing their taxes, and walked out with millions of dollars in fraudulent refunds." See also: Taxpayers sue the IRS over data breach

From ZDNet: BitTorrent tracker blocks Windows 10 users "Some BitTorrent sites don't trust Windows 10 at all. So, at least one BitTorrent tracker, iTS, has blocked Windows 10 users from accessing torrents from their site. Others are considering banning Windows 10 users. In a YouTube video, iTS proclaimed that "Windows 10 is nothing more than a spy tool that will keep track of every action, email, conversation, video, picture, or anything else that you do on your computer." See also: No, Microsoft is not spying on you with Windows 10, Here's How To Keep Microsoft's Nose Out Of Your Personal Data In Windows 10

From ThreatPost: Inside the Unpatched OS X Vulnerabilities "Luca Todesco still won't say why he disclosed over the weekend details and proof of concept code for a pair of unpatched and previously unreported OS X vulnerabilities, instead standing firm by his pat response: "I had my reasons." The 18-year-old Italian researcher, however, is sure his attacks will root current versions of OS X, Yosemite and Mavericks. Apple is reportedly working on a patch that will address both the kernel-level flaws and security bypass bug that Todesco reported on Sunday, hours before he went public."

From Security Week: Adobe Releases Hotfix to Patch ColdFusion Vulnerability "Adobe has released a hotfix to address an important vulnerability in the company's ColdFusion development platform. The hotfix includes an updated version of BlazeDS, a server-based Java remoting and web messaging technology. Adobe revealed earlier this month that BlazeDS is plagued by an XML External Entity (XXE) vulnerability that can result in information disclosure (CVE-2015-3269). The vulnerability affects ColdFusion 10 update 16 and earlier versions, and ColdFusion 11 update 5 and earlier versions. The flaw has been addressed with the release of ColdFusion 10 update 17, and ColdFusion 11 update 6."

From The Hill: Pentagon unveils data breach rules for defense contractors "The Pentagon is rolling out long-awaited rules governing how the defense industry should report cybersecurity incidents. The regulations, published in the Federal Register on Wednesday, require contractors and subcontractors to report "cyber incidents that result in an actual or potentially adverse effect" on either the contractor's information system and data, or its ability to "provide operationally critical support." The new rules are intended to create a single pathway for all Defense Department contractors to report cyber incidents, "minimiz[ing] duplicative reporting processes.""