Zero Day Weekly: ICANN hacked, critical GitHub vuln, too much Sony drama

A collection of notable security news items for the week ending December 19, 2014. Covers enterprise, controversies, reports and more. UPDATED.
Written by Violet Blue, Contributor
Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending December 19, 2014. Covers enterprise, controversies, reports and more.

This week a critical GitHub vuln was found, ICANN was hacked, International Business Times was hacked by the SEA, Microsoft's update blunders continued, a new Boleto malware family was discovered, the Sony drama reached the heights of hysteria, and more. Updated with FBI announcement on the Sony hack attribution, and reactions.

  • A critical GitHub vulnerability was found, and you're urged to update your clients immediately. GitHub told ZDNet, "I'd like to clarify that the vulnerability is in Git itself, and because it is client-side only, github.com and GitHub Enterprise are not vulnerable. More details in our blog." Git just announced version 2.2.1, a maintenance release that includes a security fix for a critical vulnerability that affects those using Windows and Mac OS X Git clients. This update also includes new releases with the same security fix for older Git versions. GitHub confirmed that GitHub for Windows and GitHub for Mac are both affected and should be updated immediately.
  • ICANN hacked: The Internet Corporation for Assigned Names and Numbers (ICANN) announced Tuesday that they have fallen victim to a phishing attack which resulted in the attackers gaining administrative access to some of ICANN's systems, including its Centralized Zone Data Service (CZDS). ICANN believes that the attack was committed in late November using emails sent to staff members that were designed to look like they came from within ICANN. As a result of the attack, the email credentials of several ICANN staff members were compromised. Those credentials were then used to compromise other ICANN systems, including the CZDS.
  • Microsoft update blunders seem to be going out of control. The last several months have seen a disturbing string of problems in updates released for Microsoft products. Last week we saw four. It's time to worry about what's behind it all.
  • RSA detailed a new Boleto malware family this week. The "Onyx" family has strayed from the original "Eupuds" family primarily in the way it infects victims' browsers, according to an RSA report. While Eupuds injects malicious code into various web browsers' memory during runtime, Onyx alters its attack depending on the browser.
  • A built-in backdoor was found in millions of Chinese Android smartphones. A popular Android smartphone sold primarily in China and Taiwan, but also available worldwide, contains the "CoolReaper" backdoor from the manufacturer, which is being used to push pop-up advertisements and install apps without users' consent. The Coolpad devices, however, are ripe for much more malicious abuse, researchers at Palo Alto Networks said today, especially after the discovery of a vulnerability in the backend management interface that exposed the backdoor's control system.
  • Ars Technica announced it was hacked on Wednesday. In a very concise, up-front and open post about the incident, Ars explained that it had been infiltrated and while the situation had been resolved, Ars urged its comment community to change their passwords as a matter of personal security.

Sony hack week in review: Much drama

The week began with Sony threatening news outlets and bloggers to destroy any leaked Sony documents and not to publish any docs, accompanied by a misinformed op-ed by Aaron Sorkin, best described as mansplaining the hack. Both aggressions caused reporters and news outlets to double down on the story. Sony also sent its teams in to remove users and threads on Reddit about the leaked trove, resulting in a faster takedown than with the leaked celebrity nudes (angering the Reddit community), causing some to wonder if Sony's so-called 'Diamond Lane' for fast takedown access, also discovered in the leaks, had come to pass.

Also Monday, Sony sent out letters to employees outlining the full scope of data that was compromised by attackers shortly before the Thanksgiving holiday, including medical records -- weeks after the hack was first reported. By Thursday no less than three lawsuits were filed against Sony by current and former employees, and many expect this is just the beginning.

Reporters continue to go through the leaks, and it's no wonder Sony doesn't want anyone to report on what they're finding. Emails revealed more racism, and worse. Thursday Techdirt caught The MPAA's Secret Plan To Reinterpret The DMCA Into A Vast Censorship Machine That Breaks The Core Workings Of The Internet with DNS blocking. Further Sony emails revealed collusion between the MPAA and US Attorneys General to target Google and essentially revive SOPA in a campaign called "Project Goliath." Google's legal team struck back with a very angry post Thursday night.

Meanwhile, press played a bizarre he-said, she-said game of fingering North Korea as the perpetrator, which came to a climax when a Pastebin allegedly by Guardians of Peace suggested a terrorist attack on movie theaters if Sony's no-one-heard-of-it-until-now, previously doomed to flop film about killing North Korea's Great Leader wasn't pulled.

The paste was so different from the rest of the hacker group's communication in every way that it caused many following and reporting on the story to question its veracity, or to discuss the possibility that it was a false flag.

Sony pulled the film from theaters, getting more attention for the film than anything, and causing the majority of people who weren't following the nuances of the situation to declare the 'terrorist hackers' had won -- while the greater security communities watched in disbelief wondering if everyone had lost their minds. Spoiler alert: they had.

The threat became a convenient foil for Sony's worsening headlines, and has been re-reported to extremes, fanning flames of terrorist attack hysteria from Hollywood to Fox News, to the US Government. As media attention shifted to the alleged threat, the White House decided that the Sony hack was now a 'serious national security matter'. Despite the lack of credible evidence that North Korea is behind the attack, and the FBI saying there's nothing linking North Korea to the Sony hack, many now believe it to be true, helped along by outlets like the Washington Post stating "intelligence officials" believe with "99% certainty it's gotta be North Korea."

The whole thing turned into even more of a three-ring circus Wednesday when the New York Times and other outlets announced that an 'unnamed source' at the White House said it was North Korea, followed by a named source from the White House Thursday morning saying the White House refused to confirm North Korea as the culprit.

By Thursday, the number of respected infosec professionals, researchers and hackers calling the North Korea theory out as BS was truly a news story unto itself. Sony's poor reaction to everything about this attack isn't escaping seasoned infosec industry members. One called it "beyond the realm of the stupid."

While everyone was distracted, more Sony email communication leaks surfaced showing that Sony's North Korea film was made in communication with and received the 'blessing' of the US State Department.

One thing is for sure: The evidence had better be credible and believable, because there are a lot of expert eyes on this. In my opinion, the 'who' isn't the most interesting unanswered question. It's the 'how' -- just how did they exfiltrate that gigantic dump? And of course, the 'why' of it: what aren't we seeing? And I really hope someone writes up an opsec think-piece about all this, because the operational security practices of these attackers are already seeming like the stuff of legends.

Update: The US FBI has officially announced that it believes North Korea to be responsible for the attack on Sony Pictures Entertainment. The FBI has not provided evidence to satisfy infosec critics, and simultaneously the Department of Homeland Security has declared what amounts to a war on hackers.

Important reactions to this development:
