Zero Day Weekly: IRS blames Russia, a loose Moose, Megaupload malware
Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending May 29, 2015. Covers enterprise, controversies, reports and more.
- Criminals used the IRS website's own "Get Transcript" system to access personal tax information for over 100,000 taxpayers, the IRS said Tuesday. The IRS also says the attackers cleared the additional security checks, questions based on PII typically known only to the taxpayer, suggesting they had already obtained the needed details through earlier fraud, phishing, or targeted reconnaissance. The IRS is blaming Russia for the breach.
- Three years after the U.S. Department of Justice shutdown of Megaupload, some of the seized sites are being used to distribute malware. Instead of displaying a banner identifying them as sites seized as part of an investigation, Megaupload.com and Megavideo.com sites are directing users to a Zero-Click advertising feed that contains malicious links and ads.
- Microsoft is making available to anyone who wants to kick the tires a first public preview release of its coming SQL Server 2016 on-premises database. The list of capabilities and features is extensive. A follow-up to the company's analytics-friendly SQL Server 2014 release, it keeps a tighter lid on sensitive information courtesy of a Microsoft Research technology called Always Encrypted.
Secure IoT when vendors hack each other? "Fitbit employees were 'systematically plundering' confidential information" http://t.co/2GZmboxFc8
-- Chris Rouland (@chris_rouland) May 28, 2015
- A proposed $19 million settlement reached last month between Target Corp. and MasterCard over the 2013 security breach fell apart after too few of the banks that had sued the retailer agreed to join a deal they said fell short of their actual damages, according to MasterCard. The failure essentially gives the banks what they did not get in court, and settlement talks now appear likely to resume.
- A Linux worm called Moose that targets cable and DSL modems, home routers, and other embedded computers is turning those devices into a proxy network for launching armies of fake accounts on Instagram, Twitter, Vine, and other social networks. It compromises routers by brute-forcing Telnet logins with default or common admin credentials. Although Moose was not designed to target Internet of Things devices, it could affect them, including medical devices.
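As an added example that is not part of the original article, the following Python detection logic flags the Telnet credential brute-forcing described above in a handful of constructed router log lines; the log format, hostname, usernames and IP addresses are all assumptions, not data from the Moose report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample router log lines (not from the article); the telnetd
# message format is assumed for illustration.
SAMPLE_LOG = """\
May 28 10:00:01 router telnetd: login failed for 'admin' from 203.0.113.7
May 28 10:00:02 router telnetd: login failed for 'root' from 203.0.113.7
May 28 10:00:03 router telnetd: login failed for 'admin' from 203.0.113.7
May 28 10:00:04 router telnetd: login failed for 'support' from 203.0.113.7
May 28 10:00:05 router telnetd: login failed for 'admin' from 203.0.113.7
May 28 10:00:06 router telnetd: login succeeded for 'admin' from 203.0.113.7
May 28 10:05:00 router telnetd: login failed for 'admin' from 198.51.100.4
May 28 10:07:30 router telnetd: login succeeded for 'admin' from 192.168.1.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ telnetd: login "
    r"(?P<result>failed|succeeded) for '(?P<user>[^']+)' from (?P<src>[\d.]+)$"
)

def parse(log_text, year=2015):
    """Turn matching log lines into (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} " + m["ts"], "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"], m["result"]))
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """Return {src_ip: {'failures': n, 'compromised_as': user_or_None}}.
    A source is flagged once it has >= threshold failed logins inside a
    sliding window; a success from that source within the window right
    after the burst is recorded as a likely credential compromise."""
    fails = defaultdict(list)
    alerts = {}
    for ts, src, user, result in sorted(events):
        if result == "failed":
            fails[src] = [t for t in fails[src] if (ts - t).total_seconds() <= window_s]
            fails[src].append(ts)
            if len(fails[src]) >= threshold:
                alerts.setdefault(src, {"failures": 0, "compromised_as": None})
                alerts[src]["failures"] = len(fails[src])
        elif src in alerts and fails[src] and (ts - fails[src][-1]).total_seconds() <= window_s:
            alerts[src]["compromised_as"] = user
    return alerts
```

The single failure from 198.51.100.4 and the clean login from 192.168.1.10 stay below the threshold and are not reported.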
- Security researchers have published proof-of-concept code for a major router vulnerability leveraging a popular driver to compromise millions of connected devices. Certain TP-LINK and Netgear devices are known to be vulnerable, but researchers believe devices from a range of manufacturers including IOGear, Western Digital, and ZyXEL are affected. For a full list of devices, check out the advisory.
Security reporters PLEASE get competing views and analysis - else you fall prey to being the PR arm of security vendors.
-- Robert M. Lee (@RobertMLee) May 28, 2015
- Amid delivering better-than-expected third quarter earnings, Palo Alto Networks announced it is acquiring cybersecurity startup CirroSecure. Palo Alto Networks plans to use CirroSecure's resources to expand the functionality of its own enterprise security platform for better guarding popular SaaS collaboration products such as Salesforce.com, Google Drive, Box and Dropbox, among others.
- China will prepare a five-year cybersecurity plan to protect state secrets and data, the official China Daily said on Thursday, citing a senior official of the Ministry of Industry and Information Technology. Such a plan could add to the challenges of foreign technology firms doing business in the world's second-largest economy, by prompting government agencies and companies to opt for domestically-made software.
- The price of losing sensitive customer data is about to get a lot higher for Dutch companies: the upper house of the Dutch parliament has approved a new law that makes failing to declare a data breach punishable with fines of up to €450,000. Whenever sensitive data is lost or stolen, companies now have to inform both the Dutch Data Protection Authority and those directly affected by the leak. Companies will have to provide information on the scale of the breach, the exact content lost, possible consequences, and what changes the company will make to prevent any future mishaps.
Here's the tl;dr from @lady_nerd, although we could have listened to her all day. GREAT presentation. #velocityconf pic.twitter.com/dPhak07o9K
-- Load Impact (@LoadImpact) May 28, 2015
- The NSA is testing gesture software for use as a possible replacement for passwords, and is looking at technology developed by Lockheed Martin called Mandrake Secure Gesture. Mandrake is computer software that features gesture recognition technology for use in user authentication and the encryption and decryption of digital files, including audio, video, text, binary, still images, graphics and multimedia files.
- The director of the NSA said that encryption is not a bad thing, but that the authorities still need to be able to gain access to encrypted communications to protect the country's citizens. He added: "I certainly have great respect for those that would argue that the most important thing is to ensure the privacy of our citizens and we shouldn't allow any means for the government to access information. I would argue that's not in the nation's best long-term interest, that we've got to create some structure that should enable us to do that mindful that it has to be done in a legal way and mindful that it shouldn't be something arbitrary."
- Mozilla has included a feature in Firefox that can dramatically speed up web browsing, but you won't find it exposed as an official Firefox option. Instead, it's an experimental feature that must be manually toggled on. The privacy.trackingprotection.enabled setting is in about:config, which you can only reach after clicking past the stern "You might void your warranty!" warning. Ed Bott explains how it works, and asks: Is privacy protection impossible?
Dear subscriber: we are sending you this breach notification on paper because our email systems are mining Bitcoin for a Chinese botnet.
-- Matthew Green (@matthew_d_green) May 28, 2015