Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending January 2, 2015. Covers enterprise, controversies, reports and more.
This week the Internet Systems Consortium site was hacked, a Lizard Squad member was caught (and released), a privilege escalation bug was revealed in Windows, SS7 research nuked mobile privacy beliefs, The Interview became an Android malware vector, post-breach perceptions of Sony and Staples were analyzed, and more.
Steven J. Vaughan-Nichols reports on some Bad, bad Internet news: Internet Systems Consortium site hacked. Cyphort, an Internet security company, reported that it had told ISC on December 22 that the ISC site was serving malware. ISC's main site, which ran an out-of-date version of WordPress, had, according to Cyphort, been compromised to redirect visitors to sites hosting the Angler Exploit Kit.
The U.S. went to the Trade in Services Agreement (TiSA) talks in Geneva ready to negotiate immunity from online security breach investigations for U.S. companies. If the terms are accepted, the U.S. companies doing business in the EU would be beyond the reach of regulators and law enforcement in the host country. As a result, European governments would have to turn to U.S. courts to go after those companies for breaches or negligence. And EU data protection laws could be diluted.
Google researcher Forshaw discovered and disclosed a privilege escalation bug in Windows. The vulnerability lies in the function AhcVerifyAdminContext. Forshaw included a proof-of-concept (POC) program for the vulnerability. He says he has tested it only on an updated Windows 8.1 and that it is unclear whether earlier versions, Windows 7 specifically, are vulnerable.
Shocking new SS7 research destroys the fallacies of mobile privacy and security. Three groundbreaking research presentations and live demonstrations on SS7 this week have shown that the NSA -- or any government's capabilities or access -- isn't needed to track you completely (and terrifyingly) through your cell phone. The talks announcing the research were given at the hacker conference Chaos Communication Congress (31C3), under way in Hamburg, Germany.
Analysis: How Sony and Staples breaches affected public perception of the companies. Ashton Webster used Semantria to test whether two of 2014's widely reported breaches changed the way people see the companies involved. He posted his results in Analyzing Sony and Staples Breaches with Sentiment Analysis.
Hacking Facebook with a forged Microsoft Word document: A vulnerability on Facebook's Careers Page was discovered and patched in a third-party service that handles resumes. The discovery was worth more than $6,000 in a bounty paid out by Facebook to researcher Mohamed Ramadan of Egypt, who published some details of the vulnerability and exploit on his website. Ramadan said the vulnerability is a blind, out-of-band XXE (XML External Entity) bug. It allowed him to upload a .docx file to the careers page with additional markup inside it that the third-party service did not vet.
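The resume bug above works because a .docx is a ZIP container of XML parts, and a DOCTYPE with an external entity declaration tucked into one of those parts is honoured by any backend parser that still resolves entities. A practical gate for a service that accepts Office uploads is to scan every XML part for DOCTYPE and entity declarations before handing the file to any XML-aware processing, and reject the upload if any are present (legitimate Office documents never carry a DOCTYPE). The following Python is an added example written for this roundup, not code from Facebook, the third-party service, or the researcher; the two sample documents are constructed in memory, the URL in the second one is a placeholder, and the scan itself never fetches anything.

```python
import io
import zipfile
import xml.parsers.expat as expat

# Constructed sample: a minimal word/document.xml part with no DOCTYPE.
CLEAN_DOCUMENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body><w:p><w:r><w:t>Plain resume text</w:t></w:r></w:p></w:body>
</w:document>"""

# Constructed sample: the same part carrying a DOCTYPE that declares an external
# (SYSTEM) entity and then references it. The URL is a placeholder, not a real host.
XXE_DOCUMENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE w:document [
  <!ENTITY ext SYSTEM "http://placeholder.invalid/oob">
]>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body><w:p><w:r><w:t>&ext;</w:t></w:r></w:p></w:body>
</w:document>"""

CONTENT_TYPES_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml"
    ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""


def build_docx(document_xml: bytes) -> bytes:
    """Assemble a minimal .docx (a ZIP container) in memory; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def scan_xml_part(part_name: str, data: bytes) -> list[str]:
    """Parse one XML part with expat and record every DOCTYPE, entity declaration
    and external entity reference. Nothing is resolved: the external-reference
    handler only logs and reports success, so the scan cannot itself become an
    out-of-band channel."""
    findings: list[str] = []
    parser = expat.ParserCreate()

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        findings.append(f"{part_name}: DOCTYPE {doctype_name!r} (system_id={system_id!r})")

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        kind = "external" if (system_id or public_id) else "internal"
        findings.append(f"{part_name}: {kind} entity {name!r} system_id={system_id!r}")

    def on_external_ref(context, base, system_id, public_id):
        findings.append(f"{part_name}: reference to external entity system_id={system_id!r}")
        return 1  # tell expat the reference was handled; nothing was fetched

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(f"{part_name}: malformed XML ({exc})")
    return findings


def scan_docx(docx_bytes: bytes) -> list[str]:
    """Scan every XML part in the package; an empty list means no DOCTYPE or
    entity machinery was found anywhere."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".xml", ".rels")):
                findings.extend(scan_xml_part(info.filename, zf.read(info.filename)))
    return findings


def is_safe_to_parse(docx_bytes: bytes) -> bool:
    """Gate to apply before handing an upload to any XML-processing backend:
    reject the file outright when the scan reports anything."""
    return scan_docx(docx_bytes) == []


if __name__ == "__main__":
    for label, part in (("clean", CLEAN_DOCUMENT_XML), ("xxe", XXE_DOCUMENT_XML)):
        print(label, is_safe_to_parse(build_docx(part)), scan_docx(build_docx(part)))
```

The gate is deliberately coarse: rejecting any DOCTYPE at all is simpler and safer than trying to distinguish harmless internal entities from external ones, and it should sit alongside, not replace, configuring the downstream parser to disable DTD and external entity resolution.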
Android banking trojan poses as fake "The Interview" app. Graham Cluley writes, "Researchers at McAfee in a joint investigation with the Technische Universität Darmstadt and the Centre for Advanced Security Research Darmstadt (CASED), identified that a threat campaign has been active in South Korea in the last few days, attempting to exploit the media frenzy surrounding Sony film The Interview's release. McAfee security expert Irfan Asrar tells Graham Cluley that a torrent making the rounds in South Korea poses as an Android app to download the movie to mobile devices."
Politician's fingerprint 'cloned from photos' by hacker: In a presentation this week, security researcher "Starbug" showed how to clone the thumbprint of the German Defense Minister from photographs. To turn that into something usable on a biometric scanner, Starbug employed the same technique he used to defeat Apple's TouchID fingerprint lock. He also examined other biometric security hacks, such as copying the iris print of German Chancellor Angela Merkel to fool a basic iris scanner.
The week in Sony hack drama: A shrinking spotlight
While no further data had been released by GOP, the group behind the Sony Entertainment Pictures hack, press, pundits, Sony's legal team, and authorities continue to turn themselves inside out trying to dominate the situation -- and its spotlight.
Norse said a former employee allegedly involved in the attack was laid off by Sony this past May; Norse used human resources documents released in the hack to identify and track the suspect over the past several months.