Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending October 3, 2014. Covers enterprise, controversies, reports and more.
This week, JPMorgan treats us to the biggest known breach in history; the FBI has a very busy week; iOS and Android malware targets Hong Kong pro-democracy protesters; and Shellshock gets exploited nine ways until Sunday.
- The JPMorgan Chase breach has the public stunned today, with an epic 83 million records exposed, making it one of the biggest known breaches in history. Reuters reports, "The people affected are mostly account holders, but may also include former account holders and others who entered their contact information at the bank’s online and mobile sites, according to a bank spokeswoman."
- The FBI took out StealthGenie in the first-ever criminal case concerning the advertisement and sale of a mobile device spyware app; the creepware is able to monitor calls, texts, videos and other communications on mobile phones without detection or the user’s consent. According to the FBI, Hammad Akbar allegedly conspired to advertise and sell the spyware application online, and the arrest marks the
- A Malware Investigator Portal for industry players will allow security researchers and others to upload suspicious files they’ve collected and get correlation information and any other data the FBI has on them or related files, showing the agency is ready to engage with malware researchers on a variety of levels. The portal, launched in August, is currently available to law enforcement officials, but FBI agent Jonathan Burns said in a talk at the Virus Bulletin conference that the FBI is developing a separate portal for outside experts. That system
Video of my talk at BlackHat USA 2014 "Data-Only Pwning Microsoft Windows Kernel" https://t.co/M6RxsY0G8N — Nikita Tarakanov (@NTarakanov) October 1, 2014
- Pro-democracy activists and protestors in Hong Kong have been targeted by mobile device malware -- remote access Trojans (RATs) -- which have been spread through targeted mobile message phishing, successfully infecting both Android and iOS devices. The Android spyware is being spread via WhatsApp, while it is still unclear how iOS devices get infected with Xsser, which is not disguised as an app.
- An FBI informant led hacks against 30 countries -- now we know which ones. A cache of leaked IRC chat logs and other documents obtained by the Daily Dot reveals the 30 countries—including U.S. partners, such as the United Kingdom and Australia—tied to cyberattacks carried out under the direction of Hector Xavier Monsegur, better known as Sabu, who served as an FBI informant at the time of the attacks.
- Early in the week, four members of an international computer hacking ring were indicted for stealing Xbox technology and Apache Helicopter training software. The hackers broke into Microsoft, Epic Games, Valve, Zombie Studios and the US Army. In order to infiltrate these systems, the DoJ alleges that , as well as those gained from software development partners.
- Police agencies across the U.S. have distributed dodgy 'Internet Safety Software' ComputerCop to families saying the consumer spyware was the "first step" in protecting children. An investigation by the EFF shows the software is bought in bulk from a New York company that markets ComputerCop to agencies with fraudulent endorsements, such as one from the U.S. Department of Treasury, which has now issued a fraud alert over ComputerCop's false document. There is an EFF guide to removing ComputerCop.
- The exploitation of the BASH bug Shellshock is in full swing. Attackers have mobilized -- multiple proof-of-concept scripts are available, including a Metasploit module, making this vulnerability very accessible.
- With constant cloud security problems in the news, it's no wonder trust in cloud security has hit rock bottom. Which is why the BT report that is so interesting.