Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending October 3, 2014. Covers enterprise, controversies, reports and more.
This week, JPMorgan treats us to the biggest known breach in history; the FBI has a very busy week; iOS and Android malware targets Hong Kong pro-democracy protesters; and Shellshock gets exploited nine ways until Sunday.
The JPMorgan Chase breach has the public stunned today, with an epic 83 million records exposed, making it one of the biggest known breaches in history. Reuters reports, "The people affected are mostly account holders, but may also include former account holders and others who entered their contact information at the bank’s online and mobile sites, according to a bank spokeswoman."
A Malware Investigator Portal for industry players was announced by the FBI this week, showing the agency is ready to engage with malware researchers on a variety of levels. The portal, launched in August, is currently available to law enforcement officials, but FBI agent Jonathan Burns said in a talk at the Virus Bulletin conference that the FBI is developing a separate portal for outside experts. That system will allow security researchers and others to upload suspicious files they’ve collected and get correlation information and any other data the FBI has on them or related files.
An FBI informant led hacks against 30 countries -- now we know which ones. A cache of leaked IRC chat logs and other documents obtained by the Daily Dot reveals the 30 countries—including U.S. partners, such as the United Kingdom and Australia—tied to cyberattacks carried out under the direction of Hector Xavier Monsegur, better known as Sabu, who served as an FBI informant at the time of the attacks.
Police agencies across the U.S. have distributed dodgy 'Internet Safety Software' ComputerCop to families, saying the consumer spyware was the "first step" in protecting children. An investigation by the EFF shows the software is bought in bulk from a New York company that markets ComputerCop to agencies with fraudulent endorsements, such as one from the U.S. Department of Treasury, which has now issued a fraud alert over ComputerCop's false document. There is an EFF guide to removing ComputerCop.
Exploitation of the Bash bug Shellshock is in full swing. Attackers have mobilized -- multiple proof-of-concept scripts are available, including a Metasploit module, making this vulnerability very accessible.