Zero Day Weekly: Kaspersky hacked, OPM breach implodes, UK citizen spying continues

A collection of notable security news items for the week ending June 12, 2015. Covers enterprise, controversies, application and mobile security, malware, reports and more.
Written by Violet Blue, Contributor
Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending June 12, 2015. Covers enterprise, controversies, reports and more.
  • Single block cipher on backup system allowed customer detail access in Adobe breach: The Office of the Australian Information Commissioner (OAIC) concluded that Adobe failed to take reasonable steps to protect personal information that it held when the company suffered an online attack in 2013 that saw attackers snatch customer email addresses, payment data, customer names, password hints, and physical addresses. Also this week, Adobe issued the firm's latest set of security updates, specifically for the Adobe Flash Player. The updates for Windows, Mac and Linux users address "vulnerabilities that could potentially allow an attacker to take control of the affected system."
  • Cisco said it will seek to have security at every point of contact on its network as part of a new Security Everywhere offering. The aim will be to have security throughout Cisco's network offering in the datacenter right up to the end user, and all connected devices. Also this week, Cisco's outgoing CEO John Chambers publicly denied there was a global reputation hit from NSA revelations, talking down the impact of the claims that the NSA had used "load stations" to implant spy beacons in servers and networking gear shipping from the US to particular customers -- despite a 19 percent revenue dip in China in Q2 earnings.
  • The Syrian Electronic Army claimed responsibility for defacing the US Army's website. On Monday, the official US Army website www.army.mil, used for news releases and special features, was taken down for several hours following defacement of the homepage.
  • The results of RAND's multiphased study of the future of cybersecurity, The Defender's Dilemma: Charting a Course Toward Cybersecurity, was released this Wednesday The entire report is a bucket of cold water as to how unprepared, confused, and unsupported the people are whose job it is to protect your data. RAND flatly states that today's combination of skyrocketing cybersecurity spending and its "questionable success" creates a setup in which "security efforts cannot continue on this course."
  • A bug in the default Apple Mail program appears to allow the theft of iCloud passwords. An iCloud password phishing email generator was created by a researcher as a proof of concept of an unpatched bug affecting millions of Apple users. Register reported the researcher created the iOS 8.3 Mail.app inject kit which exploits a bug in the operating system's native email client to produce a realistic pop-up of which Apple users are accustom. Soucek (@jansoucek) says Cupertino did not respond when he informed it of the bug in January.
  • Fake mobile towers in the UK that scoop up data from passing phones are routinely being used in London, according to BBC. Working with German security company GMSK Cryptophone, BBC stated Sky News claims to have uncovered direct evidence, the first in the UK, of at least 20 instances of the use of these cell site simulators.
Editorial standards