Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending June 12, 2015. Covers enterprise, controversies, reports and more.
BREAKING: Massive OPM data & PII breach FAR worse. Undetected for over a year. Complete & utter cyberdefense failure. http://t.co/Z9AGkz3Otv
-- Thomas Drake (@Thomas_Drake1) June 11, 2015
- The hack of U.S. government employee records (aka the OPM hack) was actually discovered in a product demo. Attackers stole personnel data and Social Security numbers for every federal employee, a government worker union said Thursday, asserting that the cyber theft of U.S. employee information was more damaging than the Obama administration has acknowledged. Meanwhile, the website set up to aid millions of victims of the OPM attack crashed for several hours Thursday morning because so many people were trying to use it. Washington hasn't officially blamed China, but practically every US media outlet is reporting claims of exactly that, as according to "anonymous sources" -- prompting China to accuse the United States of making "groundless accusations" and being "irresponsible" in blaming Chinese hackers.
Why do we always have to assume the worst? Maybe the Chinese just want to send birthday cards to all our federal workers.
-- Tim Siedell (@badbanana) June 12, 2015
- Single block cipher on backup system allowed customer detail access in Adobe breach: The Office of the Australian Information Commissioner (OAIC) concluded that Adobe failed to take reasonable steps to protect personal information that it held when the company suffered an online attack in 2013 that saw attackers snatch customer email addresses, payment data, customer names, password hints, and physical addresses. Also this week, Adobe issued the firm's latest set of security updates, specifically for the Adobe Flash Player. The updates for Windows, Mac and Linux users address "vulnerabilities that could potentially allow an attacker to take control of the affected system."
- Cisco said it will seek to have security at every point of contact on its network as part of a new Security Everywhere offering. The aim will be to have security throughout Cisco's network offering in the datacenter right up to the end user, and all connected devices. Also this week, Cisco's outgoing CEO John Chambers publicly denied there was a global reputation hit from NSA revelations, talking down the impact of the claims that the NSA had used "load stations" to implant spy beacons in servers and networking gear shipping from the US to particular customers -- despite a 19 percent revenue dip in China in Q2 earnings.
Q: How many cyber threat analysts does it take to change a lightbulb? A: Doesn't matter, that's infrastructure's problem.
-- Rebekah Brown (@PDXbek) June 10, 2015
- The Syrian Electronic Army claimed responsibility for defacing the US Army's website. On Monday, the official US Army website www.army.mil, used for news releases and special features, was taken down for several hours following defacement of the homepage.
- Microsoft's monthly release of security updates arrived today, right on schedule. The June 2015 list contains eight items, with two of them rated Critical. That's good news for IT pros who've struggled with an abundance of updates in recent months.
- The results of RAND's multiphased study of the future of cybersecurity, The Defender's Dilemma: Charting a Course Toward Cybersecurity, was released this Wednesday The entire report is a bucket of cold water as to how unprepared, confused, and unsupported the people are whose job it is to protect your data. RAND flatly states that today's combination of skyrocketing cybersecurity spending and its "questionable success" creates a setup in which "security efforts cannot continue on this course."
- Security company Kaspersky revealed this week that its systems had been breached by what it described as an extremely sophisticated and likely state-sponsored attack -- a condition that appears to be going around.
a bro FOIA'd Osama Bin Laden's porn stash http://t.co/atvwh5jdHb
-- Paul Szoldra (@PaulSzoldra) June 10, 2015
- UK security services should be allowed to continue bulk collecting data on people's web browsing, emails, and other communications, an official review has found. The report by the UK government's independent reviewer of terrorism legislation, David Anderson QC, found that the mass interception of online traffic by government surveillance agency GCHQ should be allowed to continue but under "strict additional safeguards". Meanwhile, UK police will join intelligence agencies in deploying hacking techniques to get past the use of strong encryption by their targets, according to the same report.
- A bug in the default Apple Mail program appears to allow the theft of iCloud passwords. An iCloud password phishing email generator was created by a researcher as a proof of concept of an unpatched bug affecting millions of Apple users. Register reported the researcher created the iOS 8.3 Mail.app inject kit which exploits a bug in the operating system's native email client to produce a realistic pop-up of which Apple users are accustom. Soucek (@jansoucek) says Cupertino did not respond when he informed it of the bug in January.
- Fake mobile towers in the UK that scoop up data from passing phones are routinely being used in London, according to BBC. Working with German security company GMSK Cryptophone, BBC stated Sky News claims to have uncovered direct evidence, the first in the UK, of at least 20 instances of the use of these cell site simulators.
I love when my phone asks me if I can trust a computer. Frankly, I don't trust either of you.
-- emily nussbaum (@emilynussbaum) June 11, 2015