Zero Day Weekly: LastPass, Samsung, baseball hacks, and the US Navy buying zero days

Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending June 19, 2015. Covers enterprise, controversies, reports and more.

• Samsung is finally responding to a major security bug that affects the keyboards on its Galaxy smartphones and tablets. The security firm NowSecure revealed the exploit earlier this week, which gives hackers the ability to execute code on Samsung's mobile devices. Up to 600 million devices are affected.

• Baseball hack attack: This week NYT reported that the FBI and the U.S. Justice Department are investigating whether St. Louis Cardinals officials hacked into the Houston Astros' internal networks. Investigators told the Times they uncovered evidence that Cardinals officials breached Astros databases containing information on trades, proprietary statistics and scouting information.

• Federal auditors are blasting a decade-in-the-making government computer system that was supposed to simplify the immigration application process and improve national security. The so-called "Transformation Program" the Department of Homeland Security conceived in 2005 should have transformed paper-based transactions into online forms years ago. But because DHS has reversed course on software development strategies, the initial $536,000 effort faces a $3.1 billion price tag and a March 2019 rollout, according to a newly released Government Accountability Office report.

• Vulnerabilities affecting Apple's Mac OS X and iOS operating systems could allow attackers to steal passwords and other credentials if successfully exploited. In a PoC paper, researchers from Indiana University, Peking University, and Georgia Institute of Technology demonstrated that cross-app resource access (XARA) attacks are possible. The vulnerabilities were reported to Apple in October 2014 and the company said it would require six months to roll out fixes. Although some issues have been addressed, most of the vulnerabilities remain unpatched.

• LastPass, a cloud-based password security site, isn't immune to data breaches. The company's chief executive Joe Siegrist said in a blog post that account email addresses, password reminders, server per user salts, and authentication hashes were compromised. But, he said, the company has "found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed." However, before you panic, there are some things you should know.

• Rapid7, a Boston, Mass.-based provider of security analytics software and services, has filed an S-1 registration statement with the Securities and Exchange Commission (SEC) for a proposed initial public offering (IPO) of its common stock. The company is looking to raise roughly $80 million in an IPO.

• What made Shylock so dangerous was the way it defied attempts to remove it, according to Adrian Nish, London-based head of cyberthreat intelligence at BAE Systems Applied Intelligence, who spent years studying it. "It was able to resurrect itself," he said. It was a banking Trojan, designed to sneak into a computer and drain your bank account; broken fragments of Shakespeare, from The Merchant of Venice, were buried in the program files.

• Canadian federal government websites were hit by a cyberattack Wednesday and Anonymous has claimed responsibility for the attack. Sites for several federal departments -- including Weather.gc.ca, ServiceCanada.gc.ca and Parl.gc.ca -- went down around the lunch hour ET Wednesday.

• US Navy caught by EFF while trying to buy Zero-days: The Electronic Frontier Foundation (EFF) spotted the US Navy publicly soliciting people to sell security vulnerabilities to well-known software. It seems that the US Navy was also buying the Zero-days as NSA, to build backdoors into the software.

• The European Union faces a huge shortfall of qualified IT staff in Europe by 2020, prompting EU countries to redouble efforts to offer technology training. There are not enough IT specialists graduating in Europe to fill all jobs, creating a digital skills gap that could lead to 825,000 vacancies in the sector five years from now, according to figures released by the European Commission on Thursday.

• Google on Tuesday added a new effort that pays when you find a security issue in Android. Every verifiable issue in the new Android Security Rewards program will pay a minimum of $500 with the total reward reaching $8,000 in some cases.

• The Inverse Path USB armory ($130) is a little USB stick with an entire computer onboard (800MHz ARM processor, 512MB RAM), designed to be a portable platform for personal security applications. It stands to change personal information security as we know it: In its current state, it's pretty dreamy for most hackers and infosec pros (it's especially sexy for pentesters), but right now it's a bit challenging for non-technical people.