Zero Day Weekly: Microsoft's big bug, Pwn2Own losers, USPS and NOAA bungle disclosure
Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending November 14, 2014. Covers enterprise, controversies, reports and more.
This week, Microsoft fixed an 0day old enough to vote, Windows Phone couldn't be pwned, the USPS and NOAA divulged massive simultaneous breaches, and Samsung's KNOX came under fire again.
Microsoft’s Windows Phone emerged from this year’s Mobile Pwn2Own hacking competition boasting excellent security after contestants failed to fully pierce its defenses. Update: BlackBerry took the top spot for being unhackable. An iPhone 5S, Samsung Galaxy S5, LG Nexus 5, and Amazon Fire Phone were all hacked and hijacked on the contest's first day.
WinShock (CVE-2014-6321): What is it & how to remediate [VIDEO] http://t.co/63afae5tcb #rapid7WbW pic.twitter.com/cK71fHSv9K
— Rapid7 (@rapid7) November 13, 2014
It was a hellish week for Microsoft security updates. Microsoft fixed a severe 19-year-old Windows 0day bug found in pretty much everything since Windows 95. Patch Tuesday had security departments scrambling: Microsoft released 14 security updates to address 33 vulnerabilities in Windows, Internet Explorer and Office. One update stands out from the rest for severity and unanswered questions: apply the MS14-066 update now, or at least make sure your IPS has updates for it. Microsoft also released version 5.1 of EMET (the Enhanced Mitigation Experience Toolkit).
The security hits just keep coming for Apple: this week, iPads and iPhones were revealed to be vulnerable to an app replacement exploit. Researchers at FireEye on Monday detailed a bug in which apps on iOS 7.1.1 and later, including the latest iOS 8 and iOS 8.1 update, can be effectively replaced with fake apps that can be used to install malware or vacuum up a user's data.
The US Postal Service revealed Monday that it was massively hacked in September and that personal data belonging to over 800,000 employees was swiped, including names, dates of birth, Social Security numbers, and addresses. The American Postal Workers Union (APWU) filed a complaint with the National Labor Relations Board claiming that the USPS announced the breach in the same timeframe it made unilateral changes in wages, hours and working conditions. The union said it was left in the dark about the breach and received nothing but a "courtesy call" from Postmaster General Patrick Donahoe the night before the USPS announced the breach. Meanwhile, the USPS has shut down employee VPN access and suspended telecommuting until further notice for employees at Postal Service headquarters.
http://t.co/EDG4owq6Jk has made it 100% official: The guy behind the CBS show "Scorpion" is full of it. http://t.co/zQdEOn71lN
— InfoSec Taylor Swift (@SwiftOnSecurity) November 9, 2014
Also revealed this week to have been hacked back in September is the US meteorological agency, the National Oceanic and Atmospheric Administration (NOAA). The agency is also in hot water over improper disclosure: officials said that NOAA did not notify the proper authorities when it learned of the attack, and despite media conjecture, NOAA officials declined to discuss the suspected source of the attack.
It was kind of a "no duh" moment for some of us, but it made plenty of headlines: the Pew Research Internet Project published a study on Nov. 12 revealing that Americans believe they have lost control of their personal information. "Public Perceptions of Privacy and Security in the Post-Snowden Era" showed that only 5 percent of respondents were not aware of U.S. government programs to monitor Americans' calls and emails.
Retailers demand federal breach notification law. There are 51 different security breach regulations in effect in US. http://t.co/M9xiRlOXud
— Chris Wysopal (@WeldPond) November 12, 2014
Details of 2.7 million HSBC Turkey customers may have been compromised in a confirmed security breach that was spotted sometime last week by the bank’s internal security team. HSBC said it identified the breach on its debit and credit card systems and stopped it, but the hackers may have siphoned off information comprising card and linked account numbers, cardholder names and expiry dates.
Samsung KNOX had another rough week. The US government-approved product got poked by Quarkslab researchers, who found a working exploit in the Samsung Galaxy S5 ROM, which is part of the Samsung KNOX security solution for enterprise. Quarkslab provides a patch for the S5, Note4 and Alpha, but still warns that "the Samsung Galaxy S4, S4 mini, Note3 and Ace 4 (and possibly others) are still vulnerable."
The EFF said this week that some ISPs appear to be removing their customers' email encryption. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag -- called STARTTLS -- from email traffic.
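The stripping described above works because an SMTP server advertises STARTTLS as one line of its EHLO reply, and a mail client that silently continues when that line is absent will deliver in plaintext. The following is an added example (not from the EFF, the researchers, or any ISP) showing how a client can parse the EHLO reply and refuse to downgrade; the EHLO replies and hostnames are constructed.

```python
"""Detect a missing STARTTLS capability in an SMTP EHLO reply (added example).

A server lists its extensions as '250-KEYWORD' lines, ending with a '250 '
line. If a middlebox removes or overwrites the STARTTLS line, a client that
knows its server supports TLS should stop rather than fall back to plaintext.
"""
from typing import List

# Constructed sample EHLO replies; not captured from any real server.
EHLO_CLEAN = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_STRIPPED = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-XXXXXXXX\r\n"  # capability line overwritten in transit (constructed)
    "250 8BITMIME\r\n"
)


class DowngradeDetected(Exception):
    """Raised when STARTTLS was expected but not offered."""


def parse_ehlo(reply: str) -> List[str]:
    """Return the extension keywords (upper-cased) from a multi-line 250 reply."""
    keywords = []
    for line in reply.splitlines():
        # Each reply line is '250-' or '250 ' followed by a keyword and optional parameters.
        if len(line) < 4 or not line.startswith("250"):
            continue
        keywords.append(line[4:].split(" ", 1)[0].upper())
    # The first line is the server greeting, not an extension.
    return keywords[1:]


def starttls_offered(reply: str) -> bool:
    """True if the server advertised STARTTLS in this EHLO reply."""
    return "STARTTLS" in parse_ehlo(reply)


def next_command(reply: str, expect_tls: bool = True) -> str:
    """Client policy: upgrade when STARTTLS is offered; otherwise refuse to
    continue in plaintext if TLS was expected for this server."""
    if starttls_offered(reply):
        return "STARTTLS"
    if expect_tls:
        raise DowngradeDetected("STARTTLS absent from EHLO reply; refusing plaintext delivery")
    return "MAIL FROM"
```

A client that pins `expect_tls=True` for servers it has previously seen advertise STARTTLS gets a loud failure instead of a silent plaintext send, which is the behaviour the EFF is asking mail software to adopt.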