Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending May 8, 2015. Covers enterprise, controversies, reports and more.
- Netflix has released under an open-source license an internal tool it developed to manage a deluge of security alerts and incidents. Called FIDO (Fully Integrated Defense Operation), the tool is designed to research, score and categorize threats in order to speed up handling of the most urgent ones.
- Patch Tuesday may be dead, but Microsoft's not confessing to the crime: Is Patch Tuesday, the second Tuesday of each month -- the day since 2003 that Microsoft has painted on the calendar for distributing security updates -- dead? That question began circulating Monday, after Microsoft announced its new update service, Windows Update for Business (WUB). As Terry Myerson, Microsoft's operating system chief, touted WUB, he suggested, or some thought he suggested, that Patch Tuesday was no more.
- The US Internal Revenue Service has launched a new unit dedicated to tackling the rising rate of identity theft through hacking. The US agency's unit comprises roughly a dozen agents, as reported by the Wall Street Journal. The agents, based in Washington, will focus on cybercrime related to tax fraud, including the theft of data which is then used to collect victims' tax refunds without their consent.
Hard Rock, Sally Beauty Data Breaches http://t.co/6XCzU1WAUB < What if payment card industry had focused on chip&pin instead of PCI DSS?
-- Chris Wysopal (@WeldPond) May 5, 2015
- Apple patches multiple security bugs in Safari: Mac users should keep an eye out for the updates, released on Wednesday, which fix a handful of bugs that could allow an attacker to take control of a system using a malicious website. The versions released include Safari 8.0.6, Safari 7.1.6, and Safari 6.2.6. The updates are appearing around one month after Apple released its last lot of security fixes for the browser, alongside a monster security update for OS X Mountain Lion, Mavericks, and Yosemite. The last Safari updates for Yosemite shipped with version v10.10.3 in April.
- Apple security program, MacKeeper, celebrates difficult birthday: Released in 2010, MacKeeper has been dogged by accusations that it exaggerates security threats in order to convince customers to buy. A class-action suit contends that MacKeeper falsely flagged security and performance problems in order to coax consumers into paying $39.95 for the full version. The suit sought $5 million in damages. It is close to being settled, according to recent documents filed in U.S. District Court for the Western District of Pennsylvania.
- This is a bad month for the medical equipment maker Hospira. First, security researcher Billy Rios finds a raft of serious and remotely exploitable holes in the company's MedNet software, prompting a vulnerability alert from ICS CERT. Now, one month later, ICS CERT is again warning of a "10 out of 10" critical vulnerability, this time in Hospira's LifeCare PCA drug infusion pump. According to this report by Security Ledger, the main problem was an almost total lack of security controls on the device.
- The US is building a "cyber mission force" which will include nearly 6,200 military, civilian, and contractor support personnel from across the military departments and defense components. A new document, the US Department of Defense Cyber Strategy, sheds light on US military thinking and capabilities. The force will be made up of 133 teams, including 68 teams of "cyber protection forces," which will defend key military networks and systems, while 13 "national mission teams" aim to defend broader US interests against cyberattacks of significant consequence.
- Lenovo has issued a patch for a flaw in its computers, which researchers say could allow hackers to replace trusted apps with malicious versions. Security researchers at IOActive said in an advisory detailing three separate vulnerabilities that hackers could bypass the checks meant to ensure the integrity of apps, allowing them to run malware on an affected Lenovo machine.
- The Rombertik malware strain takes extra measures to stop the analysis of its core functions and abilities, security researchers have discovered. Ben Baker and Alex Chiu from Cisco Systems' Talos Group said in a blog post Monday that a new strain of spyware, dubbed Rombertik, is a complex system complete with "multiple layers of obfuscation and anti-analysis functionality".
- A proposed back-door listing of Mega, the privacy service founded by Kim Dotcom, has failed. Listed shell TRS, which was to acquire Mega in order to list it on the New Zealand Stock Exchange, informed the market on Wednesday that it would be unable to secure shareholder approval for the deal before a May 29 cut-off date.