Zero Day Weekly: Sony settles breach suit, Pwn2Own loses HP, Mac keychain attacks
Welcome to Zero Day's Week In Security, ZDNet's roundup of notable security news items for the week ending September 4, 2015.
From SC Magazine: Sony settles federal [breach] suit with former employees, avoids class action "Sony Pictures Entertainment sidestepped a class action suit by reaching a settlement with former employees whose information was exposed in a high-profile breach. On the cusp of a hearing to determine whether a lawsuit against Sony Pictures Entertainment should be turned into a class action suit, the company has reached a settlement with nearly 50,000 former employees after a breach exposed their personal information online."
From LA Times: China and Russia are using hacked [OPM] data to target U.S. spies, officials say "Foreign spy services, especially in China and Russia, are aggressively aggregating and cross-indexing hacked U.S. computer databases - including security clearance applications, airline records and medical insurance forms - to identify U.S. intelligence officers and agents, U.S. officials said. At least one clandestine network of American engineers and scientists who provide technical assistance to U.S. undercover operatives and agents overseas has been compromised as a result, according to two U.S. officials."
From Ars Technica: Pwn2Own loses HP as its sponsor amid new cyberweapon restrictions "The next scheduled Pwn2Own hacking competition has lost Hewlett-Packard as its longstanding sponsor amid legal concerns that the company could run afoul of recent changes to an international treaty that governs software exploits. Dragos Ruiu, organizer of both Pwn2Own and the PacSec West security conference in Japan, said HP lawyers spent more than $1 million researching the recent changes to the so-called Wassenaar Arrangement. He said they ultimately concluded that the legal uncertainty and compliance hurdles were too high for them to move forward."
From PC World: Even encrypted medical record databases leak information "A new study from Microsoft researchers warns that many types of databases used for electronic medical records are vulnerable to leaking information despite the use of encryption. The paper, due to be presented at the ACM Conference on Computer and Communications Security next month, shows how sensitive medical information on patients could be pilfered using four different attacks. Researchers discovered the sex, race, age and admission information, among other data, using real patient records from 200 U.S. hospitals."
From SC Magazine: Waze allegedly stole its competitors data to better its app "A Waze competitor, PhantomAlert, filed a complaint on Wednesday alleging that Google-acquired company Waze stole information from its database. ... one attorney on the case, Karl Kronenberger told SCMagazine.com that the team can think of no "lawful way that Waze could have obtained possession of the PhantomAlert database." The company also clarified in the document that if proven true, Google would have acquired "all of Waze's liabilities, including all liability associated with Waze's copyright infringement" when it purchased the company in 2013."
From SC Magazine: Anonymous group launches phase of cyberattacks against IS "Anonymous has launched another online battle against members of the Islamic State (IS, formerly ISIS/ISIL) group. The hacktivists are targeting and attacking the online network of supporters and suspected websites of the IS. ... GhostSec members organised a list of potential Twitter accounts that are being used by the jihadists. By reporting these to Twitter, they managed to remove more than 60,000 accounts connected to the IS members. This encouraged GhostSec members to launch a wide range of attack methods including Distributed Denial of Service (DDoS) attacks, brute force attacks, and SL injection - resulting in a halt of their communication network."
From Ars Technica: Attacks accessing Mac keychain without permission date back to 2011 "On Tuesday, Ars chronicled an OS X technique that's being actively used by an underhanded piece of adware to access people's Mac keychain without permission. Now there's evidence the underlying weakness has been exploited for four years."
From ZDNet: iPhone malware KeyRaider stole thousands of Apple logins "Researchers at Weiptech and Palo Alto Networks said in a blog post Sunday they had discovered a database of thousands of Apple account accounts, which had been stolen by malware distributed through repositories used by popular jailbreak tool Cydia. The malware, dubbed KeyRaider, intercepts iTunes traffic on the device, stealing usernames, passwords, and unique device identifiers, which are then uploaded to the malware owner's server. More than 225,000 users from 18 countries are thought to be affected by the malware."
From ZDNet: Microsoft's Project Sonar: Malware detonation as a service "Microsoft looks to be gearing up to deliver a new distributed security service running on Azure that will help isolate and destroy malware. Codenamed "Project Sonar," the service "dynamically analyzes millions of potential exploit & malware samples in VMs (virtual machines) and collects terabytes of data during that analysis every day," according to a recent Cloud and Enterprise Group job posting describing the service."
From IT World: Despite reports of hacking, baby monitors remain woefully insecure "Disturbing reports in recent years of hackers hijacking baby monitors and screaming at children have creeped out parents, but these incidents apparently haven't spooked makers of these devices. A security analysis of nine baby monitors from different manufacturers revealed serious vulnerabilities and design flaws that could allow hackers to hijack their video feeds or take full control of the devices. The tests were performed by researchers from security firm Rapid7 during the first half of this year and the results were released Tuesday in a white paper."
From PC World: Microsoft will release its hackathon help tool to the world "Microsoft is planning to bring its internal tool for running hackathons to the public next year, starting by allowing a few select colleges to test drive it at their own events. It's part of a plan by the company's Garage division to help other organizations get better at handling the administrative side of organizing marathon hack sessions like the three-day-long bonanza Microsoft held in July as part of its Oneweek employee team-building session. Known inside Microsoft as the "Hackathon interactive project site," it was built to help 13,000 employees and interns work on 1,700 projects during the Oneweek hackathon."