Zero Day Weekly: Sony's epic hack, Home Depot lawsuits, Regin malware

A collection of notable security news items for the week ending November 28, 2014. Covers enterprise, controversies, reports and more.
Written by Violet Blue, Contributor
zero day weekly

Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending November 28, 2014. Covers enterprise, controversies, reports and more.

This week, Sony Pictures was critically compromised, Home Depot got hit with 44 lawsuits over its breach, Craigslist got DNS hijacked, the SEA made a comeback, and much more.

  • The UN moved aggressively this week to strenghten digital privacy. A resolution presented by Germany and Brazil calls for governments to strengthen digital privacy builds on a landmark text presented last year after revelations of widespread surveillance by the US and British governments. It followed weeks of tough negotiations with Australia, Britain, Canada, New Zealand, and the US -- members of the so-called Five Eyes intelligence alliance -- which sought to limit the resolution's scope. The five countries are not among the 65 co-sponsors of the Bill.

  • Regin malware finally washed up: Symantec Security Response (and others) this week disclosed a new malware called Regin which, they say, "...displays a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals -- since at least 2008. So: Which nation-state is behind the sophisticated, stealthy Regin malware?

  • Siemens released security updates for several of its SCADA (supervisory control and data acquisition) products for industrial environments, in order to fix critical vulnerabilities that may have been exploited in recent attacks. One of the vulnerabilities allows unauthenticated attackers to remotely execute arbitrary code on a Siemens SIMATIC WinCC SCADA server by sending specially crafted packets to it. The flaw received the maximum severity score of 10 in the Common Vulnerability Scoring System and can lead to a full system compromise.
  • Both Uber and Twitter apps came under fire this week when analysis was done on app access and the privacy anhiliating permissions of seemingly benign apps under the guise of improving or enhancing user experience. According to Cult of Mac, GironSec claims Uber's app “calls home” and sends data to Uber, but it isn’t typical app data: "Uber has access to users’ entire SMSLog even though the app never requests permission. It also accesses call history, Wi-Fi connections used, GPS locations and every type of device ID possible."

  • Google's Project Zero bug hunters published details of a critical vulnerability in Adobe Reader for Windows that was patched in September. Windows users who haven't updated to the latest version of Acrobat and Adobe Reader probably should do so right now, after a Google security researcher revealed details of a vulnerability affecting the pair, and how to exploit it.

  • StealthGenie is a federal crime. In the US, it's a federal crime to sell spyware: On Tuesday, we saw the first-ever criminal conviction concerning the advertisement and sale of a mobile device spyware app. The Department of Justice announced that the creator of StealthGenie, 31-year-old Danish citizen Hammad Akbar, had pleaded guilty to advertising and selling StealthGenie. The court sentenced Akbar to time served, ordered him to pay a $500,000 fine and ordered to turn over the source code for StealthGenie to the government.

Editorial standards