Welcome to Zero Day's Week In Security, ZDNet's roundup of notable security news items for the week ending October 30, 2015.
From Telegraph: Talk Talk faces hacking compensation bill running into millions "Talk Talk has conceded that it could face a compensation bill running into millions for customers whose bank accounts were raided after the telecoms company was targeted in a huge cyber-attack. Talk Talk says it is now preparing to investigate thousands of cases in which customers say they have either had their bank accounts raided directly, or have lost money after being persuaded to hand over access to their home computers." See also: BT chief warns over damage to broadband industry from Talktalk security crisis (Telegraph)
From ZDNet: Yahoo hires new CISO, now the third exec in role in 6 months "Yahoo on Monday said it has appointed Bob Lord as chief information security officer (CISO) to lead enterprise network security for Yahoo customers and employees. Lord is the third executive to hold the Yahoo CISO title in less than six months, following a concerning amount of executive churn at the search company."
From Naked Security: Train rider has his contactless card e-pickpocketed "It could have been just another one of those jostlings that happen on the train: a man bumped into a writer for SC Magazine. Except, as Roi Perez tells it, it all seemed a bit deliberate: the guy slowly bumped into him - and his pocket - for a bit too long. He said that it took him a minute to realize what had happened. But when it did dawn on him, he called his bank, only to find out that he'd been e-pickpocketed. That slow bump had apparently enabled the presumptive thief to get close to Perez's contactless card payment: there'd been an unauthorized £20 snorted from his card to make a transaction on the train."
From ZDNet: Cisco snaps up cybersecurity firm Lancope for $452 million "Cisco on Tuesday said it plans to acquire cybersecurity firm Lancope for $452.5 million. Based in Alpharetta, Georgia, privately held Lancope specializes in network behavior analytics, threat visibility and security intelligence - features Cisco said it plans to use to bolster its Security Business Group as well as the company's "security everywhere" strategy. Cisco and Lancope have been commercial partners for some time, with Lancope's threat visibility technology being used to turn a Cisco-run network into a security sensor. But coming together under one organization will allow the companies to integrate services more organically and detect network threats more rapidly."
From Bankinfosecurity: LifeLock Tentatively Settles with FTC "LifeLock says it has reached a tentative agreement on a settlement with the Federal Trade Commission regarding a number of issues, including alleged information security shortcomings. It says it's also reached agreement on a proposed settlement of a related consumer class action lawsuit. Back in July, the FTC alleged LifeLock had violated a 2010 settlement with the commission and 35 state attorneys by continuing to make deceptive claims about its identity theft protection services and by failing to take steps to protect users' data (see FTC Charges Lifelock with Deception)."
From ZDNet: Oracle's Larry Ellison makes case for better cloud security, M7 chip "The biggest concern in cloud right now is security, asserted Oracle executive chairman Larry Ellison. "We need much better security. We need a next-generation of security because we are not winning a lot of these cyber battles," Ellison argued. "We are losing a lot of these cyber battles. We haven't lost the war. But we're losing battles." Picking up from where he left off on Sunday night, Ellison continued to a packed conference hall on Tuesday afternoon that these battles, or "technology confrontations," can take many forms, whether they are nations and companies pitted against each other or even "hackers against ethical technologists.""
From ZDNet: Google to Symantec: Clean up your act or be branded unsafe "Google is evidently not very pleased about security firm Symantec's recent performance when it comes to issuing secure Web certificates and has outlined a list of demands to prevent the same mistakes from happening again. In September, Symantec fired a number of employees following glaring mistakes in issuing transport layer security (TLS) certificates. The company said "employee error" caused cryptographic certificates to be issued online without the consent of either Google or Symantec, allowing attackers to impersonate Google pages protected by HTTPS."
From Symantec: MySQL servers hijacked with malware to perform DDoS attacks "We've discovered malware that targeted MySQL servers to make them conduct distributed denial-of-service (DDoS) attacks against other websites. The attackers initially injected a malicious user-defined function (Downloader.Chikdos) into servers in order to compromise them with the Trojan.Chikdos.A DDoS malware."
From ZDNet: While US and UK governments oppose encryption, Germany promotes it. Why? "In the UK, David Cameron's administration has all but declared war on encryption. In the US, 63 percent of Americans approve of backdoors for the government to monitor encrypted business communications in response to a national security threat, according to a recent Vormetric survey. But in Germany, the government openly advocates that all citizens use encryption and has even pushed forward a De-Mail service to help make that a reality."
From Bloomberg: Pentagon Creates Cybersecurity Exchange Program With Industry "The U.S. Defense Department is sending career personnel on tours with private cybersecurity companies and bringing in specialists from those companies to gain the skills necessary to defend military networks from hackers, the Pentagon's chief information officer said. "There's not a time when I'm not being attacked somewhere in the world," Terry Halvorsen said at an event in Washington Thursday hosted by the Christian Science Monitor. "We're looking to industry to help us solve some specific areas.""
From Security Week: Joomla Flaw Exploited in the Wild Within Hours of Disclosure "The details of the flaw were disclosed by Trustwave shortly after Joomla developers announced the availability of version 3.4.5. Within four hours, web security firm Sucuri spotted attacks exploiting the vulnerability against two popular Joomla sites protected by its products. Within 24 hours of disclosure, Sucuri observed exploitation attempts against all the websites on its network. Researchers noticed two types of requests: ones designed to check if the website was running Joomla, and ones designed to exploit the SQL injection in an effort to obtain a valid admin user from the targeted site's database. Many of these malicious requests came from the Tor anonymity network, experts noted."
From Ars Technica: US regulators grant DMCA exemption legalizing vehicle software tinkering "Every three years, the Librarian of Congress issues new rules on Digital Millennium Copyright Act exemptions. Acting Librarian David Mao, in an order (PDF) released Tuesday, authorized the public to tinker with software in vehicles for "good faith security research" and for "lawful modification.""
From ZDNet: 000webhost hacked, 13 million customers exposed "Free website hosting service 000webhost has suffered a data breach which has placed the service's security practices under scrutiny. 000webhost is a free web hosting service which supports both PHP and MySQL, catering for millions of users worldwide. On Wednesday, the firm told users in a Facebook message that the company had suffered a data breach on its main server. A hacker used an exploit in an old, unpatched version of PHP to upload malicious files and gain access to the service's systems. Not only was the full database containing the usernames, passwords* and email addresses compromised, but this information has been dumped online." * Note: plaintext passwords.