Welcome to Zero Day's Week In Security, ZDNet's roundup of notable security news items for the week ending August 21, 2015.
From BankInfoSecurity: Target, Visa Reach Breach Settlement "Visa and retail giant Target have reached an agreement that reportedly will reimburse card issuers a total of up to $67 million for fraud losses and other expenses tied to the retailer's 2013 breach, which exposed an estimated 40 million credit and debit cards. While The Wall Street Journal, quoting people familiar with the deal, places the value of the agreement at up to $67 million, Visa and Target, in acknowledging an agreement has been reached, have yet to confirm its value. In a statement provided to Information Security Media Group on Aug. 18, Target states that it reached a settlement agreement with Visa on Aug. 17, after Visa's largest card issuers agreed to the terms of the deal."
From ZDNet: Core Infrastructure Initiative seeks help to improve open-source security "How do you know if an open-source project is mature, well-staffed, and secure? Those are darn good questions with no easy ways to find the answers. Reputation alone won't cut it. OpenSSL's Heartbleed security hole blew the doors off that idea last year. So, the Core Infrastructure Initiative (CII), which enables companies and developers to identify and fund critical impoverished open-source projects, announced at LinuxCon that it's developing a Badge Program to promote projects that do security right."
From Engadget: The latest Ashley Madison data release is twice as big as the first "It looks like the Ashley Madison hackers aren't done releasing data they pilfered from the company in July. As reported by Motherboard, another set of data has been posted on the same "Dark Web" site that hosted the original release. The data dump is accompanied by a statement that reads "Hey Noel, you can admit it's real now" -- a reference to Avid Life (Ashley Madison's parent company) CEO Noel Biderman. ... It looks as though this release is more focused on private internal company information rather than more details about Ashley Madison users. The question now is whether or not Impact Team has any more data to release on the company. Meanwhile, the fallout from this week's revelations continues to expand." See also: Data stolen from Ashley Madison posted online
From ZDNet: Microsoft issues emergency patch for all versions of Windows "Microsoft has released an emergency out-of-band patch for a "critical"-rated security vulnerability, affecting all supported versions of Windows. The software giant said in an advisory Tuesday that users visiting a specially-crafted website can lead to remote code execution on an affected machine."
From ZDNet: IRS breach claims 220,000 additional US taxpayers "The United States Internal Revenue Service (IRS) has revealed that in excess of 220,000 taxpayers may have had their personal information accessed, in addition to the 100,000 originally reported, as a result of a data breach."
From ProPublica: NSA Spying Relies on AT&T's extreme willingness to help "The NSA's ability to spy on vast quantities of Internet traffic passing through the United States has relied on its extraordinary, decades-long partnership with a single company: the telecom giant AT&T. While it has been long known that American telecommunications companies worked closely with the spy agency, newly disclosed NSA documents show that the relationship with AT&T has been considered unique and especially productive. One document described it as 'highly collaborative,' while another lauded the company's 'extreme willingness to help.'" See also: UN demands NSA respect its privacy amid AT&T spying report
From NextGov: Pentagon Researchers Will Wage Counterattack on Crippling 'DDoS' Cyber Strikes "The Pentagon has in mind a three-pronged counterattack against a decades-old form of cyber assault that continues to paralyze government and industry networks, despite its low cost of sometimes $10 a hit. Beginning next spring, military-funded researchers are scheduled to produce new tools that would quickly enable organizations to bounce back from so-called distributed denial-of-service attacks. A recovery rate of at most 10 seconds is the goal, according to the Defense Department. ... Researchers chosen by the Defense Advanced Research Projects Agency will attempt to deny attackers such openings through a three-year program called Extreme DDoS Defense, according to Pentagon officials. The tentative start date is April 1, 2016."
From ThreatPost: Web.com Loses 93,000 Credit Card Numbers in Breach "Florida-based web hosting company Web.com on Tuesday announced that it had suffered a data breach and payment card and personal information belonging to 93,000 customers was accessed. The company did not say in a statement or press release whether the stolen data was encrypted, nor how it was accessed."
From Reuters: Exclusive: Russian antivirus firm faked malware to harm rivals - Ex-employees "Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees. They said the secret campaign targeted Microsoft Corp (MSFT.O), AVG Technologies NV (AVG.N), Avast Software and other rivals, fooling some of them into deleting or disabling important files on their customers' PCs."
From SC Magazine: BitTorrent protocol family vulnerable to DRDoS attacks "Researchers at the 2015 USENIX Workshop on Offensive Technologies (WOOT '15) demonstrated how the BitTorrent protocol family is vulnerable to distributed reflective denial-of-service (DRDoS) attacks. Actors can exploit BitTorrent protocols and BitTorrent Sync (BTSync) to reflect and amplify traffic from peers, according to a whitepaper, which explained that popular clients such as uTorrent, Mainline, and Vuze are the most vulnerable to these types of attacks."
From ZDNet: Google patches another 'high severity' bug in Android "Google has patched yet another security bug affecting Android versions 2.3 to 5.1.1, which security firm Trend Micro says could be used to abuse device owners' privacy. The bug, likely to be fixed in Google's next monthly security update for Nexus devices, could allow attackers to abuse Android's mediaserver program to spy on device owners. The bug adds to a growing list of vulnerabilities stemming from the Android component, which was at the root of one of the seven bugs found in the Stagefright media library."