Welcome to Zero Day's Week In Security, ZDNet's roundup of notable security news items for the week ending October 9, 2015.
From The Hill: Senate Democrats press T-Mobile on data breach "Three Senate Democrats are seeking answers from credit agency Experian about the recent data breach that exposed up to 15 million T-Mobile customers. Sens. Richard Blumenthal (D-Conn.), Bill Nelson (D-Fla.) and Brian Schatz (D-Hawaii) - all leading Democrats on the Senate Commerce Committee - wrote the two companies Wednesday, requesting information on how both firms were handling fallout from the hack. "Experian and T-Mobile's recent incident demonstrates the need for legislation," the letter said." See also: In wake of hack, anti-CISA group targets Experian (The Hill)
From Reuters: Exclusive: Uber checks connections between hacker and Lyft "Eight months after disclosing a major data breach, ride service Uber [UBER.UL] is focusing its legal efforts on learning more about an internet address that it has persuaded a court could lead to identifying the hacker. That address, two sources familiar with the matter say, can be traced to the chief of technology at its main U.S. rival, Lyft."
From CNET: New California law requires police to get warrants for online data "If the police want to take a look at your email, they'll now have to get a warrant. At least in California. Gov. Jerry Brown signed a privacy bill into law Thursday requiring law enforcement agencies in California to get a warrant for online data. The bill had the support of Silicon Valley and privacy advocates, showing that tech firms are resisting government collection of customer data in the aftermath of Edward Snowden's surveillance revelations. A federal law is pending with similar restrictions. For now, federal law enforcement doesn't need a warrant to access online data, even in California."
From ZDNet: HTC says monthly Android security updates are "unrealistic" "The recent Stagefright vulnerability that could affect hundreds of millions of Android phones may have been a blessing in disguise. Responding to the situation, Google in August announced monthly security update availability for its Nexus phones. Samsung also commited to "near monthly" updates and LG has followed suit. HTC, however, has not. President of HTC America, Jason Mackenzie, tweeted over the weekend that the company "will push for them, but unrealistic for anyone to say guaranteed every month.""
From The Hill: House passes bill mandating DHS cybersecurity strategy "The House on Tuesday passed a bill requiring the Department of Homeland Security to develop a formal cybersecurity strategy. "This legislation is proof that there is bipartisan support for finding effective solutions to this issue, and that we are not content to leave security to improvisation," bill sponsor Rep. Cedric Richmond (D-La.) said in a statement."
From ZDNet: Cost of cybercrimes climbs to $6.8m per firm in Japan, $3.4m in Australia "The average cost of cybercrime per organisation a year across seven countries has increased to $7.7 million in 2015, with companies taking 46 days to resolve a cyber attack. According to a study commissioned by Hewlett-Packard and conducted by Ponemon Institute, the average annualised cost of cybercrimes in Japan, for instance, climbed 14 percent to an estimated $6.81 million. In Australia, this figure increased 13 percent to $3.47 million, revealed the annual study, which sampled 60 respondents in the two markets."
From Ars Technica: Report finds many nuclear power plant systems "insecure by design" "A study of the information security measures at civilian nuclear energy facilities around the world found a wide range of problems at many facilities that could leave them vulnerable to attacks on industrial control systems-potentially causing interruptions in electrical power or even damage to the reactors themselves. The study found that many nuclear power plants' systems were "insecure by design" and vulnerable to attacks that could have wide-ranging impacts in the physical world-including the disruption of the electrical power grid and the release of "significant quantities of ionizing radiation."" See also: Nuclear nightmare: Industrial control switches need fixing, now (ZDNet)
From ZDNet: Google patches Stagefright 2.0 in Nexus, fixes land in 'nightly' CyanogenMod builds "In tandem with the release of Android Marshmallow 6.0 for Nexus phones, Google has also delivered a critical security update for Nexus devices vulnerable to the latest Stagefright bugs. Revealed last Friday, Stagefright 2.0, like its predecessor, has left virtually every Android device in the wild exposed to a dangerous attack on the operating system's media player engine, which can be triggered after receiving a malicious MP3 or MP4 media file."
From ZDNet: Fretting about Stagefright on Galaxy S5? CyanogenMod's stable release has a fix "CyanogenMod has rolled out stable builds for about 50 handsets and is including the October security fixes that Google released this week for Nexus devices. For Android users concerned about easily exploited bugs like Stagefright 1.0 and 2.0, it seems that the fastest way to get critical security updates is to replace the device's existing firmware with CyanogenMod. So far, the only devices that have received Google's October Android security update, which carries fixes for dozens of critical vulnerabilities including Stagefright 2.0, are Nexus devices. The fixes are also included in Android Marshmallow 6.0, but again that's only available to Nexus devices for now."
From CNET: Samsung says customer payment data not affected by hack attack "Customers who use the Samsung Pay mobile payments system weren't hurt by a hack attack on LoopPay, a company Samsung acquired to help power the service, the company said on Thursday. A government-affiliated Chinese hacker group known as the Codoso Group or Sunshock Group was responsible for the attack, The New York Times said. LoopPay believes they were trying to steal the company's magnetic strip technology -- the primary reason Samsung bought the company."
From ZDNet: Kemoge malware: Yet another reason not to use unofficial Android app installs "Security and cyber-attack firm FireEye announced on Wednesday that it tracked a new mobile malware threat in more than 20 countries worldwide, including the U.S. Dubbed Kemoge, the threat poses as standard, readily available Android apps but trick users into installing them via ads. On the surface, the apps are duplicates of software that can be found on the Google Play Store; the key difference is that they attack the user's device after installation."