Zero Day Weekly: Wassenaar backpedaling, rifle hacking, Stagefright, Wi-Fi Sense hysteria

Notable security news items for the week ending July 31, 2015. Covers enterprise, controversies, application and mobile security, malware, reports and more.


Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending July 31, 2015. Covers news and business, is allergic to press releases: Enterprise, controversies, reports, and more.

  • The US backpedaled this week on its plan to regulate hacking software under the Wassenaar Arrangement after outcry from domestic information security researchers. The Department of Commerce wants to heavily restrict the development and testing of exploits, zero-days and other intrusion software, which sounds like a good thing on the face of it. However, security professionals discovered that it would have severely limited, and possibly even criminalized, research into surveillance software. The Commerce Department said that "a second iteration of this regulation will be promulgated, and you can infer from that that the first one will be withdrawn."
  • NSA access to phone data ending in November: The office of the Director of National Intelligence said on Monday that the telephone data it obtained from phone companies, such as Verizon, would be destroyed in compliance with the recently passed Freedom Act, which mandated a 180-day transition period ending November 29. Once this period expires, the intelligence agency's access to the data will cease.
  • The US Census Bureau said in a blog post last weekend that the hackers who managed to pull employee records from its computers (a pop claimed by Anonymous before the disclosure) did so by targeting the Federal Audit Clearinghouse -- which is a service provided by the bureau for the federal government. According to a new requisition order, the agency is seeking a contractor who can provide training to census office employees on phishing safety.
  • Twenty-one million people still remain unprotected from whoever stole their U.S. Office of Personnel Management (OPM) records, but the OPM has announced it has repaired the e-QIP system security hole. Um, yay? Um, no. At this time, if you go to the e-QIP site you'll still find the following message: "The e-QIP login page is accessible only for limited user testing. The application will remain inaccessible to most users until testing is complete. Please check back for updates." The OPM stated that it will be "working closely with agencies to re-enable e-QIP users incrementally in an effort to resume this service in an efficient and orderly way. This action is being taken after extensive testing of the system -- both by OPM and its partner agencies -- and consultation with key stakeholders." At this time, the OPM has not made arrangements to protect individuals whose records were stolen. Indeed, the OPM can't. It doesn't have the funding.
  • Android's Stagefright security hole is scary, but you can avoid it. Stagefright can attack any Android smartphone, tablet, or other device running Android 2.2 or higher. In short, of the approximately 1 billion Android gadgets out there, Stagefright could, in theory, hit 95 percent of them.
  • Facebook is rolling out its new Security Checkup tool worldwide. The development of the tool, which started testing earlier this year, initially appears like a reaction (and potential answer) to years of concerns over auto opt-in functions on the world's largest social network. Security Checkup was designed to walk users through all the security tools available to them, one by one, while asking them which ones they would like on or off.
  • The not-for-profit Cloud Security Alliance (CSA) has launched an initiative to unite cloud providers and create a new, peer-based cloud information security sharing center. Brian Kelly (CSO at cloud firm Rackspace, which is hosting the center) said the initiative will allow sharing center members from cloud firms such as Rackspace, Amazon, Google, Microsoft, and Dropbox to share information and leverage each other's knowledge base.
  • A researcher warns about General Motors Co's (GM.N) OnStar vehicle communications system mobile app, saying hackers can exploit a security flaw in the product to remotely unlock cars and start engines. "White-hat" hacker Samy Kamkar posted a video on Thursday saying he had figured out a way to "locate, unlock and remote-start" vehicles by intercepting communications between the OnStar RemoteLink mobile app and the OnStar service. Kamkar said he reported his findings to GM last week and on Thursday the automaker told Wired that the flaw was fixed. Kamkar disagreed with GM's claims of a fix.