Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending July 31, 2015. Covers news and business, is allergic to press releases: Enterprise, controversies, reports, and more.
- The US backpedaled this week on its plan to regulate hacking software under the Wassenaar Arrangement after outcry from domestic information security researchers. The Department of Commerce wants to heavily restrict the development and testing of exploits, zero-days and other intrusion software, which sounds like a good thing on the face of it. However, security professionals discovered that it would have severely limited, and possibly even criminalized, research into surveillance software. The Commerce Department said that "a second iteration of this regulation will be promulgated, and you can infer from that that the first one will be withdrawn."
- NSA access to phone data ending in November: The office of the Director of National Intelligence said on Monday that the telephone data it obtained from phone companies, such as Verizon, would be destroyed in compliance with the recently passed Freedom Act, which mandated a 180-day transition period ending November 29. Once this period expires, the intelligence agency's access to the data will cease.
- In the lead-up to their August Black Hat and Defcon presentations on hacking a rifle, security researchers Runa Sandvik and Michael Auger showed Wired how they devised a way to hack into (civilian, commercial) hunting startup TrackingPoint's computer-augmented rifle sights, better known as the ShotView targeting system, to shut it off or change its targeting. Last we heard, however, TrackingPoint was having financial troubles and wasn't taking orders for new weapons, so this might not be too much of a problem.
- The US Census Bureau said in a blog post last weekend that the hackers who managed to pull employee records from its computers (a pop claimed by Anonymous before the disclosure) did so by targeting the Federal Audit Clearinghouse -- which is a service provided by the bureau for the federal government. According to a new requisition order, the agency is seeking a contractor who can provide training to census office employees on phishing safety.
- Twenty-one million people still remain unprotected from whoever stole their U.S. Office of Personnel Management (OPM) records, but the OPM has announced it has repaired the e-QIP system security hole. Um, yay? Um, no. At this time, if you go to the e-QIP site you'll still find the following message: "The e-QIP login page is accessible only for limited user testing. The application will remain inaccessible to most users until testing is complete. Please check back for updates." The OPM stated that it will be "working closely with agencies to re-enable e-QIP users incrementally in an effort to resume this service in an efficient and orderly way. This action is being taken after extensive testing of the system -- both by OPM and its partner agencies -- and consultation with key stakeholders." At this time, the OPM has not made arrangements to protect individuals whose records were stolen. Indeed, the OPM can't. It doesn't have the funding.
- In a series of events that raised a lot of questions, this week the Washington Post published, and then removed, and then re-published a controversial opinion piece by senior (ex) intelligence industry brass, in favor of strong, backdoor-free encryption. The article was reposted with a note saying that it was first accidentally published without fully going through its editing process. WaPo has been widely criticized and ridiculed for its clueless editorial advocating "golden key" backdoor encryption.
- Android's Stagefright security hole is scary, but you can avoid it. Stagefright can attack any Android smartphone, tablet, or other device running Android 2.2 or higher. In short, of the approximately 1 billion Android gadgets out there, Stagefright could, in theory, hit 95 percent of them.
- Facebook is rolling out its new Security Checkup tool worldwide. The development of the tool, which started testing earlier this year, initially appears like a reaction (and potential answer) to years of concerns over auto opt-in functions on the world's largest social network. Security Checkup was designed to walk users through all the security tools available to them, one by one, while asking them which ones they would like on or off.
- Windows 10's Wi-Fi Sense is not a security risk, and Ed Bott tells us why. It turns out that the fears were overblown by a security reporter who didn't look past the Settings icon: you actually have to take an extra step to make a Wi-Fi network available for sharing by your contacts.
"Yahoo has paid over $1M to security researchers via bug bounty program" - weird shut-in syndrome where a decent company is trapped in Yahoo
-- Pinboard (@Pinboard) July 28, 2015
- The not-for-profit Cloud Security Alliance (CSA) has launched an initiative to unite cloud providers and create a new, peer-based cloud information security sharing center. Brian Kelly (CSO at cloud firm Rackspace, which is hosting the center) said the initiative will allow sharing center members from cloud firms such as Rackspace, Amazon, Google, Microsoft, and Dropbox to share information and leverage each other's knowledge base.
- Users of Google Compute Engine can now provide their own keys to secure data, turning Infrastructure-as-a-Service (IaaS) into even more of a self-service affair. Google on Tuesday said it is now supporting Customer-Supplied Encryption Keys for Google Compute Engine.
- A researcher warns about General Motors Co's (GM.N) OnStar vehicle communications system mobile app, saying hackers can exploit a security flaw in the product to remotely unlock cars and start engines. "White-hat" hacker Samy Kamkar posted a video on Thursday saying he had figured out a way to "locate, unlock and remote-start" vehicles by intercepting communications between the OnStar RemoteLink mobile app and the OnStar service. Kamkar said he reported his findings to GM last week and on Thursday the automaker told Wired that the flaw was fixed. Kamkar disagreed with GM's claims of a fix.