Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending May 22, 2015. Covers enterprise, controversies, reports and more.
- Wassenaar changes considered harmful: Without a doubt, the biggest news this week for security researchers was the unveiling of the Bureau of Industry and Security's proposed changes to the Wassenaar Arrangement [software and code] export controls, which would require an export license for certain kinds of code. Randy Wheeler of BIS confirmed during a teleconference yesterday afternoon that the development, testing, evaluating and productizing of exploits, zero days and intrusion software would be controlled, but that the same did not apply to vulnerability research. That distinction is hard to draw in practice, since a working proof-of-concept exploit is a normal product of vulnerability research and of coordinated disclosure, which is why security researchers everywhere are upset.
Export controls on code solve nothing. Gov spying will continue unabated, blackmarkets don't care and money will find a way to get licensed.
-- DJ Capelis (@djcapelis) May 20, 2015
- Computer scientist and Stanford lawyer Jonathan Mayer crawled Hacker's List, the hacker-for-hire marketplace, and emerged... strangely disappointed. He also found that, "The owner of Hacker's List told the New York Times last week that over 250 jobs have been completed. That claim is not consistent with the site's own data, which includes just 21 finished tasks."
- Widely despised commercial spyware peddler mSpy has denied it was hacked, a denial that sat badly with mSpy's database surfacing on the dark web earlier this week, following a smash-and-grab on its systems around a fortnight ago. Emails, text messages, payment details, Apple IDs, passwords, photos and location data for mSpy users, as well as for the targets of their snooping, were all exposed. mSpy's "mobile monitoring software" is marketed as a means for parents and employers to surreptitiously snoop on family members or employees.
- Thieves are using signal jammers against almost any modern car, and sometimes dozens at a time. Nearly every car in a Manchester car park was left unable to lock last Sunday, the Register reports, in an apparent signal jamming attack. The jammer does not defeat the lock itself: it drowns out the radio signal from the key fob so the lock command never reaches the car, and the owner walks away from a vehicle that was never locked. Any car with a radio key fob is exposed, so the only reliable defence is to confirm the lock actually engaged (indicator flash, audible chirp, or try the handle) before leaving it.
- Dating and hookup site AdultFriendFinder was hacked, and attackers have exposed details of nearly four million users, as first reported by TekSecurity. The compromised information includes sexual preferences and personal details (whether users are gay or straight, and whether they are seeking extramarital affairs), along with email addresses, usernames, dates of birth, postcodes and the IP addresses of users' computers.
- Data on about 1.1 million current and former subscribers of health insurance company CareFirst has been stolen by hackers, the company confirmed. In a statement, the non-profit said it was the target of a "sophisticated" cyberattack, in which a single database of members' names, birth dates, email addresses, and other subscriber data was stolen.
The NSA's Google Play malware will have to be really awesome if it hopes to gain marketshare from existing Google Play malware.
-- Tim Sweeney (@TimSweeneyEpic) May 22, 2015
- The National Security Agency planned to infiltrate the Google and Samsung app stores to plant spying software on smartphones, according to new documents published from files leaked by Edward Snowden. The Intercept and CBC News jointly published the documents Thursday, which outline the snooping efforts designed by the U.S. and its "Five Eyes" alliance: Canada, the United Kingdom, New Zealand and Australia.
- Cloud services used by businesses are placing enterprise companies at risk from Logjam, according to Skyhigh Networks. On Tuesday, reports surfaced that tens of thousands of HTTPS websites, mail servers and other services reliant on the Diffie-Hellman key exchange algorithm could be vulnerable to a security flaw named Logjam. The flaw lies in how TLS negotiates Diffie-Hellman: a man-in-the-middle can downgrade a connection to export-grade 512-bit DH, which is cheap to break, and the researchers warned that the 1024-bit groups shared by many servers are within reach of a state-level precomputation. The fix is to disable export cipher suites and serve a 2048-bit or larger group (or prefer ECDHE).
'How to Check for Logjam Using Nmap' https://t.co/MMaqief9gP < highly useful
-- Jeremiah Grossman (@jeremiahg) May 21, 2015
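The Nmap check in that tweet performs the handshake for you; the two conditions it looks for can also be checked from data you already have. The following Python is an added example written for this roundup, not code from Skyhigh, the Logjam researchers or the Nmap script. It does no network I/O: it assumes you have captured the cipher suites a server accepted and the ServerDHParams bytes (the dh_p, dh_g and dh_Ys fields of a DHE ServerKeyExchange message, for instance from a packet capture) and reports whether an export-grade DH suite was accepted and whether the DH prime is shorter than 2048 bits. The 512-bit value in the sample is a constructed placeholder, not a real DH group.

```python
"""Added example: assess Logjam exposure from captured TLS handshake data (no network I/O)."""
import struct

# Export-grade Diffie-Hellman cipher suites, values as listed in the IANA TLS
# cipher suite registry (RFC 5246 Appendix A.5). A server that accepts any of
# these can be downgraded by a man-in-the-middle to a 512-bit DH key exchange.
DH_EXPORT_SUITES = {
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

MIN_SAFE_DH_BITS = 2048  # group size recommended after Logjam


def _u16_prefixed(value: int) -> bytes:
    """Encode an integer as a uint16 length followed by its big-endian bytes."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return struct.pack("!H", len(body)) + body


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams structure (dh_p, dh_g, dh_Ys) as a server sends it."""
    return _u16_prefixed(p) + _u16_prefixed(g) + _u16_prefixed(ys)


def parse_server_dh_params(blob: bytes) -> dict:
    """Parse ServerDHParams from a DHE ServerKeyExchange (RFC 5246 section 7.4.3).

    Each field is a uint16 length followed by that many big-endian bytes.
    Truncated or empty fields raise ValueError instead of yielding a short prime.
    """
    fields = {}
    offset = 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(blob):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("!H", blob, offset)
        offset += 2
        if length == 0 or offset + length > len(blob):
            raise ValueError(f"bad length for {name}")
        fields[name] = int.from_bytes(blob[offset:offset + length], "big")
        offset += length
    # Leading zero bytes add no strength, so measure the prime's real bit length.
    fields["p_bits"] = fields["dh_p"].bit_length()
    return fields


def assess_logjam(accepted_suites, server_dh_params=None, min_bits=MIN_SAFE_DH_BITS):
    """Return a list of findings; an empty list means neither Logjam condition was seen."""
    findings = []
    for suite in accepted_suites:
        if suite in DH_EXPORT_SUITES:
            findings.append(f"export DH suite accepted: {DH_EXPORT_SUITES[suite]} (0x{suite:04X})")
    if server_dh_params is not None:
        params = parse_server_dh_params(server_dh_params)
        if params["p_bits"] < min_bits:
            findings.append(f"weak DH group: {params['p_bits']}-bit prime (want >= {min_bits})")
        # A generator or public share outside (1, p-1) cannot be valid.
        for name in ("dh_g", "dh_Ys"):
            if not 1 < params[name] < params["dh_p"] - 1:
                findings.append(f"invalid {name}: outside (1, p-1)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a 512-bit value standing in for an export-grade prime
    # (a placeholder, not a real DH group), g = 2 and an arbitrary public share.
    sample_blob = encode_server_dh_params((1 << 511) | 1, 2, (1 << 300) + 12345)
    # 0x0014 is DHE_RSA_EXPORT; 0x009F is TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (fine).
    for finding in assess_logjam([0x009F, 0x0014], sample_blob):
        print(finding)
```

If either finding appears, the remediation is the same as for the Skyhigh item above: remove the export suites from the server's cipher list and serve a 2048-bit or larger group, or prefer ECDHE suites so the finite-field group is not used at all.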
- Hackers cause major data breach for Telstra's Pacnet: The ink has barely dried on Telstra's multi-million dollar deal to acquire Asia-Pacific data center supplier Pacnet, but already the Australian telco has had to reveal a significant security breach on Pacnet's networks. In a media call on Wednesday, Telstra revealed it had been informed, shortly after the acquisition deal went through on April 16, that a third party had gained access to Pacnet's corporate IT network.
- Headlines and infosec pros alike have been going mental over security researcher Chris Roberts' alleged mid-flight hacking of a commercial airplane, and his subsequent detention by the FBI in April. But as a result, the world is openly wondering whether there's truth to the assurances from manufacturers and officials that aviation systems are as secure as claimed, and whether the warnings of information security professionals are being ignored.
New Dan Geer talk, delivered at the LangSec Workshop, May 21st: "Driven by Data" http://t.co/HCIk7pm1yu
-- haroon meer (@haroonmeer) May 22, 2015
This post was updated May 22 6:55PM PST to reflect correct attribution to the first discovery of the AdultFriendFinder breach, which has been widely misreported; the first site to report the discovery was TekSecurity.