Zero Day Weekly: Plex ransomed, FBI on California cable-cutting, MasterCard’s selfie passwords, BitStamp breach
A collection of notable security news items for the week ending July 3, 2015. Covers enterprise, controversies, application and mobile security, malware, reports and more.
Welcome to Zero Day’s Week In Security, our roundup of notable security news items for the week ending July 3, 2015. Covers enterprise, controversies, reports and more.
- With the launch of Windows 10, anyone who walks into your house and gets your Wi-Fi password could potentially let all their friends onto your network, thanks to a feature called “Wi-Fi Sense,” which has ignited controversy online.
- One takeaway from a breach report prepared for Bitstamp, a European bitcoin exchange – don’t allow PCs that run software such as Skype and Microsoft Office to connect to a server that hosts your bitcoin wallet. The UK registered company suffered a Jan. 4 breach resulting in the theft of 18,977 bitcoins, which at the time were worth 4.4 million euros, or $5.3 million.
- Plex was hacked on July 1st, and the hacker claiming to be responsibletook to the Plex forums, saying they had “obtained all of your data, customers as well as software and files.” The hacker also demanded a ransom, payable in the form of Bitcoin, or else the data would be released by way of “multiple torrent networks.”
- The FBI is investigating internet cable-cutting in the San Francisco Bay Area. On Tuesday, 30 June, the 11th such attack cut off service for customers of Wave Broadband, near the state capital of Sacramento, which the internet service provider said was the result of a widespread “coordinated attack.” The FBI branch in San Francisco said there is “no indication these incidents are linked” to a case of vandalism in April 2013 that local law enforcement officials called “sabotage,” where a suspect cut fiber-optic cables, knocking out 911 service, and then fired a rifle at a PG&E power substation.
- Twin brothers have pleaded guilty to a slate of computer hacks, including breaking into State Department networks while working as government contractors. Muneeb and Sohaib Akhter, 23, admitted during a Friday hearing that they infiltrated the department’s networks in order to pilfer passport and visa information, according to the U.S. Attorney’s Office for the Eastern District of Virginia. The plea comes amid growing fears that government contractors pose an increasing threat to federal networks.
- Amazon is introducing a new TLS implementation: “Signal to noise,” s2n. This new library is meant to answer an inherent problem with the older open-source encryption programs. s2n, with its mere 6,000 lines of code, focuses only on encryption. Amazon is not trying to replace OpenSSL: Instead, s2n replaces the functionality of only one of OpenSSL’s two main libraries: Libssl, which implements TLS. There is no s2n equivalent to libcrypto, OpenSSL’s general-purpose cryptography library. Thus, s2n can take the place of “libssl,” but not “libcrypto.”
- MasterCard users may soon be able to pay for online purchases with their face or finger, with the payments giant to begin experimenting with facial-scan technology as well as fingerprint identification in an attempt to eliminate digital fraud. According to a report by CNNMoney, MasterCard will launch a pilot program with 500 participants over the next few months to develop the infrastructure to approve purchases without the need to enter a password.
- 3-D ultrasonic fingerprint scanning is being developed with an eye on strengthening smartphone security. Researchers at the University of California, Davis and Berkeley have managed to miniaturize medical ultrasound technology to create a fingerprint sensor that scans your finger in 3D. This low-power technology, which could improve on the robustness of current-generation capacitive scanners, could soon find its way to our smartphones and tablets.
- Google Monday added controls for two-step verification to a pair of its Google Apps services, giving enterprise and education administrators tools to deploy, monitor and manage physical hardware-based tokens for strong authentication. The two Google services supported are Google Apps Unlimited, the premium business version of Google Apps, and Google Apps for Education, a suite of productivity tools for classroom collaboration.
- Cisco has announced its intention to purchase threat protection (and internet filtering) security firm OpenDNS in a deal worth $635 million. Announced on Tuesday, the tech giant said the move will accelerate the development of the Cisco Cloud Delivered Security Portfolio, and OpenDNS will prove a boost to advanced threat protection services for Cisco clients.