Zero Day Weekly: Xfinity doxing users, D-Link exposing networks, China’s uncrackable smartphone


Welcome to Zero Day’s Week In Security, ZDNet’s roundup of notable security news items for the week ending November 20, 2015.

From CNET: On encryption, Clinton tells Silicon Valley to be a team player “Hillary Clinton wants Silicon Valley to stop being so obstinate. That’s the message from the Democratic frontrunner in the US presidential race following attacks in Paris last week that renewed debate about technology’s role in terrorism. Clinton told the tech industry it can’t simply ignore the federal government’s need to track down extremists. “We need Silicon Valley not to view government as its adversary,” Clinton said Thursday at a speech on national security at the Center on Foreign Relations in New York.” See also: Let’s have an argument about encryption (Engadget)

From The Hill: Tech group rejects push to let feds into encrypted data “In its first comments since the attacks, which killed at least 129 people and wounded hundreds more, the Information Technology Industry Council (ITI) argued that ensuring access to encrypted devices would be ruinous for global security. “We deeply appreciate law enforcement’s and the national security community’s work to protect us,” said ITI CEO Dean Garfield in a statement. “But weakening encryption or creating backdoors to encrypted devices and data for use by the good guys would actually create vulnerabilities to be exploited by the bad guys, which would almost certainly cause serious physical and financial harm across our society and our economy.””

From CSO Online: Comcast Xfinity Wi-Fi discloses customer names and addresses “The Xfinity Wi-Fi service from Comcast is disclosing the full name and home address of residential customers, which is something the company says isn’t supposed to happen. The disclosure of such information increases an already exposed attack surface, by allowing anyone with malicious intent to selectively target their marks… the problem is, names and addresses were listed, and they’re still being displayed in the search results when someone searches for an Xfinity Wi-Fi hotspot.”

From SC Magazine: Automakers urge Congress to limit regulation on Internet of Cars “Automotive executives urged Congress Wednesday to limit legislation concerning connected automobiles while discussing cybersecurity and car hacking at the “Internet of Cars” hearing held before two House subcommittees. The hearing highlighted the efforts that automakers are making to address cybersecurity concerns as well as to give members of the Subcommittee on Information Technology and the Subcommittee on Transportation and Public Assets an opportunity to learn more about connected vehicles.”

From SecurityWeek: Flaw in D-Link Switches Exposes Corporate Networks: Researchers “A vulnerability in certain D-Link smart switches can be exploited by remote attackers to access log and configuration files without any authentication credentials, researchers claim. Independent security researcher Varang Amin and Aditya Sood, chief architect at Elastica’s Cloud Threat Labs, reported discovering a flaw in DGS-1210 Series Gigabit Smart Switches from D-Link.”

From ZDNet: SMBs the main target for Q3 PoS malware: Trend Labs “Small to medium businesses (SMBs) were a lucrative and easy point of sale (PoS) target for malware attacks in the third quarter of 2015, according to security firm Trend Micro. In Trend Micro’s TrendLabs third quarter 2015 security roundup, Hazards Ahead: Current Vulnerabilities Prelude Impending Attacks, for the three months ending September 2015, the Tokyo-headquartered firm said attackers went after as many vulnerable PoS devices as possible with the intention of “hitting the jackpot”.”

From ZDNet: Dyre banking malware: Windows 10 and Edge browser now targets “The notorious Dyre banking malware has been updated to take on Windows 10 machines and hook its claws into the Edge browser. Dyre, also known as Dyreza, appeared on the cybercrime scene in July 2014 and has quickly gained a reputation as a nasty piece of malware that aims to steal credentials. It’s been found to target Salesforce users and banking customers, and more recently was discovered to have been adapted to steal credentials from a range of supply-chain businesses, including fulfillment and warehousing, inventory-management software vendors and wholesale computer distributors.”

From ZDNet: Why Dell is picking thermal fingerprint scanning for next year’s notebooks, tablets “In 2016, Dell’s commercial and ruggedized notebooks and tablets will feature patented fingerprint scanner units from Norwegian firm NEXT Biometrics. NEXT says it is providing Dell with at least 1.2 million scanners, which are based on thermal scanning, as opposed to the capacitive fingerprint scanners almost all other vendors employ. That approach means scanners from NEXT, headquartered in Oslo, Norway, register temperature differences between the valleys and the ridges in a fingerprint. Other scanners use a radio frequency-based signal, measuring signal-response differences between fingerprint features.”

From TechDirt: Ted Koppel Writes Entire Book About How Hackers Will Take Down Our Electric Grid… And Never Spoke To Any Experts “Famous TV news talking head Ted Koppel recently came out with a new book called Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath. The premise, as you may have guessed, is that we’re facing a huge risk that “cyberattackers” are going to take down the electric grid… Want to know how useful the book actually is? All you really need to read is the following question and answer from an interview Koppel did with CSO Online:

Did you interview penetration testers who have experience in the electric generation/transmission sector for this book?

No, I did not.”

From ZDNet: Crooks use old-school Conficker virus to infect police body cams “Jarrett Pavao and Charles Auchinleck of the IT integrator iPower Technologies said they have discovered the infamous Conficker virus pre-installed on two Frontline police body cameras from Martel Electronics. iPower, which is working on a cloud-based storage system for government agencies and police departments to store and search camera video, said it discovered the malware after testing two of the $499 body cams it had ordered. The malware infected PCs physically connected to the body cams.”

From ZDNet: Microsoft spending on security R&D rivals Symantec “Microsoft’s spending on security research and development is on par with Symantec and highlights how the company has the potential to poach additional wallet share. In a blog post highlighting Microsoft’s security plans, the software giant said that it spends more than $1 billion a year on security research and development. To put that in context, that sum represents a bit more than 1 percent of Microsoft’s annual sales and about 8.33 percent of what the company spent on research and development in fiscal 2015. Microsoft spends about 13 percent of its annual sales on R&D.”

From The Hill: China building its own uncrackable smartphone “China is seeking to construct its own uncrackable smartphones in an attempt to evade U.S. surveillance programs. The effort is part of the Asian power’s efforts to develop homegrown technology to replace foreign products. The majority of the smartphone operating systems and processors in China rely on either Apple or Google technology. Hackers frequently infiltrate phones through these components, and China fears that American companies are compromised by U.S. intelligence agencies.”