Zero Day Weekly: Chrome for Android exploit, ransomware hijinks, the 'biggest breach ever'

Welcome to Zero Day's Week In Security, ZDNet's roundup of notable security news items for the week ending November 12, 2015.

From ZDNet: How F-Secure wants Sense to act as IoT watchdog for all your connected devices "Instead of installing a security app on each device, Sense from Finnish security firm F-Secure aims to protect them all, from smartphones to baby monitors, fridges and electronic locks. In the past F-Secure has only sold security software such as antivirus and a VPN. But it has gone back to the drawing board for the connected home and come up with Sense, its first piece of hardware, which it says can protect PCs and smartphones, but also devices that can't run traditional security apps."

From ZDNet: Linux hit by crypto-ransomware - but attackers botch private key "Admins are facing a variant of Linux malware that encrypts files on infected web servers. But the good news for now is the private key that locks down those files is predictable."

From Bloomberg: JPMorgan's 2014 Hack Tied to Largest Cyber Breach Ever "The U.S. described a vast, multi-year criminal enterprise centering on hacks of at least nine big financial and publishing firms and the theft of information on 100 million of their customers that fueled a web of stock manipulation, credit-card fraud and illegal online casinos. Two indictments, unsealed Tuesday, tied three of four suspects to previously reported hacks of JPMorgan Chase & Co., E*Trade Financial Corp., Scottrade Financial Services Inc. and Dow Jones & Co., a unit of News Corp."

Cybersecurity reads which belong on every bookshelf

From ZDNet: All Windows users should patch these two new 'critical' flaws "The software giant [Microsoft] released the patches Tuesday as part of its monthly release of security updates. All users running Windows Vista and later - including Windows 10 - are affected by two flaws, which could allow an attacker to install malware on an affected machine. The patch, MS15-112 addresses a memory corruption flaw in Internet Explorer. If exploited, an attacker could gain access to an affected machine, gaining the same access rights as the logged-in user, such as installing programs, and deleting data."

From ZDNet: Apple and Google yank Instagram password-stealing app from app stores "Google and Apple have removed a malicious third-party Instagram app that stole passwords - but only after it had become a top-grossing app in the App Store and gained over 100,000 users from Google Play. iOS developer David L-R yesterday raised the alarm over the app 'Who Viewed Your Profile - InstaAgent', posting on Twitter that it was storing Instagram usernames and passwords and sending it in cleartext to a remote server."

From SC Online: New Ransomware business cashing in on CryptoLocker's name "A new service launched this week is offering a new Ransomware product under the name CryptoLocker to anyone willing to pay ten percent of the collected ransom. In addition to the core Ransomware product, the ultimate goal of the business owner is to implement additional functions to the malware including linking it to recently produced exploits."

From Register: Latest Android phones hijacked with tidy one-stop-Chrome-pop "Google's Chrome for Android has been popped in a single exploit that could lead to the compromise of any handset. The exploit, showcased at MobilePwn2Own at the PacSec conference in Tokyo yesterday but not disclosed in full detail, targets the JavaScript v8 engine. It can probably hose all modern and updated Android phones if users visit a malicious website. It is also notable in that it is a single clean exploit that does not require multiple chained vulnerabilities to work, the researchers say."

From Wall Street Journal: If You Find a Software Bug, Don't Try to Report It to These Companies "Many computer-security researchers think the world would be a safer place if they could easily report bugs to software creators, so the holes could be patched before hackers exploit them. But there's a problem: Most large companies don't advertise a way for users to report bugs. This includes companies that collect reams of personal data, such as J.P. Morgan Chase & Co., Bank of America Corp. and Allstate Insurance Corp., as well as the designers of Internet-connected machines, like Ford Motor Co."

From Reuters: Tenable raises $250 million in record cyber funding round "Privately held software maker Tenable Network Security Inc said on Tuesday it is raising $250 million in venture capital funding, a record-sized round for a cyber security firm. Proceeds from the Series B round, which was led by Insight Venture Partners and existing investor Accel, will be used to fund product development, international expansion and marketing, said Chief Executive Ron Gula."

From ZDNet: Qualcomm and KT to build LTE-based IoT security solution "Global chipmaker Qualcomm and South Korean telco KT announced on Friday a joint business project to develop a "LTE based Internet of Things (IoT) security gateway solution" for new ATMs. Their IoT gateway solution will combine KT's expertise in IoT security with the design know-how underpinning Qualcomm's LTE microchips. This joint business ATM project is one of the biggest since the two companies inked an agreement in January to jointly develop equipment with secure gateways to the Internet of Things."

From Wall Street Journal: Israel's Cymmetria, Which Deceives Hackers, Raises $9 Million "Cymmetria Inc., an Israeli start-up whose software lures hackers into cyber traps within organizations' networks has raised around $9 million, the latest sign that investors are flocking to one of cyber-security's hottest trends: deceiving hackers and catching them red handed."