Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending February 6, 2015. Covers enterprise, controversies, reports and more.
This week the Anthem breach exposed tens of millions of records from an unencrypted database, Obama created a new White House cyber unit, HipChat got popped, and we learned more about the iOS espionage app tied to the Pawn Storm campaign. About.com ignored its massive XSS problem, and there was much more besides.
Healthcare insurance provider Anthem admitted this week that hackers accessed a database containing "tens of millions" of records on customers and employees. The unencrypted data included names, birth dates, street and email addresses, medical IDs and Social Security numbers. Apparently, encrypting your data would have been inconvenient. The usual caveat applies, though: encryption at rest defeats whoever copies the raw storage, not an attacker who logs in with stolen credentials and reads through the application that holds the key.

UPDATE/CORRECTION: Mandiant/FireEye has been engaged by Anthem, and we incorrectly reported here this morning that the firm had accused China. This was based on reports from several news outlets, which FireEye has now told us was media speculation. We also included a tweet, representing a number of tweets, criticizing FireEye/Mandiant for naming China as the Anthem hack culprit when, in fact, it had not. ZDNet and I apologize for any part we had in perpetuating this inaccuracy. The correction makes one point all the more relevant to this report: some researchers say the current rush to attribute every breach isn't necessarily helpful or accurate.
Mandiant says Anthem attack = sophisticated 'cos of use of "custom backdoor" but doesn't explain initial penetration http://t.co/zUMRDfdBhQ
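As an added illustration of what "encrypting your data" does and does not buy, here is field-level AES-GCM over the PII columns listed in the Anthem item, plus a check for Social Security numbers left readable in a dump. This is example code written for this roundup, not anything from Anthem, Mandiant or FireEye; the column names, the sample row and the key handling are assumptions. A raw copy of the sealed rows reveals nothing, but whoever holds the key, or drives the application that holds it with stolen credentials, reads exactly the same plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// Row holds the PII columns of one member record (column name -> value). The
// surrogate key lives outside the row and stays in the clear for indexing.
type Row map[string]string

// newAEAD builds AES-GCM; a 32-byte key selects AES-256.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one value under a fresh random 96-bit nonce (prepended to
// the output) with the column name as associated data, so a ciphertext copied
// from the ssn column into medical_id will not open. Random nonces are fine
// well below 2^32 seals per key; rotate the key beyond that.
func encryptField(key []byte, column, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptField fails on a wrong key, a modified ciphertext, or a value stored
// under a different column name.
func decryptField(key []byte, column, encoded string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	n := aead.NonceSize()
	if err != nil || len(raw) < n {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := aead.Open(nil, raw[:n], raw[n:], []byte(column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// mapRow applies fn to every column of row and returns the transformed row.
func mapRow(row Row, fn func(column, value string) (string, error)) (Row, error) {
	out := make(Row, len(row))
	for col, v := range row {
		nv, err := fn(col, v)
		if err != nil {
			return nil, err
		}
		out[col] = nv
	}
	return out, nil
}

// EncryptRow is what the application does before writing a record.
func EncryptRow(key []byte, row Row) (Row, error) {
	return mapRow(row, func(c, v string) (string, error) { return encryptField(key, c, v) })
}

// DecryptRow is what the application does when it reads a record. An attacker
// who steals the key, or drives the application with stolen credentials, gets
// the same plaintext: encryption at rest only defeats the raw dump.
func DecryptRow(key []byte, row Row) (Row, error) {
	return mapRow(row, func(c, v string) (string, error) { return decryptField(key, c, v) })
}

// ExposesSSN models the attacker's view of a dumped row: is a Social Security
// number (ddd-dd-dddd) still readable in the ssn column?
func ExposesSSN(row Row) bool {
	return regexp.MustCompile(`^\d{3}-\d{2}-\d{4}$`).MatchString(row["ssn"])
}

func main() {
	key := make([]byte, 32) // production: fetched from a KMS/HSM, never stored beside the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	plain := Row{"name": "Jane Doe", "dob": "1970-01-01", "address": "1 Main St",
		"medical_id": "MID-0001", "ssn": "123-45-6789"} // constructed sample, not real data
	sealed, _ := EncryptRow(key, plain)
	back, _ := DecryptRow(key, sealed)
	fmt.Println(ExposesSSN(plain), ExposesSSN(sealed), back["ssn"]) // true false 123-45-6789
}
```

Binding the column name as associated data is the detail worth copying: it stops a ciphertext being relocated to a column the application treats differently. The part no cipher fixes is the last line of main, which is why the breach narrative should ask how the attacker reached the data, not only whether it was encrypted.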
The Obama administration will spend about $20 million on a new White House cyber unit to oversee dot-gov network security, including, for the first time, making sure agencies notify victims of breaches according to a specific timetable. The "E-gov Cyber" division is aimed at making clear OMB's role in government-wide cybersecurity: policymaking and enforcement. The newly enacted Federal Information Security Modernization Act of 2014 formally tasks the Department of Homeland Security with the operational side of guarding the dot-gov network, and cements OMB's strategic role.
Stolen names, addresses, birth dates and Social Security numbers used to buy $700,000 of Apple gift cards: on Thursday, the Manhattan District Attorney's office said it has indicted five people for using personal information stolen from around 200 people to fund the purchase of hundreds of thousands of dollars in Apple gift cards, which were in turn used to buy Apple products.
This week over 110,000 Facebook users were tricked into downloading a Trojan spread through a porn lure. The malware propagates by posting a link to a porn video from the account of a friend who has already been infected, according to security researcher Mohammad Faghani. Clicking the link plays a video preview that stops midway through and prompts the user to download a supposed Flash player to continue watching; that download is the malware.
Our #SuperBowl commercial was rejected. Then again, it was just 30 seconds of redacted video.