Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending October 10, 2014. Covers enterprise, controversies, reports and more.
This week, Chase's big breach raises official questions about the victims, WaPo's "golden key" op-ed on encryption backfired, Yahoo didn't get "shellshocked," ATM malware surfaced in the wild, and the BadUSB shenanigans continue.
WA Post op-ed on golden key "an insult to anyone savvy enough to use encryption;" great @kpoulsen take on Apple saga: http://t.co/mUAOvvwiuO
— Hanni Fakhoury (@HanniFakhoury) October 9, 2014
Because a magical "secure golden key" is totally different from a backdoor. The "wizards" will get right on that.... http://t.co/2ilQRHuhit
— Liz Goodson (@lizgoodson) October 4, 2014
Actual photograph of Apple and Google delivering secret golden key pic.twitter.com/QreguhuflC
— Nadim Kobeissi (@kaepora) October 5, 2014
Two months after BadUSB was revealed at Black Hat, Adam Caudill and Brandon Wilson decided to replicate the attacks and publish them to GitHub for their presentation at hacker conference DerbyCon. They said they did it to "motivate vendors to take action." The pair were criticized for "helping malicious hackers," and SANS Institute's Paul Wilson told CSO Online that he doesn't think the stunt will end well for consumers. When Berlin-based Security Research Labs (SRLabs) demonstrated the BadUSB vulnerability, it held back on releasing tools or details of its exploit, saying the flaw in firmware on the USB controller was not easily fixed. Over the weekend, Caudill and Wilson published a limited, impractical pseudo-patch for only one kind of USB stick, which Nohl dismissed as a "band-aid."