Zero Day Weekly: Breach fatigue, Home Depot, Rootpipe, IBM's enterprise security pivot

Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending November 7, 2014. Covers enterprise, controversies, reports and more.

This week, IBM announced what amounted to a pivot to embrace enterprise security services, Apple's OS X Yosemite took another security hit, Home Depot shared that a stunningly huge email address payload was snatched in its breach, and consumers officially got breach fatigue.

• Researchers have uncovered a new and sophisticated form of malware which attacks iOS devices through USB connections from OS X systems. Palo Alto Networks has named it WireLurker and say that "...this malware family heralds a new era in malware" and if the claims are true, the find is indeed significant.

• Details are finally emerging about a serious vulnerability in Apple's OS X Yosemite, called "Rootpipe" which allows root access by attackers. The privilege escalation vulnerability was discovered by Swedish hacker Emil Kvarnhammar, who has been asked by Apple to withhold details until January 2015 — since Apple likely wouldn't allow details until they have a fix, this is probably when users can expect a patch.

• AR + VR

  • I replaced my boring workouts with Meta Quest's Supernatural app, and can't imagine going back
  • This Finnish startup's new VR headset rivals Apple's Vision Pro - and business users will love it
  • Meta's $500 Quest 3 is the mainstream VR headset I've been waiting for, and it delivers
  • I tried Apple Vision Pro and it's far ahead of where I expected
  • The best VR headsets right now (and they're not just from Meta)

  Microsoft has released their advance notification for the November 2014 Patch Tuesday updates. There will be a total of 16 updates issued next Tuesday, November 11, five of them rated critical. Nearly all of the updates affect Windows. Microsoft also released Microsoft Antimalware for Azure Cloud Services and Virtual Machines to Microsoft Azure customers.

• A bill which punishes hacking with a jail sentence of seven years has been approved by senators in Nigeria. The draft law, known as the Cybercrime Bill, had been debated and proposed in a variety of formats for a decade. It seeks to create legal frameworks that bring Nigerian laws into line with international standards for prosecuting a variety of digital offenses. The Nigerian scam (now expanded beyond the typical email campaigns) — alone cost $12.7 billion in global losses in 2013, according to an Ultrascan AGI report.

• Home Depot on Thursday said that 53 million email addresses were also swiped in its recent data breach where 56 million credit card accounts were also compromised. For the home improvement retailer the security hits just keep coming.

• Breach fatigue sets in: A new report confirms that in the wake of mega breaches at retailers like Target and Home Depot, consumers are reaching a point of "breach fatigue." Conducted by Ponemon Institute on behalf of RSA, the report shows that consumers really do little to alter their shopping behavior following breaches at their favorite stores. However, they do have preferences about how online retailers handle security measures such as authentication.

• IBM doubled down on enterprise security this week, releasing new cloud-based security products under an umbrella it’s calling a "hybrid cloud model" for companies to manage security as they shift to the cloud. Gartner in June called IBM the largest vendor selling exclusively to enterprises.

• Google: Manual Account Hijacks Much More Dangerous Than Bot Takeovers. Targeted attacks are less common but cause more problems and financial losses for victims than nontargeted mass account takeovers, a new report from Google says. In the report the firm gets up close and personal with hijackers that target not businesses, not governments, but you.

• Google this week also released a security testing tool to help ensure HTTPS connections aren't undermined by common configuration mistakes or known bugs. Called "nogotofail" and apparently named in honor of the "goto fail" bug that affected Mac and iOS systems earlier this year, the tool offers a way to confirm that Internet-connected devices and applications aren't vulnerable to transport layer security (TLS) and secure sockets layer (SSL) encryption issues, such as known bugs or misconfigurations.

• Researchers found a VISA contactless payment card exploit that allows users to override the spending limit. Researchers from Newcastle University in the UK have discovered a way to authorize transactions using VISA contactless payment cards beyond the pre-set spending limit. If the transaction is specified in a foreign currency, it will proceed at larger amounts.