Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending November 7, 2014. Covers enterprise, controversies, reports and more.
This week, IBM announced what amounted to a pivot to embrace enterprise security services, Apple's OS X Yosemite took another security hit, Home Depot shared that a stunningly huge email address payload was snatched in its breach, and consumers officially got breach fatigue.
Researchers have uncovered a new and sophisticated form of malware that attacks iOS devices through USB connections from OS X systems. Palo Alto Networks has named it WireLurker and says that "...this malware family heralds a new era in malware"; if the claims are true, the find is indeed significant.
Details are finally emerging about a serious vulnerability in Apple's OS X Yosemite, called "Rootpipe", which allows attackers to gain root access. The privilege escalation vulnerability was discovered by Swedish hacker Emil Kvarnhammar, who has been asked by Apple to withhold details until January 2015. Since Apple likely wouldn't allow details to be published until it has a fix, that is probably when users can expect a patch.
A bill that punishes hacking with a jail sentence of seven years has been approved by senators in Nigeria. The draft law, known as the Cybercrime Bill, had been debated and proposed in a variety of formats for a decade. It seeks to create legal frameworks that bring Nigerian laws into line with international standards for prosecuting a variety of digital offenses. The Nigerian scam (now expanded beyond the typical email campaigns) alone cost $12.7 billion in global losses in 2013, according to an Ultrascan AGI report.
Breach fatigue sets in: A new report confirms that in the wake of mega breaches at retailers like Target and Home Depot, consumers are reaching a point of "breach fatigue." Conducted by Ponemon Institute on behalf of RSA, the report shows that consumers really do little to alter their shopping behavior following breaches at their favorite stores. However, they do have preferences about how online retailers handle security measures such as authentication.
Google this week also released a security testing tool to help ensure HTTPS connections aren't undermined by common configuration mistakes or known bugs. Called "nogotofail" and apparently named in honor of the "goto fail" bug that affected Mac and iOS systems earlier this year, the tool offers a way to confirm that Internet-connected devices and applications aren't vulnerable to transport layer security (TLS) and secure sockets layer (SSL) encryption issues, such as known bugs or misconfigurations.