Zero Day: Home Depot liability, Microsoft vs Google, endpoint risk in focus, DHS cyberfail

Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending January 16, 2015. Covers enterprise, controversies, reports and more.

This week DHS failed in a cybersecurity overview, Google stopped security updates for nearly one billion users, Microsoft had a very unusual first Patch Tuesday of 2015, President Obama made cybersecurity moves, the Home Depot breach liability court battle lawsuit begins, and more.

• Assessing DHS cybersecurity performance 12 years after its creation, a new Federal report called "A Review of the Department of Homeland Security's Missions and Performance" contains a blistering summary on the state of DHS cybersecurity. The report concludes that DHS's cybersecurity practices and programs are so bad, the DHS fails at even the basics of computer security and is "unlikely" able to protect both citizens and government from attacks.

• In the 2015 State of the Endpoint study by Ponemon Institute, researchers found that 78 percent of the 703 people surveyed consider negligent or careless employees who do not follow security policies to be the biggest threat to endpoint security. In addition, 63 percent agreed that employees operating from home offices and other offsite locations have significantly increased endpoint risk throughout the organization.

• After CES 2015, AT&T predicts that BYOD will hit an 'inflection point' in 2015, as security for connected devices could possibly weigh heaviest on telecommunications providers going into 2015. "In 2014, it was a topic starting to hit areas of concern, but we're ready to take off in terms of proliferation of Bring-Your-Own-Device," reflected AT&T's Andy Daudelin, vice president of security services for AT&T's Mobile Business Solutions team. "This is where destructive malware really becomes an issue."

• Google is under fire for quietly killing critical Android security updates for nearly one billion users this week. Without warning any of the 939 million affected (2/3 of users), Google decided to stop security updates for the Android WebView tool on Android 4.3 (Jelly Bean) or below. Mobile security company Lookout released its annual Mobile Threat Report on Thursday, which detailed threats both enterprises and individual mobile users came across this past year. Approximately 6.4 million Android devices were exposed to mobile malware in the U.S. this year.

  Special Feature

  IT Security in the Snowden Era

  The Edward Snowden revelations have rocked governments, global businesses, and the technology world. Here is our perspective on the still-unfolding implications along with IT security and risk management best practices that technology leaders can put to good use.

  Read now

• Newly-discovered "Skeleton Key" malware is able to circumvent authentication on Active Directory systems, according to Dell researchers. The Dell SecureWorks Counter Threat Unit (CTU) team published their findings in an advisory notice this week. The team said attackers can use a password of their choosing to authenticate as any user -- before diving into the network and doing as they please.

• For Microsoft's first Patch Tuesday of 2015, "the company released a total of eight new security updates (one rated Critical, the other seven rated Important) for Windows desktop and server editions. In addition, the company released an update to an Internet Explorer patch from last month and an update for the Adobe Flash Player component built into Internet Explorer 11." Ed Bott explains, "But this batch of patches is strikingly different from its predecessors in two respects."

• Microsoft slammed Google this week for spilling the beans on Windows 8.1 security flaw. Charlie Osbourne details in her report, "The Redmond giant isn't exactly chipper after Google disclosed a Windows bug just two days before Microsoft planned to issue a fix."

• Phishing scam uses LinkedIn 'security update' to steal credentials: On Wednesday, Satnam Narang, senior security response manager at Symantec, wrote about the phishing campaign observed over the past week.

• John McAfee, the anti-virus pioneer, says he knows who is behind the attack on Sony Pictures and while he won't identify the group, guarantees it is not North Korea. Mr. McAfee claims to have been in contact with the group of hackers behind the devastating cyber-attack against Sony Pictures.

• Home Depot court battle over data breach liability begins in Atlanta today: At least 44 lawsuits have been filed against The Home Depot since the home improvement giant confirmed its data breach last September. More than 30 of these have been consolidated into one court action which will be fought out in U.S. District Court for the Northern District of Georgia in Atlanta.

• President Obama on Tuesday called on Congress to pass broad legislation to bolster cybersecurity across the United States government and private industry, working to capitalize on concern about recent high-profile computer breaches. Mr. Obama's proposal, which would be subject to approval by Congress, would increase the prosecution of crimes conducted through computer networks and toughen penalties for them.

• British Prime Minister David Cameron is taking his UK government campaign against encrypted communication to the White House. During a White House dinner Thursday and confab with President Obama Friday, Cameron is expected to press Obama to more publicly denounce the heightened encryption recently adopted by major tech companies like Facebook, Apple and Google.