Zero Day Weekly: Kaspersky and KGB, Cisco subterfuge, Yahoo on-demand passwords

A collection of notable security news items for the week ending March 20, 2015. Covers enterprise, controversies, application and mobile security, malware, reports and more.
Written by Violet Blue, Contributor


Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending March 20, 2015. Covers enterprise, controversies, reports and more.

  • With Windows 10, coming later this fall, Microsoft plans to go big with biometric technology. At the WinHEC conference in China this week, Microsoft executives showed off the new feature, called Windows Hello. At first glance, it sounds like Microsoft's response to TouchID -- biometric authentication that can use a fingerprint reader, illuminated IR sensor, or other biometric sensor to provide instant access to a Windows 10 device. Show your face or touch a finger, Microsoft says, and you'll be instantly authenticated on the local device.
  • Obama administration seeks additional authority to combat botnets: This week it came to light that the language the White House wants to use to amend the Computer Fraud and Abuse Act makes it illegal to use more than 100 computers "without authorization." It also criminalizes password "trafficking" and the sharing of any "means of access" to computers "without authorization." Legitimate uses for botnets would become illegal if the law is revised.
  • Four different research teams on Wednesday cracked four products -- Adobe Flash, Adobe Reader, Mozilla Firefox, and Microsoft Internet Explorer -- on the first day of Pwn2Own 2015. The annual hacking contest, which kicked off Wednesday in Vancouver, ran concurrently with CanSecWest and is hosted by HP's Zero Day Initiative and Google's Project Zero; 13 bugs were disclosed and 317.5K was paid out.
  • Cisco has shipped equipment to addresses that are unrelated to a customer, said John Stewart, Cisco's chief security and trust officer, on Wednesday during a panel session at the Cisco Live conference in Melbourne. In theory, that makes it harder for the NSA to target an individual company and scoop up their package. But supply chains are tough to secure, Stewart said, and once a piece of equipment is handed from Cisco to DHL or FedEx, it's gone.
  • A high-level Chinese military organization has for the first time formally acknowledged that the country's military and its intelligence community have specialized units for waging war on computer networks. The acknowledgment could have political and diplomatic implications for China's relationship with the United States and other Western powers. "It means that the Chinese have discarded their fig leaf of quasi-plausible deniability," researcher Joe McReynolds told Daily Beast.
  • Forrester's 2015 "Planning for Failure" shows that breaches are as unavoidable as bad weather, but hits a sour note when it characterizes enterprise organizations as unprepared. The whitepaper, prepared in conjunction with Veracode, found that it's not a matter of if, but when, enterprise orgs will suffer a serious cyberattack -- and that 60 percent of enterprises will suffer a breach in 2015.
  • On Tuesday, security journalist Steve Ragan's personal account at GoDaddy was compromised. When he detailed the way in which the combination of a phone call and a Photoshopped ID was used to do so by Vinny Troia, the CEO of Night Lion Security, GoDaddy was not pleased.