Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending March 20, 2015. Covers enterprise, controversies, reports and more.
With Windows 10, coming later this fall, Microsoft plans to go big with biometric technology. At the WinHEC conference in China this week, Microsoft executives showed off the new feature, called Windows Hello. At first glance, it sounds like Microsoft's response to TouchID -- biometric authentication that can use a fingerprint reader, illuminated IR sensor, or other biometric sensor to provide instant access to a Windows 10 device. Show your face or touch a finger, Microsoft says, and you'll be instantly authenticated on the local device.
Thankfully, new OpenSSL vulnerabilities, while numerous, are mainly DoS, not info/key disclosure. Still, upgrade! https://t.co/Z0Ogd17sWF
Kaspersky and KGB? When Bloomberg Business published an article saying that The Company Securing Your Internet Has Close Ties to Russian Spies, Mr. Eugene Kaspersky was not consulted -- nor was he pleased about the allegations. Six current and former employees told Bloomberg that Kaspersky employees "actively aid[s] criminal investigations by the FSB, the KGB's successor, using data from some of the 400 million customers who rely on Kaspersky Lab's software."
Mr. Kaspersky fired back in a blog post refuting the article and calling it "sensationalist," saying, "I'm really interested in who exactly joined our top management team since 2012 with 'closer ties to Russia's military or intelligence services'. I'm dying of curiosity!" He added, "curiously this happened not long after our investigation on the Equation Group."
Obama administration seeks additional authority to combat botnets: This week it came to light that the language the White House wants to use to amend the Computer Fraud and Abuse Act makes it illegal to use more than 100 computers "without authorization." It also criminalizes password "trafficking" and the sharing of any "means of access" to computers "without authorization." Legitimate uses for botnets would become illegal if the law is revised.
Four different research teams on Wednesday cracked four products -- Adobe Flash, Reader, Mozilla Firefox, and Microsoft Internet Explorer -- on the first day of Pwn2Own 2015. The annual hacking contest, which kicked off Wednesday in Vancouver, ran concurrently with CanSecWest and is hosted by HP's Zero Day Initiative and Google's Project Zero; there were 13 bugs disclosed and 317.5 K paid out.
Cisco has shipped equipment to addresses that are unrelated to a customer, said John Stewart, Cisco's chief security and trust officer, on Wednesday during a panel session at the Cisco Live conference in Melbourne. In theory, that makes it harder for the NSA to target an individual company and scoop up their package. But supply chains are tough to secure, Stewart said, and once a piece of equipment is handed from Cisco to DHL or FedEx, it's gone.
Looks like Chinese and Koreans now fix our bugs at #pwn2own because westerners get into legal trouble for it. #wassenaar
A high-level Chinese military organization has for the first time formally acknowledged that the country's military and its intelligence community have specialized units for waging war on computer networks. The acknowledgment could have political and diplomatic implications for China's relationship with the United States and other Western powers. "It means that the Chinese have discarded their fig leaf of quasi-plausible deniability," researcher Joe McReynolds told the Daily Beast.
Forrester's 2015 "Planning for Failure" shows that breaches are as unavoidable as bad weather, but hits a sour note when it characterizes enterprise organizations as unprepared. The whitepaper, prepared in conjunction with Veracode, found that it's not a matter of if, but when enterprise orgs will suffer a serious cyberattack -- and that 60 percent of enterprises will suffer a breach in 2015.
On Tuesday, security journalist Steve Ragan's personal account at GoDaddy was compromised. When he detailed how Vinny Troia, the CEO of Night Lion Security, used the combination of a phone call and a Photoshopped ID to do so, GoDaddy was not pleased.