Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending March 20, 2015. Covers enterprise, controversies, reports and more.
- With Windows 10, coming later this fall, Microsoft plans to go big with biometric technology. At the WinHEC conference in China this week, Microsoft executives showed off the new feature, called Windows Hello. At first glance, it sounds like Microsoft's response to TouchID -- biometric authentication that can use a fingerprint reader, illuminated IR sensor, or other biometric sensor to provide instant access to a Windows 10 device. Show your face or touch a finger, Microsoft says, and you'll be instantly authenticated on the local device.
Thankfully, new OpenSSL vulnerabilities, while numerous, are mainly DoS, not info/key disclosure. Still, upgrade! https://t.co/Z0Ogd17sWF
-- Ryan Lackey (@octal) March 19, 2015
- Steven J. Vaughan-Nichols explains that "At first glance, you might not think that the latest set of OpenSSL security patches are that important. Sure, there's a dozen of them and two are serious, but are they really that bad? Yes, actually they're not just bad, they're awful." Amazon said AWS services are either unaffected by the issues or already have mitigations in place.
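The practical question behind "upgrade!" is whether the OpenSSL on a given host predates the fixed releases. The check below is an added example, not ZDNet's or the OpenSSL project's code; the fixed versions (1.0.2a, 1.0.1m, 1.0.0r, 0.9.8zf) are the ones listed in the OpenSSL security advisory of 19 March 2015, and the function names are ours. It handles the OpenSSL letter-release quirk where the sequence runs a..z and then za, zb, and so on.

```python
"""Classify an `openssl version` string against the 19 Mar 2015 fixed releases.

Added example, not the page's or the OpenSSL project's code.
"""
import re
import subprocess

# Branch -> first letter release containing the 19 Mar 2015 fixes
# (OpenSSL Security Advisory, 19 Mar 2015).
FIXED_IN = {
    (1, 0, 2): "a",
    (1, 0, 1): "m",
    (1, 0, 0): "r",
    (0, 9, 8): "zf",
}

# Matches "OpenSSL 1.0.1k 8 Jan 2015", "1.0.1e-fips", "0.9.8zf" and similar.
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, patch, letters) from an `openssl version` string."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def _letter_key(letters):
    # Letter releases run a..z and then za, zb, ..., so "zf" sorts after "z";
    # an empty suffix (the .0 release of a branch) sorts before "a".
    return (len(letters), letters)


def is_patched(text):
    """True if the version is at or past the fixed release for its branch."""
    major, minor, patch, letters = parse_version(text)
    branch = (major, minor, patch)
    if branch not in FIXED_IN:
        # Anything newer than the 1.0.2 branch postdates the advisory;
        # anything older than 0.9.8 was already out of support.
        return branch > (1, 0, 2)
    return _letter_key(letters) >= _letter_key(FIXED_IN[branch])


def check_installed():
    """Run `openssl version` on this host and classify the result."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), is_patched(out)


if __name__ == "__main__":
    version, ok = check_installed()
    print(version, "-> patched" if ok else "-> UPGRADE")
```

One caveat: distribution vendors routinely backport fixes without bumping the letter suffix, so on a packaged OpenSSL (a "1.0.1e-fips" on an enterprise Linux, say) this check reports "UPGRADE" even when the vendor's package already carries the fix; the package changelog or the vendor advisory is the authority there.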
False statements + misleading facts + allegations + anonymous sources = sensation? My reply is coming.
-- Eugene Kaspersky (@e_kaspersky) March 19, 2015
- Kaspersky and the KGB? When Bloomberg Business published an article saying that The Company Securing Your Internet Has Close Ties to Russian Spies, Mr. Eugene Kaspersky was not consulted -- nor was he pleased about the allegations. Six current and former employees told Bloomberg that the company "actively aids criminal investigations by the FSB, the KGB's successor, using data from some of the 400 million customers who rely on Kaspersky Lab's software."
Mr. Kaspersky fired back in a blog post refuting the article and calling it "sensationalist", saying, "I'm really interested in who exactly joined our top management team since 2012 with 'closer ties to Russia's military or intelligence services'. I'm dying of curiosity!" He added, "Curiously, this happened not long after our investigation on the Equation Group."
- Obama administration seeks additional authority to combat botnets: This week it came to light that the language the White House wants to use to amend the Computer Fraud and Abuse Act makes it illegal to use more than 100 computers "without authorization." It also criminalizes password "trafficking" and the sharing of any "means of access" to computers "without authorization." Legitimate uses for botnets would become illegal if the law is revised.
- Four different research teams on Wednesday cracked four products -- Adobe Flash, Reader, Mozilla Firefox, and Microsoft Internet Explorer -- on the first day of Pwn2Own 2015. The annual hacking contest, which kicked off Wednesday in Vancouver, ran concurrently with CanSecWest and is hosted by HP's Zero Day Initiative and Google's Project Zero; 13 bugs were disclosed and $317,500 was paid out.
- Cisco has shipped equipment to addresses that are unrelated to a customer, said John Stewart, Cisco's chief security and trust officer, on Wednesday during a panel session at the Cisco Live conference in Melbourne. In theory, that makes it harder for the NSA to target an individual company and scoop up their package. But supply chains are tough to secure, Stewart said, and once a piece of equipment is handed from Cisco to DHL or FedEx, it's gone.
- Yahoo made two major security announcements: the company introduced "on-demand" passwords, and followed up with news that the source code for its end-to-end encryption for Yahoo Mail is available on GitHub. With on-demand passwords, users won't need a predetermined password to log into an account; instead, each time they want to log in, they receive a text message with a verification code.
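The server side of a scheme like this is a short-lived, single-use code bound to the account, with a guess limit and a constant-time comparison. The class below is an added example of that pattern, not Yahoo's implementation: the code length, validity window, attempt limit and in-memory store are assumptions chosen for illustration, and the SMS gateway is left to the caller.

```python
"""One-time login codes delivered out of band (e.g. by SMS), with expiry,
attempt limiting, single use and constant-time comparison.

Added example, not Yahoo's code; limits and storage are assumptions.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6      # assumed code length
CODE_TTL = 300       # assumed validity window, seconds
MAX_ATTEMPTS = 5     # assumed wrong guesses before the code is invalidated


class OnDemandPasswordStore:
    def __init__(self, server_secret, now=time.time):
        self._secret = server_secret  # HMAC key; kept out of the code store
        self._now = now               # injectable clock for testing
        self._pending = {}            # username -> [tag, expires_at, attempts_left]

    def _tag(self, username, code):
        # Bind the code to the account so a code issued for one user cannot be
        # replayed against another, and store only the tag, never the code.
        msg = f"{username}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, username):
        """Generate a fresh code for `username`; return it for the SMS gateway."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = [self._tag(username, code),
                                   self._now() + CODE_TTL, MAX_ATTEMPTS]
        return code  # hand to the SMS gateway; do not log it

    def verify(self, username, code):
        """True exactly once, for the right code, inside the TTL and guess limit."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        tag, expires_at, _attempts_left = entry
        if self._now() > expires_at:
            del self._pending[username]
            return False
        if hmac.compare_digest(tag, self._tag(username, code)):
            del self._pending[username]   # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[username]   # too many guesses: force a re-issue
        return False
```

With six digits and five guesses per issued code, an online brute force has a 5 in 1,000,000 chance per code. What this does not protect against is the delivery channel: a code sent by SMS can be read by anyone who has ported or intercepted the number, or who phishes the user for it in real time.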
- $10 Million Settlement in Target Data Breach: A federal judge on Thursday gave preliminary approval to a $10 million settlement of a lawsuit brought by customers of Target, which experienced an online attack involving confidential customer data during the holiday season in 2013. Few Target breach victims are expected to get anything, and even fewer the maximum $10,000 each is eligible for.
- Premera Blue Cross revealed Tuesday that it was the target of a cyber attack last year that may have affected 11 million customers. The Washington-based health insurance company, which is licensed by Blue Cross Blue Shield, said the data breach occurred last May, but it was not discovered until January 29 of this year. More than two weeks before the intrusion, on April 18, 2014, Premera had received an audit report with 10 recommendations advising it to address vulnerabilities that attackers could exploit to compromise sensitive data.
- A high-level Chinese military organization has for the first time formally acknowledged that the country's military and its intelligence community have specialized units for waging war on computer networks. The acknowledgment could have political and diplomatic implications for China's relationship with the United States and other Western powers. "It means that the Chinese have discarded their fig leaf of quasi-plausible deniability," researcher Joe McReynolds told The Daily Beast.
- A total of 1,228 popular Android apps found in the Google Play store are still vulnerable to a FREAK attack, according to FireEye's security team.
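A FREAK downgrade needs two things: a client that will accept a 512-bit export RSA key, and a server that will still negotiate an RSA export cipher suite. The server half is easy to check from the outside. The probe below is an added example, not FireEye's scanner: it hand-builds a TLS 1.0 ClientHello that offers only RSA_EXPORT suites and reads the first record back; a ServerHello selecting one of those suites means the server still supports export RSA. The cipher suite values are from the IANA TLS registry; the function names and the sample responses are ours, constructed for offline testing rather than captured traffic.

```python
"""Probe whether a TLS server will negotiate an RSA export-grade cipher suite,
the server-side precondition for a FREAK downgrade.

Added example, not FireEye's or the page's code.
"""
import os
import socket
import struct

# RSA export cipher suites (IANA TLS Cipher Suite registry values).
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def build_client_hello(client_random=None):
    """TLS 1.0 ClientHello offering only the export suites, no extensions."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in EXPORT_RSA_SUITES)
    body = (b"\x03\x01" + client_random + b"\x00"        # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites    # cipher_suites vector
            + b"\x01\x00")                               # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(record):
    """Classify the first record a server sends back.

    Returns ("server_hello", cipher_suite), ("alert", description)
    or ("other", content_type).
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated TLS record body")
    if content_type == ALERT:
        if len(body) < 2:
            raise ValueError("truncated alert")
        return "alert", body[1]                          # alert description byte
    if content_type != HANDSHAKE or not body or body[0] != SERVER_HELLO:
        return "other", content_type
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    # ServerHello: version(2) random(32) session_id_len(1) session_id cipher_suite(2) ...
    if len(hs) < 35:
        raise ValueError("truncated ServerHello")
    offset = 35 + hs[34]
    if len(hs) < offset + 2:
        raise ValueError("truncated ServerHello")
    return "server_hello", struct.unpack("!H", hs[offset:offset + 2])[0]


def accepts_export_rsa(record):
    """True if the server answered by selecting an RSA export suite."""
    kind, value = parse_server_response(record)
    return kind == "server_hello" and value in EXPORT_RSA_SUITES


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-record")
        buf += chunk
    return buf


def probe(host, port=443, timeout=5.0):
    """Send the export-only ClientHello and classify the first record received."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        header = _recv_exact(sock, 5)
        body = _recv_exact(sock, struct.unpack("!H", header[3:5])[0])
    return accepts_export_rsa(header + body)


# Constructed sample responses for offline testing (not captured traffic).
def sample_server_hello(cipher_suite):
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


SAMPLE_HANDSHAKE_FAILURE = bytes([ALERT, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])  # fatal handshake_failure(40)
```

A hardened server answers with a handshake_failure alert (or just drops the connection), which `probe` reports as not accepting export RSA. A True result is a necessary condition for FREAK, not the whole attack: the app talking to that server must also run a TLS client that accepts the export key, which is the OpenSSL-side flaw FireEye's count is about.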
- Forrester's 2015 report "Planning for Failure" argues that breaches are as unavoidable as bad weather, but hits a sour note when it characterizes enterprise organizations as unprepared. The whitepaper, prepared in conjunction with Veracode, found that it's not a matter of if, but when enterprise orgs will suffer a serious cyberattack -- and that 60 percent of enterprises will suffer a breach in 2015.
- On Tuesday, security journalist Steve Ragan's personal account at GoDaddy was compromised. When he detailed how Vinny Troia, the CEO of Night Lion Security, did it with a phone call and a Photoshopped ID, GoDaddy was not pleased.