Zero Day Weekly: Sony hack goes nuclear, banks to sue Target, security seal fallacy


Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending December 5, 2014. Covers enterprise, controversies, reports and more.
This week, Sony's breach went nuclear, banks were cleared to sue Target for credit card hack negligence, Microsoft readied its patches, security seals lost their standing, and much more.
The extraordinary Sony Pictures Entertainment hack became Hollywood's Snowden moment in what might turn out to be the breach of the century (so far). CSO reports on Thursday's file dump: "Among the IT data leaked by GOP, totaling more than 11,000 files, are hundreds of RSA SecurID tokens, Lotus Notes IDs, and certificates - many of them with the required passphrase stored alongside." That last detail is the one that matters: a SecurID seed, a Notes ID file or an encrypted private key is only as strong as the secret that unlocks it, and leaking the two together hands an attacker working credentials rather than ciphertext to crack. The hacking crew calling itself Guardians of Peace has published more sensitive Sony internal files than anyone can keep track of, with no end in sight and no answers as to who or why. Tech media darling Re/code reported (and later insisted) that North Korea was responsible for the attack; Sony then went on record to state that Re/code's reporting was inaccurate, and attribution remained unconfirmed as of this writing.
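The passphrase-beside-the-key pattern is worth hunting for in your own file shares and repositories before someone else does. The following is an added example, not code from this article or from any party it mentions. It walks a directory tree, classifies PEM private keys as encrypted or plaintext from their headers, and flags encrypted keys whose directory also holds a file that looks like a passphrase. The sample files, the "passphrase-looking" name and content patterns, and the directory layout are my assumptions, constructed for the demo.

```python
"""Audit a file tree for private keys stored unencrypted or stored next to their
passphrase.  Added example for this roundup, not Sony's, CSO's or GOP's code.
Assumptions (mine): keys are PEM files, and "passphrase stored alongside" means a
file in the same directory whose name or contents point to a passphrase.  All
sample files below are constructed; the PEM bodies are placeholders, not keys."""
import os
import re
import tempfile

# BEGIN line of any PEM private key: RSA, EC, PKCS#8, encrypted PKCS#8 ...
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?P<kind>[A-Z ]*PRIVATE KEY)-----")
# A "passphrase:" / "password =" style line inside a sibling file.
PASSPHRASE_HINT_RE = re.compile(r"pass(word|phrase|wd)?\s*[:=]", re.IGNORECASE)
# File names that advertise a secret (assumed heuristic).
PASSPHRASE_NAME_RE = re.compile(r"pass|pwd|secret", re.IGNORECASE)


def key_state(pem_text):
    """'none' if no private key is present, else 'encrypted' or 'plaintext'."""
    m = PRIVATE_KEY_RE.search(pem_text)
    if m is None:
        return "none"
    if m.group("kind") == "ENCRYPTED PRIVATE KEY":
        return "encrypted"  # PKCS#8 EncryptedPrivateKeyInfo
    if "Proc-Type: 4,ENCRYPTED" in pem_text:
        return "encrypted"  # traditional OpenSSL PEM with a DEK-Info header
    return "plaintext"


def sibling_passphrase_files(directory, key_name):
    """Names of files beside key_name that look like they hold its passphrase."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name == key_name or not os.path.isfile(path):
            continue
        with open(path, "r", errors="replace") as fh:
            head = fh.read(4096)
        if PASSPHRASE_NAME_RE.search(name) or PASSPHRASE_HINT_RE.search(head):
            hits.append(name)
    return hits


def audit_tree(root):
    """Return sorted (relative_path, finding) pairs for risky key files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                state = key_state(fh.read())
            if state == "none":
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if state == "plaintext":
                findings.append((rel, "private key stored unencrypted"))
            else:
                sibs = sibling_passphrase_files(dirpath, name)
                if sibs:
                    findings.append((rel, "encrypted key, passphrase alongside: " + ", ".join(sibs)))
    return sorted(findings)


# Constructed sample tree: real PEM markers, placeholder bodies.
SAMPLE_FILES = {
    "certs/web.key": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                     "placeholder-ciphertext\n-----END RSA PRIVATE KEY-----\n",
    "certs/web.key.passphrase.txt": "passphrase: correct horse battery staple\n",
    "certs/web.crt": "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n",
    "legacy/notes.key": "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n",
    "ok/vpn.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nplaceholder\n"
                  "-----END ENCRYPTED PRIVATE KEY-----\n",
    "ok/README": "Key material for the VPN gateway.\n",
}


def build_sample_tree(root):
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo():
    """Write the sample tree to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_tree(root)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {why}")
```

Run it against a real share by calling `audit_tree("/path/to/share")`; expect false positives from the name heuristic and tune `PASSPHRASE_NAME_RE` to your naming conventions. The encrypted-PKCS#8 key in `ok/` passes because nothing beside it looks like a secret; a hit there means the passphrase belongs in a vault, not on the same disk as the key.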
This week Microsoft readied seven security bulletins for Patch Tuesday. Windows, IE, Exchange and Office will be patched next week; three updates are rated critical. The critical update for Office affects Office for Mac as well.
Researcher finds way to hack PayPal accounts with single click | News | http://t.co/X8mqjKIP8C - http://t.co/gBwIkh0tel
-- Autodidact (@Secbuff) December 5, 2014
Google simplified reCAPTCHA challenges: Long at the cutting edge of CAPTCHA development, Google's reCAPTCHA project has released a new version of the service that, for most visitors, replaces the distorted-text puzzle with an "I'm not a robot" checkbox, with Google's risk analysis deciding behind the scenes whether to fall back to a traditional challenge.
- The US Justice Department announced Thursday it's creating a new cyber unit within the criminal division to advise on electronic surveillance in cyber investigations and work with the private sector to prevent online crime. The new unit, housed within the Computer Crime and Intellectual Property section, will work with law enforcement, the private sector, and Congress.
- Not all online retailers handle account security alike, and some collect more personal information than others. Password management company LastPass compared ten web retailers on user security and came up with a "naughty" and "nice" list. The best is Apple, the worst is Sears.
Doctor, it hurts when I bang my head against the wall repeatedly. Well stop doing that. I can't, I work in defensive security.
-- Jeffrey Czerniak (@geekable) December 5, 2014
Fingerprint scanning comes to banking apps in 2015: Starting in January, Apple's Touch ID fingerprint sensor will become part of Westpac Group's plan to bring biometric login to the banking apps of all its brands. Worth remembering when evaluating such features: the app never sees the fingerprint; iOS keeps the biometric on the device and the app only gets a pass or fail from the OS, so the scheme is local device unlock in front of a stored credential, not fingerprint authentication to the bank.
Security seals sold by almost a dozen companies, including Symantec, McAfee, Trust-Guard, and Qualys, aren't worth the bits they're made of, let alone the fees. Sites certified as secure with the so-called trust marks are often more vulnerable to hacking, researchers concluded in a recent paper ("Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals", ACM CCS 2014) analyzed this week. The practitioner's caveat: a seal is a third-party badge attesting that a site passed a periodic external scan, not evidence of its current state, and a seal that is withdrawn after a failed scan tells an attacker as much as it tells a customer.
The 2014 Cyber Claims Study was published on Wednesday by NetDiligence, sponsored by AllClear ID, McGladrey and ICSA Labs. It is based on a sample of 117 data breach insurance claims and focuses on the 111 cases in which sensitive personal data was exposed. The average claim payout for a large company was $1.9 million.
On Tuesday a District Court judge in Minnesota ruled that banks can sue Target for negligence in the 2013 credit card hack. "Although the third-party hackers' activities caused harm, Target played a key role in allowing the harm to occur," the judge wrote in his order.