Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending December 5, 2014. Covers enterprise, controversies, reports and more.
This week, Sony's breach went nuclear, banks were cleared to sue Target for credit card hack negligence, Microsoft readied its patches, security seals lost their standing, and much more.
The unbelievably extreme Sony Pictures Entertainment hack became Hollywood's Snowden moment in what might turn out to be the breach of the century (so far). CSO reports on Thursday's file dump: "Among the IT data leaked by GOP, totaling more than 11,000 files, are hundreds of RSA SecurID tokens, Lotus Notes IDs, and certificates - many of them with the required passphrase stored alongside." Hacking crew Guardians Of Peace have published more sensitive Sony internal files than anyone can keep track of, with no end in sight and no answers as to who or why. Silver spoon tech media darling Re/code incorrectly reported (and later insisted) that North Korea was responsible for the attack; Sony then went on record to state that Re/code's reporting was inaccurate.
The US Justice Department announced Thursday it's creating a new cyber unit within the criminal division to advise on electronic surveillance in cyber investigations and work with the private sector to prevent online crime. The new unit, housed within the Computer Crime and Intellectual Property section, will work with law enforcement, the private sector, and Congress.
Security seals sold by almost a dozen companies, including Symantec, McAfee, Trust-Guard, and Qualys, aren't worth the bits they're made of, let alone the fees. Sites certified as secure with the so-called trust marks are often more vulnerable to hacking, scientists concluded in a recent paper analyzed this week.
The 2014 Cyber Claims Study was published on Wednesday (by NetDiligence and sponsored by AllClear ID, McGladrey and ICSA Labs). It's based on a sampling of 117 data breach insurance claims; the focus is on 111 of these cases in which sensitive personal data was exposed. The average claim payout for a large company was $1.9 million.
On Tuesday a District Court judge in Minnesota ruled that banks can sue Target for negligence in the 2013 credit card hack. "Although the third-party hackers' activities caused harm, Target played a key role in allowing the harm to occur," the judge wrote in his order.