Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending January 23, 2015. Covers enterprise, controversies, reports and more.
This week President Obama's State of the Union rubbed infosec the wrong way, Adobe has a zero day, Symantec has a remote code execution, enterprise is drowning in unnecessary security alerts, and more.
- President Obama dedicated more time to cybersecurity than any previous president has in a State of the Union address. While it's a positive sign that politicians consider cybersecurity a pressing concern, many in the security community believe the President's proposed cybersecurity legislation would be ineffective at curtailing black hat hacking and would criminalize the type of research and penetration testing that vendors and enterprises depend on to harden their software and hardware.
- Adobe is investigating reports that a zero-day flaw in Flash Player is being used by an exploit kit known as Angler. Following the Blackhole exploit kit's demise last year, Angler is the new "one to watch" this year, according to Cisco security researchers.
- Oracle rolled out a mammoth batch of patches on Tuesday, the first of its four scheduled security releases this year for its vast array of enterprise software products. Oracle's quarterly critical patch update includes security updates and patches for 169 problems affecting products including Java, Fusion Middleware, Enterprise Manager and MySQL.
- Blackhat the movie, as reviewed in Loki gifs: Hollywood's new cybersecurity film Blackhat opened this weekend and bombed hard, despite high praise from infosec elites.
On the 7th day, God rested, and the devil created Android development and God was pretty pissed.
-- I Am Devloper (@iamdevloper) January 22, 2015
- U.S. firms spending millions on false positive security alerts: A new report on the costs of malware containment has revealed that US firms are spending approximately US$1.3 million (£860,000) a year dealing with false positive cyber-security alerts, the equivalent of nearly 21,000 man hours.
- FireEye: Enterprise overwhelmed with redundant security notifications. Rich Costanzo, FireEye Australia/NZ systems engineering lead, said its findings underscored that organizations are inundated with redundant alerts, therefore increasing the risk of critical alerts being missed. Two separate FireEye surveys, one focused on European C-level executives and one on international staff, found that in Europe there has been a steady increase in alerts over the past two years. However, the number of people tasked with resolving and following up on alerts has stagnated, or in some cases, decreased.
- A GoDaddy CSRF vulnerability allows domain takeover: An attacker can leverage a CSRF vulnerability to take over domains registered with GoDaddy. The vulnerability was patched as of January 18th. Breaking Bits (Dylan Saccomanni) writes, "I noticed that there was absolutely no cross-site request forgery protection at all on many GoDaddy DNS management actions (...) I was told there was no timeline for a fix."
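The GoDaddy item comes down to a state-changing DNS action that was authenticated by the session cookie alone, which is exactly what cross-site request forgery abuses: the browser attaches the victim's cookie to a request another site triggered. The following is an added example (not GoDaddy's code, nor Saccomanni's) of the fix pattern: a synchronizer token bound to the session by an HMAC, plus an Origin check as defense in depth. The request/session dictionaries, the `TRUSTED_ORIGIN` value, the `sess-victim` session and the domain names are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret for the example; a real deployment loads it
# from a secrets store and rotates it.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TRUSTED_ORIGIN = "https://dns.example"  # assumed origin of the management UI


def issue_csrf_token(session_id: str, nonce: Optional[str] = None) -> str:
    """Synchronizer-token pattern: a random nonce bound to the session by an HMAC.

    The same-origin policy keeps a third-party page from reading the token, so a
    request it triggers carries the cookie but cannot carry a valid token.
    """
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def update_dns_vulnerable(request: dict, sessions: dict) -> int:
    """Authenticates by session cookie alone: any request the browser sends with
    the victim's cookie changes the record, whichever site triggered it."""
    session = sessions.get(request["cookies"].get("session"))
    if session is None:
        return 401
    session["dns"][request["form"]["domain"]] = request["form"]["nameserver"]
    return 200


def update_dns_hardened(request: dict, sessions: dict) -> int:
    """Same action, but the state change requires a session-bound CSRF token and,
    when the browser sends an Origin header, a trusted origin."""
    session_id = request["cookies"].get("session")
    session = sessions.get(session_id)
    if session is None:
        return 401
    origin = request["headers"].get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403
    if not verify_csrf_token(session_id, request["form"].get("csrf_token", "")):
        return 403
    session["dns"][request["form"]["domain"]] = request["form"]["nameserver"]
    return 200


def simulate() -> dict:
    """Run a legitimate request and a cross-site forged request against both
    handlers; report each status code and the resulting nameserver (constructed data)."""
    def fresh_sessions():
        return {"sess-victim": {"dns": {"victim.example": "ns1.victim.example"}}}

    legit = {
        "cookies": {"session": "sess-victim"},
        "headers": {"Origin": TRUSTED_ORIGIN},
        "form": {"domain": "victim.example", "nameserver": "ns2.victim.example",
                 "csrf_token": issue_csrf_token("sess-victim")},
    }
    # Forged request: the cookie is present because the browser adds it, the
    # Origin is the third-party site, and there is no token to present.
    forged = {
        "cookies": {"session": "sess-victim"},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"domain": "victim.example", "nameserver": "ns.attacker.example"},
    }
    results = {}
    for name, handler in (("vulnerable", update_dns_vulnerable), ("hardened", update_dns_hardened)):
        sessions = fresh_sessions()
        results[f"{name}_legit"] = handler(legit, sessions)
        sessions = fresh_sessions()
        results[f"{name}_forged"] = handler(forged, sessions)
        results[f"{name}_forged_ns"] = sessions["sess-victim"]["dns"]["victim.example"]
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The vulnerable handler accepts the forged request (200) and the record now points at the attacker-chosen nameserver; the hardened handler rejects it (403) and the record is unchanged, while the legitimate request succeeds on both. Binding the token to the session ID means a token issued to one session is useless for another, and `hmac.compare_digest` avoids leaking the expected value through timing.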
- Verizon My FiOS mobile application vulnerability allowed any user access to any Verizon email account. As reported by ThreatPost, Verizon pushed a fix out for the flaw last week after security researcher Randy Westergren Jr disclosed the vulnerability. The flaw was severe enough that the telecommunications giant patched the problem within 48 hours.
- The Cisco 2015 annual security report has revealed that while governments are providing more assistance to reduce online crime, criminals are finding new ways to unleash attacks on organizations.
- Journalist and former Anonymous member Barrett Brown was sentenced to 63 months in prison by a federal judge in Dallas on Thursday. Kevin Gallagher warned that the long sentence would nonetheless set a precedent for journalists. "Basically," he said, "if you share a link to publicly available material without knowing what's in it -- maybe it could contain stolen credit card info -- you could be prosecuted."
- Over 90 percent of data breaches in the first half of 2014 could have been prevented if businesses had rethought their cyber-risk strategies, according to the Online Trust Alliance. Only 40 percent of data breaches involving the loss of personally identifiable information (PII) were caused by external intrusions -- while 29 percent were caused either accidentally or maliciously by employees. According to enterprise data security provider Vormetric, 93 percent of US corporations are vulnerable to insider threats.
Symantec Data Center Security, now with remote code execution: http://t.co/2wzK5lyTBF
-- HD Moore (@hdmoore) January 23, 2015