Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending January 23, 2015. Covers enterprise, controversies, reports and more.
This week President Obama's State of the Union rubbed infosec the wrong way, Adobe has a zero day, Symantec has a remote code execution, enterprise is drowning in unnecessary security alerts, and more.
FireEye: Enterprise overwhelmed with redundant security notifications. Rich Costanzo, FireEye Australia/NZ systems engineering lead, said its findings underscored that organizations are inundated with redundant alerts, therefore increasing the risk of critical alerts being missed. Two separate FireEye surveys, one focused on European C-level executives and one on international staff, found that in Europe there has been a steady increase in alerts over the past two years. However, the number of people tasked with resolving and following up on alerts has stagnated, or in some cases, decreased.
A GoDaddy CSRF vulnerability allows domain takeover: An attacker can leverage a CSRF vulnerability to take over domains registered with GoDaddy. The vulnerability was patched as of January 18th. Breaking Bits (Dylan Saccomanni) writes, "I noticed that there was absolutely no cross-site request forgery protection at all on many GoDaddy DNS management actions (...) I was told there was no timeline for a fix."
Verizon My FiOS mobile application vulnerability allowed any user access to any Verizon email account. As reported by ThreatPost, Verizon pushed a fix out for the flaw last week after security researcher Randy Westergren Jr disclosed the vulnerability. The flaw was severe enough that the telecommunications giant patched the problem within 48 hours.
Journalist and former Anonymous member Barrett Brown was sentenced to 63 months in prison by a federal judge in Dallas on Thursday. Kevin Gallagher warned that the long sentence would nonetheless set a precedent for journalists. "Basically," he said, "if you share a link to publicly available material without knowing what's in it -- maybe it could contain stolen credit card info -- you could be prosecuted."