
Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending February 13, 2015. Covers enterprise, controversies, reports and more.
This week U.S. President Obama visited Stanford for a cybersecurity summit with Silicon Valley's corporate technorati, Jeb Bush doxed 12,000 unsuspecting victims, cloud security research got aggressive, Sony argued to dismiss its eight class-action lawsuits, NIST announced updates, Microsoft had a rough Patch Tuesday, Facebook launched ThreatExchange, and much more.
- This week's Microsoft Patch Tuesday release includes three updates rated Critical, including a massive security update that fixes more than 40 flaws in Internet Explorer. A recently disclosed XSS vulnerability remains unpatched, however, and one Windows Server 2003 bug won't be fixed.
- On Tuesday, iSIGHT Partners and Invincea disclosed an attack on Forbes.com, assumed to be the work of actors from China conducting an espionage campaign. But the way the disclosure was handled, including a sensational news cycle and required registration for actual details, makes it look as if both vendors are using the incident to increase their sales channel.
- The Washington Post reported this week that there will be a new agency to sniff out threats in cyberspace: The Cyber Threat Intelligence Integration Center, modeled after the National Counterterrorism Center. Some infosec professionals think it'll likely fail, because "the President continues to ask the wrong questions of the wrong people."
"@hrbrmstr: @selenakyle @daviottenheimer @krypt3ia @weldpond needs to be a combo of NTSB & CDC" <that's the direction.
-- Trey (@treyford) February 10, 2015
- President Obama is expected to unveil executive actions today designed to increase information sharing among private sector companies and federal law enforcement, at a cybersecurity summit at Stanford University. Chief executives from four major technology companies will not attend the summit in California on Friday. Instead, senior security staffers from the invited companies, Facebook, Google, Yahoo, and Microsoft, will go in their bosses' places. Bloomberg hinted that the reason the tech executives are not turning up is in part a recent back-and-forth between the US government and their companies.
- Florida governor (and potential U.S. presidential candidate) Jeb Bush has had his team hurriedly [after-the-fact] redact the social security numbers and other identity details of 12,000 people from emails he released online covering the putative presidential candidate's eight years. The emails contained names, sensitive healthcare and employment information, birthdates and social security numbers -- the three pieces of information key to identity theft. Bush had opened up the 332,999 emails to public scrutiny, seeking to portray himself as a tech-savvy executive.
I am not Jeb Bush's technical advisor or in any way associated with his campaign.
-- F is for Fail (@failymonster) February 10, 2015
- Cloud security: Reports slam data protection, national Internets, access myths: "Security is often compared to an arms race -- a constant grind of building the newer, the better, and the more effective," we're told in Leviathan Security Group's revelatory whitepapers released this week. Leviathan's research shows why organizations urgently need to understand that "This comparison is inaccurate."
- Around 16 million mobile devices worldwide were infected by malware at the end of 2014, while attacks on communications networks rose during the year, according to new research by Alcatel-Lucent.
- The security hiring crisis: In a whitepaper released by Leviathan Security Group this week, the firm revealed infosec's problematic hiring arc -- where current solutions appear ruinous, at best. Leviathan's research team reports that, "With more than one million cybersecurity positions unfilled worldwide, currently-identified security needs couldn't be met if every employee at GM, Costco, Home Depot, Delta, and Procter & Gamble became security experts tomorrow."
- On Monday, Sony Pictures Entertainment offered its first substantive response to the eight class action lawsuits that have been filed by former employees in the wake of a large-scale hack. The company isn't arguing that the hack was unforeseen; instead, Sony contends that harm to the victims can't be proven because no one -- so far -- has filed complaints of identity theft, fraudulent charges, or misappropriation of medical information. Research and experience show, however, that unless the employees are in a bubble of statistical anomaly, this is just a matter of time.
- 10 million passwords and usernames published: This week, Mark Burnett, a security consultant and researcher, released 10 million passwords and linked usernames in a data set compiled from existing information. In order to stop the FBI coming after him, Burnett explained why the information was divulged: The information, sourced from the Internet, was compiled with the intention of furthering research in passwords and user behavior.
- HSBC's Swiss banking arm helped wealthy customers dodge taxes and conceal millions of dollars of assets, doling out bundles of untraceable cash and advising clients on how to circumvent domestic tax authorities, according to a huge cache of leaked secret bank account files.
- Facebook launched ThreatExchange on Wednesday, a social network of sorts designed to allow companies to share threat information and intel. The move is the latest example in how an age of cooperation may be emerging as companies increasingly battle cyberattacks of various stripes.
#Facebook introduces #Infosec Threat Sharing Platform http://t.co/Zdx5WPgFoT <- Like this threat/Share this threat
-- Security Humor (@SecurityHumor) February 12, 2015
- The National Institute of Standards and Technology (NIST) announced on Tuesday it is updating its security guide for industrial control systems (ICS) to include tailored guidance for utilities, automakers, chemical firms and other companies that utilize such systems. The current draft (PDF), which has already been revised in light of input from around 30 organizations, is under final public review, meaning comments can be submitted before March 10, 2015.
- Ten U.S. states are officially saying that Anthem lagged in telling customers that it was hacked and that the personal information of 80 million people had been stolen. In a letter, Connecticut Attorney General George Jepsen called on Anthem to reimburse policyholders who experience fraud between the breach and the time they gain access to free credit monitoring, a benefit the company has promised to all affected.
- Chief information officers see employee training as the top way to beef up their corporate information security, according to a survey by IT staffing firm Robert Half Technology. The survey, which is based on responses from 2,400 CIOs at companies with 100 or more employees, is instructive because it reflects how internal workers are still the largest security risk.