Zero Day Weekly: Thousands doxed by Jeb Bush, Obama's cybersummit, Facebook's ThreatExchange

A collection of notable security news items for the week ending February 13, 2015. Covers enterprise, controversies, application and mobile security, malware, reports and more.


Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending February 13, 2015. Covers enterprise, controversies, reports and more.

This week U.S. President Obama visited Stanford for a cybersecurity summit with Silicon Valley's corporate technorati, Jeb Bush doxed 12,000 unsuspecting victims, cloud security research got aggressive, Sony argued to dismiss its eight class-action lawsuits, NIST announced updates, Microsoft had a rough Patch Tuesday, Facebook launched ThreatExchange, and much more.

  • This week's Microsoft Patch Tuesday release includes three updates rated Critical, including a massive security update that fixes more than 40 flaws in Internet Explorer. A recently disclosed XSS vulnerability remains unpatched, however, and one Windows Server 2003 bug won't be fixed.
  • Florida governor (and potential U.S. presidential candidate) Jeb Bush has had his team hurriedly redact, after the fact, the Social Security numbers and other identity details of 12,000 people from emails he released online covering his eight years in office. The emails contained names, sensitive healthcare and employment information, birthdates and Social Security numbers -- the three pieces of information key to identity theft. Bush had opened up the 332,999 emails to public scrutiny, seeking to portray himself as a tech-savvy executive.
  • Cloud security: Reports slam data protection, national Internets, access myths: "Security is often compared to an arms race -- a constant grind of building the newer, the better, and the more effective," we're told in Leviathan Security Group's revelatory whitepapers released this week. Leviathan's research shows why organizations urgently need to understand that "This comparison is inaccurate."
  • The security hiring crisis: In a whitepaper released by Leviathan Security Group this week, the firm revealed infosec's problematic hiring arc -- where current solutions appear ruinous, at best. Leviathan's research team reports that, "With more than one million cybersecurity positions unfilled worldwide, currently-identified security needs couldn't be met if every employee at GM, Costco, Home Depot, Delta, and Procter & Gamble became security experts tomorrow."
  • On Monday, Sony Pictures Entertainment offered its first substantive response to the eight class action lawsuits that have been filed by former employees in the wake of a large-scale hack. The company isn't arguing that the hack was unforeseen; instead, Sony contends that harm to the victims can't be proven because no one -- so far -- has filed complaints of identity theft, fraudulent charges, or misappropriation of medical information. Research and experience show, however, that unless the employees are in a bubble of statistical anomaly, this is just a matter of time.
  • 10 million passwords and usernames published: This week, Mark Burnett, a security consultant and researcher, released 10 million passwords and linked usernames in a data set compiled from existing information. To head off any FBI action against him, Burnett explained why the information was divulged: the data, sourced from the Internet, was compiled with the intention of furthering research into passwords and user behavior.
  • HSBC's Swiss banking arm helped wealthy customers dodge taxes and conceal millions of dollars of assets, doling out bundles of untraceable cash and advising clients on how to circumvent domestic tax authorities, according to a huge cache of leaked secret bank account files.
  • Ten U.S. states are officially saying that Anthem lagged in telling customers that it was hacked and that the personal information of 80 million people had been stolen. In a letter, Connecticut Attorney General George Jepsen called on Anthem to reimburse policyholders who experience fraud between the breach and the time they gain access to free credit monitoring, a benefit the company has promised to all affected.
  • Chief information officers see employee training as the top way to beef up their corporate information security, according to a survey by IT staffing firm Robert Half Technology. The survey, based on responses from 2,400 CIOs at companies with 100 or more employees, is instructive because it reflects how internal workers are still the largest security risk.