Zero Day Weekly: Thousands doxed by Jeb Bush, Obama’s cybersummit, Facebook’s ThreatExchange

Posted on

This week U.S. President Obama visited Stanford for a cybersecurity summit with Silicon Valley’s corporate technorati, Jeb Bush doxed 12,000 unsuspecting victims, cloud security research got aggressive, Sony argued to dismiss its eight class-action lawsuits, NIST announced updates, Microsoft had a rough Patch Tuesday, Facebook launched ThreatExchange, and much more.

This week’s Microsoft Patch Tuesday release includes three updates rated Critical, including a massive security update that fixes more than 40 flaws in Internet Explorer. A recently disclosed XSS vulnerability remains unpatched, however, and one Windows Server 2003 bug won’t be fixed.
On Tuesday, iSIGHT Partners and Invincea disclosed an attack on, assumed to be the work of actors from China conducting an espionage campaign. But the way the disclosure was handled, including a sensational news cycle and required registration for actual details, makes it look as if both vendors are using the incident to increase their sales channel.
The Washington Post reported this week that there will be a new agency to sniff out threats in cyberspace: The Cyber Threat Intelligence Integration Center, modeled after the National Counterterrorism Center. Some infosec professionals think it’ll likely fail, because “the President continues to ask the wrong questions of the wrong people.”

President Obama is expected to unveil executive actions today designed to increase information sharing among private sector companies and federal law enforcement, at a cybersecurity summit at Stanford University. Chief executives from four major technology companies will not attend a cybersecurity summit in California on Friday. Instead, senior security staffers from the invited companies, Facebook, Google, Yahoo, and Microsoft, will go in their boss’ places. Bloomberg hinted that the reason why the tech executives are not turning up are in part due to a recent back-and-forth between the US government and their companies.
Florida governor (and potential U.S. presidential candidate) Jeb Bush has had his team hurriedly [after-the-fact] redact the social security numbers and other identity details of 12,000 people from emails he released online covering the putative presidential candidate’s eight years. The emails contained names, sensitive healthcare and employment information, birthdates and social security numbers — the three pieces of information key to identity theft. Bush had opened up the 332,999 emails to public scrutiny, seeking to portray himself as a tech-savvy executive.

Cloud security: Reports slam data protection, national Internets, access myths: “Security is often compared to an arms race — a constant grind of building the newer, the better, and the more effective.” We’re told in Leviathan Security Group’s revelatory whitepapers released this week. Leviathan’s research shows why organizations urgently need to understand that “This comparison is inaccurate.”
Around 16 million mobile devices worldwide were infected by malware at the end of 2014, while attacks on communications networks rose during the year, according to new research by Alcatel-Lucent.

Zero Day Weekly: Thousands doxed by cybersummit, Facebook's
Zero Day Weekly: Thousands doxed by cybersummit, Facebook’s

The security hiring crisis: In a whitepaper released by Leviathan Security Group this week, the firm revealed infosec’s problematic hiring arc — where current solutions appear ruinous, at best. Leviathan’s research team reports that, “With more than one million cybersecurity positions unfilled worldwide, currently-identified security needs couldn’t be met if every employee at GM, Costco, Home Depot, Delta, and Procter & Gamble became security experts tomorrow.”
On Monday, Sony Pictures Entertainment offered its first substantive response to the eight class action lawsuits that have been filed by former employees in the wake of a large-scale hack. The company isn’t arguing that the hack was unforseen, but instead Sony believes that victim harm can’t be proven because no one — so far — has filed complaints of identity theft, fraudulent charges, or misappropriation of medical information. Research and experience shows, however, that unless the employees are in a bubble of statistical anomaly, this is just a matter of time.
10 million passwords and usernames published: This week, Mark Burnett, a security consultant and researcher, released 10 million passwords and linked usernames in a data set compiled from existing information. In order to stop the FBI coming after him, Burnett explained why the information was divulged: The information, sourced from the Internet, was compiled with the intention of furthering research in passwords and user behavior.
HSBC’s Swiss banking arm helped wealthy customers dodge taxes and conceal millions of dollars of assets, doling out bundles of untraceable cash and advising clients on how to circumvent domestic tax authorities, according to a huge cache of leaked secret bank account files.
Facebook launched ThreatExchange on Wednesday, a social network of sorts designed to allow companies to share threat information and intel. The move is the latest example in how an age of cooperation may be emerging as companies increasingly battle cyberattacks of various stripes.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s