This Month in SSL: March 2016

March 25, 2016 Mark Santamaria

Here is our latest news roundup of articles about network and SSL security. (Click here to see the whole series.)

SSL & Encryption

  • Security researchers have discovered a flaw dubbed the DROWN vulnerability that allows an attacker to decrypt traffic from secure servers that still support the obsolete SSLv2 protocol. Soon after the researchers announced the vulnerability, OpenSSL released a patch to fix it.

Data Security in General

  • The RSA Conference ran from February 29th to March 4th. Click the link for highlights of the conference.
  • In an effort to discover the vulnerabilities in its websites, the US Department of Defense issued a public invitation for hackers to participate in its “Hack the Pentagon” program.

Data Breaches

  • Premier Healthcare revealed in a press release that a laptop containing PII for over 200 thousand patients was stolen.
  • Staminus Communications, a DDoS mitigation service provider, suffered a data breach and received advice from the hackers on how to better secure their network.
  • Bailey Inc., an outdoor equipment retailer, suffered a data breach affecting 250 thousand of their customers.

Vulnerabilities

  • Microsoft patched almost 40 vulnerabilities in Windows, IE, and Edge, some of which allowed remote code execution.
  • Adobe released more updates for Flash Player that addressed 18 critical vulnerabilities.
  • Security researchers found that a vulnerability in Java, thought to have been fixed by a security patch 30 months ago, can still be exploited.

Malware

  • Locky is a new ransomware, and although it is only a few weeks old, it has quickly become one of the most used types of ransomware.
  • A massive malvertising campaign targeted users visiting major news and entertainment sites such as The New York Times, the BBC, MSN, AOL and others.
  • A previous version of the TeslaCrypt ransomware contained a flaw that allowed victims to recover their encrypted files without paying a ransom. Unfortunately, the malware writers have fixed that flaw, and there is now no way to recover files without paying the ransom.
  • Hackers targeted Valve Corporation’s Steam online gaming platform, stealing gamers’ credentials and gaming items, which they in turn sell on the black market.

Cybercrime

  • Phishers sent emails that appeared to come from FinCERT, a department of the Russian Central Bank that is tasked with dealing with cyberattacks, to dozens of Russian banks in a well-executed and planned phishing attack.
  • Researchers observed attackers using business email compromise, a type of phishing attack, to gain a foothold and then infect the compromised computers with keylogging malware.
  • As Tax Day approaches, the IRS expects cyber criminals to target taxpayers with phishing emails. It estimates that income tax fraud will cost Americans $21 billion.

IoT

  • A hacker revealed at RSA how he is able to hijack police and military drones because of their lack of encryption.
  • This month the FBI released a PSA stating that it now regards the remote hacking and hijacking of a vehicle as a very real threat to the public.

Research & Studies

  • In a new cybersecurity digest, Verizon explains the reasons behind the do’s and don’ts of cybersecurity practices.
  • Akamai released their 2015 Q4 State of the Internet Security Report. The report covers the changes attackers have implemented in executing DDoS attacks.
  • Crypto-ransomware is now the preferred attack method cybercriminals use, according to a new study by Trend Micro.
  • A new Ponemon study discusses malware and the difficulty IT experts have in mitigating malware attacks.
  • Another Ponemon study found that healthcare organizations suffer one cyberattack per month on average.
  • A LastPass survey revealed that 55% of UK consumers are okay with sharing their passwords with others.
  • Another study on passwords shows how important it is to include case sensitivity in password policies.
