Here is our latest news roundup of articles about network and SSL security.
SSL & Encryption
- Security researchers have disclosed a flaw dubbed the DROWN vulnerability that allows an attacker to decrypt traffic from secure servers that still support the obsolete SSLv2 protocol. Soon after the researchers announced the vulnerability, OpenSSL released a patch to fix it.
Data Security in General
- The RSA Conference ran from February 29th to March 4th.
- In an effort to discover vulnerabilities in its websites, the US Department of Defense issued a public invitation for hackers to participate in its “Hack the Pentagon” program.
Data Breaches
- Premier Healthcare revealed in a press release that a laptop containing PII for over 200,000 patients was stolen.
- Staminus Communications, a DDoS mitigation service provider, suffered a data breach, and the attackers left behind advice on how to better secure its network.
- Bailey Inc., an outdoor equipment retailer, suffered a data breach affecting 250,000 of its customers.
Vulnerabilities
- Microsoft patched almost 40 vulnerabilities in Windows, IE, and Edge, some of which allowed remote code execution.
- Adobe released further updates for Flash Player that address 18 critical vulnerabilities.
- Security researchers found that a Java vulnerability thought to have been fixed by a patch 30 months ago can still be exploited.
Malware
- Locky is a new ransomware family, and although it is only a few weeks old, it has quickly become one of the most widely used types of ransomware.
- A massive malvertising campaign targeted visitors to major news and entertainment sites such as The New York Times, the BBC, MSN, AOL and others.
- A previous version of the TeslaCrypt ransomware contained a flaw that allowed victims to recover their encrypted files without paying a ransom. Unfortunately, the malware authors have fixed that flaw, and there is now no way to recover files without paying.
- Hackers targeted Valve Corporation’s Steam online gaming platform, stealing gamers’ credentials and in-game items, which they then sell on the black market.
Cybercrime
- In a well-planned and well-executed phishing attack, phishers sent dozens of Russian banks emails that appeared to come from FinCERT, the department of the Russian Central Bank tasked with dealing with cyberattacks.
- Researchers observed attackers using business email compromise, a type of phishing attack, to gain a foothold and then infect compromised computers with keylogging malware.
- As Tax Day approaches, the IRS expects cybercriminals to target taxpayers with phishing emails. It estimates that income tax fraud will cost Americans $21 billion.
IoT
- A hacker revealed at RSA how he is able to hijack police and military drones because they lack encryption.
- This month the FBI released a PSA stating that it now regards the remote hacking and hijacking of vehicles as a very real threat to the public.
Research & Studies
- In a new cybersecurity digest, Verizon explains the reasons behind the do’s and don’ts of cybersecurity practices.
- Akamai released its Q4 2015 State of the Internet Security Report. The report covers the changes attackers have made in how they execute DDoS attacks.
- Crypto-ransomware is now the attack method cybercriminals prefer, according to a new study by Trend Micro.
- A new Ponemon study discusses malware and the difficulty IT experts have in mitigating malware attacks.
- Another Ponemon study found that healthcare organizations suffer one cyberattack per month on average.
- A LastPass survey revealed that 55% of UK consumers are comfortable sharing their passwords with others.
- Another study on passwords shows how important it is to include case sensitivity in password policies.