This Month in SSL: January 2016

Here is our latest news roundup of articles about network and SSL security.

SSL & Encryption

  • Firefox users experienced some hiccups when Mozilla decided that the browser should reject all SHA-1 certificates starting January 1. Security scanners and antivirus products, which intercept HTTPS with certificates issued from their own locally installed roots, failed to connect to HTTPS sites once the change took effect, and Mozilla ended up reversing the decision. Google, on the other hand, anticipated the implications of deprecating all SHA-1 certificates for security scanners and antivirus software, and will untrust only SHA-1 certificates that chain to a public CA.
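The SHA-1 item above turns on two questions a defender can answer mechanically: is a certificate signed with SHA-1, and does it chain to a public CA root or to a privately installed one (the case that broke the scanners)? The following is an added Python example, not code from Mozilla or Google, that reads the `signatureAlgorithm` OID out of a DER or PEM certificate with the standard library alone and applies both policies as the item describes them. The certificates it runs on are constructed minimal DER stand-ins, not real certificates, and the `chains_to_public_ca` input is assumed to come from the caller's own chain validation.

```python
"""Flag X.509 certificates whose signature uses SHA-1, standard library only.

Added illustration, not browser code. The sample "certificates" below are
constructed minimal DER stand-ins, not real certificates.
"""
import base64

# Signature-algorithm OIDs that rely on SHA-1 (RFC 3279 / RFC 5754 names).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def load_der(data: bytes) -> bytes:
    """Accept PEM or DER and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def signature_algorithm_oid(cert: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(load_der(cert), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)       # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)   # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def uses_sha1(cert: bytes) -> bool:
    return signature_algorithm_oid(cert) in SHA1_SIGNATURE_OIDS


def verdict(cert: bytes, chains_to_public_ca: bool, policy: str) -> str:
    """'reject-all' = Mozilla's January 1 rule (every SHA-1 certificate refused,
    which is what broke locally installed scanner/AV roots);
    'public-only' = Google's rule (only SHA-1 certificates from a public CA)."""
    if not uses_sha1(cert):
        return "accept"
    if policy == "reject-all":
        return "reject: SHA-1 signature"
    if policy == "public-only":
        if chains_to_public_ca:
            return "reject: SHA-1 signature from public CA"
        return "accept: SHA-1 under private root"
    raise ValueError(f"unknown policy {policy!r}")


# ---- constructed sample certificates (minimal DER, not real certificates) ----
def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128                 # short-form length suffices here
    return bytes([tag, len(value)]) + value


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # high bits first, continuation flag set
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _fake_cert(sig_oid: str) -> bytes:
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                               # dummy tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")    # OID + NULL params
    sig = _tlv(0x03, b"\x00\xab\xcd")                                    # dummy BIT STRING
    return _tlv(0x30, tbs + alg + sig)


SAMPLE_SHA1_CERT = _fake_cert("1.2.840.113549.1.1.5")
SAMPLE_SHA256_CERT = _fake_cert(SHA256_RSA_OID)
SAMPLE_SHA1_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_SHA1_CERT)
                   + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, cert in (("sha1", SAMPLE_SHA1_CERT), ("sha256", SAMPLE_SHA256_CERT)):
        print(name, signature_algorithm_oid(cert),
              verdict(cert, True, "reject-all"), verdict(cert, False, "public-only"))
```

The parser deliberately reads only the outer `signatureAlgorithm` field, which is what a browser's distrust rule keys on; a full chain check (is the root one of the platform's public trust anchors, or an AV product's locally added one?) is the caller's job and is represented here only by the boolean input.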

Data Breaches

  • Cyber criminals hit Hyatt Hotels with a POS attack, compromising guest credit cards in 250 hotels and 50 nations.
  • Recently a hacker compromised the PayPal account of security researcher Brian Krebs twice in the same day. The hacker was attempting to send money to a deceased ISIS hacker.
  • After suffering repeated DDoS attacks and then a suspected data breach, New Jersey-based company Linode reset passwords for all their users.

Vulnerabilities

  • OpenSSH released an update for a vulnerability that could leak cryptographic keys.
  • A flaw in Linux could affect tens of millions of servers and Android devices. If exploited, the flaw could grant any unauthorized user root access to servers or devices.
  • Cisco warned users in an advisory that it had found a vulnerability in its chat client Jabber. An attacker could exploit the vulnerability by performing a TLS downgrade attack and then a man-in-the-middle attack.
  • In a controversial move, ICS/SCADA researchers recently posted a list of popular industrial products that ship with default passwords. Their hope was to motivate vendors to build products with better security in mind.

Cybercrime

  • Hackers attacked power authorities in Ukraine, leaving hundreds of thousands without power. Further details revealed that the attackers used several techniques, including malware injection and a telephone denial-of-service attack.
  • A DDoS attack against the BBC website may prove to be the largest attack in history. The group who launched the attack said it reached 602 Gbps, almost double the largest attack previously observed.
  • A researcher discovered a way to spoof LastPass notifications so that they are indistinguishable from legitimate ones. The fraudulent notification leads to an unsecured website where an attacker could capture a user's login credentials.
  • Scammers impersonating technical support are targeting Dell customers. The scams are difficult to detect because the scammers obtained sensitive customer information that only Dell employees should have access to.

Research & Studies

  • A survey reveals that 64% of senior IT executives feel that adhering to compliance requirements is more than enough to secure their organization.
  • New research estimates that fraudulent web traffic could cost advertising firms $7.2 billion this year.
  • Although companies spend on average over $320,000 on spear-phishing prevention, almost 30% of phishing emails still get through.
  • Stolen healthcare records are not a problem just for the health sector. A new report shows that the problem extends to all sectors.
  • Nearly 30% of users share personal information with everyone on social media and not just friends, compromising themselves and their employers.