Here is our latest news roundup of articles about network and SSL security. (Click here to see the whole series.)
SSL & Encryption
Security researchers have discovered a flaw dubbed the DROWN vulnerability that allows an attack to decrypt traffic from secure servers supporting SSLv2, which is obsolete. Soon after researchers announced the vulnerability, OpenSSL released a patch to fix it.
Data Security in General
The RSA Conference ran from February 29th to March 4th. Click the link for highlights of the conference.
In an effort to discover the vulnerabilities in their websites, the US Department of Defense issued a public invitation for hackers to participate in their “Hack the Pentagon” program.
Premier Healthcare revealed in a press release that a laptop containing PII for over 200 thousand patients was stolen.
Staminus Communications, a DDoS mitigation service provider, suffered a data breach and received advice from the hackers on how to better secure their network.
Bailey Inc., an outdoor equipment retailer, suffered a data breach affecting 250 thousand of their customers.
Microsoft patched almost 40 vulnerabilities in Windows, IE, and Edge, some of which allowed for a remote code execution.
Adobe released more updates for Flash Player that addressed 18 critical vulnerabilities.
Security researchers found that a security patch that was thought to have fixed a vulnerability in Java 30 months ago is still vulnerable to exploit.
Locky is a new ransomware, and although it is only a few weeks old, it has quickly become one of the most used types of ransomware.
A massive malvertising campaign targeted users visiting major news, entertainment sites such as The New York Times, the BBC, MSN, AOL and others.
A previous version of TeslaCrypt ransomware contained a flaw that allowed victims the ability to recover their encrypted files without having to pay a ransom. Unfortunately, the malware writers have fixed that flaw and there is no way to recover files without paying a ransom.
Hackers targeted Valve Corporation’s Steam online gaming platform, stealing gamers’ credentials and gaming items they in turn sell on the black market.
Phishers sent emails that appeared to come from FinCERT, a department of the Russian Central Bank that is tasked with dealing with cyberattacks, to dozens of Russian banks in a well-executed and planned phishing attack.
Researchers observed attackers using business email compromise, a type of phishing attack, to gain a foothold and then infect compromised computers with a keylogging malware.