This Month in SSL: March 2016

Here is our latest news roundup of articles about network and SSL security. (Click here to see the whole series.)

SSL & Encryption

  • Security researchers have discovered a flaw dubbed the DROWN vulnerability that allows an attacker to decrypt traffic from secure servers that still support the obsolete SSLv2 protocol. Soon after the researchers announced the vulnerability, OpenSSL released a patch to fix it.

Data Security in General

  • The RSA Conference ran from February 29th to March 4th. Click the link for highlights of the conference.
  • In an effort to discover the vulnerabilities in their websites, the US Department of Defense issued a public invitation for hackers to participate in their “Hack the Pentagon” program.

Data Breaches

  • Premier Healthcare revealed in a press release that a laptop containing PII for over 200 thousand patients was stolen.
  • Staminus Communications, a DDoS mitigation service provider, suffered a data breach and received advice from the hackers on how to better secure their network.
  • Bailey Inc., an outdoor equipment retailer, suffered a data breach affecting 250 thousand of their customers.

Vulnerabilities

  • Microsoft patched almost 40 vulnerabilities in Windows, IE, and Edge, some of which allowed remote code execution.
  • Adobe released more updates for Flash Player that addressed 18 critical vulnerabilities.
  • Security researchers found that a vulnerability in Java thought to have been fixed by a security patch 30 months ago is still exploitable.

Malware

  • Locky is a new ransomware, and although it is only a few weeks old, it has quickly become one of the most used types of ransomware.
  • A massive malvertising campaign targeted users visiting major news and entertainment sites such as The New York Times, the BBC, MSN, AOL and others.
  • A previous version of the TeslaCrypt ransomware contained a flaw that allowed victims to recover their encrypted files without paying a ransom. Unfortunately, the malware writers have fixed that flaw, and there is now no way to recover files without paying a ransom.
  • Hackers targeted Valve Corporation’s Steam online gaming platform, stealing gamers’ credentials and gaming items, which they in turn sell on the black market.

Cybercrime

  • Phishers sent emails that appeared to come from FinCERT, a department of the Russian Central Bank that is tasked with dealing with cyberattacks, to dozens of Russian banks in a well-executed and planned phishing attack.
  • Researchers observed attackers using business email compromise, a type of phishing attack, to gain a foothold and then infect compromised computers with keylogging malware.
  • As Tax Day approaches, the IRS expects cyber criminals to target taxpayers using phishing emails. They estimate that income tax fraud will cost Americans $21 billion.

IoT

  • A hacker revealed at RSA how he is able to hijack police and military drones because of their lack of encryption.
  • This month the FBI released a PSA stating that they now regard remotely hacking and hijacking a vehicle as a very real threat to the public.

Research & Studies

  • In a new cybersecurity digest, Verizon explains the reasons behind the do’s and don’ts of cybersecurity practices.
  • Akamai released their 2015 Q4 State of the Internet Security Report. The report covers the changes attackers have implemented in executing DDoS attacks.
  • Crypto-ransomware is now the preferred attack method cybercriminals use, according to a new study by Trend Micro.
  • A new Ponemon study discusses malware and the difficulty IT experts have in mitigating malware attacks.
  • Another Ponemon study found that healthcare organizations suffer one cyberattack each month on average.
  • A LastPass survey revealed that 55% of UK consumers are okay with sharing their passwords with others.
  • Another study on passwords shows how important it is to include case sensitivity in password policies.