Archives: December 2015
Well, if you thought you had it rough in 2014 because of big, bad Poodles and an irritating case of Heartbleed, things only got worse this year. Rather than intrusions permeating our IT systems and stealing our data, attacks got a bit more personal in 2015. Not only were privacy and civil liberties put at...
With 2015 more or less in the rear view mirror, Mike Mimoso and Chris Brook discuss the year in security: Wassenaar, ransomware, Carbanak and Equation Group, how big of a deal Stagefright was, that Juniper backdoor, and more. Download: tp_2015_in_review.mp3. Music by Chris Gonsalves.
Microsoft has taken steps to impede the next Superfish from impacting users. Superfish was pre-installed adware found on new Lenovo laptops earlier this year. The software exposes users to man-in-the-middle attacks because of the way it injects advertisements into the browser. It comes with a self-signed root cert that generates certs for HTTPS connections, replacing...
The NSA’s subversion of encryption standards may have come home to roost. As more eyes examine the Juniper backdoor in ScreenOS, the operating system standing up its NetScreen VPNs, it’s becoming clear that someone backdoored the NSA backdoor in Dual_EC_DRBG, opening the door to passive decryption of any VPN traffic moving through a NetScreen gateway....
Yahoo has announced it will follow in the footsteps of Twitter and Facebook and begin warning users when it believes their accounts have been targeted by a state-sponsored actor. Bob Lord, who was hired as the company’s new CISO in October, discussed the initiative in a blog post Monday. Lord said Yahoo will only notify users...
Oracle’s stewardship of Java has been scrutinized by the security community, which in 2013 languished through nearly a full year of targeted attacks exploiting zero days and other vulnerabilities in the platform. Since then, Oracle has improved the Java user experience by denying unsigned applets the ability to execute by default, and putting security restrictions...
Researchers from two security firms have uncovered the password guarding one of the backdoors discovered in Juniper Networks’ ScreenOS, the operating system behind its NetScreen enterprise-grade firewalls. Fox-IT and Rapid7 found the secret code, which was disguised to look like debug code, said Rapid7 chief research officer HD Moore. “This password allows an attacker to...
Google has announced its timeline for deprecating SHA-1 certificates, despite concerns expressed recently that sunsetting the broken encryption hashing algorithm will disconnect millions from the Internet. SHA-1’s demise has been accelerated in recent months since researchers published a paper explaining that practical collision attacks could be months, instead of years, away. Google, on Friday, announced...
Automation and energy management company Schneider Electric patched a vulnerability in a product line this week that was leaving a handful of programmable automation controllers at risk of being hacked. Thirteen different builds of the Modicon M340 PLC are affected by the vulnerability, a buffer overflow that could let an attacker crash the device, or carry out...
Nothing in Google’s arsenal carries more weight than its search engine rankings. Pair that weapon with a desire to inspire encrypted connections on the web, and you have a pretty powerful combination. More than a year ago, Google said it was testing a method where a site’s search ranking would be influenced by whether it...