You are viewing 'Heartbleed'

Solutionary blogs about the Heartbleed bug.

PCI SSC Revises Deadline – Should You?

Additional 24 months allowed for compliance

Bob Bybee

February 04, 2016 - Posted by Bob Bybee to Security News

PCI

In April 2015, the Payment Card Industry Security Standards Council (PCI SSC) released version 3.1 of the PCI Data Security Standard (PCI DSS), only four months after version 3.0 went into full effect. The most important changes are in the communications protocols SSL (all versions) and TLS (version 1.0). These protocols are now considered insecure. They are vulnerable to well-known exploits such as Heartbleed and POODLE.

The PCI deadline for migrating to newer, more secure protocols was originally June 2016. This gave organizations 14 months to address the changes. The generous schedule was an acknowledgement of real-world staffing and budget concerns, despite the fact that the... read more >

VENOM - Virtualized Environment Neglected Operations Manipulation

An alternate take on the snake

Chad Kahl

May 13, 2015 - Posted by Chad Kahl to Threat Intelligence

VENOM

I guess it is time to take off my shoes, because I have run out of fingers to count the number of times I read "OMG THIS IS THE NEXT HEARTBLEED!" for normal vulnerabilities.

Marketing firms have definitely figured out how to promote their researchers' activities:

Scary Name + Cool Logo == Unique Hit Counts  == KPI met on your next review

I get it. I totally do. It becomes an issue, however, when every blog site picks it up and people start getting freaked out about relatively normal things.

  1. New vulnerabilities occur all the time
    This includes high, medium and low priority vulnerabilities. Some are pretty bad, allowing for sensitive information disclosure, denial of service, or remote code execution. Most software engineers are not magicians who create perfect code every time. Even those who are have their code pieced together with the work of others, resulting in unintended...
read more >

What Will 2015 Mean for IT Security?

2015: Year of the ___?

Joseph (JB) Blankenship

January 06, 2015 - Posted by Joseph (JB) Blankenship to Security Insight

IT Security 2015

2014 is behind us. Depending on your perspective, 2014 is either known as “The Year of the Data Breach” or the “Year of the Undisclosed Vulnerability.”

According to the Identity Theft Resource Center, there were 761 breaches reported in the U.S. during 2014, with over 83 million records exposed in 2014 (as of December 23, 2014). This is an increase of over 25% over the same timeframe in 2013.

With the seemingly never-ending data breach announcements, the general public has started taking a “so what, it's just another data breach” kind of attitude about data breaches. It’s as if there is now almost an expectation that your data will end up in the... read more >

The Community Health Systems Breach

Was Heartbleed at the Heart of This Health Care Breach?

Joseph (JB) Blankenship

August 22, 2014 - Posted by Joseph (JB) Blankenship to Security Insight

Healthcare Data Security

Community Health Systems (CHS), a publically-held company operating 206 hospitals in 29 states, recently announced in an 8-K filing that it has become one of the latest victims of a major data breach. The filing revealed that the attack most likely occurred in April and June of 2014, compromising approximately 4.5 million records. This number surpasses the previous health care data breach record of 1.3 million records at the Montana Department of Public Health in May 2014.

While no credit card information was revealed, the attackers did gain access to non-medical personal health information (PHI) that included “patient names, addresses, birthdates, telephone... read more >

The SERT Q2 Quarterly Threat Intelligence Report

Something Old, Something New

Jon-Louis Heimerl

July 15, 2014 - Posted by Jon-Louis Heimerl to Threat Intelligence

The Solutionary Security Engineering Research Team (SERT) has released its Q2 2014 Quarterly Threat Intelligence Report. SERT has identified both old and new trends and information during research efforts this past quarter. For instance, it may not surprise anyone to know that the United States dominated malware hosting countries, but it is new that this included 56% of the malware identified by the SERT honeynet (that’s up from 44% since Q4, 2013).

There were some changes in the top 10 hosting countries, but United States sites still rules this particular category. It may surprise you; however, to hear that Amazon hosted 41% of the malware SERT identified during the quarter (that’s an increase of over 2.5 times the 16% found in Q3, 2013). We had hoped that hosting providers would take action to reduce the number of “hostile” sites, yet it appears that attackers are flocking to Amazon hosted services because of the ease with which the new sites can be provisioned, and up and running in a few moments. By contrast, GoDaddy dropped... read more >

Voted one of the Best Computer Security Blogs 2016
NTT Security (US), Inc. (formerly Solutionary) is a security consulting and managed security services provider. The NTT Security blog is a place for IT professionals to both learn and talk about the latest in IT security and compliance.

Get the NTT Security Blog delivered to your inbox!

Enter your Email:

(We will not share your email or use it for anything else.)

LATEST TWEETS