Solutionary blogs about the Heartbleed bug.
Additional 24 months allowed for compliance
In April 2015, the Payment Card Industry Security Standards Council (PCI SSC) released version 3.1 of the PCI Data Security Standard (PCI DSS), only four months after version 3.0 went into full effect. The most important changes are in the communications protocols SSL (all versions) and TLS (version 1.0). These protocols are now considered insecure. They are vulnerable to well-known exploits such as Heartbleed and POODLE.
The PCI deadline for migrating to newer, more secure protocols was originally June 2016. This gave organizations 14 months to address the changes. The generous schedule was an acknowledgement of real-world staffing and budget concerns, despite the fact that the...
An alternate take on the snake
I guess it is time to take off my shoes, because I have run out of fingers to count the number of times I read "OMG THIS IS THE NEXT HEARTBLEED!" for normal vulnerabilities.
Marketing firms have definitely figured out how to promote their researchers' activities:
Scary Name + Cool Logo == Unique Hit Counts == KPI met on your next review
I get it. I totally do. It becomes an issue, however, when every blog site picks it up and people start getting freaked out about relatively normal things.
- New vulnerabilities occur all the time
This includes high, medium and low priority vulnerabilities. Some are pretty bad, allowing for sensitive information disclosure, denial of service, or remote code execution. Most software engineers are not magicians who create perfect code every time. Even those who are have their code pieced together with the work of others, resulting in unintended...
2015: Year of the ___?
2014 is behind us. Depending on your perspective, 2014 is either known as “The Year of the Data Breach” or the “Year of the Undisclosed Vulnerability.”
According to the Identity Theft Resource Center, there were 761 breaches reported in the U.S. during 2014, with over 83 million records exposed in 2014 (as of December 23, 2014). This is an increase of over 25% over the same timeframe in 2013.
With the seemingly never-ending data breach announcements, the general public has started taking a "so what, it's just another data breach" kind of attitude. It's as if there is now almost an expectation that your data will end up in the...
Was Heartbleed at the Heart of This Health Care Breach?
Community Health Systems (CHS), a publicly held company operating 206 hospitals in 29 states, recently announced in an 8-K filing that it has become one of the latest victims of a major data breach. The filing revealed that the attack most likely occurred in April and June of 2014, compromising approximately 4.5 million records. This number surpasses the previous health care data breach record of 1.3 million records at the Montana Department of Public Health in May 2014.
While no credit card information was revealed, the attackers did gain access to non-medical personal health information (PHI) that included "patient names, addresses, birthdates, telephone...
Something Old, Something New
The Solutionary Security Engineering Research Team (SERT) has released its Q2 2014 Quarterly Threat Intelligence Report. SERT identified both old and new trends during its research efforts this past quarter. For instance, it may not surprise anyone that the United States dominated the list of malware-hosting countries, but it is new that this accounted for 56% of the malware identified by the SERT honeynet (up from 44% in Q4 2013).
There were some changes in the top 10 hosting countries, but United States sites still rule this particular category. It may surprise you, however, to hear that Amazon hosted 41% of the malware SERT identified during the quarter (an increase of over 2.5 times the 16% found in Q3 2013). We had hoped that hosting providers would take action to reduce the number of "hostile" sites, yet it appears that attackers are flocking to Amazon-hosted services because of the ease with which new sites can be provisioned and be up and running within moments. By contrast, GoDaddy dropped...