
PCI SSC Revises Deadline – Should You?

Additional 24 months allowed for compliance

Bob Bybee

February 04, 2016 - Posted by Bob Bybee to Security News


In April 2015, the Payment Card Industry Security Standards Council (PCI SSC) released version 3.1 of the PCI Data Security Standard (PCI DSS), only four months after version 3.0 went into full effect. The most important changes are in the communications protocols SSL (all versions) and TLS (version 1.0). These protocols are now considered insecure. They are vulnerable to well-known exploits such as Heartbleed and POODLE.

The PCI deadline for migrating to newer, more secure protocols was originally June 2016. This gave organizations 14 months to address the changes. The generous schedule was an acknowledgement of real-world staffing and budget concerns, despite the fact that the...

OpenSSL Update Release or: How I Learned to Stop Worrying and Love The Patch

Chad Kahl

March 19, 2015 - Posted by Chad Kahl to Security Insight

Here's the Cliff's Notes version of this week's announcement from the OpenSSL Project:

  1. Information that OpenSSL is releasing patches for a high severity vulnerability
  2. The Internet "OH NO THE INTERNET IS COMING TO AN END!"
  3. Patches released
  4. It wasn't a big deal

Here's the extended version:

Early this week, information came out that the OpenSSL Project was going to release patches for a "high severity" vulnerability, along with multiple others. Of course, at the time, there were no additional details. Cue the Internet, in usual form, expounding how this was going to be the next Heartbleed.

"Well, I've been to one world fair, a picnic, and a rodeo, and that's the stupidest thing I ever heard come over a set of earphones. You sure you got today's codes?" Major T.J. "King" Kong

The logical side, on the other hand, figured out that there wasn't much we could do until there was actual information available....

POODLE - Teaching an Old Dog New Tricks

2014 is the Year of the Retro Vulnerability

Bob Bybee

October 15, 2014 - Posted by Bob Bybee to Threat Intelligence


Last month, Shellshock exploited a 24+ year old flaw in the bash shell. Now we find that SSL 3.0, which is almost old enough to drive, is the basis of an attack which renders more modern encryption useless. This one goes by the name of POODLE (Padding Oracle On Downgraded Legacy Encryption).

Despite its name, this one has nothing to do with the Oracle database system (or dogs, for that matter). It’s a new way to exploit known flaws (CVE-2014-3566) in SSL 3.0. The details are in this short research paper, published by Google researchers on the OpenSSL site. The paper contains some heavy math, but the upshot is a conversation similar to this one:

Server: Please log in using a secure protocol. I recommend TLS.

Client: I don’t speak...

Five Tips for Safe Internet Browsing

Kurt Osburn

August 05, 2014 - Posted by Kurt Osburn to Security Insight


My kids (now grown and mostly gone) have always called me paranoid or crazy. But I have always been aware of how unsafe the Internet really is.

Security is a state of mind or awareness. What do I mean by this? Have you ever considered who is watching your "private" Internet connection at home, at a public wireless hotspot, or at work? At a minimum, any of the following are tracking your activity and the sites you visit:

  • Home ISP (Internet Service Provider)
  • Browsers and social media sites (Google, Yahoo!, IE, Twitter, Facebook, etc.)
  • Random tracking cookies (picked up during your previous Internet sessions)
  • Any of the three-letter government agencies (looking for trends or patterns)
  • Your company (if you are browsing from your work computer)

Remember: What happens on the Internet can be watched, and it...

The SERT Q2 Quarterly Threat Intelligence Report

Something Old, Something New

Jon-Louis Heimerl

July 15, 2014 - Posted by Jon-Louis Heimerl to Threat Intelligence

The Solutionary Security Engineering Research Team (SERT) has released its Q2 2014 Quarterly Threat Intelligence Report. SERT has identified both old and new trends and information during research efforts this past quarter. For instance, it may not surprise anyone to know that the United States dominated malware hosting countries, but it is new that this included 56% of the malware identified by the SERT honeynet (that’s up from 44% since Q4, 2013).

There were some changes in the top 10 hosting countries, but United States sites still rule this particular category. It may surprise you, however, to hear that Amazon hosted 41% of the malware SERT identified during the quarter (an increase of over 2.5 times the 16% found in Q3, 2013). We had hoped that hosting providers would take action to reduce the number of “hostile” sites, yet it appears that attackers are flocking to Amazon hosted services because of the ease with which new sites can be provisioned and brought up and running in a few moments. By contrast, GoDaddy dropped...


Voted one of the Best Computer Security Blogs 2016
NTT Security (US), Inc. (formerly Solutionary) is a security consulting and managed security services provider. The NTT Security blog is a place for IT professionals to both learn and talk about the latest in IT security and compliance.
