You are viewing 'SSL'
Additional 24 months allowed for compliance
In April 2015, the Payment Card Industry Security Standards Council (PCI SSC) released version 3.1 of the PCI Data Security Standard (PCI DSS), only four months after version 3.0 went into full effect. The most important changes are in the communications protocols SSL (all versions) and TLS (version 1.0). These protocols are now considered insecure. They are vulnerable to well-known exploits such as Heartbleed and POODLE.
The PCI deadline for migrating to newer, more secure protocols was originally June 2016. This gave organizations 14 months to address the changes. The generous schedule was an acknowledgement of real-world staffing and budget concerns, despite the fact that the... read more >
Here's the Cliff's Notes version of this week's announcement from the OpenSSL Project:
- Word gets out that OpenSSL is releasing patches for a high severity vulnerability
- The Internet: "OH NO THE INTERNET IS COMING TO AN END!"
- Patches released
- It wasn't a big deal
Here's the extended version:
Early this week, information came out that the OpenSSL Project was going to release patches for a "high severity" vulnerability, along with multiple others. Of course, at the time, there were no additional details. Cue the Internet, in usual form, expounding how this was going to be the next Heartbleed.
"Well, I've been to one world fair, a picnic, and a rodeo, and that's the stupidest thing I ever heard come over a set of earphones. You sure you got today's codes?" (Major T.J. "King" Kong)
The logical side, on the other hand, figured out that there wasn't much we could do until actual information was available.... read more >
2014 is the Year of the Retro Vulnerability
Last month, Shellshock exploited a 24+ year old flaw in the bash shell. Now we find that SSL 3.0, which is almost old enough to drive, is the basis of an attack which renders more modern encryption useless. This one goes by the name of POODLE (Padding Oracle On Downgraded Legacy Encryption).
Despite its name, this one has nothing to do with the Oracle database system (or dogs, for that matter). It’s a new way to exploit known flaws (CVE-2014-3566) in SSL 3.0. The details are in this short research paper, published by Google researchers on the OpenSSL site. The paper contains some heavy math, but the upshot is a conversation similar to this one:
Server: Please log in using a secure protocol. I recommend TLS.
Client: I don’t speak... read more >
My kids (now grown and mostly gone) have always called me paranoid or crazy. But I have always been aware of how unsafe the Internet really is.
Security is a state of mind or awareness. What do I mean by this? Have you ever considered who is watching your "private" Internet connection at home, at a public wireless hotspot, or at work? At a minimum, any of the following are tracking your activity and the sites you visit:
- Home ISP (Internet Service Provider)
- Browsers and social media sites (Google, Yahoo!, IE, Twitter, Facebook, etc.)
- Random tracking cookies (picked up during your previous Internet sessions)
- Any of the three-letter government agencies (looking for trends or patterns)
- Your company (if you are browsing from your work computer)
Remember: What happens on the Internet can be watched, and it... read more >
Something Old, Something New
The Solutionary Security Engineering Research Team (SERT) has released its Q2 2014 Quarterly Threat Intelligence Report. SERT identified both old and new trends during its research efforts this past quarter. For instance, it may not surprise anyone that the United States again topped the list of malware-hosting countries, but it is new that it accounted for 56% of the malware identified by the SERT honeynet (up from 44% in Q4 2013).
There were some changes in the top 10 hosting countries, but United States sites still rule this particular category. It may surprise you, however, to hear that Amazon hosted 41% of the malware SERT identified during the quarter (an increase of over 2.5 times the 16% found in Q3 2013). We had hoped that hosting providers would take action to reduce the number of "hostile" sites, yet it appears that attackers are flocking to Amazon-hosted services because of the ease with which new sites can be provisioned and brought online in a few moments. By contrast, GoDaddy dropped... read more >