Weekly Infosec News Brief – Mar 16-22, 2015

New OpenSSL Vulnerabilities Revealed; Patches Available

The OpenSSL Project released a security advisory on Thursday the 19th detailing a number of newly discovered vulnerabilities. Only one of these is rated as high severity, and it primarily creates a risk of server crashes or temporary loss of service, not compromise of the confidentiality of communications. The OpenSSL Project does not believe that anyone is actively exploiting any of these vulnerabilities at this time. The appropriate patches should be available as update packages in most Linux distributions. OpenSSL is incorporated into many products, so look for vendor updates coming soon for firewalls, VPN devices, and anything with a web-based interface.
https://www.openssl.org/news/secadv_20150319.txt
http://www.computerworld.com/article/2899482/openssl-fixes-serious-denial-of-service-bug-11-other-flaws.html


Password-Only Authentication Still the Norm

Despite the many risks associated with the use, re-use, loss, and resetting of passwords, approximately half of US IT professionals in a recent survey stated that passwords were still the sole means of user authentication for their systems. Given the variety of options available, particularly using “soft tokens” or SMS on smartphones, two-factor authentication is now within the reach of any organization. This is one of the top measures available to prevent intrusions and to limit their severity.
http://www.net-security.org/secworld.php?id=18104


“TeslaCrypt” Ransomware Targets New File Types, Including Game Files

A new type of “ransomware” malware encrypts games and related files, as well as music and photos, and then demands payment for the ability to recover the data. While this specific software is aimed more at home and individual users than at businesses, it is a good example of the proliferation of ransomware varieties. Good backups are a key defense, but keep in mind that if your backups are accessible via a drive letter they can be encrypted as well! Also, if your backup system writes new backups over old backups, you could find that your only backups are copies of already-encrypted files. Ensure that you can restore files from backups at least a month old.
http://www.computerworld.com/article/2896408/gamers-targeted-by-teslacrypt-ransomware-1-000-to-decrypt-games-mods-steam.html
