Massive Webmail Credential Leak? – Daily Security Byte EP. 257

According to reports, a Russian cyber criminal has leaked over 272 million credentials, including many from popular webmail services. However, so far none of the companies have validated that the leaked credentials work today. Watch my video below to learn what I think, and what you can do to protect yourself.

(Episode Runtime: 3:34)

Direct YouTube Link: https://www.youtube.com/watch?v=1Icgdapc2uw

EPISODE REFERENCES:

• Article on massive webmail credential leak – Reuters
• Researchers’ blog post on the massive webmail credential leak – Hold Security
• My old blog post on Hold Security’s 1B leaked record claim – WatchGuard Blog
• May 5th is World Password Day – PasswordDay.org

— Corey Nachreiner, CISSP (@SecAdept)

Important OpenSSL Updates – Daily Security Byte EP. 256

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are two very important Internet protocols, as they help us encrypt Web traffic and much more. OpenSSL is a very popular Linux implementation of SSL/TLS, used in many products. If you use OpenSSL, watch the video to learn why you should update OpenSSL as soon as you can.

(Episode Runtime: 2:43)

Direct YouTube Link: https://www.youtube.com/watch?v=TE4pz9SD-mY

EPISODE REFERENCES:

• OpenSSL’s vulnerability page – OpenSSL
• Article on the latest OpenSSL security flaws – Ars Technica

— Corey Nachreiner, CISSP (@SecAdept)

DROWN Vulnerability – Daily Security Byte EP. 225

Researchers disclosed a critical new SSL vulnerability during one of the biggest security conferences in the world, RSA. DROWN, or Decrypting RSA with Obsolete and Weakened eNcryption, is an vulnerability that allows attackers to gain the public key of servers that still use SSLv2.0. Watch today’s video to learn more about it, and make sure to disable SSLv2.0 on all your servers, and to update OpenSSL.

(Episode Runtime: 5:25)

Direct YouTube Link: https://www.youtube.com/watch?v=TLMLw2sDB3E

EPISODE REFERENCES:

• The official DROWN vulnerability page – Drown Attack
• Full technical whitepaper on the DROWN attack [PDF] – Drown Attack
• OpenSSL’s guide to the DROWN attack – OpenSSL
• WatchGuard’s KB article on how DROWN affects our products – WatchGuard

— Corey Nachreiner, CISSP (@SecAdept)

OpenSSL DSA Vulnerability – Daily Security Byte EP. 209

Last week, the OpenSSL team fixed a vulnerability that could allow attackers to get the key used to encrypt your HTTPS or SSL connections. Watch today’s video to learn a bit more about this vulnerability, the update, and how WatchGuard products are affected.

(Episode Runtime: 3:17)

Direct YouTube Link: https://www.youtube.com/watch?v=I8yBGcTGtqM

EPISODE REFERENCES:

• OpenSSL fixes a serious vulnerability related to DSA – Ars Technica
• Details on OpenSSL key recovery attack – Blogspot
• OpenSSL security advisory for update – OpenSSL
• WatchGuard’s knowledge base article on our exposure [Requires login] – WatchGuard

— Corey Nachreiner, CISSP (@SecAdept)

Hacked Team Flash ’Sploit Patched – Daily Security Byte EP.112

Among all the embarrassing stolen data from The Hacking Team breach was a serious Adobe Flash zero day vulnerability, which is now in the hands of any blackhat criminal who knows how to use Google. If you don’t want cyber criminals exploiting this flaw against you, watch today’s video to learn what you can do.

(Episode Runtime: 1:47)

Direct YouTube Link: https://www.youtube.com/watch?v=05Vgkg9l-1M

EPISODE REFERENCES:

• Adobe emergency Flash update for July 2015 – Adobe
• Update on how Hacking Team was hacked – Engadget
• OpenSSL Security Advisory for July 2015 – OpenSSL\

— Corey Nachreiner, CISSP (@SecAdept)

Premera, CISA, and OpenSSL – WSWiR Episode 144

This week’s security news covered topics from biometrics, to nation-state cyber teams, to big data breaches, to new vulnerabilities. How’s the average network Joe to keep up? Let my weekly video help by quickly summarizing the important stuff.

Today’s show covers a US healthcare data breach, a new OpenSSL update, and the US CISA law. You’ll find it all in this week’s video, and more in the Reference section below.

(Episode Runtime: 11:23)

Direct YouTube Link: https://www.youtube.com/watch?v=nigzxITwPvI

EPISODE REFERENCES:

• Daily Security Bytes:
  • Monday: Securing HTTPS – Daily Security Byte EP.45
  • Tuesday: Premera Healthcare Breach – Daily Security Byte EP.46
  • Wednesday: Proof China Hacks – Daily Security Byte EP.47
  • Thursday: OpenSSL DoS – Daily Security Byte EP.48
  • Friday: CISA Passes Committee- Daily Security Byte EP.49

• HTTPS continues becoming a default
  • Pinterest beefs up security with HTTPS – Venture Beat
  • WatchGuard Firebox M500 keeps HTTPS safe – eWeek
  • WatchGuard Infographic on accelerated security – WatchGuard
• Premera data breach
  • Premera’s public announcement about their data breach – Premera
  • Me talking about the breach on local news – Q13 Fox
  • Bloomberg’s article on the Premera breach – Bloomberg
• Chinese government confirms cyber teams
  • Article describing proof that China admits to cyber attack teams – The Daily Beast
  • My article on how government hacking makes us all less secure – Dark Reading
• OpenSSL update not so bad
  • OpenSSL update to fix critical vulnerabilities – Krebs on Security
  • OpenSSL update is not as critical as first worried – Ars Technica
  • The OpenSSL advisory – OpenSSL
• CISA passes first Senate step
  • CISA passes the Senate intelligence committee – Wired
  • The full updated CISA bill – Scribd

EXTRAS:

• Popular Viner alleges that a hacker deleted all his Vines – BBC
• Snowden says Gov. will target IT admins – ZDNet
• Healthcare IoT exposes risk – Help Net Security
• More health insurers report breaches – Dark Reading
• Healthcare the new targeted vertical? – Dark Reading
• German Vice Chancellor said US threatened them over Snowden – The Intercept
• Tails (a secure OS) still vulnerable to BIOS malware – Forbes
• Bad software still found on Google Play – Betanews
• Great article on the increase InfoSec attack surface – Network World
• US gov. wants researchers to trust them about CFAA changes – Motherboard
• Is the President’s (US) fitbit a risk to his security? – IB Times
• Safari uses should update to fix 17 issues – ITPro
• DDoSers target Xbox’s latest popular online FPS – Daily Star
• Operation Woolen Goldfish targets European firms – Trend Micro
• Kaspersky allegedly has ties to Russian gov. – Bloomberg
• Litchfield finds critical Yahoo! Stores vulnerabilities – The Register
• $300 device cracks iOS passcodes in 17 hours – The Register
• Facial recognition becomes nouveau
  • Alibaba to use facial recognition for payments – Ubergizmo
  • Windows 10 Hello; built in biometric support – Microsoft News
  • Yet, it’s still easy to trick facial recognition – Popsci
• South Korea blames North Korea for nuclear reactor hacks – Reuters
• X-Force say 1B records leaked in 2014 – ZDNet
• Malware sets records in 2014 (again) – ITPro Portal
• Google play will adopt a human vetting process – Neowin
• Will USB-C limit our ability to avoid potentially malicious USB? – The Verge
• Krebs finds another healthcare hack [PDF] – KrebsonSecurity
• PCI Security Standards site suffers from XSS – Xssposed
• Cisco to change shipping practices to avoid interdiction – The Register
• Judicial committee approves FBI remote hacks – TechDirt
• Fed says it warned Premera of security issues – Seattle Times
• China wants source code and new encryption if you bank with them – Reuters
• Why law firms are a “cyber” target – Bloomberg
• Individual apps may still be vulnerable to FREAK – V3.co.uk
• A simple fake ID evades GoDaddy security (social engineering) – CSO Online
• Techniques link healthcare hacks – Computer World
• Great post on Anthem attack techniques – Threat Connect
• Did China hack Register.com? – Reuters
• Lots of new vulnerabilities ousted at Pwn2Own – The Register

— Corey Nachreiner, CISSP (@SecAdept)

OpenSSL DoS – Daily Security Byte EP.48

This week the information security (InfoSec) community was abuzz about an upcoming critical OpenSSL update. Would it fix the next FREAK or Heartbleed? Nope. It was much less severe than expected. Nonetheless, watch today’s video to learn how quickly you should patch.

 

(Episode Runtime: 1:55)

Direct YouTube Link: https://www.youtube.com/watch?v=UkehIk0KDaw

EPISODE REFERENCES:

• OpenSSL update to fix critical vulnerabilities – Krebs on Security
• OpenSSL update is not as critical as first worried – Ars Technica
• The OpenSSL advisory – OpenSSL

— Corey Nachreiner, CISSP (@SecAdept)

FREAK affects Windows – Daily Security Byte EP.39

I warned you about the FREAK SSL vulnerability on Tuesday. It turns out it affects Windows too. Learn how to mitigate the issue, and get an update on how WatchGuard’s products are affected in the video below.

(Episode Runtime: 1:56)

Direct YouTube Link: https://www.youtube.com/watch?v=JZNdJfMZnik

EPISODE REFERENCES:

• FREAK affects Windows too – Microsoft Advisory

— Corey Nachreiner, CISSP (@SecAdept)

Don’t FREAK Out – Daily Security Byte EP.36

I’m going to freak out if I hear about another security vulnerability in SSL…. Too late! Watch today’s episode to see whether or not you should freak about the FREAK SSL flaw.

(Episode Runtime: 2:17)

Direct YouTube Link: https://www.youtube.com/watch?v=ps3a7U0TOvo

WatchGuard customers might be curious if our products are affected by FREAK. Probably not! As far as our engineers have found, we do not enable the RSA_EXPORT cipher suite in our SSL implementations. We’re continuing to check to be sure, but so far we don’t appear to be affected by FREAK.

EPISODE REFERENCES:

• Official FREAK page and description – Freakattack
• CVE listing for FREAK vulnerability –  Mitre
• Good Ars Technica write-up on the FREAK flaw – Ars Technica

— Corey Nachreiner, CISSP (@SecAdept)

Poodle’s Back – WSWiR Episode 132

Another week, another batch of information security (infosec) news. Would you like a quick summary, rather than hunting it down yourself? No problem! Just check out our weekly video every Friday.

Today’s episode covers the Patch Day bonanza, lots of updates on the Sony Pictures breach, and a new twist on the “Poodle” SSL/TLS vulnerability. Press play for the scoop, and check our the References and Extras section for more stories and details.

(Episode Runtime: 7:13)

Direct YouTube Link: https://www.youtube.com/watch?v=WbbZjRtyODA

EPISODE REFERENCES:

• December Patch Day
  • Microsoft December 2014 Patch Day – WatchGuard Blog
  • UPDATE: Microsoft pulled the Exchange patch. Don’t install it yet! – Microsoft
  • Adobe December 2014 Patch Day – Adobe
  • Apple’s December Security Updates – Apple
• Sony Pictures Breach Updates
  • Sony attackers knew all about Sony’s network beforehand – Dark Reading
  • Attacker’s Also threaten Sony employees – The Guardian
  • North Korea denies Sony hack again, but says it was righteous – Computer World
  • FBI can’t attribute Sony hack to North Korea – CNET
  • FBI says GOP’s attack would beat 90% of defenses – IT Pro Portal
  • Details on Sony breach malware; Destover – Securelist
  • Sony breach traced to Bangkok hotel – Gizmodo
  • Sony allegedly hacks back – Re/code
  • Sony malware signed with Sony certificate; probably prank – SC Magazine
  • GOP threatens Sony employees in email – WSJ
  • Sony exec calls Angelina Jolie a “spoilt brat” in stolen email – The Guardian
  • Sony cancels “The Interview” marketing and interviews – Bloomberg
  • What one alleged employee feels about the Sony breach – Gizmodo
  • UPDATE: GOP sends some Sony employees yet another threatening message – Time
• Poodle Bites Again
  • The Poodle SSL/TLS flaw is back – Network World
  • Details on the new Poodle variant – Imperial Violet
  • Even more details on Poodle 2.0 – Vivaldi.net
  • CVE advisory for new Poodle variant – NIST
  • F5’s advisory on the new Poodle issue – F5
  • Scan your site for the new Poodle issue – Qualys SSL Labs

EXTRAS:

• Lizard Squad DDoSes PSN after Xbox Live – Forbes
• Anonymous warns Lizard Squad to back off on gaming DDoS attacks – CNR Online
• Fake malicious site warning helps distribute Zeus bot – Maximum PC
• Mobile payments company, Charge Anywhere, has been breached for five years – The Register
• The Sand’s allegedly hacked by Iranian hacktivists – Slashgear
• Some information security tips for retails (and everyone really) – Forbes
• Three ways the US government can help fight cyber crime – Network World
• Did a Russian cyber attack cause a Turkish pipeline fire? – Slate
• Nintendo plugs the first software 3DS exploit – Ars Technica
• Trip Advisor site suffers from major XSS vulnerability – Tech Week Europe
• Old vulnerabilities found in Linux X Windows –  The Register
• Rock guitarist sentenced to 10-day for being part of Anonymous attack – The Verge
• Smart watched have been hacked (no surprise there) – Phys.org
• The Pirate Bay raided; watch out for torrent-related scams – WatchGuard Blog
• A new market around surveillance – Daily Dot
• Inception malware hits European governments – Sky.com
• Attackers still using cloud servers for C&C – CBR Online
• Mobile malware might rack up your cell bill – The Guardian
• Canadian teen arrested for SWATing – Kotaku
• BGP hijacking still going strong – Slashdot
• FUN: Watch the trailer for “Blackhat” the movie – Gizmodo

— Corey Nachreiner, CISSP (@SecAdept)