Doug Vitale Tech Blog

September-October 2014 News Archive

Cyberattacks Most Imminent Threat to U.S., Economy

ThreatPost, 28 Oct 2014 – In a panel discussion Monday morning, a crowded table of top-level security experts from industry, military and government agreed that the threat posed by cyberattacks targeting U.S. critical infrastructure and private industry now outweighs any other national security threat. [More]

PCI compliance under scrutiny following Big Data breaches

CSO Online, 22 Oct 2014 – As details filter out about the Home Depot hack (and many, many more data breaches), you can’t help but ask: How did this happen – especially when the company was supposed to adhere to specific safety regulations or else lose its capability to process credit card transactions? [More]

Windows Warning: Zero-Day ‘Sandworm’ Attack

infoRisk Today, 22 Oct 2014 – Microsoft is warning Windows users that they’re vulnerable to a new zero-day flaw that attackers have been exploiting to remotely execute arbitrary code. The alert follows Microsoft’s warning last week about a separate zero-day vulnerability which also exists in almost every supported version of the Windows operating system. That vulnerability came to light following its use for in-the-wild attacks by the “Sandworm Team” of hackers against Ukrainian targets, among others. [More]

POODLE vulnerability hastens the death of SSL 3.0

Tech Republic, 17 Oct 2014 – POODLE is a flaw in how browsers handle encryption; by negotiating down to SSL 3.0, attackers can alter padding data at the end of a block cipher in a way that forces a slow leak of data. Many of the cipher suites in SSL 3.0 have already been abandoned as insecure, due to small key sizes, biases, and simply having support already removed from browsers. [More]

The SSL 3.0 Vulnerability – POODLE Bug (AKA POODLEbleed)

Symantec, 17 Oct 2014 – A bug has been found in the Secure Sockets Layer (SSL) 3.0 cryptography protocol (SSLv3) which could be exploited to intercept data that’s supposed to be encrypted between computers and servers. Three Google security researchers discovered the flaw and detailed how it could be exploited through what they called a Padding Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566). [More]

Banks: Credit Card Breach at Staples Stores

Krebs on Security, 14 Oct 2014 – Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach. Staples says it is investigating “a potential issue” and has contacted law enforcement. [More]

Poodle SSL 3.0 Attack Exploits Widely-used Web Encryption Standard

Hacker News, 14 Oct 2014 – Another Heartbleed-like vulnerability has been discovered in the decade old but still widely used Secure Sockets Layer (SSL) 3.0 cryptographic protocol that could allow an attacker to decrypt contents of encrypted connections to websites. Google’s Security Team revealed on Tuesday that the most widely used web encryption standard SSL 3.0 has a major security vulnerability that could be exploited to steal sensitive data. The flaw affects any product that follows the Secure layer version 3, including Chrome, Firefox, and Internet Explorer. [More]

Tyupkin malware infects ATMs worldwide

Threat Post, 9 Oct 2014 – Criminals in Eastern Europe have evolved their attacks against automated teller machines, moving beyond solely targeting consumers with card skimmers that steal debit card numbers, to attacks against banks using malware that allows someone to remove money directly from an ATM without the need for a counterfeit or stolen card. [More]

Microsoft scores poorly in latest virus protection test for Windows 7

TechRepublic, 6 Oct 2014 – The number of products having perfect scores is up in AV-TEST’s latest test for virus protection for Windows 7, and Microsoft is still at the bottom. [More]

Yahoo says 3 servers hacked via Shellshock

Business Week, 6 Oct 2014 – Yahoo! Inc. said three of its computer servers were breached by hackers who exploited the Shellshock security hole. No user data was stolen. “As soon as we became aware of the issue, we began patching our systems and have been closely monitoring our network,” Elisa Shyu, a spokeswoman for the Sunnyvale, California-based company, said in an e-mail. [More]

Open source’s “shallow bugs” theory hasn’t been shellshocked

TechRepublic, 3 Oct 2014 – It hasn’t been a good year for open source. Not for its generally golden reputation for software quality and security, anyway. But in a rush to lay blame for the Bash Shellshock vulnerability (and previously for Heartbleed) some, like Roger Grimes, want to dismantle some of the cardinal tenets of open source, like the suggestion that “given enough eyeballs, all bugs are shallow.” Sorry, but the criticism falls flat. Here’s why. [More]

The Unpatchable Malware That Infects USBs Is Now on the Loose

Wired, 2 Oct 2014 – It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer. [More]

Every USB Device Under Threat. New Hack Is Undetectable And Unfixable

Forbes, 1 Oct 2014 – It is well known that USB drives can be dangerous. But what if the threat was undetectable, unfixable and could be planted into any USB device be it a USB drive, keyboard, mouse, web camera, printer, even smartphone or tablet? Well this nightmare scenario just became reality. [More]

The Fight For HTTPS

Fast Company, 1 Oct 2014 – Since 2009, Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU) has been trying to make the Internet more secure. His goal–getting companies to add a layer of encryption to their websites, turning HTTP to HTTPS–might not sound like much. After all, what’s one letter on a URL? But that extra letter, it turns out, is all it takes to make government surveillance, censorship attempts by authoritative regimes, and attacks by ill-intentioned hackers more difficult to pull off. [More]


Bash shell vulnerabilities plague Linux systems, and may be more damaging than Heartbleed

ShellShock: All you need to know about the Bash Bug vulnerability

Attackers exploiting Shellshock (CVE-2014-6721) in the wild

Retired NSA Technical Director Explains Snowden Docs

Alexa O’Brien, 30 Sep 2014 – I had an opportunity to attend a presentation by a retired technical director at the NSA, William Binney, which provided context for some of the published documents released by former NSA contractor, Edward Snowden. Because of the public value of Binney’s expertise on the subject, I decided to publish his presentation and comments on my website. [More]

Peak IPV4? Global IPv6 traffic is growing, DDoS dying

The Register, 30 Sep 2014 – European carriers are also among the top contributors of IPv6 traffic. Belgium’s Telenet, Germany’s Kabel Deutschland, and the Netherlands’ XS4ALL were among those carrying the highest rates of IPv6 traffic. Verizon Wireless in the US led all carriers with 50 per cent of its traffic being IPv6. [More]

‘Spike’ toolkit scales multi-vector DDoS with Windows, Linux hosts

SC Mag, 26 Sep 2014 – Distributed denial-of-service (DDoS) attacks aimed at regions of Asia and the U.S. have been linked to a new toolkit, dubbed “Spike.” Capable of scaling large, multi-vector attacks – which include SYN flood, UDP flood, domain name system (DNS) query flood and GET floods – the toolkit can communicate and execute commands to infected Windows, Linux and ARM-based devices, researchers with Akamai Technologies found. [More]

Could ultrafast broadband over copper speed the rollout of gigabit Internet?

Tech Republic, 26 Sep 2014 – For the most bandwidth hungry users fibre optic cable tends to be the best option; but as most UK consumers and small businesses are still on the old-style copper phone lines they’re forced to languish in the broadband slow lane. Now researchers claim to have demonstrated speeds approaching those seen over fibre optic – but without the hassle and expense of having to connect fibre to the premises, using instead a combination of fibre and copper. [More]

How Boston Children’s Hospital hit back at Anonymous

CSO, 15 Sep 2014 – Hackers purportedly representing Anonymous hit Boston Children’s Hospital with phishing and DDoS attacks this spring. The hospital fought back with vigilance, internal transparency and some old-fashioned sneakernet. That – and a little bit of luck – kept patient data safe. [More]

About 5 Million Google Account Credentials Dumped Online

Softpedia, 10 Sep 2014 – A database containing usernames and passwords for almost five million Google accounts emerged on a Russian forum late on September 9. The user dumping the information on Bitcoin Security board uses the online alias “tvskit” and says that although not all the entries are valid, more than 60% of them should be working; all passwords are provided in plain text. [More]

Home Depot Hit By Same Malware as Target

KrebsOnSecurity, 7 Sep 2014 – The apparent credit and debit card breach uncovered last week at Home Depot was aided in part by a new variant of the malicious software program that stole card account data from cash registers at Target last December, according to sources close to the investigation. [More]

Android: 33% more device shipments, 60% more fragmentation

TechRepublic, 5 Sep 2014 – Android has a problem. Or, rather, Android developers have a problem. Despite dominating a whopping 84.7% of the global smartphone market (up from 79.6% in 2013), Android fragmentation gets worse each year, with developers needing to account for at least 18,796 different Android devices in circulation this year. What’s a developer to do? [More]

Analysis of Chinese MITM on Google

Netresec, 4 Sep 2014 – The Chinese are running a MITM attack on SSL encrypted traffic between Chinese universities and Google. We’ve performed technical analysis of the attack, on request from, and can confirm that it is a real SSL MITM against and that it is being performed from within China. [More]

Hospital Hacks Are Skyrocketing Because Hospitals Are Easy to Hack

Gizmodo, 3 Sep 2014 – According to a fresh report from cybersecurity experts, hospitals are hackers’ new favorite playground. That’s unsettling news for anyone who’s ever visited a hospital (read: everyone) but it also offers a curious window into how we guard our most important data. Put bluntly, we do a pretty piss poor job of it. [More]

USB firmware: An upcoming threat for home and enterprise users

TechNet, 2 Sep 2014 – USB is a common industry standard for connecting peripherals like keyboards, webcams, and thumb drives to computers. During their presentation, the researchers illustrated a serious problem in how many USB devices are implemented. USB peripherals run their own processor and firmware to talk to the PC they are connected to, and the problems arise when the firmware on the USB peripheral is changed to be malicious. All major platforms such as Windows, Mac OS X, and Linux are affected since these problems are in the USB devices themselves, not the platforms they are connected to. [More]


Written by Doug Vitale

November 14, 2014 at 10:06 AM
