In-brief: The resignation of the Office of Personnel Management’s Director may have ended official Washington’s search for a fall guy, but it won’t solve anything and may make recovering from the hack harder, experts warn.
Recent Posts
Hacking Team incident prompts calls to retire Adobe Flash
In-brief: Adobe’s Flash technology may end up being the highest profile victim of the attack on software arms dealers the Hacking Team, as news of that group’s reliance on Flash vulnerabilities prompts calls for Adobe to permanently retire the web-enhancing technology.
Morpho Is A Profit-Based Hacking Group, Says Symantec
Attribution in information security attacks is difficult. Being able to put a particular person behind a keyboard is often the problem. However, in recent years, security companies have been doing a better job of identifying groups of individuals with similar attack methods and preferences. For example, CrowdStrike has identified over seven thousand discrete groups of state-sponsored actors, criminals, and hacktivists solely by their methods of operation, their patterns of attack. A report this week from Symantec looks at one particular group they call Morpho, which they believe is not state-sponsored but nonetheless responsible for intellectual property theft for monetary gain. Symantec notes that one key difference between attacks coming from competitors and state-sponsored attackers is that competitors are likely in a better position to request the theft of specific information of economic value. They make faster use of this information than a state-sponsored group. Morpho has a preference […]
Opinion: The Security Case for Software Defined Networking
In-brief: Recent news events underscore the threat that companies face from inadequately protected internal network assets. Cisco’s Scott Harrell argues that the adoption of software-defined networking may provide a powerful new tool to halt hackers’ ability to move within compromised networks.
New OpenSSL Flaw Is No Heartbleed
In-brief: Although severe, a new vulnerability in OpenSSL that allows an attacker to impersonate a trusted CA server is expected to have minimal impact. OpenSSL today issued a high severity advisory warning of forged certificates. During certificate verification, the alert says OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. This could allow an adversary to impersonate a trusted CA server and eavesdrop on otherwise encrypted communication. Fortunately, the flaw only affects versions of OpenSSL released last month and not yet available in some OSs such as Ubuntu. Affected versions are OpenSSL 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. Despite the severity, experts expect the overall impact will be minimal. “Exploiting the OpenSSL vulnerability (CVE-2015-1793) is not quick or easy, making it nowhere near as serious as Heartbleed,” said Veracode’s Vice President of Research Chris Eng in an email. “For starters, an […]