Ryan Naraine

Still no fix for TCP DoS weakness

Software vendors and security officials in several countries have been working for nearly six months on a fix for a serious flaw in a number of TCP implementations that caused a lot of controversy and speculation last fall. The problem could allow attackers to consume all of the resources on a given remote server, essentially making it unusable.

Now, it appears that the release of a patch for the weakness may not come for several more months.

Researchers can ID anonymous Twitterers

By Robert McMillan, IDG News Service
Researchers at the University of Texas at Austin have taken a close look at the way anonymous data can be analyzed and have come to some troubling conclusions [infoworld.com].
In a paper [33bits.org] set to be delivered at an upcoming security conference, they showed how they were able to map out the connections on public social networks such as Twitter and Flickr. They were then able to identify people who were on both networks by looking at the many connections surrounding their network of friends. The technique isn’t 100 percent effective, but it may make some users uncomfortable about whether they should allow their data to be shared in an anonymous format.

Multiple vulnerabilities found, fixed in OpenSSL

The OpenSSL Project has released new versions of its popular implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to fix multiple security vulnerabilities.
According to an advisory [openssl.org], the update fixes three security flaws that carry “moderate severity” ratings. The raw details:


By Chuck Miller, SC Magazine
Security updates for Cisco’s Internetwork Operating System (IOS) were released Wednesday [scmagazine.com] to shield against a number of vulnerabilities.
The security issues [cisco.com] are varied and relate to TCP, UDP, mobile and VPN vulnerabilities. In describing one bug, an advisory warned about a problem that could block traffic to a router or even cause it to crash.

By Andrew Storms
According to this news article [computerworld.com] and a statement by Heartland [2008breach.com], competitors of the now PCI-delisted payment processor are using the breach as a means to lure their customers. Competitors are apparently suggesting that doing business with Heartland will result in fines from Visa. That part is not true. Visa has publicly stated that no fines will be levied against Heartland’s customers.
However, would you continue to trust Heartland, its auditor and the PCI compliance standard to do their jobs in protecting your information?

By Kim Zetter, Wired.com
U.S. authorities are investigating the possibility of indicting and extraditing an Israeli man [wired.com] accused of hacking into Canadian banks as part of a credit and debit card scam that may also have affected two American banks. Ehud Tenenbaum has been in Canadian jail since last year and now U.S. law enforcement officials are looking into whether he was responsible for an attack on two U.S. banks that netted about $10 million.

By Gregg Keizer, ComputerWorld
Adobe Systems Inc. revealed today that it patched five critical vulnerabilities behind the scenes [computerworld.com] when it updated its Reader and Acrobat applications earlier this month to fix a bug already under attack.
According to a security bulletin issued today [adobe.com], the updates to Reader 9.1 and Acrobat 9.1 that Adobe delivered on March 10 included patches for not just one bug — as Adobe indicated at the time — but for five other vulnerabilities as well.