This week’s revelations about leaks of user passwords from the professional networking site LinkedIn, dating Web site eHarmony.com and music site Last.fm suggest that even tech-savvy firms are slow to accept that hashes -a once-reliable technology for storing data online – now offer scant protection for sensitive data.
The past week has brought to light more revelations about the mysterious Flame (or sKyWIper) worm that was first identified at the end of May. Among them: the eye-popping admission from Microsoft that the malware’s authors found a way to use that company’s Windows Update feature to distribute the malware.
UPDATE Professional social networking site LinkedIn announced early Wednesday morning that it was looking into reports of stolen passwords, according to a post on their Twitter page.
Two independent researchers are proposing an extension for TLS to provide greater trust in certificate authorities, which have become a weak link in the entire public key infrastructure after some big breaches involving fraudulent SSL certificates.
In a bulletin, the Department of Homeland Security (DHS) is warning healthcare organizations about the threat posed by insecure, network attached medical devices and the proliferation of smart phones, tablet PCs and other mobile devices in medical settings.
The recent trend of attackers using stolen digital certificates to make their malicious executables look legitimate is continuing unabated, with researchers now having come across a series of variants of the Etchfro Trojan that are using certificates taken from several companies and issued by VeriSign, Thawte and other certificate authorities.
The Dutch government has asked DigiNotar, the Dutch certificate authority that was broken into last summer, for €8.7 million ($11M USD) to recoup money it spent buying new certificates, according to several Dutch news reports. The Dutch interior ministry asked for €1 million in January, yet the number “has now risen to €8.7 million,” according to the company’s curator Rocco Mulder in an interview with Dutch news site nu.nl.
There’s a serious weakness in certain versions of Apple OS X that causes the operating system to store users’ login credentials for the FileVault encrypted storage in plaintext. The bug, which is found in older versions of FileVault present on OS X Lion 10.7.3 systems, enables anyone with admin access to the machine to get the login password for the FileVault system. The flaw also can be exploited when a machine is in FireWire disk mode and accessible to another computer.
A new project that was setup to monitor the quality and strength of the SSL implementations on top sites across the Internet found that 75 percent of them are vulnerable to the BEAST SSL attack and that just 10 percent of the sites surveyed should be considered secure.
FBI investigators have broadened their probe into emailed bomb threats at the University of Pittsburgh to an anonymous remailer in Austria.
Earlier this week, at the request of U.S. authorities, police visited Christian Mock, an Austrian provider who offers anonymous remailing services. Authorities had a court order allowing them to “create a forensic disk image” of the remailer. “Therefore, I had to destroy any exisiting keys and create new keys,” he announced in the alt.privacy.anon-server Google Group.
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.
