A roadmap for triaging Heartbleed exposures

By Byron Acohido, Last Watchdog

The acute notoriety of Heartbleed is a good thing in this sense: it ought to compel CIOs and CISOs to drill down on developing a roadmap for dealing with exposures that could run very deep.

The most worrisome aspect of Heartbleed arguably is the fact that  this gaping security hole is so pervasively embedded in the fabric of the  commercial Internet.  “There are a few protocols that dominate when it comes to the security and operation of the Internet as a whole, SSL/TLS is one of them.” says TK Keanini, CTO at Lancope.   “Everyone should have seen this coming.”

Companies and organizations ought to be scrambling over the next several days and weeks to triangulate and mitigate potential exposures relating to the wide use of the  OpenSSL encryption protocal recently shown to be dangerously squishy, from a security standpoint, observes  Dr. Mike Lloyd, CTO of RedSeal .  Top of mind should be the spectre of data thieves and cyber spies  hustling to exploit  the Heartbleed flaw in order to exfiltrate sensitive data, especially  private encryption keys, Lloyd says. …more

Heartbleed threat should boost Always On SSL as a best practice



Web site owners who are taking a closer look at their use of the SSL/TSL cryptographic protocols in the aftermath of the disclosure of the Heartbleed bug would be wise to heed the The Online Trust Alliance’s longstanding call to adopt Always On SSL. This best practice calls for using SSL/TLS across the entire website, instead of just the logon page, an all too common practice.

Last Watchdog …more

Über nasty Heartbleed bug exposes fabric of the Internet

By Byron Acohido, Last Watchdog

KINGSTON, Wash. – An über nasty security flaw has arisen from the din to command the attention of the global security community, rightfully so.

The so-called “Heartbleed” flaw represents a path bad guys can use to tap into OpenSSL, the open-source implementation of the SSL and TLS protocols that are used all across the Internet to encrypt sensitive data.

“This is a very serious vulnerability. It allows attackers to see a portion of the contents of memory of the vulnerable server,” says Matt Willems, LogRhythm Labs engineer. “This particular vulnerability still exists in many locations, so changing your password may just mean that the new password is vulnerable.”

John Miller, Security Research Manager at Trustwave, observes that the Heartbeat flaw was spawned when OpenSSL was tweaked more than two years ago. He says it makes sense that criminals took notice prior to good guy researchers at Google and a small security firm, codenomicon, identifying the flaw this week. …more

Why more steps to protect critical infrastructure are needed



(Editor’s note: In this Last Watchdog guest essay, By Lior Frenkel, CEO and co-founder of Waterfall Security Solutions, points out that some level of work is being done to protect industrial controls.)

By Lior Frenkel, Special to Last Watchdog

Most computers controlling critical infrastructures are protected by IT-style security at best. The problem is that IT-style protections are routinely bested by everyone from Chinese intelligence agencies to hacktivists who adopted …more

Senators blame Target execs for big data breach

By Byron Acohido, Last Watchdog

Target’s top dogs were raked over the coals at a Congressional hearing on Wednesday.

Two Democratic senators criticized Target’s management for not stopping a huge data breach of its systems, citing several missed opportunities to thwart the attack and protect customer data.

Sen. John D. Rockefeller IV, D-West Virg., and Sen. Richard Blumenthal, D-Con., pointed to Target’s failure to heed alerts issued by its expensive new FireEye malware detection systems and blamed its top executives.

“The best technology in the world is useless unless there’s good management,” Blumenthal said. “And here, to be quite blunt, there were multiple warnings from the company’s anti-intrusion software; they were missed by management.” …more

Q&A: Why FireEye alerts failed to stop Target hackers

(courtesy Threat Geek)

(courtesy Threat Geek)

By Byron Acohido, Last Watchdog

KINGSTON, Wash. – Target paid good money to install FireEye’s malware detection technology last year.

FireEye caught the bad guys already inside Target’s network. Alerts were issued – but ignored, according to Bloomberg Businessweek.

Were the tools oversold or poorly implemented? Or was dysfunction in Target management more to blame? LastWatchdog asked Jim Jaeger, Chief Cyber Services Strategist, General Dynamics Fidelis …more

Faked tax returns using stolen Social Security numbers swamp IRS

sh_IRS tax_550pxBy Byron Acohido, Last Watchdog

KINGSTON, Wash. – Fraudsters once again are having a field day using stolen personal data to file bogus tax returns, ripping off billions from the U.S. treasury and setting in motion a huge hassle for victimized citizens.

This crime is so easy to execute that petty thieves and organized crime gangs are doing it at scale. The government has stepped up arrests, but is no where near making a substantive dent, nor creating a meaningful deterrent.

Falsified returns are so easy to cash in because the IRS does not authenticate tax returns or W-2 forms prior to issuing a refund. And all a scammer needs is a name and Social Security Number. He or she can then fabricate a return and route the  refund to an address or bank account he or she controls. Last Watchdog asked iovation’s CTO Scott Waddell for some context: …more