Stuxnet kicked things off, and since then, there's been an explosion in sophisticated viruses targeting businesses and critical infrastructure in the Gulf region. But, prevention is still an option.
Microsoft plugged 26 vulnerabilities, and Adobe shored up 26 of its own as part of a monster Patch Tuesday. Each company is grappling with an active exploit as well.
In addition to 15 other vulnerabilities, Microsoft plugged a gaping Core XML Services hole that was being used in active exploits being foisted through Internet Explorer.
Illegitimately signed Microsoft certificates were used to help spread the nefarious Flame malware, another sign detailing just how sophisticated the espionage toolkit is.
GlobalSign, which briefly halted operations in September out of concern that it was the latest SSL certificate authority hacked, has determined that its CA infrastructure was never compromised.
New standards, set to go into effect July 1, 2012, are based on best practices across the SSL/TLS sector. But some researchers, who have called for an overhaul of a system they say is antiquated, don't think standards will help.
Netherlands-based KPN Corporate Market, a major telecommunications firm, has decided to exercise caution after uncovering a possible web server breach.
The slowness by which an offspring of Stuxnet was discovered may be further proof that attackers have a significant leg up on the security community.
Authentication solutions provider Vasco expects the bankruptcy of its Dutch-based certificate authority (CA), DigiNotar, to cost it between $3.3 and $4.8 million, according to a statement Tuesday. The estimate does not include losses that may arise through possible lawsuits filed against the company. On Sept. 20, DigiNotar was "declared bankrupt" by a District Court judge in The Netherlands after it emerged that the CA issued hundreds of counterfeit SSL credentials after hackers breached its systems. At least one phony certificate, for Google.com, appeared in the wild, presumably so Iranian users could be spied on the government. Vasco is based in Oakbrook Terrace, Ill.
The foundational assurance of the internet is in doubt these days, following attacks against certificate authorities Comodo and DigiNotar.
DigiNotar, the Dutch-based certificate authority that issued hundreds of counterfeit SSL certificates, is no more.
Are we seeing the decline and fall of SSL and the Certificate Authority model?
Microsoft released five important bulletins addressing 15 flaws, along with an update revoking six more DigiNotar certificates, while Adobe issued critical updates for Reader and Acrobat.
Certificate authority GlobalSign has discovered that the web server hosting its site was compromised by hackers .
Portsmouth, N.H.-based certificate authority (CA) GlobalSign plans to be back fully operating on Monday after temporarily suspending the issuance of SSL credentials due to claims from a hacker linked to attacks on Comodo and DigiNotar. In a Monday post to Pastebin, a hacker claimed responsibility for the major attack on DigiNotar and said he has access to four other CAs, including GlobalSign. "We are adopting a high-threat approach to bringing services back online and we are working with a number of organizations to audit the process," the company said in a news release. GlobalSign is still investigating the hacker's claims, but said it believes CAs are facing an "industry-wide" attack.
Browser manufacturers and the Dutch government are acting quickly to contain the breach at certificate authority DigiNotar. The incident, meanwhile, has prompted calls for a system overhaul.
Like Comodo before it, the certificate authority DigiNotar said its infrastructure was breached, allowing adversaries to create fraudulent SSL certificates.
Researchers have confirmed that for the second time in less than six months, a provider of SSL certificates has issued a phony credential for Google.com
Well-known researcher Moxie Marlinspike proposed a solution to revamp the current trust-relationship model on the web, essentially turning the power over to the users.
Sign up to our newsletters
SC Magazine Articles
- Malware on Lime Crime website, payment cards compromised
- Florida law enforcement docs show widespread stingray use, secrecy
- After Superfish-Lenovo incident, Facebook probes larger issue of SSL-sniffing adware
- Gemalto investigates claims that gov't spies hacked SIM card encryption keys
- Disconnect yawns between CISOs, exec leadership, study says
- Carbanak APT campaign made off with $1B from banks globally
- BMW issues security patch for bug allowing attackers physical access into vehicles
- NIST requests final comments on ICS security guide
- New attack uses ransomware to drop trojans and keyloggers
- Microsoft phishing emails target corporate users, deliver malware that evades sandboxes
- State breakdowns: Anthem breach by the numbers
- Botnet of Joomla servers furthers DDoS-for-hire scheme
- Study: SMBs lack thorough understanding of state data breach notification laws
- Bug in popular WordPress plugin opens up websites to SQL injection attacks