I can also be found writing on BH Consulting as Brian Honan's Social Media manager as well as appearing on Naked Security.




Heartbleed Research Shows Top Companies Are Slow To Mitigate Threat

According to Venafi, 97% of Global 2000 organisations’ public-facing servers remain vulnerable to cyber attacks due to incomplete Heartbleed remediation. This leaves the door open for attackers to spoof legitimate websites, decrypt private communications, and steal sensitive data sent over SSL.

Undiscovered for over two years, Heartbleed is an OpenSSL vulnerability that allows attackers to extract data in memory simply by communicating with a host server.

Successful exploits show that sensitive data, including passwords, SSL/TLS keys, and X.509 digital certificates, could be extracted. In addition to applying the OpenSSL patch, organisations must assume that all keys and certificates were compromised, given the extent and duration of the vulnerability.

Following Heartbleed’s discovery, experts from Bruce Schneier to Gartner warned that, to fully remediate Heartbleed, all SSL keys and certificates must be replaced.

Gartner analyst Erik Heidt warned that past “lazy” security and patch management was insufficient and that all keys and certificates should be replaced. Venafi Labs research from July 2014 found that critical security flaws remain due to a systemic failure to replace vulnerable keys and revoke and replace digital certificates.

For its Threat Research Analysis, Venafi Labs evaluated 1,639 Global 2000 organizations across more than 550,000 public-facing servers and found critical security flaws using the Venafi Labs Vulnerability Report.

The report reveals that only 387 Global 2000 organizations have fully remediated Heartbleed, accounting for an astonishingly small three percent of the total public-facing servers scanned. The remaining ninety-seven percent have significant exposure to ongoing cyber attacks and malicious activity.

Enterprises must also assume, just as many did with user IDs and passwords, that all keys and certificates were compromised – not just the keys and certificates that secured the systems hosting the Heartbleed vulnerability – and must be revoked and replaced. Thousands of applications behind the firewall, including those of Cisco, Juniper, HP, IBM, Oracle, McAfee, Symantec and many others, remain exposed.

Kevin Bocek, ‎vice president, security strategy and threat intelligence, Venafi, said:

“IT Security teams are under the false notion that they have remediated Heartbleed by applying a software patch. But if someone walks into your house through an open door and steals your house keys, you don’t then rely on the same locks once you’ve closed the door. Organizations must find and replace all of their keys and certificates — all of them. Otherwise massive security gaps and open doors remain. Enterprises need to equip themselves with systems to detect keys and certificates across their networks and in the cloud, and rapidly respond and remediate by replacing them.”

Recommended response and remediation:

  • Know where all of an organisation’s keys and certificates are located
  • Generate new cryptographic keys, request new certificates
  • Apply new keys and certificates, revoke old ones
  • Validate remediation to ensure new keys and certificates are in place and operational

Emmental, The Swiss Cheese Of Banking Security

Researchers at Trend Micro have discovered a new attack centred around a hole in Android-based two factor authentication systems used by some banks in Austria, Japan, Sweden and Switzerland. The attack begins in a familiar way – the prospective victim will receive a phishing email that will appear to be from a well-known and reputable site. [...]

Continue

Brits Abroad: Workaholic Holidaymakers Take Their Insecure Practices And Devices With Them

With the schools out for summer, it’s time for Brits to pack up their suitcases and jet off to sunnier destinations, and a new July 2014 survey from ESET in conjunction with One Poll has revealed most people won’t be forgetting their work-enabled mobile device in their luggage this year, with the anticipation of having to [...]

Continue

Infosec And Diversity

When I was younger I lived on the Essex/Suffolk border in an area probably best described as farmland. My village was what you may call ‘quaint’, consisting of a post office, four pubs, a great river for fishing in and nothing much else besides open space. It was so quiet and peaceful that the local police [...]

Continue

And Another Thing… What A Difference A Year Makes

They say time flies when you’re having fun and, for me, the last 12 months has proven that to be very true indeed. I cannot believe its been a whole year since I put out THAT post which, ultimately, made such a huge difference to my life. On June 25 last year I really was [...]

Continue