OpenSSL Patches Multiple Vulnerabilities

Original release date: December 03, 2015

OpenSSL has released updates patching four vulnerabilities. Exploitation of one of these vulnerabilities could allow an attacker to cause a Denial of Service condition. Updates available include:

  • OpenSSL 1.0.2e for 1.0.2 users
  • OpenSSL 1.0.1q for 1.0.1 users
  • OpenSSL 1.0.0t for 1.0.0 users
  • OpenSSL 0.9.8zh for 0.9.8 users

Users and administrators are encouraged to review the OpenSSL Security Advisory and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.


IRS Releases Second Tax Security Tip

Original release date: December 03, 2015

The Internal Revenue Service (IRS) has released the second in a series of tips intended to increase public awareness of how to protect personal and financial data online and at home. A new tip will be available each Monday through the start of the tax season in January, and will continue through the April tax deadline. US-CERT and the IRS recommend taxpayers prepare for heightened risk this tax season and remain vigilant year-round.

The second tip focuses on awareness of phishing attempts and prevention of malware infection when conducting business online. US-CERT encourages users and administrators to review IRS Security Awareness Tax Tip Number 2 for additional information.




VTech Hack – Over 7 Million Records Leaked (Children & Parents)

And once again, the messy technical flaws of a company are being exposed with the recent VTech hack – it’s really not looking good for them, with account passwords ‘secured’ with unsalted MD5 hashes and all kinds of private information being leaked, including parents’ addresses, kids’ birthdays, genders, secret answers and...

Read the full post at darknet.org.uk

Newest ransomware pilfers passwords before encrypting gigabytes of data

A new wave of crypto ransomware is hitting Windows users courtesy of poorly secured websites. Those sites are infected with Angler, the off-the-shelf, hack-by-numbers exploit kit that saves professional criminals the hassle of developing their own attack.

The latest round is especially nasty because before encryption, the drive-by attacks first use malware known as Pony to harvest any login credentials stored on the infected computer, according to a blog post published by a firm called Heimdal Security. The post explains:

The campaign is carried out by installing a cocktail of malware on the compromised PC. The first payload consists of the notorious data thief Pony, which systematically harvests all usable usernames and passwords from the infected system and sends them to a series of Control & Command servers controlled by the attackers.

The purpose of this action is to abuse legitimate access credentials to web servers and CMS systems used by websites and to inject the malicious script in these websites so that the campaign achieves the largest possible distribution.

In the second phase, the drive-by campaign unfolds via the victim being moved from the legitimate website, which has been compromised, to a heap of dedicated domains which drop the infamous Angler exploit kit.

The Angler exploit kit will then scan for vulnerabilities in popular third-party software and in insecure Microsoft Windows processes, if the system hasn’t been updated. Once the security holes are identified, Angler will exploit them and force-feed CryptoWall 4.0 into the victim’s system.

To appreciate just how insidious attacks like these are, consider this: earlier this week, Ars reported that the Reader's Digest website was actively infected by Angler. A reader promptly replied that someone in his organization had visited the site in early November—four weeks before the article was published—and was infected by CryptoWall after reading an article. The target's only mistake, it seems, was failing to update one of several apps.
