10Fold – Security Never Sleeps – 83

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: Cyber thieves have succeeded in stealing sensitive tax and salary information on employees at a dozen companies that use the payroll giant ADP. Researchers have discovered that a critical image processing library has a severe vulnerability which has left a vast amount of websites open to attack. A new survey out by the Ponemon Institute found that the C-level executives are not engaged in their organizations’ third-party risk management processes and that a lack of formal programs in managing that risk is endangering the security and compliance of enterprises today. Maintainers of the OpenSSL cryptographic library have patched high-severity holes that could make it possible for attackers to decrypt login credentials or execute malicious code on Web servers.

Cyber thieves siphon tax forms from ADP payroll data – Publication: CNN Money – Reporter name: Jose Pagliery

On Tuesday, ADP (ADP) explained how fraudsters managed to siphon W-2 tax forms using a convenient online feature. The incident seems small in scope. But it shows how fraudsters have adopted novel techniques to steal personal information — especially the kind that can later be used to claim tax refunds. ADP didn’t say when the theft occurred, and wouldn’t tell CNNMoney how many people had their detailed income data exposed. But it noted the incident affected “around a dozen” of the company’s 630,000 corporate clients.


ImageMagick vulnerability exposes countless websites to exploit – Publication: ZDNet- Reporter name: Charlie Osborne

ImageMagick supplies the backbone library for image processing plugins, including PHP’s imagick, Ruby’s rmagick, paperclip and node.js’s imagemagick. The software is a set of command-line programs which make the bulk processing of images easier, as noted by Naked Security. This is a common feature of many websites, and now, a critical flaw within the software is placing these domains at risk of cyberattack. The vulnerability, CVE-2016-3714, was discovered by security researcher Stewie and the ramifications of the security flaw were explored by Nikolay Ermishkin from Mail.Ru’s security team.


Enterprises Lack Top-Down Management Of Third-Party Risk – Publication: DarkReading – Reporter name: Ericka Chickowski

Large-scale breaches that originate due to attackers targeting third-party weaknesses will continue to escalate until senior leadership and the C-suite starts taking third-party risk more seriously. As things stand, only about 30% of organizations assess security controls of business partners, vendors, and other third parties. When they do a review, the most common practice is a legal review. And one-third of organizations who do review controls said it would be unlikely that their organization would cease or terminate an agreement with a third party if the controls were found to be lacking compared to requirements. What’s more, over half of organizations say that their risk assessment of third-parties doesn’t give them visibility into the intellectual property or other high-value data in the hands of third parties.


Aging and bloated OpenSSL is purged of 2 high-severity bugs – Publication: Ars Technica – Reporter name: Dan Goodin

The updates were released Tuesday morning for both versions 1.0.1 and 1.0.2 of OpenSSL, which a large portion of the Internet relies on to cryptographically protect sensitive Web and e-mail traffic using the transport layer security protocol. OpenSSL advisories labeled the severity of both vulnerabilities “high,” meaning the updates fixing them should be installed as soon as possible. The fixes bring the latest supported versions to 1.0.1t and 1.0.2h.