Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.
Big items to consider: HSBC blames the banking outage on a DDoS attack and claims that everything is fine, contrary to what the customers believe. The OpenSSL cryptographic code library suffered a high-severity vulnerability that allowed attackers to obtain the key to decrypt secured communication. NYC has launched an investigation into four baby monitor companies that have been lacking in security for their devices. A report released by a security researcher revealed that UK businesses are 25% more likely to suffer from constant threats.
HSBC online banking suffers major outage, blames DDoS attack
Publication: Ars Technica
Reporter name: Kelly Fiveash
HSBC has been battling an apparent Distributed Denial of Service (DDoS) attack on its online banking system for the past few hours. HSBC blamed the outage on a DDoS attack, and attempted to spin the whole thing as a success story to mainstream news outlets. By way of example, witness this headline over at ITV News. The bank’s customers may see things a little differently, however, given the major disruption to the service on what will be one of the busiest days of the year for many people. Not only is the final Friday of the month payday for many folk in the UK, it’s also the end of January—which is a big deal for any freelance bods currently filing their annual tax returns.
High-severity bug in OpenSSL allows attackers to decrypt HTTPS traffic
Publication: Ars Technica
Reporter name: Dan Goodin
Maintainers of the OpenSSL cryptographic code library have fixed a high-severity vulnerability that made it possible for attackers to obtain the key that decrypts communications secured in HTTPS and other transport layer security channels. While the potential impact is high, the vulnerability can be exploited only when a variety of conditions are met. First, it is present only in OpenSSL version 1.0.2. Second, applications that rely on it must use groups based on the digital signature algorithm to generate ephemeral keys for the Diffie-Hellman key exchange. By default, servers that do this will reuse the same private Diffie-Hellman exponent for the life of the server process, and that makes them vulnerable to the key-recovery attack.
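The three conditions the article lists (1.0.2 line, DSA-style DH group, exponent reuse because SSL_OP_SINGLE_DH_USE is not set) can be turned into a small server-configuration audit. This is an added example, not code from the article or from OpenSSL; the function names are hypothetical, and the 0x00100000 bit value is the SSL_OP_SINGLE_DH_USE definition from the 1.0.2 ssl.h header, hard-coded because later OpenSSL releases redefine that option as 0.

```python
import ssl

# Bit value of SSL_OP_SINGLE_DH_USE in OpenSSL 1.0.2 (ssl.h), hard-coded here
# (assumption from the 1.0.2 header) because OpenSSL 1.1.0+ defines the option
# as 0: those versions always draw a fresh exponent, so ssl.OP_SINGLE_DH_USE
# cannot be relied on to carry a usable bit across library versions.
OPENSSL_102_SINGLE_DH_USE = 0x00100000


def dh_exponent_reuse_risk(openssl_version, ctx_options, dsa_style_dh_group):
    """Return True only when every condition the article describes holds.

    openssl_version    : (major, minor, fix) tuple, e.g. (1, 0, 2)
    ctx_options        : the SSL_CTX option bits configured on the server
    dsa_style_dh_group : True if the ephemeral-DH parameters come from a
                         DSA-style group (known from how dhparam was made)
    """
    if tuple(openssl_version[:3]) != (1, 0, 2):
        return False  # the article limits the bug to the 1.0.2 line
    if not dsa_style_dh_group:
        return False  # other DH parameter groups are not affected
    # Default 1.0.2 behaviour keeps one private exponent for the whole
    # process unless SSL_OP_SINGLE_DH_USE was set on the context.
    return not bool(ctx_options & OPENSSL_102_SINGLE_DH_USE)


def audit_local_context(ctx, dsa_style_dh_group):
    """Run the same check against a live ssl.SSLContext and the linked OpenSSL."""
    version = ssl.OPENSSL_VERSION_INFO[:3]
    return dh_exponent_reuse_risk(version, ctx.options, dsa_style_dh_group)


if __name__ == "__main__":
    # Constructed inputs: a 1.0.2 server with default options and a DSA-style
    # group is at risk; setting SSL_OP_SINGLE_DH_USE removes the condition.
    print(dh_exponent_reuse_risk((1, 0, 2), 0, True))
    print(dh_exponent_reuse_risk((1, 0, 2), OPENSSL_102_SINGLE_DH_USE, True))
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("local context at risk:", audit_local_context(server_ctx, True))
```

On a 1.0.2 server the mitigation the check looks for is setting SSL_OP_SINGLE_DH_USE on the SSL_CTX (or upgrading to the fixed release); on 1.1.0 and later the option is a no-op because the exponent is never reused.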
NYC Launches Investigation Into Hackable Baby Monitors
Publication: Wired
Reporter name: Andy Greenberg
On Wednesday the New York City Department of Consumer Affairs launched an investigation into the baby monitor industry’s hackable vulnerabilities, sending subpoenas to four companies—which the agency has declined to name for now—demanding information about their security practices. The subpoenas, according to the agency, demand to see evidence to back up claims that the companies make about the security of their devices, complaints they’ve received about unauthorized access to the cameras, their use of encryption on the devices, and their history of handling vulnerabilities discovered in the devices, including alerting customers, releasing patches, and whether those patches were actually implemented by the devices’ owners.
UK businesses under constant and increasing malware threat
Publication: ITProPortal
Reporter name: Sead Fadilpasic
UK businesses had a greater chance of being attacked by malware than those in the US or the Republic of Ireland in December 2015, a new report by security researchers suggests. The risk of malware infection in the UK thus increased 17 percent, the company concludes, with the number of active malware families increasing by 25 percent. The company says more than 1,500 different active malware families were identified in December, up from 1,200 in November of the same year.