Security

It takes roughly three steps to remediate the Heartbleed bug.

  1. Patching: Update your software to the latest versions of OpenSSL; thankfully almost all organizations have accomplished this step.
  2. Creation of New Private Keys: Creating new private keys will prevent an attacker, who already exploited the flaw before patching, from being able to spy on your encrypted.
  3. Reissuance of Security Certificates: This step will eliminate the ability of any attacker to spoof organizations and fool or phish their customers.

http://thehackernews.com/2017/01/heartbleed-openssl-vulnerability.html
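
Steps 2 and 3 only help if the reissued certificate actually carries a new key, so it is worth comparing the public-key fingerprints of the old and new certificates. This is an added example, not code from the quoted article. It assumes the `openssl` command-line tool is installed; the keys and certificates are throwaway ones built on the spot, self-signing stands in for the CA, and `www.example.test` is a placeholder name.

```shell
#!/bin/sh
# Added example. All keys and certificates are constructed here for the demo.

# SHA-256 fingerprint of the public key (SPKI) inside a certificate.
spki_fingerprint() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when both certificates are readable and their keys differ.
key_was_rotated() {
    a=$(spki_fingerprint "$1") && b=$(spki_fingerprint "$2") && [ "$a" != "$b" ]
}

# Step 2: generate a fresh private key, readable by the owner only.
new_key() {
    ( umask 077; openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null )
}

# Step 3: build a CSR from a key, then "issue" a certificate for it.
issue_cert() {   # usage: issue_cert KEY CERT_OUT
    openssl req -new -key "$1" -subj "/CN=www.example.test" -out "$2.csr" &&
    openssl x509 -req -in "$2.csr" -signkey "$1" -days 30 -out "$2" 2>/dev/null
}

# Prints "<result of reissuing from the old key> <result with a new key>".
demo() {
    d=$(mktemp -d) || return 1
    new_key "$d/old.key" && issue_cert "$d/old.key" "$d/old.crt"
    # Mistake: a new certificate built from the same, possibly leaked, key.
    issue_cert "$d/old.key" "$d/reused.crt"
    # Correct order: new key first, then the certificate.
    new_key "$d/new.key" && issue_cert "$d/new.key" "$d/new.crt"
    key_was_rotated "$d/old.crt" "$d/reused.crt" && r1=rotated || r1=REUSED
    key_was_rotated "$d/old.crt" "$d/new.crt" && r2=rotated || r2=REUSED
    rm -rf "$d"
    echo "$r1 $r2"
}

demo
```

A certificate that reports `REUSED` has a new serial number and validity period but still depends on the old private key, so step 2 was effectively skipped.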

Here's a useful way to check whether an email address has been spotted in one of the known data breaches of the last few years: https://haveibeenpwned.com

As usual, Krebs has a much more detailed exegesis of how this thing actually works.

New research suggests that an elaborate cybercrime ring is responsible for stealing between $3 million and $5 million worth of revenue from online publishers and video advertising networks each day. Experts say the scam relies on a vast network of cloaked Internet addresses, rented data centers, phony Web sites and fake users made to look like real people watching short ad segments online.

https://krebsonsecurity.com/2016/12/report-3-5m-in-ad-fraud-daily-from-methbot/

And in other news, Yahoo is still in business...
Seriously, who has a Yahoo account?

The data breach officially disclosed on Wednesday actually occurred in 2013 and, just like the one in 2014, allowed the cyber crooks to obtain personal information of its users but not credit card details.

http://thehackernews.com/2016/12/yahoo-data-breach-billion.html

Please please please for the love of all that's good, stop using Flash.
And don't get me started on Windows.

According to analysis released this month by Recorded Future, Adobe Flash vulnerabilities provided six of the top 10 vulnerabilities used by exploit kits in 2016. Exploit kits are automated tools that criminals stitch into the fabric of hacked or malicious Web sites, so that visitors who visit one of these sites with an outdated version of Flash in their browser can have malware silently installed. 

https://krebsonsecurity.com/2016/12/new-critical-fixes-for-flash-ms-windows/

Carnegie Mellon's Computer Emergency Response Team (CERT) warns:

Netgear's R7000 and R6400 routers, running current and latest versions of firmware, are vulnerable to arbitrary command injection attacks, though the number of users affected by the flaw is still unclear.

http://thehackernews.com/2016/12/netgear-router-hacking.html

Multi-level marketing comes to ransomware.

...to get their important files back, Popcorn Time gives victims the option to pay a ransom to the cyber criminal or infect two other people and have them pay the ransom to get a free decryption key.

http://thehackernews.com/2016/12/ransomware-malware.html

Lots of deep info here about whole classes of devices that are vulnerable to Mirai.

The fact that these things run telnet simply boggles the mind.

https://krebsonsecurity.com/2016/12/researchers-find-fresh-fodder-for-iot-attack-cannons/

If you're seeing this in your Analytics reports,

“Secret.ɢoogle.com You are invited! Enter only with this ticket URL. Copy it. Vote for Trump!”

and are sufficiently technical to do something about it, here's a great article on how to proceed.

http://blog.analytics-toolkit.com/2016/future-proofing-your-ga-vs-google-analytics-spam/

I've posted before on why HTTPS is important, and how to enable encryption.
There's even a free solution for SSL certs (Let's Encrypt).
Here's a very accessible explanation of the benefits:

https://blog.hubspot.com/marketing/enable-https-on-your-website#sm.000z8158sthpeky111x2e0m6s7erv