Security Alerts & News
by Tymoteusz A. Góral

#1509 Nearly all top global companies have leaked credentials online
Many CSOs live in fear of waking up to an email reporting a data breach at their company, but the threat to an enterprise isn’t limited to a compromise of that specific organization. A new report shows that there are leaked employee credentials online for 97 percent of the top 1,000 global companies, many of which came from third-party breaches.

The last few years have seen a number of large-scale breaches at popular sites and companies, including LinkedIn, Adobe, MySpace, and Ashley Madison, and many of the credentials stolen during those incidents have ended up online in various places. Corporate employees, like most other users, often reuse their credentials in several places. But the worrisome thing is that many of them are using their work email addresses and passwords as credentials on third-party sites.
#1508 OpenSSL patches high-severity OCSP bug, mitigates SWEET32 attack
A vulnerability in the OpenSSL implementation of the Online Certificate Status Protocol (OCSP) was patched this week, closing a denial-of-service weakness in affected servers.

The patch was the most severe of 14 released yesterday by OpenSSL.

OCSP is, in many cases, an alternative to Certificate Revocation Lists: a client uses the protocol to query a server for the revocation status of a digital certificate.
#1507 We're told data breaches cost millions on average - but this security study disagrees
Far from running into millions, the average cost of a data breach is less than $200,000, or roughly what firms are spending on IT security systems, according to a study from the non-profit think tank RAND.

The study, published in the Journal of Cybersecurity, challenges the much higher cost estimates provided by the Ponemon Institute. This year that research organization put the average cost of a breach at $4m.

RAND policy researcher Sasha Romanosky analyzed 12,000 events between 2004 and 2015 and found that the cost to each firm was on average less than $200,000. This figure is on a par with the 0.4 percent of revenues that firms in the study spent annually on IT security.
#1506 Cisco Talos: Spam at levels not seen since 2010
Spam is back in a big way – at levels that have not been seen since 2010, in fact. That’s according to a blog post today from Cisco Talos, whose author Jaeson Schultz stated that the increase is largely the handiwork of the Necurs botnet.

“Many of the host IPs sending Necurs' spam have been infected for more than two years. To help keep the full scope of the botnet hidden, Necurs will only send spam from a subset of its minions. An infected host might be used for two to three days, and then sometimes not again for two to three weeks. This greatly complicates the job of security personnel who respond to spam attacks, because while they may believe the offending host was subsequently found and cleaned up, the reality is that the miscreants behind Necurs are just biding their time, and suddenly the spam starts all over again. At Talos, we see this pattern over, and over again for many Necurs-affiliated IPs,” he wrote.
#1505 Vulnerable ISAKMP Scanning Project
This scan is looking for devices that contain a vulnerability in their IKEv1 packet processing code that could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.

The goal of this project is to identify the vulnerable systems and report them back to the network owners for remediation.