UPDATE 2/24/17, 4:30 PM PST: Researcher Hanno Böck (@hanno) has confirmed that leaked CloudFlare data was not entirely purged from multiple search engine caches ahead of the public disclosure. In April 2014, the security community was shocked with the revelation that a poorly implemented TLS extension in OpenSSL could allow attackers to easily disclose privat
F5 Networks BIG-IP appliances are affected by a serious vulnerability, tracked as CVE-2016-9244 and dubbed ‘Ticketbleed’, that exposes them to remote attacks
The F5 Networks BIG-IP appliances are affected by a serious flaw, tracked as CVE-2016-9244 and dubbed ‘Ticketbleed’, that can be exploited by a remote attacker to extract the conten
More than two years after the disclosure of the HeartBleed bug, 200,000 services are still affected.
Systems susceptible to Heartbleed attacks are still far too many: despite the flaw having been discovered in 2014, nearly 200,000 systems are still affected.
Shodan ran a similar search in November 2015 and found 238,000 results; the number dropped to 237,539 resul
A recent report released by Shodan found that as of January 22, 2017, nearly 200,000 publicly accessible internet devices were vulnerable to Heartbleed. The detailed report gives some insight into those who continue to be exposed to this vulnerability. It’s no surprise that the majority of these systems are HTTPS pages hosted by Apache and running on Li
SSL is a primary layer of defense on the Internet that makes it possible to have authenticated private conversations even over an untrusted network. Implementing a robust and secure SSL stack, however, is not trivial. Mistakes can lead to large attack surfaces, such as what we witnessed with OpenSSL when “Heartbleed” was discovered. In the wake of “Heartbleed
On April 7, 2014, the world first learned about the Heartbleed vulnerability. A small flaw in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520), Heartbleed enables an attacker to unravel the encryption measures in systems protected by vulnerable OpenSSL software, which some at the time estimated
The notorious hacker Detox Ransome was searching for Heartbleed-vulnerable servers when he found and stole a Democratic National Committee DB in 2015.
According to The Epoch Times, the notorious hacker Detox Ransome stole Democrat Databases in 2015. In September 2015, the hacker breached a service linked to the operations of the Democratic National Committee ac
A critical bug that can leak secret cryptographic keys has just been fixed in OpenSSH, one of the more widely used implementations of the secure shell (SSH) protocol. The vulnerability resides only in the version end users use to connect to servers and not in versions used by servers. A maliciously configured server could exploit it to obtain the content
Twice in the past year, security researchers have found and reported critical vulnerabilities in Modbus gateways built by Advantech that are used to connect serial devices in industrial control environments to IP networks. Most recently, independent security researcher Neil Smith found hard-coded SSH keys in the Advantech EKI series of devices, while a year a
Many merchants will tell you that PCI compliance is time-consuming and a drain on resources that should be focused on attracting more business – there is even a well-established market of PCI consultants and businesses to hire. The general sentiment is how to quickly and easily check the box. Monitoring and logging activity to create custom reports for the au
Two-factor authentication (2FA) is a type of multi-factor authentication that verifies a user based on something they have and something they know. The most popular 2FA method currently in use is the token code, which generates an authentication code at fixed intervals. Generally, the user will enter their username, and their password will be a secret PIN
In December 1890, Samuel Warren and Louis Brandeis, concerned about privacy implications of the new “instantaneous camera,” penned The Right to Privacy, where they argue for protecting “all persons, whatsoever their position or station, from having matters which they may properly prefer to keep private, made public against their will.” 125 years later, our pr
Why the Rapid Request for PCI 3.1? Announced April 15, 2015 with a high sense of urgency, PCI 3.1 is an unusual update occurring outside the typical three-year lifecycle for PCI DSS. But is it really that unusual for the data security world? The threat landscape is highly dynamic and requires continuous updates & monitoring, so why not PCI? PCI 3.1 is a d
Authentication is a weak link in any enterprise security solution, primarily because it relies heavily on how people use it. It’s also one of the most important factors, and any flaws can lead to significant issues and costly cyberattacks. As just one example, earlier this year the IBM-discovered Dyre Wolf campaign stole over $1 million from targeted e
Over a year has now passed since we were first alerted to a flaw in the OpenSSL cryptography library, widely used in implementations of the Transport Layer Security (TLS) protocol. The bug, CVE-2014-0160, was quickly dubbed “Heartbleed” (http://heartbleed.com/) after a missing bounds check in the TLS heartbeat extension. Despite the passing of time and the hig