SSL News, Articles and Updates

Threats in SSL traffic rocket by 30 percent

While the use of HTTPS encryption is on the rise, the same is unfortunately true of attackers using it to mask their operations, according to a new report.

Cisco warns of a critical vulnerability in its SSL VPN solution

Hackers could run code on VPN box. Cisco has confirmed a critical security vulnerability in its SSL VPN solution, Adaptive Security Appliance (ASA), one of the most widely-deployed SSL VPNs on the market.

Terror EK spotted using SSL certificates to beat security

Cyber-criminals using the Terror exploit kit have recently starting using SSL certificates to help sneak the EK and its malware passed cyber-security staffers.

SSL encrypted malware doubles this year, phishing over SSL/TLS up 400%

Increasingly sophisticated malware strains are using SSL to encrypt their activity with malicious SSL-encrypted content more than doubling in the last six months according to a study from Zscaler ThreatLabZ.

US-CERT warns of MiTM security threats around inline SSL inspection

SSL inspection is much more widespread than previously thought and could help a MiTM attack, leading the US-CERT, part of the DHS in America, to issue a special advisory.

Microsoft update left Azure Linux virtual machines open to hacking

Microsoft patches configuration hole that allowed hackers to upload software packages to its Azure update infrastructure.

SSL handshake weakness leaves MacOS, iOS devices open to MitM attacks

A fundamental fault in the SSL handshake could allow hackers to use subvert MacOS and iOS devices and recruit them into a DDoS attack.

Ponemon: Financial institutions not prepared to address cyber-attacks in encrypted traffic

Duncan Hughes explains how SSL decryption will increasingl be needed to ensure encrypted traffic does not become a facilitator for attackers.

OPenSSL patch introduced flaw, critical fix advised

Critical bug in patch means OPenSSL security fix needs fixing.

Study claims economic globalisation brings on cyber-risk

Businesses have learned to embrace economic globalisation and have expanded operations around the world. A new report from BitSight studies how entering new countries can bring on financial, operational and legal risks, including cyber-risks, to an organisation.

WhiteHat reports The FREAKS are out

Whitehat's top 10 web hacking techniques of 2015 have been released and the freaks have topped the list.

2 Minutes On: DROWNing in SSL2 connection requests - the web's latest large-scale vulnerability

One of the latest large scale web vulnerabilities, dubbed DROWN (Decrypting RSA with Obsolete and Weakened Encryption), again targets SSL.

Google creates list of untrusted certificate authorities

Google has instituted a blacklist of untrustworthy certificates for use in the company's browser Chrome.

Researchers manage to derive user info from HTTPS

Researchers have demonstrated how encrypted comms traffic can be used to extract data on users' operating systems, browsers and applications.

Over 600 cloud providers not protecting users against Drown

Continuing exposure to DROWN vulnerability in cloud service providers could indicate deeper security issues and lackadaisical approach to software updates.

How to deal with the blind spots in your security created by SSL encrypted traffic

Robert Arandjelovic provides practical advice for CISOs, examining five of the most common network traffic inspections to protect against attacks that use security holes found in SSL encrypted traffic.

Drown attack could break TLS for third of websites

A new vulnerability could kill a certain kind of encryption for plenty of websites. An OpenSSL update has been rushed out to fix major flaw.

Mathletics coding error provokes security upgrades

A coding error that transmits children's login details has been discovered in the mathematics e-leaning platform, Mathletics

SSL visibility: decrypt and conquer

As internet traffic is increasingly encrypted, so the need to inspect encrypted traffic grows as that's where the malware will be says Ron Symons, adding that the time to invest in such systems is now.

Encryption increasingly used to hide attacks, says new report

Dell's new threat report adds further evidence to support the observation that attackers are increasingly hiding activity within HTTPS.

UK school awareness on secure logins is lacking

A UK school technology supplier has committed to providing secure logins for a service used by many schools.

Malware using legit certs to avoid detection, surveil users

Researchers have discovered a new family of malware that hides behind legitimate digital certificates and spies on the infected device.

ICYMI: OS X most vulnerable? Bank SSL use; GDPR agreed; Dutch damn backdoors; Baltic security boost

The latest In Case You Missed It (ICYMI) looks at Apple OS X vulnerability ranking; Banks still using SSL; GDPR agreed; Dutch oppose encryption backoors; Baltics boost national IT security

Let's Encrypt certificates issued for malvertising campaign

The generosity of the free TSL certificate non-profit, Let's Encrypt, has been abused by malvertising cyber-criminals

UK high-street banks accused of "shockingly bad" online security

Security you can bank on? Not quite, according to inquiries by Mike Kemp, co-founder of Xiphos Research, who found that outdated SSL security is the norm.

PCI SSC pushes back deadline for secure TLS

The PCI SSC has pushed back the date by which members must change to a secure version of TLS (currently 1.1 or higher); the migration is being revised today and pushed back from June 2016 to June 2018.

ICYMI: Aviation risk; netgear patch delay; legal threats; android malware variants; SSL weakness

This week's In Case You Missed It (ICYMI): Aviation risk warning; netgear patch delay; vulnerability disclosure -legal threats; android SMS malware variants; SSL weakness exploited for phishing.

Fraudsters exploit weak SSL certificate security to set up hundreds of phishing sites

Certificate authorities are granting SSL certificates to the owners of spoof domain names which are being used to phish customers of well-known retail and banking brands.

Unprotected keys and certificates losing customers for businesses

Certificate and key errors are costing businesses dearly and undermining the global economy, according to a Ponemon/Venafi report.

Symantec purges employees after unauthorised use of Google SSL certificates

Symantec have fired several staff members after they created unauthorised and potentially malicious Google SSL certificates