Information Security News
Employee Retention is Critical to Solving the Security Skills Shortage
A good infosec professional is insatiably curious; a job that attempts to satiate that curiosity will have the most success. There should be freedom around this acquisition of knowledge too. Employers should be cognizant of cross-training, but also of letting people find new ...
Maintainers of the OpenSSL cryptographic code library have fixed a high-severity vulnerability that made it possible for attackers to obtain the key that decrypts communications secured in HTTPS and other transport layer security channels.
While the potential impact is high, the vulnerability can be exploited only when a variety of conditions are met. First, it's present only in OpenSSL version 1.0.2. Applications that rely on it must use groups based on the digital signature algorithm (DSA) to generate ephemeral keys for the Diffie-Hellman key exchange. By default, servers that do this will reuse the same private Diffie-Hellman exponent for the life of the server process, and that makes them vulnerable to the key-recovery attack. DSA-based Diffie-Hellman configurations that rely on a static Diffie-Hellman ciphersuite are also susceptible.
Fortunately, the requirements don't appear to be met by many mainstream applications that rely on OpenSSL and use DSA-based Diffie-Hellman. The Apache Web server, for instance, turns on the SSL_OP_SINGLE_DH_USE option, which causes different private exponents to be used. The OpenSSL-derived BoringSSL code library, meanwhile, got rid of SSL_OP_SINGLE_DH_USE support a few months ago, and LibreSSL deprecated it earlier this week. The applications and libraries may still be vulnerable when using a static ciphersuite, however.
SANS Atlanta Cybersecurity Training will Detail the Most Effective Steps to Prevent Against Attacks
PR Newswire (press release)
BETHESDA, Md., Jan. 28, 2016 /PRNewswire-USNewswire/ -- SANS Institute, the global leader in information security training, today announced SANS Atlanta 2016 taking place April 4 – 9. This hands-on immersion style security training event will provide ...
Security Requirements Are Driving Identity Management
Cybersecurity professionals are getting more involved in identity and access management (IAM) decisions and day-to-day operations, which is driving changes to IT and infosec.
LG is closing a security hole that makes it possible for attackers to steal chat histories and other sensitive data stored on an estimated 10 million G3 phones.
The vulnerability resides in an LG app called Smart Notice. It comes preinstalled on new LG G3 devices and displays a variety of notifications and suggestions, including reminders to stay in touch with favorite contacts, prompts to save recent callers' contact information, and birthday reminders. The app fails to validate data presented to users, making it possible for attackers to manipulate data such as contact information so that it executes malicious code on affected handsets.
"Using the vulnerability, an attacker can easily open the user device to a data theft attack, extracting private information saved on the SD card including WhatsApp data and private images; put the user in danger of a phishing attack by misleading the end user; and enable the installation of a malicious program on the device," researchers wrote in a blog post published Thursday. "We informed LG, which responded quickly to notice of the vulnerability, and we encourage users to immediately upgrade their application to the new Smart Notice release, which contains a patch."
Careers in InfoSec: Don't Be Fooled By The Credential Alphabet
There is no shortage of people in the information security community who seem to have an endless sea of letters following their name. Degrees and certifications abound, and some people seem to be on a mission to collect as many of them as possible.
5 ways to kickstart your infosec job search in 2016