March 2015 was a month marked by global security exploits and the beginning of the end for an old browser friend, Internet Explorer. Well, when it came to Internet security, maybe IE was always more of a “frenemy.” All that and more in this month’s news roundup:
- FREAK Vulnerability for SSL/TLS: Researchers recently uncovered a long-standing, major weakness in the connection between computers and web servers around the world. The vulnerability, named FREAK (for Factoring attack on RSA-Export Keys), allows hackers to break 512-bit RSA keys and spy on decrypted Web traffic. Although the standard security protocol employs 2,048-bit RSA, the 512-bit protection is still common outside the US. Companies are scrambling to fix the FREAK flaw by securing host devices and web browsers.
- The Scope of FREAK Looms Large Thanks To Lazy Security Key Standards: Following the headlines about FREAK, research from the University of London estimated that approximately 10% of hosts on the Internet are vulnerable to this kind of attack. Digging deeper, the British researchers discovered an even bigger problem. Among their test sample, they found nearly 28,000 hosts that accepted the exact same public RSA key. This means that a hacker could crack just one of these hosts and grab financial data and other private information passing through thousands of other servers and devices. Sounds like it’s time to change keys.
- Mazel Tov! The Bar Mitzvah Exploit Takes The Pulpit: Itsik Martin of the security firm Imperva disclosed a new potential hack that takes advantage of the outdated RC4 algorithm. RC4 is still common around the globe despite the availability of the more secure AES algorithm. Cracking the weak keys of RC4 allows a criminal to view account credentials as well as personal and financial information. The hack was dubbed the “Bar Mitzvah Exploit” because the RC4 weakness was first reported 13 years ago. No word yet if the Bar Mitzvah Exploit will have a live band or DJ at its reception.
- Disturbing Trends in Zero Day Vulnerabilities: Zero Day exploits are on the rise. These vulnerabilities are IT security holes that a manufacturer hasn’t yet patched. The number of such gaps rose from 2013 to 2014, according to the Danish research firm Secunia. Among Web browsers, security flaws increased from 728 to 1,035 last year. Just think: instead of tracking and patching over a thousand security holes among your employees’ browsers, consolidating to a single, cloud-based browser would simplify your job and improve your company’s network protection.
- Medical Record Theft Is A Booming Business: According to the 5th Annual Study On Medical Identity Theft, rates of medical ID theft have nearly doubled over the past five years. Last year, nearly 2 million people were victims of medical identity theft. Well over half of these victims paid at least $13,000 to resolve the crime and restore their information. In a survey of healthcare customers, almost half the respondents said they would consider switching providers if their medical records were lost or stolen. Translation: For an insurer, hospital, or private practice, increasing network security might be the key to getting more patients.
- Farewell to Internet Explorer: Microsoft announced it is discontinuing its signature browser, Internet Explorer. The company’s new browser, code-named “Project Spartan,” will be part of the Windows 10 suite. Among its many features, the new browser will be faster, allow annotation of web pages, simplify a page’s appearance for ease of reading, and sync reading lists across devices. But Luddites can rest easy -- IE will still be available for enterprise customers with legacy apps that rely on the old browser.
- Two Healthcare Hacks, One Culprit: Health insurer Premera Blue Cross announced that clinical and financial records of up to 11 million people were compromised in a May 2014 data breach. Following the disclosure, security firms discovered a striking similarity between the Premera incident and the Anthem digital break-in reported last month. In both cases, hackers registered fake domain names that appeared similar to the insurers’ real URLs. The combination of bogus domains and successful phishing campaigns against employees created an opportunity for thieves. The current thinking is that both breaches were orchestrated by the China-based hacking collective Deep Panda.