The ongoing furor over fake SSL certificates continued to dominate security headlines, while increasing SpyEye botnet activity and leaked patient health information also drew attention the week of Sept. 5.
week's biggest data breach news had nothing to do with Anonymous or any other
online group. Instead, Stanford
confirmed that a spreadsheet containing 20,000
patient records had been posted onto a commercial Website.
incident, an employee of a third-party service provider to the hospital posted
the entire patient information spreadsheet to a Website in search of help on
creating bar graphs. This is a remarkable, yet telling example of what can
go wrong if employees are not trained to be privacy conscious.
organizations increasingly share sensitive data with partners and contractors,
it's critical that IT administrators implement strong security controls
internally and demand their third-party providers to do the same.
the fallout from the hacking of Dutch certificate authority DigiNotar
continues, as major browser makers revoked the compromised company's root
removed the root certificates
from all supported versions of Windows so
that Internet Explorer and other programs won't allow users to access sites
with an SSL certificate signed by DigiNotar.
followed suit, but went one step further by demanding that all other
CAs audit their systems
, especially after reports that other certificate
authorities may also have been compromised.
moved quickly to update Chrome, and Opera Software has followed suit. Apple on
Sept. 9 finally released its Mac OS X update to protect Safari users. Adobe
also removed DigiNotar's Qualified CA certificate from the Adobe Approved Trust
List, protecting Adobe Reader and Adobe Acrobat versions 9 and X.
the fragility of the infrastructure powering the Internet, Turkish attackers
breached a European DNS provider and modified
the Domain Name System records
for several major Websites, including the
United Kingdom newspapers The Register and the Daily Telegraph.
though there's been a lot of talk by domain owners and DNS providers about the
necessity of deploying the security protocol DNSSEC to protect domains,
researchers pointed out that this wouldn't have stopped the attackers, since
the orders to redirect the sites came from the actual DNS provider. It
underscores the importance of securing Websites from basic issues such as SQL
injection because attackers will always go after the lowest hanging fruit
instead of sophisticated exploits.
announced a small
Patch Tuesday release for September
, with only five bulletins, none of
which was rated "critical." The company accidentally released the
final bulletins detailing the vulnerabilities fixed on Sept. 9, four days too
early, but managed to keep the links to the patches inactive.
bulletins have been yanked, but researchers at SANS Institute are concerned
that some of the bugs are misclassified and should have been ranked
"critical." The actual Patch Tuesday updates are expected to be
released on Sept. 13.
continue to rely on botnets to push out their malicious operations, and SpyEye
was the most dominant in the first half of 2011, according to a report released
Sept. 7. The researchers speculated that SpyEye's dominance could be the result
of the merger with the Zeus Trojan, and speculated even bigger activity now
that a version of the toolkit is readily available online.