FreshRSS

Naked Security

S3 Ep121: Can you get hacked and then prosecuted for it? [Audio + Text]

By Paul Ducklin — February 9th 2023 at 19:41
Latest episode. Listen now!

The Hacker News

OpenSSL Fixes Multiple New Security Flaws with Latest Update

By Ravie Lakshmanan — February 9th 2023 at 09:51
The OpenSSL Project has released fixes to address several security flaws, including a high-severity bug in the open source encryption toolkit that could potentially expose users to malicious attacks. Tracked as CVE-2023-0286, the issue relates to a case of type confusion that may permit an adversary to "read memory contents or enact a denial-of-service," the maintainers said in an advisory. The
Naked Security

OpenSSL fixes High Severity data-stealing bug – patch now!

By Paul Ducklin — February 8th 2023 at 02:58
7 memory mismanagements and a timing attack. We explain all the jargon bug terminology in plain English...

The Hacker News

CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems

By Ravie Lakshmanan — January 18th 2023 at 05:56
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec. The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw (CVE-2022-45092, CVSS score: 9.9)
The Hacker News

Royal Ransomware Threat Takes Aim at U.S. Healthcare System

By Ravie Lakshmanan — December 12th 2022 at 07:57
The U.S. Department of Health and Human Services (HHS) has cautioned of ongoing Royal ransomware attacks targeting healthcare entities in the country. "While most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal," the agency's Health Sector Cybersecurity
The Hacker News

Dell, HP, and Lenovo Devices Found Using Outdated OpenSSL Versions

By Ravie Lakshmanan — November 25th 2022 at 11:15
An analysis of firmware images across devices from Dell, HP, and Lenovo has revealed the presence of outdated versions of the OpenSSL cryptographic library, underscoring a supply chain risk. EFI Development Kit, aka EDK, is an open source implementation of the Unified Extensible Firmware Interface (UEFI), which functions as an interface between the operating system and the firmware embedded in
Naked Security

S3 Ep107: Eight months to kick out the crooks and you think that’s GOOD? [Audio + Text]

By Paul Ducklin — November 3rd 2022 at 17:51
Listen now - latest episode - audio plus full transcript

Naked Security

The OpenSSL security update story – how can you tell what needs fixing?

By Paul Ducklin — November 3rd 2022 at 00:44
How to Hack! Finding OpenSSL library files and accurately identifying their version numbers...
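The inventory step the article teases (find every OpenSSL library on a host and read the version each one was built with) can be scripted. The following is an added example and is not code from the Naked Security article or from the OpenSSL project. It assumes a Linux/Unix host with POSIX sh, grep, find and sed; the search directories, the library filename patterns and the baseline version in the usage line are assumptions, and the only fact it relies on is that OpenSSL embeds a version string of the form "OpenSSL 1.1.1q  5 Jul 2022" or "OpenSSL 3.0.7 1 Nov 2022" in libcrypto/libssl. It goes slightly beyond the article's teaser by also comparing versions across the 1.1.1-letter and 3.x numeric schemes.

```sh
#!/bin/sh
# Added example (not from the linked article or the OpenSSL project):
# locate OpenSSL shared libraries on a host, read the version string each
# one embeds, and flag anything older than a baseline you choose.

# Print the OpenSSL version embedded in one file, e.g. "1.1.1q" or "3.0.7".
# grep -a treats the binary as text, -o prints only the matched substring,
# so this works even where the `strings` tool is not installed.
openssl_version_from_file() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -ao 'OpenSSL [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*' "$f" \
        | head -n 1 \
        | sed 's/^OpenSSL //'
}

# Turn a version string into four sortable integers:
#   "1.1.1q" -> "1 1 1 113"   (letter suffix mapped to its ASCII code)
#   "3.0.7"  -> "3 0 7 0"     (no letter suffix in the 3.x scheme)
version_key() {
    num=$(printf '%s' "$1" | sed 's/[a-z]*$//')
    letter=$(printf '%s' "$1" | sed 's/^[0-9.]*//')
    set -- $(printf '%s' "$num" | tr '.' ' ')
    if [ -n "$letter" ]; then lv=$(printf '%d' "'$letter"); else lv=0; fi
    printf '%d %d %d %d' "$1" "$2" "$3" "$lv"
}

# Exit status 0 if version $1 is older than version $2, 1 otherwise.
openssl_version_lt() {
    set -- $(version_key "$1") $(version_key "$2")
    [ "$1" -lt "$5" ] && return 0
    [ "$1" -gt "$5" ] && return 1
    [ "$2" -lt "$6" ] && return 0
    [ "$2" -gt "$6" ] && return 1
    [ "$3" -lt "$7" ] && return 0
    [ "$3" -gt "$7" ] && return 1
    [ "$4" -lt "$8" ] && return 0
    return 1
}

# List libssl/libcrypto shared objects under the usual library directories
# (assumed; extend with extra directories as arguments). /opt is included
# because vendor software often ships its own private copy of OpenSSL.
find_openssl_libs() {
    for d in /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /opt "$@"; do
        [ -d "$d" ] || continue
        find "$d" \( -name 'libssl*.so*' -o -name 'libcrypto*.so*' \) \
            -type f 2>/dev/null
    done | sort -u
}

# Print "path<TAB>version<TAB>status" for every library found; status is
# OLD when the version is below the baseline given as $1, else OK.
report_openssl_versions() {
    baseline="$1"; shift
    find_openssl_libs "$@" | while IFS= read -r lib; do
        v=$(openssl_version_from_file "$lib" || true)
        if [ -z "$v" ]; then
            status=UNKNOWN
        elif openssl_version_lt "$v" "$baseline"; then
            status=OLD
        else
            status=OK
        fi
        printf '%s\t%s\t%s\n' "$lib" "${v:-unknown}" "$status"
    done
}

# Usage (baseline chosen as an assumption; pick the fixed release you need):
#   report_openssl_versions 3.0.7
```

A version string inside a library only tells you what the file was built from, not whether a distribution backported the fix to an older-numbered package, so treat OLD as "check the package changelog", not as a confirmed vulnerability. Statically linked copies inside application binaries will not match the filename patterns above; scanning the application binaries themselves with openssl_version_from_file covers those.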


Naked Security

OpenSSL patches are out – CRITICAL bug downgraded to HIGH, but patch anyway!

By Paul Ducklin — November 1st 2022 at 17:24
That bated-breath OpenSSL update is out! It's no longer rated CRITICAL, but we advise you to patch ASAP anyway. Here's why...

The Hacker News

OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities

By Ravie Lakshmanan — November 1st 2022 at 16:26
The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service (DoS) and remote code execution. The issues, tracked as CVE-2022-3602 and CVE-2022-3786, have been described as buffer overrun vulnerabilities that can be triggered during X.509 certificate verification by supplying a specially-crafted email
Naked Security

OpenSSL fixes two “one-liner” crypto bugs – what you need to know

By Paul Ducklin — July 6th 2022 at 16:52
"As bad as Heartbleed"? We heard that concern a week ago, but we think it's less ungood than that...

Naked Security

S3 Ep89: Sextortion, blockchain blunder, and an OpenSSL bugfix [Podcast + Transcript]

By Paul Ducklin — June 30th 2022 at 12:57
Latest episode - listen and read now! Use our advice to advise your own friends and family... let's all do our bit to stand up to scammers!

The Hacker News

OpenSSL to Release Security Patch for Remote Memory Corruption Vulnerability

By Ravie Lakshmanan — June 28th 2022 at 08:59
The latest version of the OpenSSL library has been discovered as susceptible to a remote memory-corruption vulnerability on select systems. The issue has been identified in OpenSSL version 3.0.4, which was released on June 21, 2022, and impacts x64 systems with the AVX-512 instruction set. OpenSSL 1.1.1 as well as OpenSSL forks BoringSSL and LibreSSL are not affected. Security
Naked Security

OpenSSL issues a bugfix for the previous bugfix

By Paul Ducklin — June 24th 2022 at 15:32
Fortunately, it's not a major bugfix, which means it's easy to patch and can teach us all some useful lessons.

Naked Security

OpenSSL patches infinite-loop DoS bug in certificate verification

By Paul Ducklin — March 18th 2022 at 17:59
When it comes to writing loops in your code... never sit on the fence!

Naked Security

Serious Security: OpenSSL fixes “error conflation” bugs – how mixing up mistakes can lead to trouble

By Paul Ducklin — December 17th 2021 at 17:57
Have you ever seen the message "An error occurred"? Even worse, the message "This error cannot occur"? Facts matter!
