SSL.com’s Friday Security Roundup – June 19, 2015
Full-Time HTTPS: Massive Upvote
Securing their traffic through HTTPS-only connections: Reddit and Wikimedia. The “front page of the internet” reports this week that SSL-only viewing will be mandatory starting June 29th of this year. Meanwhile, Wikimedia announced the transition of all sites under their aegis to full-time encrypted connections “within a couple of weeks”. Both are also implementing HSTS, which instructs browsers to refuse insecure connections to a site once it has been seen over HTTPS. Elsewhere, perfectly adequate search provider Bing states they will begin encryption by default “beginning this summer”. All this is of course on the heels of last week’s call by the US CIO for HTTPS-only connections to .gov websites by the end of 2016.
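Since HSTS only protects visitors when the header a site sends is well-formed and long-lived, here is an added example (not code from SSL.com or from any site named above) that parses a Strict-Transport-Security value as RFC 6797 describes it and reports what would keep it from being effective or preload-eligible. The header strings are constructed samples, and the one-year max-age threshold is the browser preload-list submission requirement as assumed here.

```python
"""Parse and grade a Strict-Transport-Security (HSTS) response header.

Constructed example; not code from SSL.com or from any of the sites named
in the roundup. Directive syntax follows RFC 6797; the "preload-ready"
thresholds (max-age of at least one year, includeSubDomains, preload) are
the browser preload-list submission requirements as assumed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_YEAR = 31_536_000  # seconds; assumed minimum max-age for preload eligibility


@dataclass
class HstsPolicy:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def preload_ready(self) -> bool:
        return self.present and not self.problems


def parse_hsts(header: Optional[str]) -> HstsPolicy:
    """Turn the raw header value into an HstsPolicy, recording defects.

    RFC 6797: directives are separated by ';', names are case-insensitive,
    max-age is mandatory and its value may be quoted, a repeated directive
    makes the header invalid, and max-age=0 tells the browser to forget
    the policy. Unknown directives are ignored.
    """
    if header is None:
        return HstsPolicy(present=False, problems=["no Strict-Transport-Security header"])

    policy = HstsPolicy(present=True)
    seen = set()
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.problems.append(f"max-age is not an integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True

    if "max-age" not in seen:
        policy.problems.append("max-age directive missing (header is invalid)")
    elif policy.max_age == 0:
        policy.problems.append("max-age=0 removes the policy from the browser")
    elif policy.max_age is not None and policy.max_age < ONE_YEAR:
        policy.problems.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        policy.problems.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    if not policy.preload:
        policy.problems.append("preload directive missing: not eligible for the preload list")
    return policy


# Constructed sample header values, not observed from any real site.
SAMPLE_HEADERS: Dict[str, Optional[str]] = {
    "strong": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=300",
    "quoted-zero": 'max-age="0"; includeSubDomains',
    "absent": None,
}


def grade_all(headers: Dict[str, Optional[str]] = SAMPLE_HEADERS) -> Dict[str, HstsPolicy]:
    """Grade every sample header and return the policies keyed by label."""
    return {label: parse_hsts(value) for label, value in headers.items()}


if __name__ == "__main__":
    for label, policy in grade_all().items():
        verdict = "preload-ready" if policy.preload_ready else "; ".join(policy.problems)
        print(f"{label:12s} {verdict}")
```

Feed `parse_hsts` the header value captured from a server response to see why a policy would be rejected; a policy that passes with no problems is one browsers will honour for a year across all subdomains.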
Compromised: “Account email addresses, password reminders, server per user salts, and authentication hashes” held by LastPass, the popular password manager. Although according to the company no master passwords were themselves stolen, they (and we) still suggest resetting these, as well as enabling two factor authentication for enhanced security.
“I just want to say one word to you, Benjamin. Just one word. Malware.”
Made, by black hats wielding malware: mad bank, according to a recent report from security firm Trustwave. The most startling and reported finding: cybercriminals can “expect to earn a breathtaking 1,425% return on investment (ROI) – or $84,000 in revenue – over 30 days.” Also worth noting is that 98 percent of applications tested had at least one vulnerability, while the most vulnerabilities found in one application was an astounding 747.
Support User Privacy, See Your Business Grow 600%
Expanded sixfold: The number of daily search requests processed by DuckDuckGo, scrappy contender in the search engine field. Notable is that this growth began only after the revelation of widespread NSA snooping, and that DDG very pointedly does not harvest search results, track locations or store search data in any way at all – they instead make pretty decent money through old-school methods like ad views and affiliate links.
Winning Is a Habit. Success Is a Choice. Hacking Gets You a Visit From the Feds.
Opened, by the FBI: An investigation of the St. Louis Cardinals, for possibly hacking into the Houston Astros’ network. Compromised, per the New York Times, are “internal discussions about trades, proprietary statistics and scouting reports.” The owner of the Cardinals admitted that someone in his organization had committed “roguish behavior”, which sounds more like twirling one’s mustache while fencing with the queen’s guards than stealing personal data from an opposing team’s database and triggering a Federal investigation. The Gray Lady may be a mite off kilter about minor matters like WMD programs and whatnot, but given how the past couple of seasons have gone, their headline for this reportage was fair, full and accurate: “Of All Teams to Hack, Why the Astros?”
Meanwhile, there’s all the stuff that we couldn’t quite fit into this week’s roundup, including this week’s OS X/iOS vulnerability, the latest details about the unfolding OPM hack (but we’ll be surveying that particular trainwreck in more depth next week), the Let’s Encrypt initiative finally announcing hard launch dates, how Chinese ne’er-do-wells are sniffing VPN and Tor traffic and oh so much more – but we’ll be back with more next week.
As ever, we appreciate your reading these words, and remind you – a safer internet is a better internet.