Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On November 15, 2016

November 11, SecurityWeek – (National) U.S. authorities reach settlement with Adobe over 2013 breach. Authorities in 15 States reached a $1 million settlement with Adobe Systems November 10 after the company reportedly failed to employ reasonable measures to protect its customers’ personal information and detect malicious activity within its network, causing a massive data breach in 2013 that compromised over 150 million records. As part of the settlement, Adobe agreed to institute new policies and practices to prevent future breaches, including effectively separating payment card data from public-facing servers, performing ongoing risk assessments, and providing security training to employees, among other practices.

November 11, SecurityWeek – (International) Low-bandwidth “BlackNurse” DDoS attack can disrupt firewalls. Researchers from Danish telecom operator TDC warned that certain distributed denial-of-service (DDoS) attacks based on Internet Control Message Protocol (ICMP) Type 3 Code 3 packets, dubbed “BlackNurse,” can be highly effective over low bandwidths and can cause firewalls, including Cisco Adaptive Security Appliance (ASA) and SonicWall, to enter a temporary denial-of-service (DoS) condition. TDC reported that all the firewalls observed recovered once the DDoS attacks stopped.

November 10, SecurityWeek – (International) High severity DoS flaw patched in OpenSSL. The OpenSSL Project released OpenSSL 1.1.0c resolving three vulnerabilities after a Google security researcher discovered a heap-based buffer overflow associated with Transport Layer Security (TLS) connections using ChaCha20-Poly1305 cipher suites that can lead to a denial-of-service (DoS) condition, which could result in a crash of OpenSSL. The update also addresses a moderate severity flaw that can cause applications to crash, and a low severity issue related to the Broadwell-specific Montgomery multiplication procedure.

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.