Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On July 23, 2015

July 22, Securityweek – (International) Siemens patches vulnerabilities in SIPROTEC, SIMATIC, RuggedCom products. Siemens released updates for its SIPROTEC 4 and SIPROTEC Compact devices addressing a vulnerability in which an attacker could cause a denial-of-service (DoS) condition, a locally exploitable flaw in its SIMATIC WinCC Sm@rtClient application for Android in which an attacker could extract credentials for the Sm@rtServer, and a flaw in RuggedCom devices leaving them vulnerable to Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks in which a man-in-the-middle (MitM) attacker could extract sensitive information from encrypted communications. Source

July 22, Help Net Security – (International) It’s official: the average DDoS attack size is increasing. Arbor Networks reported analysis of Quarter 2, 2015 global distributed denial-of-service (DDoS) attack data revealing that the average size of attacks increased, and that the majority of large volumetric attacks leveraged Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP), and Domain Name System (DNS) servers for reflection and amplification, among other findings. Source

July 22, Securityweek – (International) Researcher discloses local privilege escalation vulnerability in OS X. Security researchers from SektionEins released details on a vulnerability in Mac OS X in which an attacker could open or create arbitrary files owned by the root user anywhere in the file system by leveraging an environment variable that enables error logging to arbitrary files. Source

July 22, Help Net Security – (International) Google Chrome update includes 43 security fixes. Google released an update for Chrome addressing 43 heap-buffer-overflow, use-after-free, and memory corruption vulnerabilities, among others, that could allow an attacker to take control of an affected system. Source

July 22, IDG News Service – (International) Bug exposes OpenSSH servers to brute-force password guessing attacks. Security researchers reported that OpenSSH servers with keyboard-interactive authentication enabled by default are vulnerable to unlimited authentication retries over a single connection, exposing users to brute-force password guessing attacks. Source

July 21, Nextgov – (National) Security experts point to OPM’s biggest cybersecurity failure. The Institute for Critical Infrastructure Technology released a report citing the lack of a comprehensive governing policy for cybersecurity as the greatest failure leading to the June breach of the Office of Personnel Management’s (OPM) systems, and recommended that the agency address security gaps identified by auditors and implement a behavioral analytics system to compensate for rapidly evolving advanced persistent and sophisticated threats. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.