US NSA Director Rogers warned yesterday that the US should expect, as a matter of practical certainty, to sustain infrastructure attacks at least as damaging as December's disruption of electrical power in Ukraine.
The widely expected and hitherto mysterious OpenSSL patch arrived yesterday, and all now know what was being plugged: a TLS/SSL vulnerability now being called "DROWN" (a forced acronym derived from Decrypting RSA using Obsolete and Weakened eNcryption). It's generally regarded as serious: about a third of all https servers are thought to be susceptible to DROWN attacks, which depend upon the old EXPORT_GRADE backdoor formerly mandated for US-made security products.
TrendLabs finds a new variant of the BIFROS Trojan designed for deployment against Unix (and "Unix-like") systems. They attribute the development to the threat actors behind the "Shrouded Crossbow" campaign.
A group of Turkish hackers has claimed responsibility for the ransomware attack on Hollywood Presbyterian Medical Center. While the motive behind the attack seems clear enough—criminal extortion—those claiming responsibility cloak themselves in a nationalist mantle: they were also protesting American friendliness toward Kurds. (Sez they.)
Verizon releases a breach report with a difference: it doesn't replace the company's existing well-known annual report, but it supplements statistical treatment with instructive case studies.
In the UK, the Government prepares a new version of its surveillance bill. The Apple-FBI case is being closely watched in Europe, where observers fear it will have implications for the implementation of Privacy Shield. Partisans of both sides square off in Congressional testimony.