Hundreds of cloud apps still vulnerable to DROWN

Complacency in addressing known vulnerabilities puts users at risk


If you have even a passing interest in security vulnerabilities, there’s no chance that you missed the news about the DROWN vulnerability. It’s one of the biggest vulnerabilities to hit since Heartbleed, potentially impacting a third of all HTTPS websites. By exploiting the obsolete SSLv2 protocol, this flaw makes it possible for an attacker to eavesdrop on a TLS session.

Because we use SSL and TLS encryption to shop, send messages, and send emails online, DROWN potentially allows attackers to access our messages, passwords, credit card details, and other sensitive data.

DROWN was disclosed on March 1, but a full week later Netskope identified 676 SaaS applications that were still vulnerable to the attack. This highlights a recurring problem we see time and time again in the security industry — a failure to remediate vulnerabilities.

Detecting issues is only the first step; companies must take action to close loopholes and protect their customers.

Interestingly, Netskope also pointed out that of those 676 SaaS apps, 73 are also still vulnerable to FREAK, 42 are still vulnerable to Logjam, and 38 are still vulnerable to the OpenSSL CCS attack.

The longer it takes to deal with a known vulnerability, the higher your risk of a successful attack. Known vulnerabilities still pose the biggest IT security threats, and there’s little sign that’s going to change any time soon.

We saw the same pattern of complacency after the Heartbleed vulnerability was unveiled. A full year later, 74% of Global 2000 companies with public-facing systems vulnerable to Heartbleed had failed to remediate the problem across all servers, according to security firm Venafi.

Netskope has been posting daily updates on DROWN, and it’s clear that some companies are taking action, but as of March 14, two weeks after the disclosure, there are still 513 vulnerable apps.


Dealing with DROWN

There has been some disagreement about how easy it is to exploit DROWN, but it’s certainly a potentially serious vulnerability that’s worth addressing. You can check to see whether your own website is vulnerable by visiting the DROWN Attack website.

It’s also not especially difficult to remediate: simply don’t allow SSLv2 on any of your servers, and ensure that private keys are not being used anywhere with server software that still allows SSLv2 connections. SSLv2 is an obsolete protocol that should have already been removed due to its inherent weaknesses.
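The second half of that remedy is the part that gets missed: a web server with SSLv2 disabled is still exposed if the same private key is served by another host (say, a mail server) that accepts SSLv2. The following added example (not code from the article, Netskope or NetworkWorld) triages a constructed scan inventory for exactly that cross-host key reuse; the hostnames and key bytes are placeholders, and a real inventory would carry each endpoint's DER SubjectPublicKeyInfo and the result of an SSLv2 handshake attempt.

```python
"""Offline DROWN exposure triage over a TLS scan inventory (added example)."""
import hashlib
from collections import defaultdict

# Constructed inventory. "spki" stands in for the DER SubjectPublicKeyInfo a
# real scan would extract from each endpoint's certificate; "sslv2" records
# whether the endpoint completed an SSLv2 handshake during the scan.
INVENTORY = [
    {"host": "www.example.test",    "port": 443, "sslv2": False, "spki": b"KEY-A"},
    {"host": "mail.example.test",   "port": 465, "sslv2": True,  "spki": b"KEY-A"},
    {"host": "api.example.test",    "port": 443, "sslv2": False, "spki": b"KEY-B"},
    {"host": "legacy.example.test", "port": 443, "sslv2": True,  "spki": b"KEY-C"},
]


def key_fingerprint(spki: bytes) -> str:
    """SHA-256 over the public key bytes: same key => same fingerprint."""
    return hashlib.sha256(spki).hexdigest()


def drown_exposure(inventory):
    """Map each exposed endpoint to the SSLv2-capable endpoints serving its key.

    An endpoint is exposed when *any* host sharing its private key accepts
    SSLv2, whether that is the endpoint itself or a different server.
    """
    by_key = defaultdict(list)
    for ep in inventory:
        by_key[key_fingerprint(ep["spki"])].append(ep)
    exposed = {}
    for group in by_key.values():
        weak = [f"{e['host']}:{e['port']}" for e in group if e["sslv2"]]
        if not weak:
            continue
        for e in group:
            exposed[f"{e['host']}:{e['port']}"] = weak
    return exposed


def remediation_targets(inventory):
    """Endpoints where SSLv2 must actually be switched off; fixing these
    clears every entry returned by drown_exposure()."""
    return sorted(f"{e['host']}:{e['port']}" for e in inventory if e["sslv2"])


if __name__ == "__main__":
    for ep, via in drown_exposure(INVENTORY).items():
        print(f"{ep}: key also served over SSLv2 by {', '.join(via)}")
    print("disable SSLv2 on:", ", ".join(remediation_targets(INVENTORY)))
```

Note that www.example.test is flagged even though it never accepted SSLv2 itself; that is the case the article's second instruction is about.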

Vulnerabilities like DROWN and FREAK really highlight the dangers of obsolete cryptography. This is something we should all be taking more seriously.

There’s a real need to break down department barriers, so that threats can be dealt with efficiently and in a timely fashion. The latest IT Security and Operations Survey from BMC and Forbes Insights found that 44% of data breaches in the U.S. and Europe are caused by known vulnerabilities. The report lays the blame on a disconnect between security and IT operations teams, which often have different goals and priorities. Lack of communication, coordination, and proper oversight is disastrous for data security.

It’s up to CIOs, working with the CISO, to ensure that security and IT groups work more closely together, not just to identify issues but to fix them as quickly as possible. Organizations need to understand that these kinds of vulnerabilities are not just a theoretical concern.

It’s not always possible to determine when data has been breached, and it can be difficult to categorize threats and understand their severity. But one thing is perfectly clear: burying your head in the sand and failing to deal with a known vulnerability puts your customers’ data, and potentially the future of your business, at serious risk.


This article was originally posted on NetworkWorld.

Image credit: Cutcaster

Do you have the right person for the job?

According to Cisco’s 2015 Annual Security Report, 91 percent of companies have an executive with direct responsibility for security, but only 29 percent of them have a Chief Information Security Officer.

The enterprise is facing a dangerous combination of mounting cybersecurity threats of increasing subtlety and a widening gap in the skills required to identify and combat them. Having someone who knows how to lead the charge in identifying and analyzing threats, creating strategic security plans, and ensuring compliance is essential, and it requires the right level of expertise.


Save the Date: Information Security Summit 2016


Please save the date and plan to join us for this timely forum on what you need to know about the latest security issues, threats, and technologies that will help you protect your business!

Towerwall Security Alert Vol 13.05 – IRS Alerts Payroll and HR Professionals to Phishing Scheme Involving W-2s

WASHINGTON – The Internal Revenue Service today issued an alert to payroll and human resources professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.

The IRS has learned that this scheme, part of the surge in phishing emails seen this year, already has claimed several victims as payroll and human resources offices mistakenly email payroll data, including Forms W-2 that contain Social Security numbers and other personally identifiable information, to cybercriminals posing as company executives.

“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

IRS Criminal Investigation already is reviewing several cases in which people have been tricked into sharing SSNs with what turned out to be cybercriminals. Criminals using personal information stolen elsewhere seek to monetize data, including by filing fraudulent tax returns for refunds.

This phishing variation is known as a spoofing email. It will contain, for example, the actual name of the company chief executive officer. In this variation, the “CEO” sends an email to a company payroll office employee and requests a list of employees and information including SSNs.

The following are some of the details contained in the e-mails:

“Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”

“Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”

“I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment.”

“Kindly prepare the lists and email them to me asap.”
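The pattern the alert describes has three observable parts: a From display name borrowed from a real executive, a sending address (or Reply-To) outside the company's own domain, and a request for W-2 or Social Security data. The following added example (not from the IRS release or Towerwall) scores constructed messages against those three signals; the company domain, the executive name and both sample messages are assumptions, and an attacker who forges the exact company domain rather than a lookalike would only be caught by SPF/DKIM/DMARC alignment, which this check does not replace.

```python
"""Flag executive-impersonation W-2 requests in inbound mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.test"   # assumed: the organisation's own mail domain
EXECUTIVES = {"jane doe"}         # assumed: display names worth protecting
TRIGGERS = re.compile(r"\bW-?2\b|social security|\bSSN\b|earnings summary", re.I)


def impersonation_findings(raw: str) -> list:
    """Return the reasons a message looks like the IRS-described scheme
    (empty list when nothing matches)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Signal 1: a protected executive's name on a message from outside our domain
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        findings.append(f"executive display name '{name}' from external domain {domain}")
    # Signal 2: replies silently diverted to a third-party mailbox
    if reply_to and reply_to.rpartition("@")[2].lower() != COMPANY_DOMAIN:
        findings.append(f"Reply-To diverts responses to {reply_to}")
    # Signal 3: the body asks for payroll data; only reported alongside 1 or 2,
    # since HR legitimately discusses W-2s all tax season
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    hits = sorted({m.lower() for m in TRIGGERS.findall(body)})
    if hits and findings:
        findings.append("requests payroll data: " + ", ".join(hits))
    return findings


# Constructed sample messages (lookalike domain and free-mail Reply-To are invented)
PHISH = """From: Jane Doe <jane.doe@example-test.com>
Reply-To: Jane Doe <ceo.office@webmail.test>
To: payroll@example.test
Subject: W-2 request

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all staff.
"""
LEGIT = """From: Jane Doe <jane.doe@example.test>
To: payroll@example.test
Subject: Meeting

Can we move the 3pm to 4pm?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, impersonation_findings(raw) or "clean")
```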

The IRS recently renewed a wider consumer alert for e-mail schemes after seeing an approximately 400 percent surge in phishing and malware incidents so far this tax season, along with other reports of scams targeting others in the wider tax community.

The emails are designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies. The phishing schemes can ask taxpayers about a wide range of topics. E-mails can seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information.

The IRS, state tax agencies and the tax industry are engaged in a public awareness campaign, “Taxes. Security. Together.”, to encourage everyone to do more to protect personal, financial and tax data. See Publication 4524 for additional steps you can take to protect yourself.

DROWN attack sinks security for millions of websites

Security researchers reveal a new technique to break TLS using an SSLv2 server.

This article was originally featured in NetworkWorld
Image credit: Victor Cruz