Hello, welcome to the Friday, September 23rd, 2016 edition of the Sandus Stormcast.

My name is Johannes Ulrich and the day I'm recording from Baltimore, Maryland.

As expected, OpenSL released an update today.

This update fixes a total of 14 different vulnerabilities. Most of them only apply to the 1.01 and 1.02

branch, but a couple of them do apply also to the just released 1.1.0.0 branch.

All three branches are still fully supported, so you should be okay with either

one of these of course the latest and greatest one dot one does support some of

the newer features there was one particular vulnerability here and OCSP

status request vulnerability that was rated high for all three releases.

This is a memory leak issue where essentially you end up with a denial of service condition because memory fills up.

This was also the only high vulnerability. The suite 32 vulnerability is also

mitigated in this particular release. Now the only thing they did is they downcrated the

death ciphers from high to medium. So if you already configured these ciphers to no longer be used, then you're fine.

This change just makes it easier and a little bit more obvious to configure OpenSL.

So in short, no heart bleed here, nothing that you have to rush out.

Just wait for your respective Linux release or whatever you're using

OpenSL on to actually come up with a patch for this particular update.

ATM machines have often been compromised in the past with skimmers and banks are looking into new ways to authenticate customers

and one way of course they're considering is biometrics with fingerprints and iris scans

being used to identify the user apparently bad guys are getting ready as well in order to defeat these authentication

mechanisms by collecting the same biometric data with their skimmers. Kasperski did publish a report

where they're sort of speculating with possible attacks against these new generation of ATMs.

...