Take 1 Security Podcast: Episode 8

  • New SSL/TLS attack called FREAK

    • Forces an RSA key exchange to fall back to deprecated export-grade (512-bit) RSA, which is weak enough to factor

    • Requires that both the client and the server are vulnerable

    • The solution is to patch

    • Many orgs will also want to note which servers were vulnerable

    • The lesson is that you don’t reduce security to increase it

    • Backdoors x time = regret

  • Using Ruby’s open-uri can be dangerous

    • open-uri monkeypatches Kernel#open

    • open(params[:url]) with a value that starts with a pipe, such as |ls, executes the command instead of opening a file or URL

  • Hillary Clinton used a personal email address and did not store correspondence on government servers for her entire four years as Secretary of State

    • This seems highly suspect

    • First, you’re putting that data at risk in a personal system

    • Second, you’re obviously trying to hide your conversations

  • Facebook can access your account without your password

  • Google no longer encrypting Android 5.0 (Lollipop) by default

    • Default full-disk encryption was one of the main selling points of 5.0, and now it’s gone

    • They said it was simply a driver issue

  • D-Link routers have a remote command injection bug

    • Could allow DNS hijacking and other attacks

  • ISIS has threatened some members of the Twitter team for disabling their accounts

    • This really puts a point on public presence for me

    • I’m a strong proponent of the belief that the way to avoid attack is to avoid being a target, not to be hard to attack once people want to

    • This works for personal attacks, not for countries obviously

  • There has been some major fraud happening with people connecting stolen cards to Apple Pay

    • The issue isn’t a security problem with Apple Pay itself, but rather a standard bank / card security issue

  • Up to 18.8 million non-Anthem customers exposed in the Anthem breach

    • This is in addition to the 80 million actual Anthem customers

  • GoPro vulnerability on its website exposes customer Wi-Fi passwords

    • Expect more of this

  • Uber took over 5 months to issue a breach notification

    • There was a breach of driver names and license numbers that they only just disclosed

  • Seagate NAS vulnerability allows unauthorized root access

    • This raises the cloud storage issue I blogged about last week
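Worked example for the open-uri item above, added here and not code from the podcast: the dangerous call beside a hardened one. `PARAMS`, `vulnerable_open`, `safe_uri` and `safe_fetch` are names made up for this illustration, and the request parameter is constructed. Note that Ruby 2.7 deprecated, and 3.0 removed, open-uri’s patch of Kernel#open, but Kernel#open itself still spawns a command when the string starts with a pipe, so the sink stays dangerous with or without open-uri loaded.

```ruby
require "open-uri" # patched Kernel#open to fetch URLs up to Ruby 2.7; removed in 3.0
require "uri"

# Stand-in for a web framework's params hash (constructed for this example).
PARAMS = { url: "|echo pwned" }.freeze

# The pattern the show notes warn about: an untrusted string handed straight to
# Kernel#open. Kernel#open treats a leading "|" as "run this command and return
# its stdout", so "|echo pwned" is executed rather than opened as a file or URL.
def vulnerable_open(param)
  open(param) { |io| io.read } # command execution whenever param starts with "|"
end

# Hardened version (hypothetical helper): parse the string as a URI, accept only
# http/https, and hand the URI object, never the raw string, to open-uri.
# Unparseable input, local paths, file:// URLs and pipes are rejected before any I/O.
def safe_uri(param)
  uri = begin
    URI.parse(param.to_s)
  rescue URI::InvalidURIError
    raise ArgumentError, "not a valid URL: #{param.inspect}"
  end
  # URI::HTTPS is a subclass of URI::HTTP, so this admits exactly http and https.
  raise ArgumentError, "only http(s) URLs are allowed: #{param.inspect}" unless uri.is_a?(URI::HTTP)
  uri
end

# Fetch through the validated URI. The fetcher is injectable so the validation can
# be exercised offline; the default uses open-uri's URI::HTTP#open (does network I/O).
def safe_fetch(param, fetcher: ->(uri) { uri.open(&:read) })
  fetcher.call(safe_uri(param))
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable_open ran a command: #{vulnerable_open(PARAMS[:url]).strip.inspect}"
  begin
    safe_uri(PARAMS[:url])
  rescue ArgumentError => e
    puts "safe_uri rejected it: #{e.message}"
  end
  puts "safe_uri accepted: #{safe_uri('https://example.com/report').inspect}"
end
```

The key design choice is to validate on the parsed object, not on the string: checking `is_a?(URI::HTTP)` after `URI.parse` rejects pipes, relative paths and non-http schemes in one place, and passing the `URI` object (rather than a string) to open-uri means there is no call site left where a leading `|` could ever reach Kernel#open.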


Notes

  1. Sorry about my voice on this one. I’m a bit sick. 🙁
