START CONTENT * New SSL attack called FREAK * Has to do with falling RSA back to a deprecated and weak level * Requires the client and server are both vulnerable * The solution is to patch * Many orgs will also want to note which servers were vulnerable * The lesson is that you don’t reduce security to increase it * Backdoors x time = regret * Using Ruby’s Open-URI could be dangerous * open-uri monkeypatches kernel.open * open(params[:url]) can execute |ls * Hilary Clinton used a personal email address and did not store correspondence on government servers for her entire 4 years as Secretary of Defense * This seems highly suspect * First you’re putting that data at risk in a personal system * Second you’re obviously trying to hide your conversations * Facebook can access your account without your password * Google no longer encrypting Lollipop by default * Was one of the main selling points for 5, and now it’s gone * They said it was simply a driver issue * DLink routers have a remote command injection bug * Could allow DNS hijacking and other attacks * ISIS has threatened some members of the Twitter team for disabling their accounts * This really puts a point on public presence for me * I’m a strong proponent of the belief that the way to avoid attack is to avoid being a target, not to be hard to attack once people want to * This works for personal attacks, not for countries obviously * There has been some major fraud happening with people connecting stolen cards to ApplePay * The issue isn’t a security problem with ApplePay, but rather with standard bank / card security issue * Up to 18.8 non-Anthem customers exposed in the Anthem breach * This is in addition to the 80 million actual anthem customers * GoPro vulnerability on its website exposes customer Wi-fi passwords * Expect more of this * Uber took over 5 months to issue a breach notification * There was a breach of driver names and license numbers that they just now disclosed * Seagate NAS vulnerability allows unauthorized root access * This raises the cloud storage issue I blogged about last week END CONTENT Play Podcast Notes * Sorry about my voice on this one. I’m a bit sick. :(
Become a Member: https://danielmiessler.com/upgrade
See omnystudio.com/listener for privacy information.
START CONTENT * New SSL attack called FREAK * Has to do with falling RSA back to a deprecated and weak level * Requires the client and server are both vulnerable * The solution is to patch * Many orgs will also want to note which servers were vulnerable * The lesson is that you don’t reduce security to increase it * Backdoors x time = regret * Using Ruby’s Open-URI could be dangerous * open-uri monkeypatches kernel.open * open(params[:url]) can execute |ls * Hilary Clinton used a personal email address and did not store correspondence on government servers for her entire 4 years as Secretary of Defense * This seems highly suspect * First you’re putting that data at risk in a personal system * Second you’re obviously trying to hide your conversations * Facebook can access your account without your password * Google no longer encrypting Lollipop by default * Was one of the main selling points for 5, and now it’s gone * They said it was simply a driver issue * DLink routers have a remote command injection bug * Could allow DNS hijacking and other attacks * ISIS has threatened some members of the Twitter team for disabling their accounts * This really puts a point on public presence for me * I’m a strong proponent of the belief that the way to avoid attack is to avoid being a target, not to be hard to attack once people want to * This works for personal attacks, not for countries obviously * There has been some major fraud happening with people connecting stolen cards to ApplePay * The issue isn’t a security problem with ApplePay, but rather with standard bank / card security issue * Up to 18.8 non-Anthem customers exposed in the Anthem breach * This is in addition to the 80 million actual anthem customers * GoPro vulnerability on its website exposes customer Wi-fi passwords * Expect more of this * Uber took over 5 months to issue a breach notification * There was a breach of driver names and license numbers that they just now disclosed * Seagate NAS vulnerability allows unauthorized root access * This raises the cloud storage issue I blogged about last week END CONTENT Play Podcast Notes * Sorry about my voice on this one. I’m a bit sick. :(
Become a Member: https://danielmiessler.com/upgrade
See omnystudio.com/listener for privacy information.
Kliv in i en oändlig värld av stories
Svenska
Sverige