
DevelopSec: Developing Security Awareness


Oct 20, 2015

Hi and welcome to the DevelopSec newscast for October 20th, 2015. I am James Jardine and I wanted to take a few moments to talk about some recent news stories over the past week.


  • Apps installed a root certificate on device.
  • Could allow monitoring of data, even SSL/TLS traffic.
  • Recommended to uninstall the apps; unfortunately it was not made clear which ones they are.
  • Outlook.com CSRF bug pays security tester $25,000 - http://www.theregister.co.uk/2015/10/09/hotmail_hijack_hole_earns_boffin_25k_double_bug_bounty_trouble/
    • Wesley Wineberg found a Cross-Site Request Forgery flaw in the Microsoft Outlook.com website.
    • Could hijack user sessions.
    • Responsible/Coordinated disclosure allowed flaw to be resolved before publicly disclosed.
  • Medicaid Data Breach, Security Issue at NC and CA Facilities - http://healthitsecurity.com/news/medicaid-data-breach-security-issue-at-nc-and-ca-facilities
    • Spreadsheet sent via email unencrypted.
      • Highlights importance of attention to detail. Sometimes the simplest mistakes create a potential risk.
      • Difficult to prove if data was accessed by unauthorized users.
      • What options could be used instead of emailing the attachment?
    • Thumb drive stolen from an employee's home.
      • Data should be encrypted.
      • Ensure policies exist that cover acceptable use of portable storage.
      • Ensure that employees are trained on the policies.
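The Outlook.com item above is a reminder of what a Cross-Site Request Forgery flaw lets a third-party page do: the browser attaches the victim's session cookie to a state-changing request, so a handler that checks only the session accepts it. The following is an added illustration written for this newscast, not code from Outlook.com or from the researcher's report; it uses a plain dictionary as a stand-in for a server-side session, and the hostnames and form fields are constructed for the demo. It places a handler that trusts the session alone beside one that also requires a per-session synchronizer token and checks the `Origin` header.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Mint a per-session synchronizer token and store it server-side.
    The rendered form embeds it; a page on another origin cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def change_email_unprotected(session, form):
    """Vulnerable handler: a valid session is the only thing it checks,
    so a cross-site form POST riding on the victim's cookie is accepted."""
    if "user" not in session:
        return 401
    session["email"] = form.get("email")
    return 200


def change_email_protected(session, form, request_headers, site_origin):
    """Hardened handler: rejects a state-changing request whose Origin is
    another site, and rejects any request without the session's token.
    Constant-time comparison avoids leaking the token via timing."""
    if "user" not in session:
        return 401
    origin = request_headers.get("Origin")
    if origin is not None and origin != site_origin:
        return 403
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    session["email"] = form.get("email")
    return 200


def demo():
    """Run one forged request against both handlers, then one legitimate
    request against the hardened one. Returns the three status codes."""
    site = "https://mail.example"  # constructed site origin
    session = {"user": "victim", "email": "victim@mail.example"}
    issue_csrf_token(session)

    # Cross-site request: the browser still sends the session cookie, but the
    # submitting page cannot supply the token and carries a foreign Origin.
    forged_form = {"email": "changed@other.example"}
    forged_headers = {"Origin": "https://other.example"}
    unprotected = change_email_unprotected(session, forged_form)
    protected = change_email_protected(session, forged_form, forged_headers, site)

    # Legitimate same-site request carrying the token from the rendered form.
    legit_form = {"email": "new@mail.example", "csrf_token": session["csrf_token"]}
    legit = change_email_protected(session, legit_form, {"Origin": site}, site)
    return unprotected, protected, legit


if __name__ == "__main__":
    print(demo())  # (200, 403, 200): only the unprotected handler accepts the forged request
```

The token check is what closes the hole; the `Origin` check is a cheap second layer that also catches requests from browsers that send the header, and the same-site cookie attribute would be a third. A session-scoped token must be regenerated when the session is (for example on login), or a token issued to an earlier session lingers.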


Join the conversation on google+ (https://www.google.com/+Developsec) and Twitter (@DevelopSec)