7MS #169: Infosec News and Links Roundup
Tim Tomes is teaching PWAPT in Charleston, April 28-29. Fly to it if you have to - it's a fantastic course!
BHIS has a Webinar called "Internal Pivot Pentest Go Kit" they'll be doing on Tuesday, Mar 22 at 11:00 a.m. CST. I definitely plan on attending.
I'm kind of interested in an itpro.tv subscription since Security Now listeners get 30% off for life. Anybody have any experience with this program?
As always, the Apple case is making lots of news. The FBI threatened to force Apple to hand over iOS source code and there's also a great Time article featuring an interview with Tim Cook and a deep exploration of the case and Apple's position.
In other Apple news, malware called AceDeceiver can pwn your info and passwords if you install a malicious Windows app to go along with it. From the Fortune article:
Additionally, for the malware to spread to an iOS device, users must have mistakenly installed a corrupted program on their Windows-powered PC to help manage their iOS device. Instead of helping a user backup their iPhone, however, the program covertly installs “malicious apps on any iOS device that is connected to the PC,” the report said.
LastPass introduced a two-factor auth app that appears to be a Google Authenticator competitor. I don't see a huge push to move to this, but might in the future just to have all my password "eggs" in one basket.
Brian Krebs has been seeing many companies fall to W2 scams lately. Seagate, Moneytree, and potentially many more. Per his article:
I’m working on a separate piece that examines the breadth of damage done this year by W2 phishing schemes. Just based on the number of emails I’ve been forwarded from readers who say they were similarly notified by current or former employers, I’d estimate there are hundreds — if not thousands — of companies that fell for these phishing scams and exposed their employees to all manner of identity theft.
Stagefright is back for Android (oh noes!) if an attacker tricks you into visiting a page with a malicious multimedia file. This affects Android versions 2.2 to 4.0 and 5.0 to 5.1. Oh, and while you're investigating that vulnerability, see if you're running anything with the nasty Snapdragon vulnerability affecting more than 1 BEEELION devices!
If you're an email privacy enthusiast, definitely go and check out ProtonMail, featuring end-to-end encryption. I'm using it if you want someone to test with (see the contact page). You can even send password-protected, time-sensitive emails to people who don't use the service. I'm a fan!
MOARTLS is a cool Chrome plugin to test whether all elements on a site/page are loaded over HTTPS.
NMAP 7.10 is out and has lots of new NSE scripts and other goodies. Will grab it this weekend.