7MS #190: Infosec News and Links Roundup
If you're interested in whether it's time to invest in "smart things" for your home, you might want to listen to the latest Security Now episode first. About 1.5 hours in, Steve and Leo talk about the current state of smart/dumb things development, and warn that the tech might not be mature enough to operate securely at this time. Plus, once the dust settles on the IoT frontier, you might end up having to re-buy a lot of tech.
The BHIS webinar from yesterday called "We can hardware hack! And you can too!" was good. I know absolutely zero about hardware hacking, but this presentation made me want to start :-). I'll post the recording when available.
I'm still pursuing CCSP but kind of going bonkers at how high level it is.
- Patch your stuff, for goodness' sake - Adobe/Microsoft/others have lots of critical ickiness that was patched this week. Krebs covers the overview well (as always), but don't forget Shavlik produces a nice summary too. Highlights from the Shavlik article include:
In total, Microsoft released 16 bulletins today, eight critical and eight deemed important. There are also 33 unique CVEs being resolved, including one Zero Day that affects two bulletins and two public disclosures.
Today, Adobe released bulletins for Adobe Reader, ColdFusion and an advisory for Flash Player that should see a bulletin release as soon as this Thursday. The two bulletins resolve for a total of 85 CVEs. With the addition of Flash Player later this week, if the Microsoft bulletin is accurate, it should bring the total to 109 CVEs resolved from Adobe this month.
A big week for breaches, including Kiddicare, UserVoice, Google, and a London-based HIV clinic. One lesson learned from these: learn how to use email properly (i.e., the BCC field) and don't email sensitive stuff to the wrong people :-/
Lenovo's Solution Center may soon recommend the following solution to using a Lenovo machine: don't. The flawed software could let attackers leverage Solution Center to take over a machine. According to the article:
"The flaw allows an attacker to elevate privileges and is tied to the LSC application's backend. It opens the door for a malicious attacker to start the LSC service and trick it into executing arbitrary code in the local system context", says Karl Sigler, who is responsible for finding this flaw.
My general mindset is this: whenever I get a new machine, I immediately pop in the OS disc, do a format C: and reload fresh.
WhatsApp now has desktop clients for Win and Mac users for a bit more mainstream access to end-to-end encryption goodness.
OWTF (Offensive Web Testing Framework) is OWASP's:
...project focused on penetration testing efficiency and alignment of security tests to security standards
So far it looks to be awesome, but if you're running Kali 2 you might need to downgrade pip to get it working. See my GitHub thread on that.
Be careful when flying, as it's no longer safe to do algebra in front of nervous passengers!
A whole slew of 7ms.us updates!
- The complete episode guide is finally up! It's broken into two chunks: featured episodes and complete episode guide.
- Disqus comments are finally fixed. Apparently they were loading via HTTP even though this is an HTTPS-forced site, so the browser treated them as mixed content. #LessonLearned.
- Resources page has some mini best practice articles as well as blogs, podcasts, books, etc. that have helped me in my infosec career.
- All podcast episodes should be fixed and downloadable - thanks to the listeners who pointed out issues. Let me know if you see any that are being stubborn!
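The Disqus lesson above is a plain mixed-content problem: an HTTPS page that pulls a script, stylesheet or frame over plain http: gets that resource blocked (or at best flagged) by the browser. The checker below is an added example, not code from 7ms.us or from Disqus; it uses only the Python standard library, and the sample page, hostnames and the Disqus-style script URL in it are constructed for illustration.

```python
"""Flag sub-resources an HTTPS page would load over plain HTTP (mixed content).

Added example for these show notes; standard library only. The sample
HTML and every hostname in it are constructed, not taken from 7ms.us.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a sub-resource.
# <link> is handled separately because only some rel values are fetched.
FETCHED_ATTRS = {
    "script": "src",
    "iframe": "src",
    "img": "src",
    "source": "src",
    "audio": "src",
    "video": "src",
    "embed": "src",
    "object": "data",
}
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}


class _ResourceCollector(HTMLParser):
    """Collects (tag, absolute_url) for every sub-resource the page references."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            if rels & FETCHED_LINK_RELS and attrs.get("href"):
                self._add(tag, attrs["href"])
        elif tag in FETCHED_ATTRS:
            value = attrs.get(FETCHED_ATTRS[tag])
            if value:
                self._add(tag, value)

    def _add(self, tag, raw_url):
        # urljoin resolves relative paths and protocol-relative "//host/x"
        # URLs against the page, so those inherit https and are not flagged.
        self.resources.append((tag, urljoin(self.page_url, raw_url.strip())))


def find_mixed_content(html, page_url):
    """Return [(tag, url)] for resources an HTTPS page would fetch over http:.

    An http: page cannot have mixed content, so it always yields [].
    """
    if urlsplit(page_url).scheme.lower() != "https":
        return []
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.resources
            if urlsplit(url).scheme.lower() == "http"]


# Constructed sample page: two resources are hard-coded to http: and should
# be flagged; the relative, protocol-relative and https: ones should not.
SAMPLE_PAGE_URL = "https://example.invalid/post/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://example.invalid/site.css">
<link rel="stylesheet" href="http://cdn.example.invalid/theme.css">
<link rel="canonical" href="http://example.invalid/post/">
</head><body>
<img src="/images/logo.png">
<img src="//static.example.invalid/banner.png">
<script src="http://example-blog.disqus.com/embed.js"></script>
<iframe src="https://player.example.invalid/ep190"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"mixed content: <{tag}> loads {url}")
```

The canonical link is deliberately ignored (the browser never fetches it), and protocol-relative URLs resolve to https on an https page, which is why Disqus-style `//host/embed.js` embeds are the safer form. As a belt-and-braces fix on a site that is already forced to HTTPS, the `Content-Security-Policy: upgrade-insecure-requests` header tells browsers to rewrite any remaining http: sub-resource requests to https before sending them.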