If you missed anything or happened to be offline this past week, we hope you find this post useful as a quick reference. For those readers that may not have noticed, I actually tack on a bit of commentary to some of the industry articles – so check out my italicized/bolded opinions and let me know if you agree in the comments.
A la Schneier … you can also use this rewind post to talk about the security stories in the news that I haven’t covered.
Microsoft Squashes Hotmail Password Hijack Bug: Microsoft has smacked down a Hotmail bug that allowed hackers to lock users out of their own accounts. Redmond took one day to slap down a glitch that allowed anyone with a Firefox add-on to remotely reset the password of a Hotmail account. (continued here) (@grecs: Time to change my password on my spam collection account… I think I registered mine way back in 1996. That might be older than some of you reading this post.)
Skype Slurping Software Threatens IP Exposure: Code posted online that can skim the last known IP address of users is being checked out by Skype as a possible security flaw. The software, posted on Pastebin, works on a patched version of Skype 5.5 and involves adding a few registry keys that allow the attacker to check the IP address of users currently online without calling them. (continued here) (@grecs: There was a nice site that automated all this … Microsoft had it taken down for copyright reasons. Really?)
Kaspersky: Apple security is like Microsoft’s in 2002: Apple customers are more at risk from malware now because of their misconception that their iDevices and Macs are secure and because of Apple’s poor attitude to security, according to experts. David Emm … told The Reg that Apple had cultivated the image of the Mac as intrinsically safer than PCs and … (continued here) (@grecs: How does someone’s misconception relate to the underlying security of an OS? Plus they’re measuring the wrong thing. It’s risk … and iDevices are at much less of a risk than most of the other popular platforms out there.)
Skype Replaces P2P Supernodes with Linux Boxes Hosted by Microsoft: Microsoft has drastically overhauled the network running its Skype voice-over-IP service, replacing peer-to-peer client machines with thousands of Linux boxes that have been hardened against the most common types of hack attacks, a security researcher said. (continued here) (@grecs: Great for performance … not so great for privacy…)
Serious Remote PHP Bug Accidentally Disclosed: A serious remote-code execution vulnerability in PHP was accidentally disclosed Wednesday, leading to fears of an outbreak of attacks on sites that were built using vulnerable versions of PHP. The bug has been known privately since January when a team of researchers used it in a capture the flag contest and then subsequently reported it to the PHP Group. (continued here) (@grecs: Hopefully all our WAFs will protect us. 😉 )
Our Blog Posts
Wanna Be a CISO? Career Advice for Getting There: For many of us in the infosec industry, one of our ultimate career goals might be to become the CISO of an organization. Phil Muncaster posted an interesting article on this topic titled “Wannabe infosec kingpins: Forget tech, grab a clipboard” on The Register recently. In it he recommended focusing on improving your business, communication, and risk management skills rather than getting too bogged down in the tech. (continued here)
The Fallout of “Cyber Week”: You may remember last week we did a quick post on four cyber-related bills being voted on in the House. Well, since then we’ve done a poll and kept up on some of the news regarding this legislation. Apparently no one in the House saw our poll results. Over 82% of the people responded with “Definitely not … the new bills are there only to fulfill an agenda.” We’ve heard a lot about the Cyber Intelligence Sharing and Protection Act (CISPA), but whatever happened to the other three bills? (continued here)
Plain Text Offenders: Fight Back Against Cleartext Password Reminders: Yes, it’s that time of the month again when many of those friendly MailMan services email password reminders to us. I’ve covered this before, and it’s very easy to disable the whole password reminder feature from a subscriber perspective. To jog your memory, below is the relevant setting within your MailMan configuration panel. The reminder email should contain a link to your preferences page where you can find this option. (continued here)
Technical Skills to Pay the Bills … And More: On Monday we talked about skills to obtain if you want to be a CISO. But maybe that isn’t your career goal and you’d rather stay technical … or you are just starting out. TimesUnion.com posted a good article based on research from Wanted Analytics™ and Hiring Scale™ that details the most in-demand infosec skills based on recent job ads. To improve your chances of better growth and being more in demand, the following skills may be something you might want to pick up now for that next job. (continued here)
Rant & Poll: Can We Just Let this Google Wifi Slurping Thing Die?: In the past few weeks Google has been back in the news for their whole wifi slurping mess. First it was the FCC slap on the wrist $25K fine. More recently, Google disclosed the name of the programmer responsible for the wifi software. It turns out it was none other than Marius Milner of NetStumbler fame. And then there was the recollection that he wrote down in his todo list to speak to legal about possible privacy issues. (continued here)
Job: Senior Penetration Tester in Reston, VA: Came across this awesome position on EthicalHacker.net’s forums. Although the req reads like they are looking for a mid-career candidate, in the forum post they mentioned that they have multiple pen testing positions at various levels. The POC is listed at the end of the req below. If you decide to apply, please mention that you heard about this position through NovaInfosecPortal.com. (continued here)
Hope everyone had a wonderful week. Have a great weekend! See ya!