Weekly Rewind – Top Industry News, Leaky Emails, Dirty Disks, & More…

Icon of Rewind ButtonIf you missed anything or happened to be offline this past week, we hope you find this post useful as a quick reference. For those readers that may not have noticed, I actually tack on a bit of commentary to some the industry articles – so check out my italicized/bolded opinions and let me know if you agree in the comments.

A la Schneier … you can also use this rewind post to talk about the security stories in the news that I haven’t covered.

Industry Articles

Antivirus Founder, John McAfee, says politics caused GSU raid: John McAfee is the founder of McAfee Antivirus has been a philanthropist and investor in Belize. How rich is McAfee? We’re not sure, but rich enough to donate a vessel worth one point two million dollars to the Belize Coastguard in January 2009. McAfee lives in Belize and he says that he has become a target of the Gang Suppression Unit. (continued here) (@grecs: I just find this story weird … but interesting.)

Everyone Has Been Hacked. Now What?: On Apr. 7, 2011, five days before Microsoft patched a critical zero-day vulnerability in Internet Explorer that had been publicly disclosed three months earlier on a security mailing list, unknown attackers launched a spear-phishing attack against workers at the Oak Ridge National Laboratory in Tennessee. (continued here)

Apple Security Blunder Exposes Lion Login Passwords in Clear Text: An Apple programmer, apparently by accident, left a debug flag in the most recent version of the Mac OS X operating system. In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text. (continued here) (@grecs: I guess they weren’t testing the password encryption feature when debugging this software.)

Malware Installed on Travelers’ Laptops Through Software Updates on Hotel Internet Connections: Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while establishing an Internet connection in their hotel rooms. Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. (continued here) (@grecs: Be careful out there.)

Password Protection Act: Ban bosses asking for Facebook passwords: A group of Democrats today introduced legislation in both the House and Senate to prevent employers from forcing employees and job applicants into sharing information from their personal social networking accounts. In other words, Maryland may soon not be the only state that has banned employers demanding access to Facebook accounts. (continued here) (@grecs: It all started in MD and is now it’s going nationwide!)

Our Blog Posts

Is Your Email Client Leaking Sensitive Information?: In following up with some interesting security services … I came across another great website on Reddit last week called EmailPrivacyTester.com. Created by Mike Cardwell over the past year or so, the service performs 38 privacy checks “to test your email client for privacy leaks and security bugs.” In this post I plan to explain how the service works, some concerns I originally had, and some pics I took when testing the service. Later in the week I plan to post a chat I had with developer over email (with his permission of course). To use EmailPrivacyTester.com just enter your email and hit enter. (continued here)

Call for Guest Bloggers, New Submission Form, and Free Beer: As most of you probably already know we are always looking for guest bloggers and with the addition of our new Submit Article form we hope that this makes it makes it easier than ever. Just fill in the info and your submission will be on it’s way to us. Now this doesn’t mean we are going to blindly post anything submitted to us. We’ll be vetting all posts for relevancy and coolness. And obviously locals (or their extended family & friends) will have precedence. 😉 The form itself is pretty simple. Just enter your name and email followed by the article title and text. (continued here)

Poll: Should We Change Our Name?: Well the poll for this week is a little self-serving but before making any changes we just like to run things by you, the readers, to see what everyone thinks. This change would just involve changing the title of the site from NovaInfosecPortal.com. You’d see a name change in the header of the site, in search results, etc. as being NovaInfosec.com instead of NovaInfosecPortal.com. The URL would probably remain the same but https://www.novainfosec.com would just point to https://www.novainfosec.com. Anyway, we’d appreciate your opinion. (continued here)

Is the Dirty Disk Problem the First Practical Chink in Cloud Security’s Armour?: TechWeekEurope published some interesting research in their “‘Dirty Disk’ Vulnerability Threatens The Cloud” post several weeks ago and I’ve been brewing on it since. The problem harkens back to the original “delete” function present in most OSs. Instead of really deleting a file, OSs simply remove the pointer to where the file was stored on disk. The same problem could occur in the cloud as demonstrated by Context Information Security’s research except the non-referenced data would find it’s way into part of a newly created VM. (continued here)

EmailPrivacyTester.com Q&A: As a follow-up to Monday’s post, “Is Your Email Client Leaking Sensitive Information?,” I reached out to the developer of EmailPrivacyTester.com for some quick Q&A about his site. The developer, Mike Cardwell, was kind enough to take part and provided very thoughtful answers to some questions I thought many of us would probably have. Some of the highlights for me were confirmation that the iOS email client triggers many of these checks by default, the testing of DNS prefetches to discover your DNS settings, the existence of a few XSS techniques to checkup on web-based clients, and of course the fact that the source is available for all to see and contribute to. (continued here)

RFC Prophecies: Contributed By: Mrs. Y The other day a few of us at work were looking through the April Fool’s RFCs. If you haven’t seen them, they’re only for the most dedicated nerds. Almost every year, on April 1st, the IETF publishes facetious RFCs. It’s a tradition that started in 1973 with the Arpawocky RFC, which was a parody of Lewis Carroll’s Jabberwocky. Beware the ARPANET, my son; The bits that byte, the heads that scratch; Beware the NCP, and shun the frumious system patch, I’ve generally seen them referenced by subversive engineers in project or team meetings to make a point about the absurdity of an endeavor. (continued here)

NovaInfosec D-List Interview – Mark Shrout: Today’s interview is with aspiring penetration tester Mark Shrout. Practically a life-long metro-DC resident, Mark has served in various DoD network analysts positions and is is currently the primary engineering for several clients. In his free time he’s studying pen testing and contemplating some good relevant certs to tackle. As usually we would like to give a big shout-out to Andrew “@andrewsmhay” Hay, who started this whole Information Security D-List Interview idea. (continued here)

#####

Hope everyone had a wonderful week. Have a great weekend! See ya!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.