February 24 · Issue #45
Hi! Big security news week with the Cloudflare Cloudbleed bug and the practical collision attack on SHA-1 (Secure Hash Algorithm) from Google, huh?
This week’s edition of #MobSec5 includes:
- Cloudbleed “…possibly worse than the Heartbleed bug.”
- Judge rules you can’t force building residents to attempt to unlock seized Apple devices with their fingerprint
- Will we see President Trump’s cybersecurity executive order next week?
Thanks for reading. Have a great weekend, be good, and stay safe.
Cloudbleed: Serious Bug Exposes Sensitive Data From Millions of Sites Sitting Behind CloudFlare | The Hacker News
“A severe security vulnerability has been discovered in the CloudFlare content delivery network that has caused big-name websites to expose private session keys and other sensitive data.” Cloudflare reports that about 0.00003 percent of HTTP requests made through its systems between February 13 and February 18 (roughly 1 in 3.3 million) may have leaked memory. The bug was in Cloudflare's edge HTML parser, which read past the end of a buffer, so the leaked bytes could come from any customer's traffic handled by the same server, not just the site that triggered it. Working with several search engines, the company identified 770 unique cached URIs containing leaked memory and says those caches have been purged, but residual copies of that data may still exist elsewhere. Cloudbleed is a reminder that a developer can do everything right in their own code and still ship a vulnerable app by relying on a third party's library or service; in this case the exposure happened outside the app entirely, and the only remediation on the app side is to rotate session tokens and credentials that may have transited Cloudflare during that window. NowSecure CTO David Weinstein explained the “Cloudbleed” bug’s impact on mobile apps and published a list of popular iOS apps that may have been affected in a blog post.
Google Online Security Blog: Announcing the first SHA1 collision | Google Security Blog
“Today, 10 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision.” Google has long advocated sunsetting SHA-1 (Chrome already stopped trusting SHA-1 TLS certificates earlier this year) and hopes this demonstration, two PDF files with different content but the same SHA-1 digest, will convince the industry to move on to SHA-256 and other modern hashes. Note that this is a collision attack, in which the attacker crafts both inputs, not a preimage attack against an existing hash; the systems at risk are those that sign, verify, or deduplicate attacker-supplied content by its SHA-1 digest alone.
It's raining. It's pouring. This fake weather app is stealing your credentials | Graham Cluley
“A new Android banking trojan poses as a legitimate weather forecast app in an effort to steal users’ banking credentials.”
What to expect from the Trump administration on cybersecurity | CSO Online
“Look for U.S. President Donald Trump’s administration to push for increased cybersecurity spending in government, but also for increased digital surveillance and encryption workarounds.”
There’s still no official word on when to expect the release of the Trump administration’s executive order on cybersecurity (though it may come prior to the president speaking to Congress on Tuesday). A purported draft of the order states, “Effective immediately, Agency Heads shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework), or any successor document, developed by the National Institute of Standards and Technology to manage their agency’s cyber risk.” NIST will host webinars at the beginning of March discussing how to use the framework and explaining updates published in January. Unfortunately registration for the live events is already full, but recordings of the webinars will be published within two weeks.
Who is listening?: Hijacking devices | SC Magazine
“The next time you open your smartphone, be sure that you know what it’s doing behind the scenes.”
I Tracked Myself With $170 Smartphone Spyware that Anyone Can Buy | Motherboard
“For a relatively small fee, you can snoop on someone’s messages, call logs, photos, and location from across the planet.”
The reporter writes, “Within minutes, I had downloaded the malware, turned off an Android security setting that would allow it to install itself, entered my subscription key, and was ready to collect data.” In other words, installing this spyware required hands-on access to the unlocked phone and disabling the setting that blocks installs from unknown sources; it is not a remote compromise, which also means a device that stays locked and does not allow sideloading is not exposed to it.
Judge: No, feds can’t nab all Apple devices and try everyone’s fingerprints | Ars Technica
“A federal magistrate judge in Chicago recently denied the government’s attempt to force people in a particular building to depress their fingerprints in an attempt to open any seized Apple devices as part of a child pornography investigation.”
iPhone Robbers Try to iPhish Victims | Krebs On Security
“Not long after the husband texted the stolen phone — offering to buy back the locked device — he soon began receiving text messages stating the phone had been found.”
How Peter Thiel’s Palantir Helped the NSA Spy on the Whole World | The Intercept
“Palantir has never masked its ambitions, in particular the desire to sell its services to the U.S. government — the CIA itself was an early investor in the startup through In-Q-Tel, the agency’s venture capital branch.”