Arggh Matey, Be Gone With Ya...
Dan Goodin, writing at Ars Technica, shares the tale of a user-data leak of the most egregious sort. Read it and weep.
Now nearly eight years old, the Mac freeware Suspicious Package, a tightly focused security tool for Apple Inc.'s (NasdaqGS: AAPL) OS X, hit another milestone this February with the release of version 2.0.1.
Crafted by Mothers Ruin Software, Suspicious Package gives you a deep view into an installer package before you run it. It is a Quick Look plug-in: invoke Quick Look on a .pkg in the Finder and a preview of the package contents pops up in the Quick Look window. A superb, single-purpose security tool for your toolkit.
"Shouldn't I be suspicious of the Suspicious Package package? Yes, we're aware of the ... irony of distributing Suspicious Package as a package, but it's very awkward to distribute it any other way. If you want an alternative, though, there are instructions here. The Suspicious Package package is signed with an Apple-issued “Developer ID” certificate, and so will be recognized as valid by the Gatekeeper feature of OS X. The signer, as displayed by Suspicious Package itself, will be “Randy Saldinger,” which is the real name of the person who writes in the first person plural for Mothers Ruin Software." - via the Mothers Ruin Suspicious Package FAQ
Evidence of recent evolutionary change in Homo sapiens sapiens, first published in 2014, is gaining traction through a fascinating article reposted at Nautilus. Sacrebleu! Most certainly today's Must Read.
Ars Technica's Megan Geuss reports the apparent defeat of the security technology behind so-called 'secure' chip-and-PIN credit cards. Today's Must Read.
Google, Inc. (NasdaqGS:GOOG) has notified Symantec Corporation (NASDAQ:SYMC) of requirements it is imposing on the Symantec Certificate Authority, following apparent malfeasance in the management of the company's CA infrastructure: specifically, certificates issued for domains without the knowledge of the domain holders.
The implications range far, both in scope (the specific certificates under scrutiny: "Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered." - posted by Ryan Sleevi, Software Engineer at Google, Inc.) and in Google's effort to enforce WebTrust obligations in the digital-certificate realm. This is why I say: Trust - But Verify...
"It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner." - Posted by Ryan Sleevi, Software Engineer at Google, Inc.
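"Trust - But Verify" cuts both ways: once Google's June 2016 requirement is in force, a relying party can check for itself whether a Symantec-issued certificate carries Certificate Transparency SCTs. The following is an added example for this post, not Google's, Symantec's or Ryan Sleevi's code. It walks the DER structure of an X.509 certificate with no third-party libraries and counts the SCTs embedded under the RFC 6962 extension OID 1.3.6.1.4.1.11129.2.4.2, or flags a poisoned precertificate (OID ...2.4.3), which is what gets submitted to a log and must never be served to clients. The certificate it runs on is constructed inline as sample input (dummy key, dummy signature); for a real check, feed it the output of der_from_pem() on a PEM file. Two caveats a practitioner should keep in mind: Chrome also accepts SCTs delivered via a TLS extension or stapled OCSP, so zero embedded SCTs is not by itself a policy failure, and this code counts SCTs without verifying their signatures against the logs' public keys.

```python
"""Count Certificate Transparency SCTs embedded in a DER X.509 certificate.

Added example for this post (not Google's or Symantec's code).  Pure Python;
the certificate used in the demo is constructed below as sample input.
"""
import base64

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # embedded SignedCertificateTimestampList (RFC 6962)
POISON_OID = "1.3.6.1.4.1.11129.2.4.3"    # precertificate poison; never present in a final cert


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a SEQUENCE (or explicit tag) into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Dotted OID from DER content bytes (first byte packs two arcs, rest are base-128)."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def extensions(der):
    """Map extnID -> extnValue content for every extension of a DER certificate."""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; use der_from_pem() for PEM input")
    tbs = children(cert)[0][1]               # Certificate ::= SEQUENCE { tbsCertificate, ... }
    result = {}
    for tag, val in children(tbs):
        if tag == 0xA3:                      # [3] EXPLICIT Extensions
            for _, ext in children(children(val)[0][1]):
                fields = children(ext)       # extnID, [critical], extnValue
                result[decode_oid(fields[0][1])] = fields[-1][1]
    return result


def embedded_sct_count(der):
    """Number of SCTs in the embedded SCT list, or 0 when the extension is absent."""
    exts = extensions(der)
    if SCT_LIST_OID not in exts:
        return 0
    # extnValue wraps the TLS-encoded list in a second OCTET STRING (RFC 6962 section 3.3).
    _, tls_list, _ = read_tlv(exts[SCT_LIST_OID])
    total, pos, count = int.from_bytes(tls_list[:2], "big"), 2, 0
    while pos < 2 + total:                   # each SCT: 2-byte length + opaque bytes
        pos += 2 + int.from_bytes(tls_list[pos:pos + 2], "big")
        count += 1
    return count


def is_precertificate(der):
    """True when the poison extension is present (a log submission, not a served cert)."""
    return POISON_OID in extensions(der)


def der_from_pem(pem_text):
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


# --- Constructed sample certificate (dummy key and signature; demo input only) ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_sample_cert(scts):
    """Minimal v3 certificate skeleton carrying the given SCT byte strings."""
    sha256_rsa = tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    ext_list = b""
    if scts:
        body = b"".join(len(s).to_bytes(2, "big") + s for s in scts)
        body = len(body).to_bytes(2, "big") + body
        ext = tlv(0x30, encode_oid(SCT_LIST_OID) + tlv(0x04, tlv(0x04, body)))
        ext_list = tlv(0xA3, tlv(0x30, ext))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sha256_rsa
              + tlv(0x30, b"") + tlv(0x30, tlv(0x17, b"151028000000Z") * 2) + tlv(0x30, b"")
              + tlv(0x30, sha256_rsa + tlv(0x03, b"\x00")) + ext_list)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00"))


if __name__ == "__main__":
    sample = build_sample_cert([b"\x00" * 40, b"\x00" * 41])
    print("embedded SCTs:", embedded_sct_count(sample))    # 2
    print("precertificate:", is_precertificate(sample))    # False
```

To run it against a certificate a server actually presented, save the leaf with `openssl s_client -connect host:443 -servername host </dev/null | openssl x509` and pass `der_from_pem(open("leaf.pem").read())` to `embedded_sct_count()`. The pure-Python walker is deliberately minimal; in production you would reach for a maintained X.509 library, but the DER layout it exposes (the [3] EXPLICIT Extensions tag, the double OCTET STRING wrapping, the TLS-style length-prefixed SCT vector) is exactly what any CT checker has to navigate.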
Apparently the European Union has all but canonized Edward Snowden (in a non-binding resolution). That is, of course, if the EU Parliament could anoint a living person a saint. Astounding.
Like many ideas, lessons and viewpoints, this nearly six-year-old description of the foibles of security at the time remains baggage we labor to carry 72 months later...
Join Chris Hoffman, writing at How-To Geek, as he leads us through the voluminous maze of Android information security and its failures. Read It and Weep, My Friends. Deemed Today's Must Read.
News, via Dan Goodin, writing at Ars Technica, details a seven-year-old, pernicious bug in the Xen virtualization hypervisor, which a user inside a guest virtual machine can exploit to break out of the guest and into the underlying hypervisor layer. FYI: one high-profile customer of the Xen hypervisor is Amazon Web Services. Time to patch, eh?
"Admittedly this is a subtle bug, because there is no buggy code that could be spotted immediately. The bug emerges only if one looks at a bigger picture of logic flows (compare also QSB #09 for a somehow similar situation). On the other hand, it is really shocking that such a bug has been lurking in the core of the hypervisor for so many years. In our opinion the Xen project should rethink their coding guidelines and try to come up with practices and perhaps additional mechanisms that would not let similar flaws plague the hypervisor ever again (assert-like mechanisms perhaps?). Otherwise the whole project makes no sense, at least to those who would like to use Xen for security-sensitive work." - via Dan Goodin, writing at Ars Technica.
Dameon D. Welch-Abernathy, a Security Architect for Check Point Software Technologies, C-List Infosec Celebrity and widely known as PhoneBoy, publishes a typically erudite podcast. In this episode, PhoneBoy presents his thoughts on the risk to the enterprise (this time caused by the enterprise's own management) from the use of ubiquitous 'smartphones'. Listen here.
Superlative post, well crafted by Pete Herzog (writing at Norse's DarkMatters), elucidating the truth about vulnerability scanners. Today's Must Read.
Nir Sofer's List of Shame, the Anti-Virus Edition. FYI: we happily make use of Nir's tools and recommend them highly. Enjoy.