Archive
SafetyNet: Google’s tamper detection for Android · John Kozyrakis ~ blog
Interesting article about Google’s idea to test for rooted phones for developers who want to make sure that your phone is ‘safe’ to run their applications.
Stay tuned for more hacking…
I was reading this article about the sentencing of a 17-year-old in the UK for a Web attack that happened in 2015. He says he won’t do it again but do we really want that?
http://www.infosecurity-magazine.com/news/talktalk-breach-17yearold-confesses/
It tells us that several websites were vulnerable to a SQL injection attack which leaked personally identifiable info (PII).
Aren’t we punishing the wrong people here? I mean his motives were to show off his abilities and not to obtain and exploit the data. It also appears that the site already knew about the attack and was not able to do anything to mitigate?
I know that we would all like to live in a world where lost wallets are always returned to us with all the money inside but isn’t the company primarily responsible for continuing to neglect the security of the data?
Until we start legislative accountability for companies that hold service availability over security, we will continue to have breaches. To penalize individuals who help to find these flaws instead of congratulating them is like forgiving the dog and scolding the bone for just being there.
Cirque du Soleil – Ole
Had a great night out in Mexico watching the new Cirque du Soleil production called ‘Joya’. I saw golfer Greg Norman at the event and the only thing I could think of saying to him was ‘Happy 20th Anniversary’ 😦
Bruce Schneier on the most recent attack vector, USB sticks
Think of it, you walk into a building, see a computer that (hopefully) is locked and you plug in a USB device and walk away. Just like James Bond, you look at your watch and a few minutes pass by. You unplug your device and head back to the Aston Martin…
Well okay this part is fictitious but the rest isn’t. Read more about the technique in this article.
https://www.schneier.com/blog/archives/2016/11/hacking_passwor.html
Feeling better that you bought an iPhone?
New Threat Can Auto-Brick Apple Devices http://krebsonsecurity.com/2016/04/new-threat-can-auto-brick-apple-devices/
Getting ready to take more underwater pictures
I got another strobe and a new macro lens for our underwater rig today. Can’t wait to take some great pictures in Florida. Check out the flip mount for our diopter…
Article on Krebs about IoT security
If you haven’t already read about it, I wanted to alert my readers to a story regarding the Trane ComfortLink thermostats – yes I said Thermostats. If you were one of the ‘lucky’ ones to purchase this and thought it would be cool to enable your thermostat over your WiFi at home you should read more about this story that comes to us from KrebsonSecurity – https://krebsonsecurity.com/2016/02/iot-reality-smart-devices-dumb-defaults/
Easy vulnerability assessments – Nessus and Powershell
The Internet Storm Center brings us this wealthy tidbit of knowledge that can help any shop get a reactive grip on the status of vulnerabilities using a trial of Nessus. Thanks to Rob VandenBrink for his magic lesson on how to use the raw output from Nessus to make sense of it all. A must see for anyone not using realtime reporting of vulnerabilities in your organization.
https://isc.sans.edu/diary/Nessus+and+Powershell+is+like+Chocolate+and+Peanut+Butter%21/20431
Key exchange protocol is under attack from NSA
In this story, Bruce Schneier writes about the disadvantage that the US spook agency (NSA) has put everyone who uses IPSec in. It’s time for a new key exchange method…
Breaking Diffie-Hellman with Massive Precomputation (Again) https://www.schneier.com/blog/archives/2015/10/breaking_diffie.html
FBI beginning to mean ‘Federalists for a Better Internet’
The Federal Bureau of Investigation (as they would like to be known) recently came out with their own Top 4 Security Controls list in this article (http://www.healthcareitnews.com/news/fbi-issues-alert-iot-device-security) about the health care industry but many of you might already see that the proliferation of Internet devices affects all of us at our office and at home. The threat remains the same but the FBI has a solution.
In a stunning editorial they have decided that there are really only four things you need to do to protect your site from the increasing threat of cyber attack thereby making companies like SANS and NIST and all the work that they have accomplished obsolete.
