Lots of Patches, Celebrity Hacks, and a SSL/TLS Weakness
If you’re anything like the average IT professional, you’re probably too busy putting out proverbial IT helpdesk fires, and installing new business IT solutions to spend much time each week staying on top of the latest security news and threats. That’s where we come in! For a quick recap of the biggest information and network security news from the week, check out the YouTube video below.
In this episode, I cover a ton of software updates from the week (it was Patch Day after all), the latest celebrity hack incident, an ironic breach of a security organization’s web site, and yet another weakness in the SSL/TLS encryption protocol. I even share a tip on how webmasters can learn to recover from web site hacks.
Enjoy the episode, and share your thoughts, suggestions, and questions in the comment section below. You can also find more details about these stories in the Reference section. Thanks for watching, and enjoy your St. Patty’s Day weekend.
(Episode Runtime: 11:00)
Direct YouTube Link: http://www.youtube.com/watch?v=yD6wNDXVsHE
Episode References:
- Microsoft Patch Day March 2013 – WGSC
- Adobe Flash Update March 2013 – WGSC
- Apple Updates OS X and Safari – Apple
- Attacker leaks PII for many celebrities – Hollywood Reporter
- Facebook hacker finds another OAuth vulnerability – Nir Goldshlanger blog
- NIST NVD web site breached due to Cold Fusion issue – InfoSecurity
- New weakness found in SSL/TLS RC4 implementation [Slides PDF] – Forbes
- Pro-Tip: Google teaches webmasters how to recover from hacks – Google
— Corey Nachreiner, CISSP (@SecAdept)
Alexander Kushnarev (Rainbow Security) says
Thank you, Corey for interesting materials. I’ve thoroughly read two articles of Nir Goldshlager about hacking the Facebook, and couple of thoughts drill my mind (as a conclusion):
– if only OAuth technology include 2 things: “time-limitation control mechanism” for lifetime of access token (better – session life-time limitation, like tickets in Kerberos) and simple obfuscation technology for the access token value – then this kind of attack would not have had the successful result.
– Those tricks with “next=%23/xxxx”, “redirect_uri” and sub-domain names can be classified as an “application injection”, “bad games” with Web-app (methods logically similar with SOL-injection).
As an IT-security expert – what do you think about these two vulnerabilities?
Corey Nachreiner says
I think you are right about the additional OAuth mechanisms. Adding a limited time period and more obfuscation to the token would certainly help.
Right now, web application attacks, like various injection attacks, are the most exploited online. Injection attacks are the number one attack of the OWASP’s top ten. Developers definitely need to work on writing secure web code. They need to leverage input validation and sanitation on all parameters, and do more to harden the SQL db associated with their web site… for instance, using stored parameterized queries for web applications, to limit what queries the web app can do.
jessesToons says
Thanks for sharing this article, its been a really great read. I’ve heard a lot of great things about security Calgary but I’ve never considered how and what they have to go through. I could never do that, I need sleep I literally can’t function if I’m a few hrs short of it. Those people have to work weird hrs.
Jose says
I leave a response when I appreciate a post on a site or if I have something
to valuable to contribute to the discussion. It’s triggered by the passion displayed in the post I browsed. And after this post WatchGuard Security Week in Review: Episode 55 – SSL/TLS Weakness | WatchGuard Security Center. I was actually moved enough to drop a thought 😉 I actually do have a few questions for you if it’s okay.
Could it be simply me or does it look as if like some of these
remarks look like they are coming from brain dead individuals?
😛 And, if you are writing at additional social sites, I would like to follow anything new
you have to post. Could you make a list all of all your social pages like your Facebook page, twitter feed, or
linkedin profile?
miumiu says
miu miu アウトレット