
Secplicity - Security Simplified

Powered by WatchGuard Technologies

WatchGuard Security Week in Review: Episode 55 – SSL/TLS Weakness

March 15, 2013 By Corey Nachreiner

Lots of Patches, Celebrity Hacks, and an SSL/TLS Weakness

If you’re anything like the average IT professional, you’re probably too busy putting out proverbial IT helpdesk fires and installing new business IT solutions to spend much time each week staying on top of the latest security news and threats. That’s where we come in! For a quick recap of the biggest information and network security news from the week, check out the YouTube video below.

In this episode, I cover a ton of software updates from the week (it was Patch Day after all), the latest celebrity hack incident, an ironic breach of a security organization’s web site, and yet another weakness in the SSL/TLS encryption protocol. I even share a tip on how webmasters can learn to recover from web site hacks.

Enjoy the episode, and share your thoughts, suggestions, and questions in the comment section below. You can also find more details about these stories in the Reference section. Thanks for watching, and enjoy your St. Patty’s Day weekend.

(Episode Runtime: 11:00)

Direct YouTube Link: http://www.youtube.com/watch?v=yD6wNDXVsHE

Episode References:

  • Microsoft Patch Day March 2013 – WGSC
  • Adobe Flash Update March 2013 – WGSC
  • Apple Updates OS X and Safari – Apple
  • Attacker leaks PII for many celebrities – Hollywood Reporter
  • Facebook hacker finds another OAuth vulnerability  – Nir Goldshlanger blog
  • NIST NVD web site breached due to Cold Fusion issue – InfoSecurity
  • New weakness found in SSL/TLS RC4 implementation [Slides PDF] – Forbes
  • Pro-Tip: Google teaches webmasters how to recover from hacks – Google

— Corey Nachreiner, CISSP (@SecAdept)


Filed Under: Security Bytes Tagged With: Adobe, Chrome, cyber war, DoD, Evernote, firefox, Hacked, Hacking, Infosec news, Internet Explorer, Malware, nuclear retaliation, oday, Oracle, pwn2own, Reader, Security breach, Software vulnerabilities, Updates and patches, Zero day exploit

Comments

  1. Alexander Kushnarev (Rainbow Security) says

    March 17, 2013 at 1:15 pm

    Thank you, Corey, for the interesting materials. I’ve thoroughly read two articles by Nir Goldshlager about hacking Facebook, and a couple of thoughts came to mind (as a conclusion):
    – If only OAuth technology included two things: a “time-limitation control mechanism” for the lifetime of the access token (better – a session lifetime limitation, like tickets in Kerberos) and a simple obfuscation technology for the access token value – then this kind of attack would not have had a successful result.
    – Those tricks with “next=%23/xxxx”, “redirect_uri” and sub-domain names can be classified as an “application injection”, “bad games” with the web app (methods logically similar to SQL injection).
    As an IT security expert – what do you think about these two vulnerabilities?

    Reply
    • Corey Nachreiner says

      March 25, 2013 at 10:20 am

      I think you are right about the additional OAuth mechanisms. Adding a limited time period and more obfuscation to the token would certainly help.

      Right now, web application attacks, like various injection attacks, are the most exploited online. Injection attacks are the number one attack in the OWASP Top Ten. Developers definitely need to work on writing secure web code. They need to leverage input validation and sanitation on all parameters, and do more to harden the SQL db associated with their web site… for instance, using stored parameterized queries for web applications, to limit what queries the web app can do.

      Reply
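The parameterized-query advice in the reply above, shown as an added example that is not part of the original post or of WatchGuard's code: a user lookup that splices the caller's string into the SQL text, beside the same lookup with the value bound as a parameter, plus an allow-list validator as a second layer. The table, its rows and the inputs are constructed for the demo; `lookup_unsafe`, `lookup_safe` and `validate_username` are hypothetical names.

```python
import sqlite3

# Constructed sample table: a minimal user store, not data from the original post.
SAMPLE_USERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: the caller's string is concatenated into the SQL text,
    so any SQL metacharacters in `name` change the structure of the query."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the query shape is fixed and `name` is bound as a value.
    Whatever the string contains, it can only ever be compared literally."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def validate_username(name, max_len=32):
    """Input validation as defence in depth: accept only what the application
    actually needs (ASCII letters, digits, underscore, bounded length).
    Parameterization remains the primary control against injection."""
    if not (0 < len(name) <= max_len):
        return False
    return all(ch.isascii() and (ch.isalnum() or ch == "_") for ch in name)


def demo():
    """Run both lookups against a benign name and a constructed hostile string
    and return the results so the difference can be inspected or asserted."""
    conn = make_db()
    benign = "alice"
    # Constructed hostile input: closes the quoted literal and appends a
    # tautology, so the unsafe query matches every row in the table.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_hostile": lookup_unsafe(conn, hostile),
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),
        "validated": (validate_username(benign), validate_username(hostile)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the unsafe lookup returning all three rows for the hostile string while the parameterized lookup returns none, and the validator rejecting the hostile string before it ever reaches the database; the same pattern applies to any database driver that supports bound parameters.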
  2. jessesToons says

    April 8, 2013 at 8:43 am

    Thanks for sharing this article, it’s been a really great read. I’ve heard a lot of great things about security in Calgary, but I’ve never considered how and what they have to go through. I could never do that; I need sleep, and I literally can’t function if I’m a few hours short of it. Those people have to work weird hours.

    Reply
  3. Jose says

    May 29, 2013 at 5:46 am

    I leave a response when I appreciate a post on a site or if I have something valuable to contribute to the discussion. It’s triggered by the passion displayed in the post I browsed. And after this post, WatchGuard Security Week in Review: Episode 55 – SSL/TLS Weakness | WatchGuard Security Center, I was actually moved enough to drop a thought 😉 I actually do have a few questions for you if it’s okay. Could it be simply me, or does it look as if some of these remarks are coming from brain-dead individuals? 😛 And, if you are writing at additional social sites, I would like to follow anything new you have to post. Could you make a list of all your social pages, like your Facebook page, Twitter feed, or LinkedIn profile?

    Reply
  4. miumiu says

    November 6, 2013 at 6:21 pm

    miu miu outlet

    Reply

Copyright © 2023 WatchGuard Technologies