MAC Rotator
Ladies and Gentlemen, Girls and Boys, here's why Apple Inc. (NasdaqGS: AAPL) iOS 8.x-driven devices are marginally better for privacy concerns: rotating (programmatic MAC spoofing) Media Access Control addresses. Today's MustRead; meanwhile, another view of tracking iOS devices has surfaced.
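An added illustration of why rotation frustrates passive tracking (my own example, not code from the post or from Apple): randomised MACs are drawn from the locally administered address space, so a venue sensor's probe-request log can be split into addresses tied to a device's burned-in identity and rotating ones that cannot be correlated across visits. The log lines below are constructed for the example.

```python
import re

# Constructed sample: Wi-Fi probe-request log lines, as a passive observer
# (e.g. a venue's "analytics" sensor) might record them. Not real captures.
PROBE_LOG = """\
2014-09-20T10:00:01 probe-req src=02:3f:9a:11:22:33 ssid=
2014-09-20T10:00:31 probe-req src=06:1c:77:aa:bb:cc ssid=
2014-09-20T10:01:02 probe-req src=0a:88:21:de:ad:01 ssid=
2014-09-20T10:01:04 probe-req src=a4:5e:60:12:34:56 ssid=HomeNet
2014-09-20T10:02:10 probe-req src=a4:5e:60:12:34:56 ssid=HomeNet
"""

MAC_RE = re.compile(r"src=([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set => locally administered address.
    Randomised (rotating) MACs live in this space: no vendor OUI, and no
    link back to the interface's burned-in address."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def classify_probes(log: str) -> dict:
    """Count distinct source MACs per class. To a tracker, a device that
    rotates its address looks like several unrelated one-off visitors,
    while a fixed burned-in address is a stable identifier across visits."""
    seen = {"randomised": set(), "burned_in": set()}
    for line in log.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue  # skip lines that carry no source address
        mac = m.group(1).lower()
        key = "randomised" if is_locally_administered(mac) else "burned_in"
        seen[key].add(mac)
    return {k: len(v) for k, v in seen.items()}


if __name__ == "__main__":
    print(classify_probes(PROBE_LOG))
```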
Dread Pirate Roberts, Leaking Data...
Today's MustRead - via the inimitable Brian Krebs at Krebs on Security - targets the nefarious Dread Pirate Roberts, allegedly the Master of the Silk Road, and the ramifications of the site's conceptually flawed CAPTCHA configuration (which pulled data from the open interweb, rather than the apparently less-than-dark web). Enjoy!
The Shaming
Evidently, Public Shaming, a la 16th Century European public pillorying and taunt, is the vogue when targeting mindless, and therefore vulnerable, web deployments. The latest incarnate example of this manoeuvre is HTTP Shaming, a Tumblr blog dedicated to exposing the less-than-well-planned sites floating around our interweb.
Proactive OWASP
OWASP has released its 2014 Top Ten Proactive Controls for Developers, in both PDF and HTML formats. Outstanding news.
- OWASP-C1: Parameterize Queries
- OWASP-C2: Encode Data
- OWASP-C3: Validate All Inputs
- OWASP-C4: Implement Appropriate Access Controls
- OWASP-C5: Establish Identity and Authentication Controls
- OWASP-C6: Protect Data and Privacy
- OWASP-C7: Implement Logging, Error Handling and Intrusion Detection
- OWASP-C8: Leverage Security Features of Frameworks and Security Libraries
- OWASP-C9: Include Security-Specific Requirements
- OWASP-C10: Design and Architect Security In
Not Here
Via HOPE X conference speaker and forensic scientist Jonathan Zdziarski comes this fascinating slide deck of backdoors in motion, targeting Apple Inc. (NasdaqGS: AAPL) iOS 7 devices. Today's Must Read.
Insert Here
Via the inimitable Brian Krebs, of Krebs on Security, come reports of insert, thin and mini card skimmers, and the perils of automated banking and commerce for consumers worldwide. The astonishing component to this litany of miscreant evil-doers is the apparent inability of hardware manufacturers to detect, notify and terminate these devices at will [or, at the very least, reject all cards on the machine when nefarious activities are suspected].
Ex-Parte Praedictum, IV Decies Centena Milia
This is what we need more of... via the inimitable Brian Krebs, at Krebs On Security, comes the astounding story of Microsoft Corporation's (NasdaqGS: MSFT) Big Stick, as it were; and why, in a highly orchestrated chain of events (in this case, predicated upon an ex-parte restraining order) fraught with technical errors, nearly 4,000,000 web sites have been neutralized.
BitCoin Security, Kaput
Fascinating screed via ArsTechnica by the inimitable Dan Goodin, in which the well-lettered Mr. Goodin details the discovery of the paucity of BitCoin security. Surprised? Read more at Ars.
Staunch the Bleeding...
Dan Goodin, writing at ArsTechnica, regales us with this sorry tale of another deep and aged flaw (in existence for nearly 16 years) in OpenSSL's cryptolib. This time, the flaw lies in the ChangeCipherSpec handling of the crypto-library. Outstanding research, crafted by Lepidum, tells it all.
Kali Linux, The Update Chronicles
News, of the release of the latest update of security distribution Kali Linux [now at 1.0.7]; just in time for a proverbial weekend update-fest, methinks!
Darkcoin, Riseth
Darkcoin is apparently, if you believe the chatter, the truly anonymous successor to Bitcoin. May the Bestcoin win...
The money quote (pun only partially intended):
'Darkcoin adds an extra layer of privacy by automatically combining any transaction its users make with those of two other users–a feature it calls Darksend–so that anyone analyzing the blockchain has a harder time figuring out where a particular user’s money ended up' - via Wired's Andy Greenberg
Locked Life
Via the erudite Dan Goodin at ArsTechnica comes the latest litany of ne'er-do-well personal privacy company LifeLock. Consisting, if you will, of the latest foul-up at the embattled firm, Mr. Goodin's screed has succeeded in the task assigned:
An excoriation of the ham-handedness in situ at LifeLock; describing in luxurious & excruciating detail the sorrowful tale of blatant incompetence rampant at the company. Simply, astonishing.
SecDevOps, The Change
In a tour-de-force example of Security Automation, those crazy kids at DevOps have produced a model for enterprise implementation. You'll be well served, I reckon, in taking the time to read their vision of an automated firewall modification.
A Workflow by any other name, would smell as sweet...
Android Applications, The Evil Within
Well-constructed how-to, targeting the detection of evil Google Inc. (NasdaqGS: GOOG) Android applications.