Inside Security

Inside Security (Aug 15th, 2017)

David’s Take

Today, according to my rather idiosyncratic accounting, is my 200th edition of this newsletter. In a little more than a year, I have been enjoying curating and writing these stories and giving you what I hope is a great view of the infosec industry several times a week. I hope you have been enjoying these missives as well and welcome your comments as always.

 -- David Strom, editor of Inside Security

Top story: LinkedIn vs. third-party data scrapers

Can a third-party company scrape publicly accessible data from your website? According to the recent ruling from the US District Court in San Francisco, the answer is yes. The case is HiQ v. Microsoft/LinkedIn, and a judge this week decided in the startup’s favor. “The information isn’t something the LinkedIn users made private or limited so that only their friends or contacts could see,” according to the startup’s description of its case. Rather, the information HiQ uses is something anyone with an internet connection could access: it pulls public data from individual LinkedIn accounts to create analytics that employers can use to manage their workforce, such as predicting when employees might quit or be dissatisfied with their current jobs. LinkedIn will appeal the decision. -- LAW360

Beginner’s corner

If you need a cogent and tight explanation of the various kinds of VPNs available, and some recommendations of personal ones from my colleague Steven Vaughan-Nichols, you should check out this post. It explains how they use encrypted tunnels to protect network traffic and how “your ISP can tell that you're using a VPN, but they can't see where you're going or what you're doing within it since all your traffic is encrypted.” -- IGN

Reports

An interesting history lesson on how Estonia became a cyber power in just a few decades, after freeing itself from the Soviet Union and being hacked with a then-massive DDoS attack in 2007. The attacks made Estonia more determined than ever to develop its digital economy and make it safe from future attacks, including establishing a special data exchange portal called X-Road (shown below). -- QUARTZ

An advanced cyber security network called Fednet was rolled out across 35 federal bodies on Saturday with the aim to protect the UAE government against advanced persistent threats. The network allows interconnection and data exchange between all local and federal government entities. -- GULFNEWS

Attacks

Unit 42 researchers at Palo Alto Networks have discovered new attack activity targeting individuals involved with United States defense contractors. The team identified weaponized Microsoft Office Document files masquerading as job descriptions which use the same malicious macros as the Operation Blockbuster attacks from earlier this year. (See a closeup of the network graph below.) -- PALO ALTO NETWORKS BLOG

We knew many personal password policies are miserable, but the same is true of commercial sites too. Here are some facts from a recent survey by the researchers at Dashlane, a password management company. For example, six websites had no policy to prevent brute-force attacks: Apple, Dropbox, Google, Twitter, Venmo, and Walmart. And of all the tested sites, only GoDaddy, Stripe, and QuickBooks obtained a perfect score in each of the five categories shown below. -- DASHLANE BLOG

Tools

If you are running Firefox as your main browser, your older extensions will stop working in a couple of months if you upgrade to the newest version, 57. Mozilla is giving you plenty of advance notice in this blog post, along with an explanation of how it has moved to a new and hopefully better protected extension API with that version. “Add-on compatibility is one of the most complex features, so it’s possible that some things won’t work exactly right at first.” -- MOZILLA BLOG

New AWS third-party services

McAfee vNSP is built specifically for AWS and provides a hands-on experience running advanced security in a public cloud environment. It protects at the individual workload level and can also be managed from the same console as the on-premises McAfee Network Security Protection. The company offers new users the first 72 hours of usage for free. -- MCAFEE

Lacework for AWS Cloudtrail can automatically detect anomalies in your AWS account activity logs, such as changes to your S3 buckets, new user roles or activation of new services. They also offer a free trial. -- LACEWORK
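To make the three detections Lacework advertises concrete, here is an added example (not Lacework's code, and not from the original newsletter) that runs simple rule-based checks over a constructed CloudTrail log: bucket-permission changes, new IAM principals, and the first use of a service not in a baseline. The baseline set and the sample records are assumptions made up for the demonstration; the field names (eventSource, eventName, userIdentity, requestParameters) are standard CloudTrail fields.

```python
import json

# Constructed CloudTrail-style log in the "Records" file layout; not real account data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-08-14T09:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2017-08-14T09:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "userIdentity": {"userName": "alice"},
     "requestParameters": {"bucketName": "payroll-archive"}},
    {"eventTime": "2017-08-14T09:10:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole", "userIdentity": {"userName": "bob"},
     "requestParameters": {"roleName": "temp-admin"}},
    {"eventTime": "2017-08-14T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2017-08-14T09:20:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331", "userIdentity": {"userName": "bob"}},
]})

# API calls that change who can reach a bucket, or add/extend a principal.
S3_BUCKET_CHANGES = {"PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy"}
IAM_PRINCIPAL_CHANGES = {"CreateRole", "CreateUser", "AttachRolePolicy", "PutRolePolicy"}

# Assumed baseline: services this account is already known to use.
KNOWN_SERVICES = {"s3.amazonaws.com", "ec2.amazonaws.com"}


def detect_anomalies(log_text, known_services=KNOWN_SERVICES):
    """Parse a CloudTrail log and return one alert string per suspicious record."""
    alerts = []
    seen = set(known_services)          # copy so the baseline is not mutated
    for ev in json.loads(log_text)["Records"]:
        source = ev.get("eventSource", "")
        name = ev.get("eventName", "")
        actor = ev.get("userIdentity", {}).get("userName", "unknown")
        params = ev.get("requestParameters") or {}
        if source == "s3.amazonaws.com" and name in S3_BUCKET_CHANGES:
            alerts.append(f"s3-change: {actor} {name} on {params.get('bucketName', '?')}")
        elif source == "iam.amazonaws.com" and name in IAM_PRINCIPAL_CHANGES:
            alerts.append(f"iam-change: {actor} {name} {params.get('roleName', '')}".strip())
        if source not in seen:          # first call ever seen to this service
            seen.add(source)
            alerts.append(f"new-service: {actor} first use of {source} ({name})")
    return alerts


if __name__ == "__main__":
    for line in detect_anomalies(SAMPLE_LOG):
        print(line)
```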

Just for fun

I had a chance to see Reuben Paul, an 11-year-old cyber expert, in person at a conference this week. He was quite entertaining. Paul has made a name for himself by hacking into a Bluetooth and Internet-connected plush toy bear using a Raspberry Pi and some common network discovery tools, plus some quick Python commands. He runs several websites, including this one that helps teach kids basic cybersecurity concepts. If you ever get a chance to see him in person, do make the effort.