Inside | Real news, curated by real humans
Inside Security

Inside Security (Jan 9th, 2018)

David’s Take

The aftermath of Meltdown and Spectre continues. Microsoft has halted some software patches for AMD chips, Apple has updates for various devices, including iOS and Safari. Please apply updates.

Two federal agencies have released a draft joint report on cybersecurity threats and are looking for public comments before February 12. They list several goals for both the government and the private sector to improve cybersecurity, including network edge detection innovations, infrastructure changes, and better security awareness. While the report is more of a vision and governance document, it makes for interesting reading.

-- David Strom, Editor of Inside Security

  • Email gray
  • Permalink gray

Top Story: WPA3

At CES, the Wi-Fi Alliance announced planned enhancements to the tired old WPA protocols, and as the Register says, “Wi-Fi security should become a bit less laughable” with the changes, called WPA3. Devices supporting the new protocols should be available later this year, and include features like improved protection when users choose weak passwords, individualized encryption and improved security setup on devices with limited or no interface screens. There will also be a new security suite using 192-bit encryption. WPA2 has had security issues for years. – WI-FI ALLIANCE

  • Email gray
  • Permalink gray

Attacks and vulnerabilities

Researchers have found more than 20 different Android flashlight apps that are really hidden automated ad clickthroughs. The apps have millions of downloads and have been removed from the Google Play Store. – CHECKPOINT BLOG

  • Email gray
  • Permalink gray

Certain AMD-based Trusted Computing modules that are found in many modern laptops have a stack-based overflow vulnerability, according to researchers. AMD has a fix and is rolling it out to its partners. -- FULL DISCLOSURE MAILING LIST

  • Email gray
  • Permalink gray

Popular wallet developer Electrum issued two emergency patches over the weekend for a critical bug that left thousands of its Bitcoin wallets exposed. The flaw allowed any website access to the coins stored in the wallet. Why two patches? The first one didn’t actually solve the issue. – BITCOIN NEWS

  • Email gray
  • Permalink gray

Microsoft has added a new and very important detail on the support page describing incompatibilities between AV products and the recent Windows Meltdown and Spectre patches. The update says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the AV program they are using becomes compatible with the Windows Meltdown and Spectre patches. AV programs will need to add a special Registry key in the future. One researcher is keeping of track of which AV programs are updated on this spreadsheet. – BLEEPING COMPUTER

  • Email gray
  • Permalink gray

Why haven't webcams evolved in the past 20 years? With the Meeting Owl by Owl Labs, they have.

In the words of Inside CEO Jason Calacanis: “The Meeting Owl is a game changer. It’s a 360-degree camera that focuses on people as they speak. When you run your next meeting with the Meeting Owl you’re going to have your mind blown.” To see what all the fuss is about, check out the Meeting Owl today.


Check out the Meeting Owl and see what the fuss is all about.

Here is another case of sloppy cert management, this time by the British government. The Conservative Party website let their SSL certs expire last week. Not quite “their darkest hour,” but still a big oops. – INFOSECURITY MAGAZINE (UK)

  • Email gray
  • Permalink gray

Security researchers found three different vulnerabilities in the Dell/EMC Avamar product line. The vendor worked quickly to resolve these issues. The vulnerabilities relate to bypassing authentication credentials and file transfers using privilege escalation. – DIGITAL DEFENSE BLOG

  • Email gray
  • Permalink gray

New product

PolySwarm claims to be the first decentralized marketplace allowing security experts to build anti-malware engines that compete to protect consumers. PolySwarm provides incentives using Nectar-based crypto-tokens to reward threats and bugs detected.

  • Email gray
  • Permalink gray

The Docket

Rasheeda Johnson Turner, 37, was arrested last month on federal charges that she tried to hire a hitman to kill her boyfriend so she could get her hands on his life insurance payout. Fortunately, the hitman turned out to working for the FBI. My colleague Lisa Vaas has other sordid details of this case. – NAKED SECURITY

  • Email gray
  • Permalink gray

Tools

Academic researchers have constructed a new tool called the Mcity Threat Identification Module that can be used to evaluate autonomous automotive cyber security issues. They claim it is the first of its kind. -- UNIVERSITY OF MICHIGAN PAPER

  • Email gray
  • Permalink gray

Here is an excellent post on some very practical suggestions to harden your email security. There are numerous steps and tools to use to protect your communications, and most of them are easy to implement. For example, “Take a second out to search your emails for words such as password, login, code, account number, pdf, xlsx – hopefully you’ll be the first person to do this and see that it is for the best.” – THE ANTI-SOCIAL ENGINEER

  • Email gray
  • Permalink gray

Last year AWS announced new tools called GuardDuty that can be used to evaluate the security posture of your VMs on the cloud provider. GuardDuty gathers data from multiple streams, including threat intelligence feeds, and creates a data set that can be compared against DNS logs, VPC flow logs and CloudTrail events. This allows Amazon to report on numerous types of suspicious behavior. This post goes into detail on how they can be deployed.  -- TRIPWIRE

  • Email gray
  • Permalink gray

Just for fun

If you have already seen the latest Star Wars movie, you are safe to read and enjoy this piece about security lessons learned from running the rebel alliance. Otherwise, spoilers ahead. – NAKED SECURITY

  • Email gray
  • Permalink gray

Many thanks to Inside Security's corporate supporters.  Please go check them out!

Endgame

Endgame's endpoint security platform protects the world’s largest organizations from targeted attacks, eliminating the time & cost associated with incident response. Learn more

 

Nok Nok Labs has the ambition to transform authentication, by unifying it into one standard protocol, giving business the control they need. Learn more

 
   
   

Gain cybersecurity expertise from Harvard's VPAL in 8 weeks. Learn More.

HackerOne is the #1 hacker-powered security platform for finding critical vulnerabilities.

 

[YOUR LOGO HERE – click for details]

Subscribe to Inside Security

MORE NEWSLETTERS

Digging into the Trump Presidency, issue by issue

Inside Trump

Digging into the Trump Presidency, issue by issue

DAILY
Digging into the Trump Presidency, issue by issue

Inside Trump

DAILY

SUBSCRIBED!

Share via

News, updates, reviews and analysis of industry and consumer trends in the world of streaming

Inside Streaming

News, updates, reviews and analysis of industry and consumer trends in the world of streaming

WEEKLY
News, updates, reviews and analysis of industry and consumer trends in the world of streaming

Inside Streaming

WEEKLY

SUBSCRIBED!

Share via

A thoughtful roundup of news and links for developers

Inside Dev

A thoughtful roundup of news and links for developers

DAILY
A thoughtful roundup of news and links for developers

Inside Dev

DAILY

SUBSCRIBED!

Share via

Fascinating, curious and amazing journalism, all in one link.

ReadThisThing

Fascinating, curious and amazing journalism, all in one link.

DAILY
Fascinating, curious and amazing journalism, all in one link.

ReadThisThing

DAILY

SUBSCRIBED!

Share via