Apple has addressed their “logic error” surrounding credentials. Please patch your macOS High Sierra deployments as soon as possible.
Month: November 2017
Apple Works to Fix Serious Mac Security Bug
If you are a Mac user or support Mac users, please take time to mitigate this problem by setting the root password, following the instructions provided by Apple and referenced in these articles. Hopefully a patch is coming soon.
https://www.infosecurity-magazine.com/news/apple-works-to-fix-serious-mac/
Who Was the NSA Contractor Arrested for Leaking the ‘Shadow Brokers’ Hacking Tools?
This is a fantastic read for anyone who has followed the saga of the NSA and The Shadow Brokers. Mr. Krebs is doing a tremendous job running these leads to ground.
Federal Websites Still Lack Basic Security
This is yet another Federal example of “Do as I say…not as I do.” There is no excuse for the Federal government not following, and meeting or exceeding, the standards it sets for websites and website security.
https://www.infosecurity-magazine.com/news/federal-websites-still-lack-basic/
Sophos Weekly Recap
Uber Shock: Firm Hid Breach of 57 Million Users
Here is a little bit of warm and fuzzy reading for all as we enter into a huge travel season. Uber was breached. Bad! Uber paid the bad guys to cover it up. Worse! Ultimately, the expense was passed along to a trusting consumer. Worst and sadly typical!
I think it might be time to shift to Lyft or maybe even go back to supporting all the hard working taxi drivers out there. Bad form Uber. Bad form!
https://www.infosecurity-magazine.com/news/uber-shock-firm-hid-breach-57/
Amazon Creates Classified US Cloud
The thread responses in this post from Bruce Schneier are almost as entertaining as the linked content from the Washington Post. If you ever doubted that the cloud movement was unstoppable, it is time to reconsider.
On a lighter note, the arguments many will have with HIPAA and PCI consultants over cloud storage of sensitive data should get more entertaining. “But Uncle Sam gets to do it…why can’t I?”
https://www.schneier.com/blog/archives/2017/11/amazon_creates_.html
Google collects Android users’ locations even when location services are disabled
I honestly do not know where to begin with this article. I believe the most logical place to start is that I have no doubt similar problems may exist within devices running other mobile operating systems. I doubt this is exclusively an Android or Google problem. That said, it is deeply concerning, especially given the data collection and sharing process going on even in the absence of an active SIM card.
I am not advocating for the mass production of tin foil hats, but I will say this. If you have your smartphone with you, you are most certainly never alone.
Sophos Weekly Recap
Shadow Brokers cause ongoing headache for NSA
This is a nice recap of where the NSA vs. ShadowBrokers stands at the moment. I do find it mildly intriguing how damaged the NSA finds itself amidst this constant trickle feed of compromised data and formerly secret exploits. One telling line in the article references the NSA (and I am paraphrasing) as one of the premier worldwide agencies for breaking into computer systems, and yet they could not protect their own house.
I do have to agree with Bruce Schneier and others who point to a whistleblower or other insider theory on the breach. ShadowBrokers wants the NSA to suffer, both functionally and in terms of reputation.
https://nakedsecurity.sophos.com/2017/11/15/shadow-brokers-cause-ongoing-headache-for-nsa/