Published: Oct. 20, 2015, 1:30 p.m.
Hi and welcome to the DevelopSec newscast for October 20th, 2015. I am James Jardine and I wanted to take a few moments to talk about some recent news stories over the past week.
  - Apps installed a root certificate on the device.
  - Could allow monitoring of data, even SSL/TLS traffic.
  - Recommended to uninstall the apps; unfortunately, it was not made clear which ones they are.
- com CSRF bug pays security tester $25,000 - http://www.theregister.co.uk/2015/10/09/hotmail_hijack_hole_earns_boffin_25k_double_bug_bounty_trouble/
  - Wesley Wineberg found a Cross-Site Request Forgery flaw in the Microsoft Outlook.com website.
  - Could hijack user sessions.
  - Responsible/coordinated disclosure allowed the flaw to be resolved before it was publicly disclosed.
- Medicaid Data Breach, Security Issue at NC and CA Facilities - http://healthitsecurity.com/news/medicaid-data-breach-security-issue-at-nc-and-ca-facilities
  - Spreadsheet sent via email unencrypted.
  - Highlights the importance of attention to detail. Sometimes the simplest mistakes create a potential risk.
  - Difficult to prove whether the data was accessed by unauthorized users.
  - What options could be used instead of emailing the attachment?
- Thumb drive stolen from employee's home
  - Data should be encrypted.
  - Ensure policies exist that cover acceptable use of portable storage.
  - Ensure that employees are trained on the policies.
Join the conversation on google+ (https://www.google.com/+Developsec) and Twitter (@DevelopSec)