Security Roundup - 2016-01-15

Posted on  by

Lots of news over the week, so thought I would do a pre-weekend digest.

More and more hardware vulnerability stories:

Critical Flaws Found In Network Management Services

Maybe we should score some companies based on the security of their products? Or at least notify our customers who we know use these products when these things are released?

Trend Micro security software made passwords vulnerable, allowed remote code execution

I mean, seriously, if someone has a product that proved to be a security vulnerability, it makes sense that their security score should be kinda low, right? Especially if it is a security product like a password manager.

Cisco Patches Hardcoded Password, DOS Vulnerabilities In Software, Devices

At least Cisco found these themselves, having launched a code review in the wake of Juniper.

Advantech EKI Vulnerable To Bypass, Possible Backdoor

“Researchers with Rapid 7 pointed out in early December that EKI-1322 was still vulnerable to Shellshock and Heartbleed, bugs that affected machines running Bash, and OpenSSL respectively, in 2014.”

It’s Too Easy To Hack The Hospital

Almost missed this article from November. Hackers stealing data through medical devices! Hospital system honeypots! Hacking devices to do lethal things!

And an assortment of other news:

The CIA Secret To CyberSecurity That No One Seems To Get

“As Ajay Arora, CEO of file security company Vera, notes, there is no perimeter anymore.”

Password Storage In A Highly Parallel World

From compute-hard passwords to memory-hard passwords.

Papers Please

Interesting article on how one organization audits their SSH usage.

Hacking Team Leak Helped Find 0-Day Vulnerability

A tale of white hat turning black hat. Hackers being hacked. Monitoring for vulnerabilities based on coding style/reuse.

The Dragnet

How one con divined the existence of the Stringray

Google’s Creepy Plan To Kill The Password

Using a combination of biometrics, the way you walk, your keystroke patterns, your speech patterns, your face, etc to build a ‘trust score’ that unlocks your device. Unsure what happens if you totally mess up one of those algorithms by breaking your leg or something. And, I mean, something is going to be storing all that data.