Security Roundup - 2016-03-23

Latest stories for you all!

My co-worker Asim mentions that iMessages are open to a MitM attach where attackers can gain enough data and have enough tries to brute force files from Apple’s servers. One of the researchers has posted an in depth description of the problem.

EFF apparently has a secure messaging scorecard, based on factors such as security in transit, security at rest, and whether the code is open and has been audited.

Google has announced they are expanding their certificate transparency project to include a log of certificate chains that are no longer trusted by browsers, or are pending inclusion into browsers. In additional Google security news, they recently announced a new transparency initiative around their own encryption efforts. ~77% of their traffic is now encrypted.

NIST just released a new draft on Cryptographic Standards in the Federal Government.

Uber just started a bug bounty program, and it looks like they are going to try gamification to keep researchers interested in trying to discover problems. Contrast this to the DoD, which started a program requiring researchers to jump through hoops to be ‘allowed’ to look at things. Not on the list? Well, that is apparently what legal threats are for. And finally, this years Pwn2Own has wrapped up, leading to 21 new browser based vulnerabilities being disclosed.

Locky AND hospital security? This appears to be the case for the Methodist Hospital in Kentucky. And for those surprised about finding hospital devices on the internet, ThreatPost has an article on serial servers with dumb defaults…. these being used to attach medical devices to networks.

Krebs also has an interesting article of spam and malware providers abusing open redirect systems on .gov sites to make links more trusted.

Written on March 23, 2016