Week5 Links
Mar 2, 2017
2 minute read

Cybercrime

Update on Yahoo’s security incident (also see 10K filing):

As those who follow Yahoo know, in late 2014, we were the victim of a state-sponsored attack … since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.

Cryptography

Lifetimes of cryptographic hash functions

Application Security

Soon after we were playing with cookies and session management in class – using my Google account! – this happened. This definitely affected my mobile GMail app.

No change to report from the last update. We’re still actively working to resolve issues with Identity/Authentication. Future updates will follow when there is significant progress to report.

To summarize; some long-lived OAuth tokens have inadvertently been invalidated. This may affect the following Cloud services and will manifest as authentication errors:

- Cloud APIs using OAuth tokens, and related services that use them
- gcloud SDK
- Cloud Storage
- gsutil
- Cloud Dataflow

Note: not all customers are affected by this.


The CloudFlare incident has caused a lot of back-and-forth between CloudFlare and Google’s Project Zero (see Twitter for more)


Project Zero also released a Microsoft browser vulnerability that went unpatched.


Password Manager Vulnerabilities

At first sight, the requirements for a password manager application seem simple: Storing the passwords of a user centralized in a secure and confidential way. However, how is the reality on mobile password manager applications, especially on Android? … Despite the vendors’ claims, is it nevertheless possible to obtain access to the stored credentials?


Data from connected CloudPets teddy bears leaked and ransomed, exposing kids’ voice messages

Other

BadThingsDaily – not so fictional worst-case drills, every day!


Via a classmate, Cybersecurity Suffers from Talent Shortage. Related, there may be some other cybersecurity folks entering the private job market.

