Sign up to save your podcasts
Or
Share Episode 27 - In Bloatware We Trust
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 27 - In Bloatware We Trust
Discussed Articles
1) Out-of-Box Exploitation: A Security Analysis of OEM Updaters
OEM laptop vendors for a long time have included their own bits of software in with retail sales. These bits included update mechanisms which appear to be poorly designed. Duo Security, a 2 factor auth company, looks into the matter and writes down their results.
* https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters
* https://duo.com/assets/pdf/out-of-box-exploitation_oem-updaters.pdf
2) Typosquatting in Programming Language Package Managers
Nikolai Tschacher, an undergraduate Informatics student from University of Hamburg, released a paper detailing his work at analyzing typos made by programmers when working with package managers. He furthers the work of a few earlier security researchers and his approach to collecting data for his research brings up questions on what is acceptable to collect.
* http://incolumitas.com/2016/06/08/typosquatting-package-managers/
* https://soundsecurity.io/episodes/2015/07/20/a-googol-google-articles/
* https://www.youtube.com/watch?v=gXY3jm34RFU
3) SELinux is beyond saving at this point
Chris Siebenmann writes about SELinux's usability nightmare and how it is beyond saving. When you are too hard headed to listen to your customers, you may be the one who is wrong.
* https://utcc.utoronto.ca/~cks/space/blog/linux/SELinuxBeyondSaving
* https://en.wikipedia.org/wiki/Seccomp
* https://en.wikipedia.org/wiki/Trust_on_first_use
Breach of the Week
Russians Hacking DNC Computers
A group of hackers, presumably Russian at this point-in-time, broke into the Democratic National Committe's (DNC) servers and subsequently released a treasure drove of confidential documents out onto the Internet. What does this mean to folks in a corporate environment? Is APT1 now DNC1? Will we continue asking rhetorical questions you can't answer?
* https://twitter.com/thegrugq/timelines/743231527639621632
* https://www.washingtonpost.com/world/national-security/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html
* http://arstechnica.com/security/2016/06/hackers-invade-dems-servers-steal-entire-trump-opposition-file/
* https://www.schneier.com/blog/archives/2016/06/russians_hackin.html
View all episodes
Discussed Articles
1) Out-of-Box Exploitation: A Security Analysis of OEM Updaters
OEM laptop vendors for a long time have included their own bits of software in with retail sales. These bits included update mechanisms which appear to be poorly designed. Duo Security, a 2 factor auth company, looks into the matter and writes down their results.
* https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters
* https://duo.com/assets/pdf/out-of-box-exploitation_oem-updaters.pdf
2) Typosquatting in Programming Language Package Managers
Nikolai Tschacher, an undergraduate Informatics student from University of Hamburg, released a paper detailing his work at analyzing typos made by programmers when working with package managers. He furthers the work of a few earlier security researchers and his approach to collecting data for his research brings up questions on what is acceptable to collect.
* http://incolumitas.com/2016/06/08/typosquatting-package-managers/
* https://soundsecurity.io/episodes/2015/07/20/a-googol-google-articles/
* https://www.youtube.com/watch?v=gXY3jm34RFU
3) SELinux is beyond saving at this point
Chris Siebenmann writes about SELinux's usability nightmare and how it is beyond saving. When you are too hard headed to listen to your customers, you may be the one who is wrong.
* https://utcc.utoronto.ca/~cks/space/blog/linux/SELinuxBeyondSaving
* https://en.wikipedia.org/wiki/Seccomp
* https://en.wikipedia.org/wiki/Trust_on_first_use
Breach of the Week
Russians Hacking DNC Computers
A group of hackers, presumably Russian at this point-in-time, broke into the Democratic National Committe's (DNC) servers and subsequently released a treasure drove of confidential documents out onto the Internet. What does this mean to folks in a corporate environment? Is APT1 now DNC1? Will we continue asking rhetorical questions you can't answer?
* https://twitter.com/thegrugq/timelines/743231527639621632
* https://www.washingtonpost.com/world/national-security/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html
* http://arstechnica.com/security/2016/06/hackers-invade-dems-servers-steal-entire-trump-opposition-file/
* https://www.schneier.com/blog/archives/2016/06/russians_hackin.html