Date: 10 August 2012
From a purely nerdy perspective the landing of Curiosity on Mars
was an exciting way to start the week. Security-wise, Wired ran an
interesting story on the effects of our increasing reliance on
technology and interconnectedness.
In brief, Mat Honan described how less than ideal security practices
by Amazon and Apple combined with linked email and internet
accounts led to pretty much his entire online identity being
compromised along with the loss of family photos (and everything
else) on his iPhone, iPad, and MacBook.
A positive outcome from the incident is that Amazon have since changed
their policy so that customers cannot change account information simply
by providing a name, email, and mailing address. According to the
article, Apple have claimed their "internal policies" were not followed
completely. However, it is not clear whether following them would have
provided any additional security.
Rather than relying on business policies, security must be a combined
effort. At this point many of you should be wondering what can be done
at an individual level to avoid a similar situation. Here are some
suggestions rehashed and revamped from the Wired article and nicely
plonked in the one spot:
Back up your data to an offline location, e.g. an external hard disk.
Set up two-factor authentication where possible, e.g. Gmail gives you
the option of registering a mobile phone for additional account authentication.
Use a different nickname for each of your accounts; reusing the same one
everywhere, e.g. firstname.lastname@example.org, email@example.com and
https://twitter.com/jdoe, is bad!
Now onto the top 5 bulletins for the week:
1) ESB-2012.0746 - ALERT [Appliance] Siemens Synco OZW Web Server: Administrator compromise - Remote/unauthenticated
The ye olde default password trick. The Siemens Synco OZW Web Server,
used for building automation systems, does not prompt to change the
default administrator password.
2) ESB-2012.0743 - [RedHat] kernel: Denial of service - Remote/unauthenticated
The most critical update for Red Hat this week was a denial of service
vulnerability affecting the kernel.
3) ESB-2012.0752 - HP Arcsight Logger & Connector: Multiple vulnerabilities
I have listed this bulletin as one to keep an eye on as there is no
patch available and HP have not published an advisory as yet. This is
the bulletin as published by US-CERT.
4) ESB-2012.0729.2 - UPDATE [Debian] isc-dhcp: Multiple Vulnerabilities
Debian has updated this bulletin as the source package previously
provided did not actually include the patched code. Oops.
5) ASB-2012.0112 - [Win][UNIX/Linux] Google Chrome: Denial of service - Remote/unauthenticated
Google has released another update this week. There are just two
vulnerabilities this time; however, no user interaction is required to
exploit them.