Newscast - Oct. 20, 2015

20/10/2015 26 min

Episode Synopsis

Hi and welcome to the DevelopSec newscast for October 20th, 2015. I am James Jardine and I wanted to take a few moments to talk about some recent news stories over the past week.

Apple removes several apps that could spy on encrypted traffic - http://arstechnica.com/security/2015/10/apple-removes-several-apps-that-could-spy-on-encrypted-traffic/ , http://www.theregister.co.uk/2015/10/09/apple_borks_adblocking_app_over_privacy_concerns/
- Apps installed a root certificate on the device.
- Could allow monitoring of data, even SSL/TLS traffic.
- Recommended to uninstall the apps; unfortunately, it was not made clear which ones they are.

Outlook.com CSRF bug pays security tester $25,000 - http://www.theregister.co.uk/2015/10/09/hotmail_hijack_hole_earns_boffin_25k_double_bug_bounty_trouble/
- Wesley Wineberg found a Cross-Site Request Forgery flaw in the Microsoft Outlook.com website.
- Could hijack user sessions.
- Responsible/coordinated disclosure allowed the flaw to be resolved before it was publicly disclosed.

Medicaid Data Breach, Security Issue at NC and CA Facilities - http://healthitsecurity.com/news/medicaid-data-breach-security-issue-at-nc-and-ca-facilities
- Spreadsheet sent via email unencrypted.
- Highlights importance of attention to detail. Sometimes the simplest mistakes create a potential risk.
- Difficult to prove if data was accessed by unauthorized users.
- What options could be used instead of emailing the attachment?
- Thumb drive stolen from an employee's home.
- Data should be encrypted.
- Ensure policies exist that cover acceptable use of portable storage.
- Ensure that employees are trained on the policies.

Join the conversation on Google+ (https://www.google.com/+Developsec) and Twitter (@DevelopSec).

For more info go to https://www.developsec.com or follow us on X (@developsec). The DevelopSec podcast is brought to you by Jardine Software Inc.