Netflix has announced Stethoscope, a device security awareness tool designed to empower users to make informed decisions to improve their security.
The tool takes an educational, user-focused approach to device security. Instead of simply being an admin tool to enact changes on devices, Stethoscope tracks security-critical device configurations like disk encryption and software versions, then provides the user with actionable information to fix problems.
Focusing on education gives users the information they need to keep their non-work devices secure as well, and even to pass useful security tips along to friends. The effect is to improve corporate security on the front line while allowing users more autonomy.
If you’re interested in trying it out or contributing, you can check it out here on GitHub.
Cryptographic hash functions are one of the basic building blocks of information security. Whether used inside larger cryptographic schemes or simply to verify downloaded files, they’re everywhere. But as MD5 taught us, no hash function stays secure forever. Now that Google and CWI Amsterdam have produced a practical collision, it’s SHA-1’s turn to be put out to pasture. More good reading on that here.
Collisions exist for every hash function, since it maps inputs of any length to a fixed-size digest; what a secure one guarantees is that actually finding one is computationally infeasible. So the ability to craft two different files that produce the same digest demonstrates that the hash function is broken.
That may sound academic, but SHA-1 identifies every object in Git source control, is still used in OpenPGP signatures, and was used to sign many SSL certificates. The OpenPGP issue is particularly concerning. While the industry has already been moving away from SHA-1 in critical applications like SSL certificates, this attack demonstrates that migrating to stronger hash functions should be a priority. The attack will only get cheaper, and its consequences will be far-reaching.
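As an added example (not from the article, and not Google's published collision tooling), the snippet below shows two places where this bites in practice: how Git derives an object ID from SHA-1, so that two colliding blobs are indistinguishable to the object store, and how to verify a downloaded file against published checksums while refusing to trust a SHA-1-only digest. The sample file contents and the PUBLISHED digest table are constructed for this example; the Git object IDs and digests it checks are the real values for those inputs.

```python
import hashlib
import hmac

# Constructed sample input (not from the article): the one-line file that
# "echo hello | git hash-object --stdin" examples use.
SAMPLE = b"hello\n"

# Digests a vendor might publish next to a download. The table is constructed
# for this example; the values are the real SHA-1 and SHA-256 of SAMPLE.
PUBLISHED = {
    "sha1": "f572d396fae9206628714fb2ce00f72e94f2258f",
    "sha256": "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03",
}


def git_blob_id(data: bytes) -> str:
    """Reproduce Git's object ID for a blob: SHA-1 over "blob <len>\\0<data>".

    This is why a SHA-1 collision matters to Git: two blobs whose IDs collide
    occupy the same slot in the object store, so one can silently stand in
    for the other.
    """
    header = b"blob %d\x00" % len(data)
    return hashlib.sha1(header + data).hexdigest()


def classify_pair(a: bytes, b: bytes) -> str:
    """Compare two inputs the way a collision checker would.

    Returns "identical", "distinct", or "sha1-collision" (different bytes,
    same SHA-1 digest). SHA-256 is compared too, so a weak-hash match is never
    mistaken for identical content.
    """
    if a == b:
        return "identical"
    sha1_match = hashlib.sha1(a).digest() == hashlib.sha1(b).digest()
    sha256_match = hashlib.sha256(a).digest() == hashlib.sha256(b).digest()
    if sha256_match:
        # Distinct inputs with equal SHA-256 would be a far bigger story than
        # SHAttered; fail loudly instead of guessing.
        raise AssertionError("SHA-256 collision on distinct inputs")
    return "sha1-collision" if sha1_match else "distinct"


# Algorithms acceptable for verifying a download, strongest first. SHA-1 and
# MD5 are deliberately absent: a match against a colliding file proves nothing.
PREFERRED = ("sha512", "sha384", "sha256")


def verify_download(data: bytes, published: dict) -> tuple:
    """Verify data against published digests, ignoring broken algorithms.

    Returns (ok, algorithm_used). Walks PREFERRED in order and returns
    (False, None) when only SHA-1/MD5 digests were published, because a
    SHA-1-only checksum no longer gives integrity against an attacker who
    can craft colliding files.
    """
    for algo in PREFERRED:
        expected = published.get(algo)
        if expected is None:
            continue
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return (hmac.compare_digest(actual, expected.lower()), algo)
    return (False, None)


if __name__ == "__main__":
    print("git blob id of sample:", git_blob_id(SAMPLE))
    print("sample vs. itself:", classify_pair(SAMPLE, SAMPLE))
    print("sample vs. 'hello':", classify_pair(SAMPLE, b"hello"))
    print("verify with sha256 published:", verify_download(SAMPLE, PUBLISHED))
    print("verify with sha1 only:", verify_download(SAMPLE, {"sha1": PUBLISHED["sha1"]}))
```

verify_download intentionally treats a SHA-1-only checksum as no checksum at all rather than as a weaker check: once collisions are practical, a matching SHA-1 tells you only that the file is one of the inputs the attacker prepared, which is exactly the case you wanted the checksum to rule out.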
Here are some things you can do to help:
Everyone’s favorite web nuisance has made a bit of a comeback. While browsers have been blocking annoying popups for years, an interesting new attack may bring them back. The trick allows an attacker to open an infinite number of popup dialogs without allowing the user to block further dialogs. Think of the pranking you can do *cough* we mean, this can actually become a serious problem!
Thankfully, this issue only affects IE11. If you’re using IE11, you can always close the tab hosting the malicious code, but it may not even be obvious which tab has turned into a zombie like this. Now is a good time to upgrade to Edge, or to consider using another browser, such as Google Chrome.
Real-time chat software is no stranger to the workplace. Since the dawn of the instant messenger, tools like AIM and IRC have been standard issue for workers everywhere. The latest iteration is products like HipChat and Slack: cloud-hosted chat software with very polished UIs and feature sets, originally meant to replace email.
But cloud convenience often comes at a privacy cost. Many services store users’ chat logs by design, to provide conversation history and to make using multiple devices easier. However, that same stored history is exposed to any attacker who compromises the service or an account with access to it. Depending on the organization and the conversation, this could mean a PR nightmare or a legal disaster.
There are a few things that can be done to limit this risk: