SANS Institute

Five Essential Reads to Understand the Meltdown and Spectre Processor Flaws

There has been plenty of (digital) ink spilled in recent days about widespread processor flaws known as “Meltdown” and “Spectre.” We round up five articles that will help you understand these security vulnerabilities, how they were discovered and their likely impact. 

A Right to Repair the Internet of Things? Spear Phishing Detection and Nonstop Attacks on DVRs

In-brief: In the latest Security Ledger podcast we talk about pending right to repair laws and their impact on the Internet of Things. Also:  Facebook’s Internet Defense Prize went to a better method for spear phishing detection. We talk to a member of the winning team. And, Johannes Ullrich of The Internet Storm Center joins us to talk about a study he did to measure the frequency of attacks on a common IoT device: digital video recorders.

Ghost Vulnerability Replays Third Party Code Woes

In-brief: The security firm Qualys is warning of a serious and remotely exploitable vulnerability in a function of the GNU C Library (glibc) known as gethostbyname. The security hole raises more questions about dangers lurking in legacy, open source software. 

BioCircuit0-600x300

Wellness Apps & Wearables Put You up for Sale | SANS Institute

  The SANS Institute’s Securing the Human blog has a nice, contributed article by Kelli Tarala of Enclave Security on the security and privacy implications of wearable technology. Among Tarala’s conclusions: health and so-called “quantified self” products do much more than gather health data like pulse and blood pressure. Rather: they are omnivores, gobbling up all manner of metadata from users that can be used to buttress health data. That includes who you exercise with, favorite walking- and jogging routes and the times you prefer to work out. Of course, social media activity is also subject to monitoring by these health apps, which often integrate with platforms like Facebook, Twitter and Pinterest to share workout information. [Read more Security Ledger coverage of wearable technology here.] All of this could spell trouble for consumers. To quote Tarala: “there are companies interested in your Quantified Self, but their goals may not be to health related.” […]

Obama Uses Executive Order To Push Chip and Pin

Add data security to the long list of issues on which U.S. President Barack Obama has resorted to unilateral action in order to push the government forward on a crucial matter. On Friday, President Obama signed an Executive Order directing the government to require the use of so-called “chip and PIN” technology for any newly issued or existing government debit and credit cards. The Order was intended to make the federal government “lead by example in securing transactions and sensitive data,” the White House said in a statement. The new BuySecure Initiative will provide consumers with more tools to secure their financial future by assisting victims of identity theft, improving the Government’s payment security as a customer and a provider, and accelerating the transition to stronger security technologies and the development of next-generation payment security tools. The Order launches a new initiative dubbed “BuySecure” intended to “drive the market towards more secure payment systems” […]