WatchGuard Security Week in Review: Episode 55 – SSL/TLS Weakness

Lots of Patches, Celebrity Hacks, and an SSL/TLS Weakness

If you’re anything like the average IT professional, you’re probably too busy putting out proverbial IT helpdesk fires and installing new business IT solutions to spend much time each week staying on top of the latest security news and threats. That’s where we come in! For a quick recap of the biggest information and network security news from the week, check out the YouTube video below.

In this episode, I cover a ton of software updates from the week (it was Patch Day after all), the latest celebrity hack incident, an ironic breach of a security organization’s web site, and yet another weakness in the SSL/TLS encryption protocol. I even share a tip on how webmasters can learn to recover from web site hacks.

Enjoy the episode, and share your thoughts, suggestions, and questions in the comment section below. You can also find more details about these stories in the Reference section. Thanks for watching, and enjoy your St. Patty’s Day weekend.

(Episode Runtime: 11:00)

Direct YouTube Link: http://www.youtube.com/watch?v=yD6wNDXVsHE

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

9 Responses to “WatchGuard Security Week in Review: Episode 55 – SSL/TLS Weakness”

  1. Thank you, Corey, for the interesting materials. I’ve thoroughly read two articles of Nir Goldshlager about hacking the Facebook, and a couple of thoughts drill my mind (as a conclusion):
    – if only OAuth technology included 2 things: “time-limitation control mechanism” for lifetime of access token (better – session life-time limitation, like tickets in Kerberos) and simple obfuscation technology for the access token value – then this kind of attack would not have had the successful result.
    – Those tricks with “next=%23/xxxx”, “redirect_uri” and sub-domain names can be classified as an “application injection”, “bad games” with Web-app (methods logically similar to SQL-injection).
    As an IT-security expert – what do you think about these two vulnerabilities?

    • I think you are right about the additional OAuth mechanisms. Adding a limited time period and more obfuscation to the token would certainly help.

      Right now, web application attacks, like various injection attacks, are the most exploited online. Injection attacks are the number one attack of the OWASP’s top ten. Developers definitely need to work on writing secure web code. They need to leverage input validation and sanitation on all parameters, and do more to harden the SQL db associated with their web site… for instance, using stored parameterized queries for web applications, to limit what queries the web app can do.

  2. Thanks for sharing this article, it’s been a really great read. I’ve heard a lot of great things about security Calgary but I’ve never considered how and what they have to go through. I could never do that, I need sleep I literally can’t function if I’m a few hrs short of it. Those people have to work weird hrs.

  3. I leave a response when I appreciate a post on a site or if I have something valuable to contribute to the discussion. It’s triggered by the passion displayed in the post I browsed. And after this post WatchGuard Security Week in Review: Episode 55 – SSL/TLS Weakness | WatchGuard Security Center. I was actually moved enough to drop a thought 😉 I actually do have a few questions for you if it’s okay. Could it be simply me or does it look as if some of these remarks look like they are coming from brain dead individuals? 😛 And, if you are writing at additional social sites, I would like to follow anything new you have to post. Could you make a list of all your social pages like your Facebook page, Twitter feed, or LinkedIn profile?

Trackbacks/Pingbacks

  1. Make Sure to Update Your Apple Devices | WatchGuard Security Center - March 21, 2013

    […] you follow my weekly security video, WatchGuard Security Week in Review, you probably already know that Apple released both an OS X and Safari security update last week. […]

  2. WatchGuard Security Week in Review: Episode 55 – SSL/TLS Weakness | Windstone Technology Services - March 22, 2013

    […] MARCH 15, 2013 BY COREY NACHREINER 2 COMMENTS […]

  3. WatchGuard Security Week in Review: Episode 55 | Wind Stone Technology Services - March 25, 2013

    […] MARCH 15, 2013 BY COREY NACHREINER 3 COMMENTS […]

  4. Make Sure to Update Your Apple Devices - Arlington, Fort Worth, Dallas | Marjen Technology Group - September 29, 2015

    […] you follow my weekly security video, WatchGuard Security Week in Review, you probably already know that Apple released both an OS X and Safari security update last week. […]
