New research reveals your browser cache contains a lot more than you might expect, and we’ve got the details on some security issues WordPress doesn’t have a fix for…
Plus: We’ll answer your questions, chat about rolling your own email server, and much much more!
On this week’s TechSNAP
Show Notes:
Researchers find that 21 financial sites store sensitive information in your cache
- Browsers historically never cached any content that was served over HTTPS
- The internet has changed significantly since then, and many more sites now use HTTPS for entire browsing sessions, including Google and Facebook
- Secure sites are supposed to send special headers instructing the browser which files not to cache, but it seems some sites do not bother, and some send a non-standard header that only works with Internet Explorer
- Researchers from Independent Security Evaluators in Baltimore conducted a survey of a number of popular financial sites and found rather disappointing results
- “Non-technical users likely believe that if, after visiting a site and viewing personal data, they logout and close their browsers, that their data will be safe. Our findings prove this assumption incorrect in 70% of the cases tested.”
- ADP, Verizon Wireless, Scottrade, Geico, Equifax, PayPal and Allstate were among the websites that saved items such as prescription information, utility bills, check images and credit reports.
- All told, 21 of the 30 sites checked improperly stored sensitive data in the user’s local cache
- ISE identified 4 different ways to instruct Internet Explorer not to cache sensitive information, only one of which is actually part of the HTTP standard
- The correct way to tell a browser not to store sensitive data is to send the header “Cache-Control: no-store”
- Part of the problem may be that most online banking systems were designed in the early 2000s, when Internet Explorer had over 90% market share
- Researchers Report
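As an added illustration (not code from the show or from the ISE report), a small Python audit of the response headers discussed above: it treats only “Cache-Control: no-store” as sufficient, explains why the other directives that look like they disable caching are not, and builds the header set a page carrying sensitive data should send. The header dictionaries are constructed samples, not captured from any real site.

```python
"""Audit and harden HTTP response cache headers for pages carrying sensitive data.

Constructed example: header sets passed in are made up to mirror the kinds of
responses described above; no real site is contacted.
"""


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: value-or-None}, case-folded."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def audit_cache_headers(headers):
    """Return (ok, reason). ok is True only when a standards-compliant browser
    is told not to store the response at all, i.e. Cache-Control: no-store."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return True, "Cache-Control: no-store present"
    if "no-cache" in cc:
        # no-cache only forces revalidation before reuse; the bytes may still hit disk
        return False, "no-cache only forces revalidation; response may still be written to disk"
    if h.get("pragma", "").strip().lower() == "no-cache":
        # Pragma: no-cache is a request directive; responses carrying it are not
        # required to be kept out of the cache by non-IE browsers
        return False, "Pragma: no-cache is a request directive, not a storage rule"
    if "expires" in h:
        # Expires controls freshness; a stale copy is still stored and readable
        return False, "Expires controls freshness, not storage"
    return False, "no cache directives at all"


def harden_headers(headers):
    """Return a copy of headers with the directives a sensitive page should send.
    no-store is the standard directive; the rest are kept for legacy clients."""
    hardened = dict(headers)
    hardened["Cache-Control"] = "no-store, no-cache, must-revalidate"
    hardened["Pragma"] = "no-cache"
    hardened["Expires"] = "0"
    return hardened
```

Running audit_cache_headers over the responses of every authenticated page in a staging environment (for example from an integration test) catches the “looks cached-off but is not” cases the survey found.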
Amazon vows to help you fight government requests for data stored on their cloud
- An Amazon executive said “If a U.S. entity is serving us with a legally binding subpoena, we contact our customer and work with that customer to fight the subpoena. We will do that proactively and help the customer in any way to comply with the subpoena or fight it.”
- Amazon also recommends that you encrypt all data stored in the cloud
- However, many such orders from US agencies include a gag order, preventing Amazon from informing the customer that their data is being sought. If Amazon faced a subpoena that required it to keep the order secret, such encryption would be useful to customers: “If the data is encrypted, all we’d be handing over would be the ciphertext.”
- One of Amazon’s main rivals, Rackspace, said: “Rackspace reviews any orders to determine that they are lawful and have been issued in accordance with the 4th amendment. We are prohibited from accessing and disclosing customer data stored on their servers or storage devices in our data centers without a properly issued, lawful request from a court with jurisdiction over both Rackspace and the data sought. In the event Rackspace receives a court order for customer data that does not adhere to the 4th amendment, Rackspace will oppose the order.”
- Amazon is also building a $600 million private cloud for the CIA, a contract protested by IBM
WordPress plugins still a security nightmare
- Security researchers at Checkmarx find that 12 of the top 50 WordPress plugins are susceptible to common attacks
- The researchers also found that 7 of the top 10 e-commerce plugins contained flaws
- Many popular plugins are susceptible to SQL injection, Cross-Site Script Injection (XSS), Cross-Site Request Forgery (CSRF), Remote/ Local File Inclusion (RFI/ LFI) and Path Traversal
- “First of all, Web admins think that if they are downloading these plug-ins from a reputable source, then there is an assumption that they are receiving a secure plug-in,”
- Checkmarx started their research in January, at which time 18 of the top 50 WordPress plugins were vulnerable. During a subsequent scan in June, every plugin tested had been updated, but only 6 had fixed all of the vulnerabilities
- The researchers recommend that you only download plugins from official sources, and that the official sources conduct more intense security scans on plugins before they are listed in the marketplace
- Research Paper
- GCHQ intercepted foreign politicians’ communications at G20 summits
- LinkedIn Outage Due To Possible DNS Hijacking [Update: Fidelity.com Also Affected]
- Network Solutions takes credit for downing LinkedIn and others
- Terrorists live-tweet during attack
- Playstation 4 Reportedly Running a Modified FreeBSD 9.0
- Project Loon – Google
- Former President of TigerDirect indicted for money laundering
- 9 reasons your sysadmin hates you
- Stanford launches the Cookie Clearing House with Mozilla and Opera
- Bruce Schneier – Evidence that the NSA Is Storing Voice Content
- Richard Bejtlich (of the Mandiant APT report) on what businesses need to know
- MySQL Man page relicense was a bug, has been fixed
Feedback:
TechSNAP Bitmessage: BM-GuGEaEtsqQjqgHRAfag5FW33Dy2KHUmZ