Developsec: Developing Security Awareness

Newscast - Oct. 20, 2015

Information:

Synopsis

Hi and welcome to the DevelopSec newscast for October 20th, 2015. I am James Jardine and I wanted to take a few moments to talk about some recent news stories from the past week.

Apple removes several apps that could spy on encrypted traffic - http://arstechnica.com/security/2015/10/apple-removes-several-apps-that-could-spy-on-encrypted-traffic/ , http://www.theregister.co.uk/2015/10/09/apple_borks_adblocking_app_over_privacy_concerns/
- The apps installed a root certificate on the device.
- This could allow monitoring of data, even SSL/TLS traffic.
- It is recommended to uninstall the apps; unfortunately, it was not made clear which ones they are.

Outlook.com CSRF bug pays security tester $25,000 - http://www.theregister.co.uk/2015/10/09/hotmail_hijack_hole_earns_boffin_25k_double_bug_bounty_trouble/
- Wesley Wineberg found a Cross-Site Request Forgery flaw in the Microsoft Outlook.com website.
- The flaw could be used to hijack user sessions.
- Responsible/coordinated disclosure allowed the flaw to be resolved before it was publicly disclosed.

Medicaid Data Breach, Security Issue at