Down The Security Rabbithole

DtSR Episode 189 - NewsCast for April 12th 2016

Information:

Synopsis

In this episode...

- Pros examine Mossack Fonseca breach: WordPress plugin, Drupal likely suspects
  - Plug-ins seem to be a universal weakness
  - Many companies have this type of 3rd party security issue
  - The broader enterprise implications - how do you find these sites?
  - http://www.scmagazine.com/pros-examine-mossack-fonseca-breach-wordpress-plugin-drupal-likely-suspects/article/488697/
- WordPress pushes free HTTPS encryption for all hosted sites
  - What's the problem we're trying to solve?
  - 2 separate issues, trust vs. authentication - know which you're solving
  - http://www.securityweek.com/wordpresscom-pushes-free-https-all-hosted-sites
- If you can't break crypto, break the client
  - Bishop Fox researcher finds WebKit bug in iMessage
  - JavaScript in iMessage, sure, why not
  - Same-Origin-Policy (SOP) not enforced since it's a desktop app
  - http://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/
- Executives - "We're not responsible for cyber security"
  - Raf: This is sq