Equifax CyberSecurityRecap

Equifax was just reprimanded by Congress in the recently published congressional report detailing the Equifax breach, which disclosed the PII of nearly 150 million people. The report is lengthy but contains some valuable lessons. Every Cxx (C-level executive) should read it.

Maybe the biggest takeaway is the clandestine mode in which the cybersecurity industry seems to be operating. Brian Krebs reviewed the web sites of some 100 top companies. Very close to none of those companies listed a CISO or CIO on their web sites, i.e., clandestine.

What do you think: do you perceive cybersecurity as clandestine? Is this by cybersecurity's choice? Is that the way it should be? Is it really corporate neglect, or simply corporate unwillingness to invest in their customers' privacy? Please comment below.

Keywords: cybersecurityrecap equifax congressional report broken breach vulnerability

Troy Frericks.
blog 15-Mar-2019
=
Copyright 2015-2019 by Troy Frericks, http://cybersecurityblog1.frericks.us/.
#

MICROSOFT WHITE-LISTS THE ABILITY TO AUTO-RUN FLASH

Google's Project Zero has called out Microsoft for white-listing the auto-run of Flash by site. This allowed specific sites to run Flash without users approving or denying the action, which many see as a mechanism for future vulnerabilities. Microsoft appeared to want to hide this capability, as the web sites are listed in a .bin file as hashes rather than in the more traditional .txt plain-text configuration file. After the call-out about 90 days ago, Microsoft pared back the white-list to just two entries, both for Facebook sites. The hash file is at
C:\Windows\system32\edgehtmlpluginpolicy.bin
The record layout is a SHA-256 hash of the domain name followed by a permission mask.
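The practical consequence of a hashed allowlist is that an auditor cannot read the entries off the file; the only way to learn what it contains is to hash candidate domains and compare. The following is an added example, not code from the blog or from Microsoft, showing that audit over a constructed sample. It assumes a simplified record layout (a 32-byte SHA-256 digest of the lowercased domain name followed by a single-byte permission mask); that layout, the normalisation, the domain names and the mask values are all assumptions of this example, not the real edgehtmlpluginpolicy.bin encoding.

```python
import hashlib
import struct

# ASSUMED, simplified record layout (not the real edgehtmlpluginpolicy.bin
# encoding): 32-byte SHA-256 digest of the domain name, then one mask byte.
DIGEST_LEN = 32
RECORD_LEN = DIGEST_LEN + 1


def domain_hash(domain: str) -> bytes:
    """SHA-256 digest of the normalised domain (lowercase, whitespace stripped).
    The normalisation rule is an assumption of this example."""
    return hashlib.sha256(domain.strip().lower().encode("ascii")).digest()


def build_policy(entries: dict) -> bytes:
    """Serialise {domain: mask} into the assumed layout.
    Used here only to construct sample input for the parser below."""
    blob = b""
    for domain, mask in entries.items():
        blob += domain_hash(domain) + struct.pack("B", mask)
    return blob


def parse_policy(blob: bytes) -> list:
    """Parse the blob into a list of (digest, mask) records.
    A blob that is not a whole number of records is rejected rather than
    silently truncated, so a damaged file cannot be misread as a shorter list."""
    if len(blob) % RECORD_LEN != 0:
        raise ValueError(
            f"policy blob length {len(blob)} is not a multiple of {RECORD_LEN}")
    records = []
    for off in range(0, len(blob), RECORD_LEN):
        digest = blob[off:off + DIGEST_LEN]
        mask = blob[off + DIGEST_LEN]
        records.append((digest, mask))
    return records


def lookup(records: list, domain: str):
    """Return the permission mask for a domain, or None if it is not allowlisted."""
    wanted = domain_hash(domain)
    for digest, mask in records:
        if digest == wanted:
            return mask
    return None


def audit(records: list, candidate_domains: list):
    """Hash each candidate domain and compare against the stored digests.
    Returns ({matched_domain: mask}, number_of_records_left_unexplained).
    Records that match no candidate can only be reported as unknown, which is
    exactly the opacity a hashed allowlist creates for reviewers."""
    hits = {}
    matched_digests = set()
    for domain in candidate_domains:
        mask = lookup(records, domain)
        if mask is not None:
            hits[domain] = mask
            matched_digests.add(domain_hash(domain))
    unexplained = sum(1 for digest, _ in records if digest not in matched_digests)
    return hits, unexplained


# Constructed sample policy: placeholder domains and masks, not the real entries.
SAMPLE_POLICY = build_policy({
    "allowed-one.example": 0x01,
    "allowed-two.example": 0x03,
})


if __name__ == "__main__":
    recs = parse_policy(SAMPLE_POLICY)
    print("records:", len(recs))
    print("allowed-one.example ->", lookup(recs, "allowed-one.example"))
    print("other.example ->", lookup(recs, "other.example"))
    hits, unknown = audit(recs, ["allowed-one.example", "example.org"])
    print("audit hits:", hits, "| records still unexplained:", unknown)
```

Running it against a real file would replace SAMPLE_POLICY with the file's bytes and the candidate list with the domains a reviewer expects to find; any record still unexplained after that is an entry nobody can account for, which is the reviewer's finding.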

SOURCE

Google Project Zero

Keywords: flash auto-run bypass

Troy Frericks.
blog 2-Mar-2019
=
Copyright 2015-2019 by Troy Frericks, http://cybersecurityblog1.frericks.us/.
#