Uber apparently has been hacked.
There are not many details in the mainstream tech press, as well as there’s no official write up yet, only a tweet about the incident.
However, here’s an interesting Twitter thread about the scope of the attack (the scope is huge!).
If you rather prefer a web page view, here’s the same thread via Unroll app.
The key takeaways from that thread:
- Rely on MFA protected from phishing such as hardware keys
- Pay as much attention to your internal network as to the public facing interfaces
#security
There are not many details in the mainstream tech press, as well as there’s no official write up yet, only a tweet about the incident.
However, here’s an interesting Twitter thread about the scope of the attack (the scope is huge!).
If you rather prefer a web page view, here’s the same thread via Unroll app.
The key takeaways from that thread:
- Rely on MFA protected from phishing such as hardware keys
- Pay as much attention to your internal network as to the public facing interfaces
#security
CNN
Uber investigating ‘cybersecurity incident’ after hacker claims to access internal systems
Uber said Thursday that it was investigating a "cybersecurity incident" after a hacker shared evidence that they had breached the ride-hailing giant's computer systems with journalists and security researchers.
A list of security tools for AWS. It has both defensive and offensive as well as auditing tools.
This list is really huge, so I’m pretty sure that if you’re working on hardening your AWS setup, you’ll find something interesting for you there.
#security #aws
This list is really huge, so I’m pretty sure that if you’re working on hardening your AWS setup, you’ll find something interesting for you there.
#security #aws
GitHub
GitHub - toniblyx/my-arsenal-of-aws-security-tools: List of open source tools for AWS security: defensive, offensive, auditing…
List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc. - toniblyx/my-arsenal-of-aws-security-tools
It looks like on Tuesday, Nov 1st, we will need to patch OpenSSL 3.x.x.
A critical vulnerability has been found in OpenSSL versions 3.0.0 through 3.0.6. So, older version are likely not affected by this problem.
Yet, Ubuntu 22.04 and RHEL 9.x have OpenSSL 3.x.x, hence require an upgrade.
The same news from another source.
#security
A critical vulnerability has been found in OpenSSL versions 3.0.0 through 3.0.6. So, older version are likely not affected by this problem.
Yet, Ubuntu 22.04 and RHEL 9.x have OpenSSL 3.x.x, hence require an upgrade.
The same news from another source.
#security
ZDNET
OpenSSL warns of critical security vulnerability with upcoming patch
We don't have the details yet, but we can safely say that come Nov. 1, everyone -- and I mean everyone -- will need to patch OpenSSL 3.x.
So, recently I posted about the TLS vulnerability that was patched on the 1st of November.
Here someone gathered the list of affected operation systems and patched version references
Make sure to check if you’re covered!
#security #tls
Here someone gathered the list of affected operation systems and patched version references
Make sure to check if you’re covered!
#security #tls
Telegram
CatOps
It looks like on Tuesday, Nov 1st, we will need to patch OpenSSL 3.x.x.
A critical vulnerability has been found in OpenSSL versions 3.0.0 through 3.0.6. So, older version are likely not affected by this problem.
Yet, Ubuntu 22.04 and RHEL 9.x have OpenSSL…
A critical vulnerability has been found in OpenSSL versions 3.0.0 through 3.0.6. So, older version are likely not affected by this problem.
Yet, Ubuntu 22.04 and RHEL 9.x have OpenSSL…
Disk encryption in AWS is close to useless and potentially harmful.
No, it’s not like AWS is going to do anything with your data.
tl;dr: Encryption at rest protects you from cases when someone steals your disk. However, such an attack vector is so hard in a cloud environment that it’s completely worthless for an attacker.
However, the correct implementation of the encryption at rest will take time and effort that you can put into real risk mitigation and security hardening instead.
#security #aws
No, it’s not like AWS is going to do anything with your data.
tl;dr: Encryption at rest protects you from cases when someone steals your disk. However, such an attack vector is so hard in a cloud environment that it’s completely worthless for an attacker.
However, the correct implementation of the encryption at rest will take time and effort that you can put into real risk mitigation and security hardening instead.
#security #aws
Mellow Root
Disk encryption in AWS is close to useless and potentially harmful
Security theater is the practice of taking security measures that are considered to provide the feeling of improved security while doing little or nothing to...
A couple of days ago I attended a CNCF meetup here in Berlin (full recording is available on YouTube). So, I want to share some things that were presented there.
- NeuVector - an open-source security solution for Kubernetes recently bought by Suse. It has UI, so one can do click-ops if they want, but one can then export all the rules into custom definitions and apply in any other cluster. Obviously, you can configure NeuVector using only YAML as well. Feel free to explore their GitHub. Although, the website has more information about the tool.
- Tetragon - another real-time observability/security tool based on eBPF by the developers of Cilium. It doesn’t do CVE scans like NeuVector, but provides some real-time visibility and rules enforcement. Also, it doesn’t have a fancy UI.
- Cilium service mesh. It’s also based on eBPF. Check it out if you want to have a service mesh, but not sure about heavyweight solutions like Istio.
- Despite that several Cilium-based tools I mentioned before, the second talk was about the Cilium Cluster Mesh. It’s not new, but this solution looks very promising, especially if you’re running multiple clusters for HA or multi-region purposes.
#Kubernetes #security #networking
- NeuVector - an open-source security solution for Kubernetes recently bought by Suse. It has UI, so one can do click-ops if they want, but one can then export all the rules into custom definitions and apply in any other cluster. Obviously, you can configure NeuVector using only YAML as well. Feel free to explore their GitHub. Although, the website has more information about the tool.
- Tetragon - another real-time observability/security tool based on eBPF by the developers of Cilium. It doesn’t do CVE scans like NeuVector, but provides some real-time visibility and rules enforcement. Also, it doesn’t have a fancy UI.
- Cilium service mesh. It’s also based on eBPF. Check it out if you want to have a service mesh, but not sure about heavyweight solutions like Istio.
- Despite that several Cilium-based tools I mentioned before, the second talk was about the Cilium Cluster Mesh. It’s not new, but this solution looks very promising, especially if you’re running multiple clusters for HA or multi-region purposes.
#Kubernetes #security #networking
YouTube
Kubernetes & Cloud Native Berlin Meetup New Year Edition
Welcome to the live stream of the Kubernetes & Cloud Native Berlin Meetup - Jan 2023. Doors open for the in person meet up at 5 pm. The talks will begin at 6 pm, so stay tuned.
Find more information here: https://www.meetup.com/berlin-kubernetes-meetup…
Find more information here: https://www.meetup.com/berlin-kubernetes-meetup…
Your SSO session can be stolen.
At least Grammarly, with their white partner prepared an internal phishing attack and get access to their OTP SSO session.
As a result, they choose to move to FIDO2, to prevent the possibility of that attack vector.
More about the attack and why choose FIDO2 in Part 1.
About implementation and problems - in Part 2.
#security
At least Grammarly, with their white partner prepared an internal phishing attack and get access to their OTP SSO session.
As a result, they choose to move to FIDO2, to prevent the possibility of that attack vector.
More about the attack and why choose FIDO2 in Part 1.
About implementation and problems - in Part 2.
#security
I posted about S3 encryption not being a panacea back in a day.
Here’s another article about why AWS S3 encryption by default won’t solve security for you and why you still have to pay attention to the bucket settings.
#aws #security
Here’s another article about why AWS S3 encryption by default won’t solve security for you and why you still have to pay attention to the bucket settings.
#aws #security
Last Week in AWS
S3 Encryption at Rest Does NOT Solve for Bucket Negligence
Amazon S3 encrypting new objects by default is a nice feature, but it's not the panacea for data breaches that commentators make it out to be.
This is an unplanned post for today, but still.
A critical vulnerability was discovered in MacOS and iOS. That allegedly allows an arbitrary code to be executed with kernel privileges.
Please, make sure to update your OS on Apple devices if you have any. Also, make sure that your IT department is aware of this in case you have Apple devices as work machines.
Patched versions:
- MacOS: 13.2.1
- iOS: 16.3.1
The official statement doesn’t have much info. There is more in this Twitter thread.
#security
A critical vulnerability was discovered in MacOS and iOS. That allegedly allows an arbitrary code to be executed with kernel privileges.
Please, make sure to update your OS on Apple devices if you have any. Also, make sure that your IT department is aware of this in case you have Apple devices as work machines.
Patched versions:
- MacOS: 13.2.1
- iOS: 16.3.1
The official statement doesn’t have much info. There is more in this Twitter thread.
#security
Apple Support
About the security content of iOS 16.3.1 and iPadOS 16.3.1
This document describes the security content of iOS 16.3.1 and iPadOS 16.3.1.
As you may have heard, LastPass had a breach recently.
And it looks like things are more complex comparing to the initial “some encrypted data was retrieved”.
According to this article, organizations need to re-onboard their users with SSO provider (if they used any) to ensure that their data is secure in LastPass.
Reddit discussion.
#security
And it looks like things are more complex comparing to the initial “some encrypted data was retrieved”.
According to this article, organizations need to re-onboard their users with SSO provider (if they used any) to ensure that their data is secure in LastPass.
Reddit discussion.
#security
Medium
It’s All Bad News: An update on how the Lastpass breach affects Lastpass SSO
Every week, almost without fail, I come across one thing that confuses, entertains, or most commonly infuriates me. I’ve decided to keep a…