Uber apparently has been hacked.
There are not many details in the mainstream tech press, and there's no official write-up yet, only a tweet about the incident.
However, here's an interesting Twitter thread about the scope of the attack (the scope is huge!).
If you prefer a web page view, here's the same thread via the Unroll app.
The key takeaways from that thread:
- Rely on phishing-resistant MFA, such as hardware keys
- Pay as much attention to your internal network as to the public-facing interfaces
#security
CNN
Uber investigating ‘cybersecurity incident’ after hacker claims to access internal systems
Uber said Thursday that it was investigating a "cybersecurity incident" after a hacker shared evidence that they had breached the ride-hailing giant's computer systems with journalists and security researchers.
A list of security tools for AWS. It covers defensive, offensive and auditing tools.
This list is really huge, so I’m pretty sure that if you’re working on hardening your AWS setup, you’ll find something interesting for you there.
#security #aws
GitHub
GitHub - toniblyx/my-arsenal-of-aws-security-tools: List of open source tools for AWS security: defensive, offensive, auditing…
List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc. - toniblyx/my-arsenal-of-aws-security-tools
It looks like on Tuesday, Nov 1st, we will need to patch OpenSSL 3.x.x.
A critical vulnerability has been found in OpenSSL versions 3.0.0 through 3.0.6. So, older versions are likely not affected by this problem.
Ubuntu 22.04 and RHEL 9.x, however, ship OpenSSL 3.x.x and hence require an upgrade.
The same news from another source.
#security
ZDNET
OpenSSL warns of critical security vulnerability with upcoming patch
We don't have the details yet, but we can safely say that come Nov. 1, everyone -- and I mean everyone -- will need to patch OpenSSL 3.x.
So, recently I posted about the TLS vulnerability that was patched on the 1st of November.
Here someone has gathered a list of affected operating systems and references to the patched versions.
Make sure to check if you’re covered!
#security #tls
Telegram
CatOps
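As an added example for the two OpenSSL posts above (not code from the channel or from the linked articles), here is a small Python check that parses the banner printed by `openssl version` and reports whether the version falls inside the 3.0.0 to 3.0.6 range the posts mention; the sample banners in the comments are constructed.

```python
import re
import subprocess

# Affected range as stated in the post: OpenSSL 3.0.0 through 3.0.6 inclusive.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches the first line of `openssl version`, e.g. "OpenSSL 3.0.2 15 Mar 2022"
# (constructed sample). The optional trailing letters cover 1.1.1-style
# versions such as "1.1.1n".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch) parsed from an `openssl version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return tuple(int(x) for x in m.groups()[:3])


def is_affected(banner):
    """True when the banner reports a version inside the affected 3.0.x range."""
    return AFFECTED_MIN <= parse_openssl_version(banner) <= AFFECTED_MAX


def local_openssl_banner():
    """Run the local `openssl version` binary and return its first line."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()[0]


if __name__ == "__main__":
    # Caveat: distributions such as Ubuntu 22.04 and RHEL 9 backport fixes
    # without bumping the upstream version string, so after patching the
    # banner can still read 3.0.2. Treat a hit as "verify the package version
    # against your distro's advisory", not as a definitive result.
    banner = local_openssl_banner()
    verdict = "inside affected range" if is_affected(banner) else "outside affected range"
    print(banner, "->", verdict)
```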
Disk encryption in AWS is close to useless and potentially harmful.
No, it’s not like AWS is going to do anything with your data.
tl;dr: Encryption at rest protects you in the case where someone physically steals your disk. However, that attack vector is so hard to pull off in a cloud environment that it's worthless to an attacker.
Meanwhile, implementing encryption at rest correctly takes time and effort that you could put into real risk mitigation and security hardening instead.
#security #aws
Mellow Root
Disk encryption in AWS is close to useless and potentially harmful
Security theater is the practice of taking security measures that are considered to provide the feeling of improved security while doing little or nothing to...
A couple of days ago I attended a CNCF meetup here in Berlin (full recording is available on YouTube). So, I want to share some things that were presented there.
- NeuVector - an open-source security solution for Kubernetes, recently acquired by SUSE. It has a UI, so you can do click-ops if you want, and then export all the rules as custom definitions and apply them in any other cluster. Obviously, you can also configure NeuVector with YAML only. Feel free to explore their GitHub, although the website has more information about the tool.
- Tetragon - another real-time observability/security tool based on eBPF, from the developers of Cilium. It doesn't do CVE scans like NeuVector does, but it provides real-time visibility and rule enforcement. It also doesn't have a fancy UI.
- Cilium service mesh. It's also based on eBPF. Check it out if you want a service mesh but aren't sure about heavyweight solutions like Istio.
- On top of the several Cilium-based tools I mentioned above, the second talk was about Cilium Cluster Mesh. It's not new, but this solution looks very promising, especially if you're running multiple clusters for HA or multi-region purposes.
#Kubernetes #security #networking
YouTube
Kubernetes & Cloud Native Berlin Meetup New Year Edition
Welcome to the live stream of the Kubernetes & Cloud Native Berlin Meetup - Jan 2023. Doors open for the in person meet up at 5 pm. The talks will begin at 6 pm, so stay tuned.
Find more information here: https://www.meetup.com/berlin-kubernetes-meetup…
Your SSO session can be stolen.
At least Grammarly, together with their white-hat partner, prepared an internal phishing attack and got access to their OTP-protected SSO session.
As a result, they chose to move to FIDO2 to close that attack vector.
More about the attack and why they chose FIDO2 in Part 1.
Implementation and its problems are covered in Part 2.
#security
I posted about S3 encryption not being a panacea back in the day.
Here’s another article about why AWS S3 encryption by default won’t solve security for you and why you still have to pay attention to the bucket settings.
#aws #security
Last Week in AWS
S3 Encryption at Rest Does NOT Solve for Bucket Negligence
Amazon S3 encrypting new objects by default is a nice feature, but it's not the panacea for data breaches that commentators make it out to be.
This is an unplanned post for today, but still.
A critical vulnerability was discovered in macOS and iOS. It allegedly allows arbitrary code to be executed with kernel privileges.
Please make sure to update the OS on your Apple devices if you have any. Also, make sure that your IT department is aware of this in case you have Apple devices as work machines.
Patched versions:
- macOS: 13.2.1
- iOS: 16.3.1
The official statement doesn’t have much info. There is more in this Twitter thread.
#security
Apple Support
About the security content of iOS 16.3.1 and iPadOS 16.3.1
This document describes the security content of iOS 16.3.1 and iPadOS 16.3.1.
As you may have heard, LastPass had a breach recently.
And it looks like things are more complex compared to the initial "some encrypted data was retrieved".
According to this article, organizations need to re-onboard their users with their SSO provider (if they used one) to ensure that their data in LastPass is secure.
Reddit discussion.
#security
Medium
It’s All Bad News: An update on how the Lastpass breach affects Lastpass SSO
Every week, almost without fail, I come across one thing that confuses, entertains, or most commonly infuriates me. I’ve decided to keep a…
It's not a security-focused channel, but I post security-related things from time to time.
There is a book bundle related to cybersecurity on sale at Humble Bundle.
I cannot judge the quality of those books since I'm not an expert. Still, hopefully it's interesting to some of you.
#security
Humble Bundle
Humble Tech Book Bundle: Cybersecurity by Packt 2023
We’ve teamed up with Packt for our newest bundle. Get books like Hack the Cybersecurity Interview & Cybersecurity Blue Team Strategies. Pay what you want & support charity!
Remember that a couple of years ago GitHub disabled automatic execution of its Actions workflows?
The reasoning behind this decision is more or less described in this article: Build Pipeline Security. The problem it describes is not rocket science, so any malicious actor can do something similar.
This brings me to the topic of CI integrations for public repositories. On some podcast or in some article I've heard advice for beginners to create a pet project and configure CI for it, so that you can show you have some practical experience. OK, GitHub has you covered, but what about other CIs that are available for public repositories? It might have been good advice if we were living in a world where all people are kind to each other, which is not the case.
Does it mean you cannot have CI for your pet project? Of course not! Just be careful about what it can actually execute at each step. The author of the linked article suggests putting deploy scripts into a separate private repository. Nowadays, I think, any major VCS vendor allows at least one private repository for free.
Yet I would say this is not good enough: you should also follow GitHub's lead and enforce mandatory approvals for CI runs, as well as put quotas on the compute resources available to your CI. Again, GitHub has you covered here, but if you want to use something else, you are on your own.
#cicd #security #github #aws
sprocketfox.io
Build Pipeline Security
Security concerns with PR build systems
A short article on how to infect SSH public keys.
Is it a serious threat? No, not really. However, the article describes a rather little-known feature of SSH and serves as a reminder that key-based SSH access has its flaws.
#security #ssh
The Hacker's Choice
Infecting SSH Public Keys with backdoors
In this article, you will learn how to add a backdoor to the SSH Public Key. The backdoor will execute whenever the user logs in. The backdoor hides as an unreadable long hex-string inside ~/.ssh/authorized_keys or ~/.ssh/id_*.pub.
The source is avai...
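As an added, defender-side example (not code from the linked THC article), here is a Python auditor for `~/.ssh/authorized_keys` that flags entries carrying the login-time options the article builds on and checks that each key blob really embeds the key type it declares. The option names are sshd's own; the sample lines, the fake key bytes and the `/opt/hooks/login.sh` path are constructed for the demo.

```python
import base64
import shlex
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# sshd options that run a program or change the environment on every login.
RISKY_OPTIONS = ("command=", "environment=")

def make_blob(key_type, key_bytes):
    """Base64 key blob in SSH wire format (length-prefixed strings).
    Used only to build demo data with fake key bytes, never a real key."""
    raw = (struct.pack(">I", len(key_type)) + key_type.encode()
           + struct.pack(">I", len(key_bytes)) + key_bytes)
    return base64.b64encode(raw).decode()

def audit_line(line):
    """Return a list of findings for one authorized_keys line ([] is clean)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    try:
        tokens = shlex.split(line)  # keeps quoted option values together
    except ValueError:
        return ["unparseable line"]
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        return ["no recognised key type followed by a key blob"]
    findings = []
    options = ",".join(tokens[:idx])  # everything before the key type
    findings += [f"option {o} present" for o in RISKY_OPTIONS if o in options]
    if len(options) > 200:  # the article hides its payload in a long blob here
        findings.append("unusually long options field")
    try:  # the blob must decode and embed the same key type it declares
        raw = base64.b64decode(tokens[idx + 1], validate=True)
        tlen = struct.unpack(">I", raw[:4])[0]
        if raw[4:4 + tlen].decode() != tokens[idx]:
            findings.append("blob type does not match declared key type")
    except Exception:
        findings.append("key blob is not valid base64/wire format")
    return findings

# Constructed sample: line 1 clean, line 2 has command=, line 3 mismatched type.
DEMO_BLOB = make_blob("ssh-ed25519", b"\x01" * 32)
SAMPLE_LINES = [
    f"ssh-ed25519 {DEMO_BLOB} alice@laptop",
    f'command="/opt/hooks/login.sh",no-pty ssh-ed25519 {DEMO_BLOB} bob@laptop',
    f"ssh-rsa {DEMO_BLOB} carol@laptop",
]
```

Run `audit_line` over each line of a real file and review every non-empty result by hand; a `command=` entry is legitimate for forced-command service accounts, so the finding is a prompt to verify, not proof of compromise.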
I know y'all want to hear about the curl vulnerability. So here you are: a first-hand article from Daniel Stenberg (the author of curl) himself.
I haven’t read it yet, tho.
#security #curl