Category: Security & Privacy

  • Apple raises bug bounty

    Macrumors, among others, reports. A good move in the vulnerability ecosystem.

  • OPA GateKeeper

    Open Policy Agent (OPA) used to manage policy for Kubernetes, via its Gatekeeper admission controller.

    Blog: OPA Gatekeeper: Policy and Governance for Kubernetes

  • What We Can Learn from the Capital One Hack


    Earlier this week, it became public that Capital One was the victim of a privacy leak affecting more than 100 million of its customers. News reports revealed details about the source of the attack, which apparently was carried out by an individual who then bragged about it publicly.

    Now, a few days later and with more facts known, the always excellent Krebs on Security blog offers some lessons learned from the incident. It collects good statements from Netflix, CloudFlare, DisruptOps and AWS personnel, including quotes on the roles that IAM, EC2 and the WAF played. In particular, it points out the mitigations AWS recommends against Server-Side Request Forgery (SSRF).

    Interesting is the conclusion Rich Mogull reaches: the industry faces a major skills gap when it comes to this kind of cloud security. Basic skills, and the availability of people who have them, have always been a major gap across the entire industry; with the arrival of cloud they become even scarcer. This is mostly because corporations maintain both their existing data centers and new cloud infrastructure, and so miss the opportunity to become more secure in the cloud.

    Source: What We Can Learn from the Capital One Hack
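    The SSRF mitigation mentioned above, as an added example that is not part of the Krebs post or of AWS's own guidance: an egress check that a server-side "fetch this URL for the user" feature would run before following the URL. It allowlists the destination host, refuses credentials embedded in the URL, and resolves the name so that a hostname pointing at loopback, private or link-local space (the range cloud instance-metadata endpoints live in) is rejected as well. `ALLOWED_HOSTS`, the `example.com` names and the fake resolver in the demonstration are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist for the example: the only hosts the service may fetch
# on a user's behalf. Real deployments load this from configuration.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def _resolve(host):
    """Resolve a hostname to the set of addresses it currently points at."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def is_blocked_address(ip_text):
    """True for addresses a server must never contact on a user's request:
    loopback, link-local (169.254.0.0/16 includes the instance-metadata
    endpoint), RFC 1918 private space, multicast, unspecified and reserved."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop an IPv6 scope id
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=_resolve):
    """Return (ok, reason). Allowlist the host first, then verify that every
    address it resolves to is public, so a DNS name that points at an internal
    address does not bypass the allowlist."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if host not in allowed_hosts:
        return False, "host not on allowlist"
    addrs = resolve(host)
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver so the demonstration runs offline; cdn.example.com
    # is deliberately pointed at a link-local address to show the DNS check.
    fake_dns = {"api.example.com": {"93.184.216.34"},
                "cdn.example.com": {"169.254.169.254"}}
    for candidate in ("https://api.example.com/v1/report",
                      "https://cdn.example.com/asset.png",
                      "http://api.example.com/v1/report",
                      "https://user:pw@api.example.com/"):
        print(candidate, "->", check_outbound_url(
            candidate, resolve=lambda h: fake_dns.get(h, set())))
```

    The resolve-then-check step matters because an allowlisted name is still only a name; the address it returns has to be verified at request time. A production version would additionally pin the checked address when opening the connection, so that a second lookup by the HTTP client cannot return a different answer.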

  • Look, No Hands!

    Black Hat 2019

    Google’s Project Zero drops a handful of zero-day vulnerabilities for the iPhone at Black Hat 2019. Apparently one of them isn’t patched yet. “Interaction-less attack surface” in this context means code execution with no human interaction, which is what makes such bugs wormable.

    Source: Look, No Hands! — The Remote, Interaction-less Attack Surface of the iPhone

  • #FashionID

    Today the European Court of Justice handed down a ruling in a case involving FashionID, the online shop of the fashion retailer Peek & Cloppenburg. It concerns how the passing on of user data when embedding third-party content must be handled. That the use of, for example, Facebook Like buttons

    Among others, the Tagesschau tries to explain it. Because the ruling was issued by the ECJ and will therefore have consequences beyond Germany, international outlets such as Techcrunch and Yahoo (Reuters) also report on it.

    Simon Assion of #twobirds, a lawyer active on Twitter, summarises a few key points on the ruling in a thread there.

  • Net Defender CloudFlare Goes Down, Taking Many Websites With It

    The Internet was built with decentralized infrastructure in mind. To scale globally, network providers like CloudFlare have emerged to run decentralized infrastructure and offer it as a service. In general, keeping services independent of each other and maintaining heterogeneous networks has a proven track record of resilience, one that is not necessarily inherent to the architecture of these providers: a single provider becomes a shared dependency for many otherwise unrelated sites. Just like Akamai had a bad day in 2004, CloudFlare today suffered a global outage that left collateral damage visible all over the Internet. Bloomberg, among others, reports:

    CloudFlare Inc., an internet service meant to protect websites from going down, faced its own network issues on Tuesday, leading to several prominent sites — like blogging platform Medium and video game chat provider Discord — being unavailable for some time.

    Source: Net Defender CloudFlare Goes Down, Taking Many Websites With It – Bloomberg

  • Endangered website

    WHO SAID ARTIFICIAL INTELLIGENCE DOESN'T WORK, I ASKED?

  • Behavioral advertising efficiency

    Researchers from U Minnesota, UC Irvine and CMU took a look at “behaviourally based advertising”, a segment that requires heavy tracking of users across websites through cookies. A report of their findings is here: Online Tracking and Publishers’ Revenues: An Empirical Analysis. Money quote:

    Empirical analysis of behavioral advertising finds that surveillance makes ads only 4% more profitable for media companies

    They found that despite the 40% “ad-tech” premium charged by behavioral ad companies, the ads only added about 4% for the media companies that published them, meaning that behavioral advertising is a losing proposition.

    Source: Boing Boing

  • notepad.exe

    Until recently, notepad.exe was considered safe in terms of security vulnerabilities, mostly because of its lack of features and therefore its small attack surface. Then Tavis Ormandy, vulnerability researcher at Google, took a closer look and popped a shell from notepad.exe.

    Awesome.

  • Google stored G Suite passwords in plaintext

    In today’s edition of privacy-related topics, it is Google that apparently stored customer passwords in plaintext. Google didn’t disclose which (enterprise) customers were affected, but stated clearly that improper access is ruled out. With this incident, Google joins the ranks of Facebook and Instagram, but also Twitter and LinkedIn.

    Google says it discovered a bug that caused some of its enterprise G Suite customers to have their passwords stored in an unhashed form for about 14 years.

    Source: Google stored some G Suite passwords in plaintext for 14 years
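    For contrast with the incident above, an added example (not Google's code, and not a description of how G Suite stored credentials) of what a credential store should keep instead of the password: a salted, slow hash with a self-describing record format, a constant-time verifier, and a check an administrator could run over an exported store to spot records that are not hashed at all. The iteration count and the sample records are constructed for this example.

```python
import hashlib
import hmac
import os

# Assumption for the example: a PBKDF2-HMAC-SHA256 work factor in the range
# current guidance recommends. Tune it to your hardware; never store it
# implicitly, so it can be raised later without breaking old records.
PBKDF2_ITERATIONS = 600_000
RECORD_TAG = "pbkdf2_sha256"


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a record 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>'.
    A fresh random salt per password defeats precomputed tables and hides
    which users share a password."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{RECORD_TAG}${iterations}${salt.hex()}${key.hex()}"


def verify_password(record, candidate):
    """Recompute the derived key with the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    tag, iterations, salt_hex, key_hex = record.split("$")
    if tag != RECORD_TAG:
        raise ValueError(f"unsupported record format: {tag}")
    candidate_key = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate_key, bytes.fromhex(key_hex))


def find_unhashed_records(records):
    """Detection check over an exported store: return every record that does
    not carry the hashing tag, i.e. anything written down in a recoverable form.
    Such records must be invalidated and the users forced through a reset."""
    return [r for r in records if not r.startswith(RECORD_TAG + "$")]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "incorrect horse"))               # False
    # Constructed export mixing one properly hashed and one plaintext record.
    print(find_unhashed_records([record, "hunter2"]))               # ['hunter2']
```

    The record stores its own algorithm tag and work factor, which is what lets a store migrate to a higher cost (or to a memory-hard function such as scrypt or Argon2) on the next successful login without a flag day; the detection helper is the kind of one-off audit that would have surfaced the unhashed records described above.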