A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Government Sites Across World Leaked User Data, Russia Firm Says (Bloomberg, Dec 17 2018)
At least 40,000 civilian and military users of government websites in the U.S. and more than 30 other countries have had their credentials leaked online, exposing them to potential criminal attacks, according to Group-IB, a Russian cyber-forensics firm.

Exploring container security: Let Google do the patching with new managed base images (Cloud Blog, Dec 19 2018)
“With managed base images, we’ll provide base images for these common OSes, and patch them automatically. As long as the FROM field in your Dockerfile points to `$distro:latest` from Cloud Marketplace, you know that these images have been remediated with the most recently available patches from upstream.”

Firestarter: Invent Security Review (Securosis Blog, Dec 18 2018)
“It’s that time of year again. The time when Amazon takes over our lives. No, not the holiday shopping season but the annual re:Invent conference where Amazon Web Services takes over Las Vegas (really, all of it) and dumps a firehose of updates on the world. Listen in to hear our take on new services like Transit Hub, Security Hub, and Control Tower.”


Tell Your Friends
If you’re enjoying Mosaic’s independent news curation, forward it to a friend today. “Hey, instead of sifting through vendor marketing and duplicate news, I found this curated news feed from Mosaic Security Research. Check it out.”
Thanks! – Lucas Samaras

Supermicro: We told you the tampering claims were false (Naked Security – Sophos, Dec 13 2018)
Computer manufacturer Supermicro is still trying to lay to rest reports that the Chinese government tampered with its equipment to spy on Western cloud users.

Oracle is suing the US government over $10B Pentagon JEDI cloud contract process (TechCrunch, Dec 12 2018)
Oracle filed suit in federal court last week alleging yet again that the decade-long $10 billion Pentagon JEDI contract with its single-vendor award is unfair and illegal.

Tigera raises $30M Series B for its Kubernetes security and compliance platform (TechCrunch, Dec 12 2018)
Tigera, a startup that offers security and compliance solutions for Kubernetes container deployments, today announced that it has raised a $30 million Series B round led by Insight Venture Partners. Existing investors Madrona, NEA and Wing also participated in this round.

New podcast: VP of Security answers your compliance and data privacy questions (AWS Security Blog, Dec 12 2018)
“Does AWS comply with X program? How about GDPR? What about after Brexit? And what happens with machine learning data? In the latest AWS Security & Compliance Podcast, we sit down with VP of Security Chad Woolf, who answers your compliance and data privacy questions.”

Kubernetes Security Flaw Raises IT Operations Concerns (Container Journal, Dec 07 2018)
Banjot Chanana, vice president of product for Docker Inc., says the issue this and other potential security flaws raise is the need for a Long-Term Release (LTR) of Kubernetes that IT organizations can rely on. Kubernetes is updated on a quarterly cadence, but many IT organizations find it challenging to absorb that rate of change. Updates to Kubernetes that also require IT organizations to update their applications are viewed as even more problematic.

Facebook: Photo API Bug Exposed 6.8M User Photos (Dark Reading, Dec 17 2018)
The flaw let developers access images that users may not have shared publicly, including those they started to upload but didn’t post.

Facebook Paid Out $1.1 Million in Bug Bounties in 2018 (SecurityWeek, Dec 14 2018)
Facebook announced on Thursday that it has paid out more than $1.1 million through its bug bounty program in 2018, which brings the total paid by the social media giant since the launch of its program in 2011 to roughly $7.5 million.

Twitter API Bug Exposes Users’ Country Codes (Infosecurity Magazine, Dec 18 2018)
Phone number info could allow governments to track dissidents

Apache Misconfig Leaks Data on 120 Million Brazilians (Infosecurity Magazine, Dec 13 2018)
Half the country has ID numbers exposed

53 Bugs in 50 Days: Researchers Fuzz Adobe Reader (Dark Reading, Dec 17 2018)
Automated vulnerability-finding tools turned up more than 50 CVEs in Adobe Reader and Adobe Acrobat Pro during a 50-day fuzzing experiment.

PewDiePie Hackers Deface Wall Street Journal (Infosecurity Magazine, Dec 18 2018)
Supporters continue with unconventional publicity campaign

SQLite creator fires back at Tencent’s bug hunters (Naked Security – Sophos, Dec 19 2018)
The creator of SQLite has downplayed reports of a bug that could lead to remote code execution.