A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Companies are leaking sensitive files via Box accounts (ZDNet, Mar 12 2019)
Leaks discovered at Apple, the Discovery Channel, Herbalife, Schneider Electric, and even Box itself.

Gaming industry still in the scope of attackers in Asia (WeLiveSecurity, Mar 11 2019)
Asian game developers again targeted in supply-chain attacks distributing malware in legitimately signed software

Researchers Find Critical Backdoor in Swiss Online Voting System (Motherboard, Mar 12 2019)
Researchers have found a severe issue in the new Swiss internet voting system that they say would let someone alter votes undetected. They say it should put a halt to Switzerland’s plan to roll out the system in real elections this year.


8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favorite way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras

The 12 Worst Serverless Security Risks (Dark Reading, Mar 12 2019)
A new guide from the Cloud Security Alliance offers mitigations, best practices, and a comparison between traditional applications and their serverless counterparts.

Registration for AWS re:Inforce 2019 now open! (AWS Security Blog, Mar 12 2019)
“In late November, I announced AWS re:Inforce, a standalone conference where we will deep dive into the latest approaches to security, identity, and risk management utilizing AWS services, features, and tools. Now, after months of planning, the time has arrived to open registration! Ticket sales begin on March 12th at 10:00am PDT, and you can access the ticket sales website here. We do expect to sell out, so…”

Software-defined perimeter brings trusted access to multi-cloud applications, network resources (Network World Security, Mar 11 2019)
Today’s networks are both elastic and permeable. Software-defined perimeter (SDP) technology enables simpler, trusted, and secure access to applications in public or private cloud.

763M Email Addresses Exposed in Latest Database Misconfiguration Episode (Dark Reading, Mar 11 2019)
MongoDB once again used by database admin who opens unencrypted database to the whole world.

Exploring container security: four takeaways from Container Security Summit 2019 (Google Cloud Blog, Mar 12 2019)
“On February 20, we hosted the fourth annual Container Security Summit at Google’s campus in Seattle. This event aims to help security professionals increase the security of their container deployments and apply the latest in container security research. Here’s what we learned.”

DevSecOps: How to Deliver Security at DevOps Speed (eWEEK, Mar 08 2019)
Martino said DevSecOps is not about a proscriptive set of requirements that are dictated to developers and operations teams. Rather, Cisco is building security as code for the engineering and operations teams that is delivered and consumed, much like a product.

How the Best DevSecOps Teams Make Risk Visible to Developers (Dark Reading, Mar 12 2019)
DevOps-minded CISOs say enterprise security teams need to do a better job scoring and visualizing risk for developers and business executives.

Google plugs Chrome zero-day exploited in the wild (Help Net Security, Mar 06 2019)
Google hasn’t revealed much about CVE-2019-5786: we know that it affects the browser’s FileReader API, that it’s a use-after-free vulnerability, and that it can allow attackers to escape the Chrome sandbox and perform remote code execution on the underlying operating system.

Backdoored GitHub accounts spewed secret sneakerbot software (Naked Security – Sophos, Mar 07 2019)
Researchers have uncovered a network of GitHub accounts containing backdoored versions of legitimate software.

Facebook Messenger bug made it possible for hackers to see who you have been chatting with (Graham Cluley, Mar 08 2019)
A security researcher has revealed details of a flaw in Facebook Messenger that made it possible for “any website to expose who you have been messaging with.”

Hackers Break into System That Houses College Application Data (Dark Reading, Mar 11 2019)
More than 900 colleges and universities use Slate, owned by Technolutions, to collect and manage information on applicants.

Facebook sues app makers over browser extensions that allegedly scraped user data (SC Magazine, Mar 11 2019)
Facebook has filed a lawsuit against two Ukrainian men accused of creating fraudulent quiz applications that tricked users into installing malicious browser extensions. These extensions allegedly scraped information from users’ social media pages and injected unapproved advertisements when users would visit various social networking sites, including Facebook.

GIF Attack on Facebook Messenger Earned Hacker $10,000 (SecurityWeek, Mar 11 2019)
A white hat hacker earned $10,000 from Facebook last year for finding a Messenger vulnerability that apparently could have been exploited to randomly obtain other users’ images.

A world of hurt after GoDaddy, Apple, and Google misissue >1 million certificates (Ars Technica, Mar 12 2019)
Certificates with 63-bit serial numbers touch off mass revocation blitz.

Web Apps Are Becoming Less Secure (Dark Reading, Mar 12 2019)
Security configuration errors—such as default settings, common passwords, full path disclosure, and other information-leak errors—were present in four out of five apps, making this class of vulnerability the most common. Cross-site scripting errors were present in 77% of applications; 74% had authentication-related issues; and more than half (53%) had access control flaws. In most cases, the vulnerabilities stemmed from coding errors and could only be fixed by coding changes.

F5 Networks to Acquire NGINX for $670 Million (SecurityWeek, Mar 12 2019)
Cloud and application security provider F5 Networks is acquiring NGINX, a provider of technologies for application development and delivery, for approximately $670 million.