A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Signing into Azure DevOps using your GitHub credentials (Azure DevOps Blog, May 08 2019)
“Today, we are enabling developers to sign in with their existing GitHub account to Microsoft online services, on any Microsoft log in page. Using your GitHub credentials, you can now sign in via OAuth anywhere a personal Microsoft account does, including Azure DevOps and Azure.”

CSS tracking trick can monitor your mouse without JavaScript (Naked Security – Sophos, May 09 2019)
A security researcher has demonstrated a new way to track mouse movements even if users block JavaScript.

Attacks on JavaScript Services Leak Info From Websites (Dark Reading, May 13 2019)
Three marketing tools, including the Best Of The Web security logomark, were compromised in supply chain attacks, allegedly leaving website customers leaking their users’ sensitive information.

8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favority way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

IRS extends tax filing deadline following attack on Wolters Kluwer CCH cloud accounting service (Graham Cluley, May 13 2019)
The IRS will waive penalties and interest if your tax filing was delayed due to the CCH outage.

Azure Firewall and network virtual appliances (Microsoft Azure Blog, May 14 2019)
Network security solutions can be delivered as appliances on premises, as Network Virtual Appliances (NVAs) that run in the cloud or as a cloud native offering (known as firewall-as-a-service).

Hard-Coded Credentials Found in Alpine Linux Docker Images (SecurityWeek, May 09 2019)
For the past three years, Alpine Linux Docker images have been shipped with a NULL password for the root user, Cisco’s Talos security researchers have discovered. 

Jenkins Vulnerability Exploited to Deliver ‘Kerberods’ Malware (SecurityWeek, May 08 2019)
A vulnerability disclosed late last year has been exploited by malicious actors to deliver a piece of malware that deploys a Monero cryptocurrency miner and looks for new victims on the internet and the local network.

Sites infected as open source Alpaca Forms and analytics service Picreel compromised (SC Magazine, May 13 2019)
Hackers have breached two services and modified their JavaScript code to infect more than 4,600 websites with malware, according to security researchers.

How to quickly launch encrypted EBS-backed EC2 instances from unencrypted AMIs (AWS Security Blog, May 13 2019)
An Amazon Machine Image (AMI) provides the information that you need to launch an instance (a virtual server) in your AWS environment. There are a number of AMIs on the AWS Marketplace (such as Amazon Linux, Red Hat or Ubuntu) that you can use to launch an Amazon Elastic Compute Cloud (Amazon EC2) instance. When you launch an instance from these AMIs, the resulting volumes are unencrypted. However, for regulatory purposes or internal compliance reasons, you might need to launch instances with encrypted root volumes.

Container Security is Dead (At Least, As You Probably Know It) (Container Journal, May 15 2019)
But most approaches to container security are piecemeal fixes. Make the wrong decisions now, and you’ll be throwing those investments away in a few years when you have a better understanding of the new challenges.

The radio-navigation planes use to land safely is insecure and can be hacked (Ars Technica, May 15 2019)
Radios that sell for $600 can spoof signals planes use to find runways.

Drupal core patches moderately critical vulnerability (SC Magazine, May 13 2019)
Drupal core released a patch for a  moderately critical vulnerability in third-party libraries that could allow the by-passing of protection of Phar Steam Wrapper Interceptor. The vulnerability occurs when untrusted data is used to abuse the logic of the application.