A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Bug Bounty Programs Are Being Used to Buy Silence (Schneier on Security, Apr 03 2020)
Investigative report on how commercial bug-bounty programs like HackerOne, Bugcrowd, and SynAck are being used to silence researchers

Bugs that let sites hijack Mac and iPhone cameras fetch $75k bounty (Ars Technica, Apr 03 2020)
Here’s how one researcher bypassed stringent restrictions Apple puts on webcam access.

Tampering with Zoom’s Anti-Tampering Library (Syscall, Apr 06 2020)
This quick blog post highlights some of the flaws found in the Zoom application when attempting to do integrity checking. These checks verify that the DLLs inside the folder are signed by Zoom and also that no third-party DLLs are loaded at runtime. We can trivially disable this DLL by replacing it with our own or simply unloading it from the process.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Want to Improve Cloud Security? It Starts with Logging (Dark Reading, Apr 03 2020)
Remedying the “garbage in, garbage out” problem requires an understanding of what is causing the problem in the first place.

Key Ring App Data Leak Exposes 44 Million Images (Infosecurity Magazine, Apr 02 2020)
Researchers find user data of 14 million Key Ring app users on five unsecured Amazon Buckets

Docker Users Targeted with Crypto Malware Via Exposed APIs (Infosecurity Magazine, Apr 06 2020)
Password-free installations allow hackers to profit

Misconfigured Containers Again Targeted by Cryptominer Malware (Dark Reading, Apr 06 2020)
An attack group is searching for insecure containers exposing the Docker API and then installing a program that attempts to mine cryptocurrency. It’s not the first time.

Network Security for the Cloud and Mobile Workforce (Cloud Security Alliance, Apr 08 2020)
An increasing number of enterprises today have made large-scale shifts to cloud-based IT resources by putting their applications in the cloud, subscribing to ready-to-use software-as-a-service (SaaS) applications, and supporting an expanding remote and mobile workforce. However, these practices strain the capabilities of legacy networks built around site-centric connectivity and security stacks.

Detect large-scale cryptocurrency mining attack against Kubernetes clusters (Microsoft Azure Blog, Apr 08 2020)
Azure Security Center’s threat protection enables you to detect and prevent threats across a wide variety of services from Infrastructure as a Service (IaaS) layer to Platform as a Service (PaaS) resources in Azure, such as IoT, App Service, and on-premises virtual machines.

Happy developers more likely to build secure apps (Help Net Security, Apr 08 2020)
There’s an intrinsic link between developer happiness and application security hygiene, and an alarming level of application breaches, according to Sonatype. For the first time ever, the findings prove the correlation between developer happiness and application security hygiene, with happy developers 3.6x less likely to neglect security when it comes to code quality. Happy developers are also 2.3x more likely to have automated security tools in place, and 1.3x more likely to follow open source …

Filling the Skills Gap for Effective DevSecOps (DevOps, Apr 03 2020)
With the rise of DevSecOps comes a whole new need for training and upskilling. It isn’t a secret that the cybersecurity skills gap will only continue to grow. The security skills gap combined with the rise of DevSecOps has introduced hidden challenges organizations must address.  

Full-time bug hunting: Pros and cons of an emerging career (Help Net Security, Apr 07 2020)
Being a bug hunter who discloses their discoveries to vendors (as opposed to selling the information to the highest bidder) has been and is an ambition of many ethical hackers. Before vendors started paying for the info, the best they could hope for was a lucrative job offer, though an entry in the company’s Hall of Fame was a good enough incentive for most.

A client-side perspective on web security (Help Net Security, Apr 07 2020)
Threats to web security are explained in this first of a three-part article series, and client-side security is shown to address a commonly missed class of cyber attack exemplified by Magecart.

CoinMiner found in third-party Zoom download (SC Media, Apr 06 2020)
The bad news for Zoom keeps rolling in, with Trend Micro researchers finding CoinMiner being bundled with a legitimate installer of the video conferencing software. The good news is the installer, Zoom installer version, is not from the company’s official download center, but likely from a fraudulent third-party store…