A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Cellebrite Can Break Signal (Schneier on Security, Dec 21 2020)
“Cellebrite announced that it can break Signal. (Note that the company has heavily edited its blog post, but the original — with lots of technical details — was saved by the Wayback Machine.)

The whole story is puzzling. Cellebrite’s details will make it easier for the Signal developers to patch the vulnerability. So either Cellebrite believes it is so good that it can break whatever Signal does, or the original blog post was a mistake.”

Treasury Department’s Senior Leaders Were Targeted by Hacking (The New York Times, Dec 21 2020)
The disclosure was the first acknowledgment of a specific intrusion in the vast cyberattack. At the White House, national security leaders met to assess how to deal with the situation.

7 Infamous Moments in Adobe Flash’s Security History (Dark Reading, Dec 21 2020)
End-of-life is here: Adobe’s support for Flash is gone as of Jan. 1. Here’s what we won’t miss about the multimedia software platform.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Two Malware-Laced Gems Found in RubyGems Repository (SecurityWeek, Dec 17 2020)
Two Ruby gems that were found to pack malware capable of running persistently on infected machines were removed recently from the RubyGems hosting service.

Authentication Bypass Vulnerability Patched in Bouncy Castle Library (SecurityWeek, Dec 18 2020)
A high-severity authentication bypass vulnerability was recently addressed in the Bouncy Castle cryptography library.

Founded in 2000, the project represents a collection of APIs used in cryptography for both Java and C#, with a strong emphasis on standards compliance and adaptability.

Unlocking the mystery of stronger security key management (Cloud Blog, Dec 21 2020)
One of the “classic” data security mistakes involving encryption is encrypting the data and failing to secure the encryption key. To make matters worse, a sadly common issue is leaving the key “close” to data, such as in the same database or on the same system as the encrypted files. Such practices reportedly were a contributing factor for some prominent data breaches.
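The anti-pattern the Cloud Blog post describes, set beside the usual fix, as an added example that is not code from the page or from Google: a "weak" record that carries its own data-encryption key (DEK) in the same row as the ciphertext, and an envelope-encrypted record where the DEK is stored only after being wrapped by a key-encryption key (KEK) that lives in a separate key service. The `KMS` type here is a hypothetical stand-in for a real key-management service, and the sample record is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// WeakRecord is the "key next to the data" mistake: the DEK sits in the same
// row as the ciphertext, so a database dump is enough to decrypt everything.
type WeakRecord struct {
	Nonce, Ciphertext, DEK []byte
}

// EnvelopeRecord stores the DEK only in wrapped form; the KEK that wraps it
// never appears in the row.
type EnvelopeRecord struct {
	Nonce, Ciphertext     []byte
	WrapNonce, WrappedDEK []byte
}

// KMS is a hypothetical stand-in for a real key-management service: it holds
// the KEK and exposes only Wrap/Unwrap, never the KEK itself.
type KMS struct{ kek []byte }

func NewKMS() *KMS { return &KMS{kek: randomBytes(32)} }

func (k *KMS) Wrap(dek []byte) (nonce, wrapped []byte, err error) {
	return sealAESGCM(k.kek, dek, []byte("dek-wrap"))
}

func (k *KMS) Unwrap(nonce, wrapped []byte) ([]byte, error) {
	return openAESGCM(k.kek, nonce, wrapped, []byte("dek-wrap"))
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// sealAESGCM encrypts plaintext with AES-256-GCM under a fresh random nonce.
func sealAESGCM(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = randomBytes(gcm.NonceSize())
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

func openAESGCM(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptWeak uses a per-record DEK but stores it in plaintext beside the data.
func EncryptWeak(plaintext []byte) (WeakRecord, error) {
	dek := randomBytes(32)
	nonce, ct, err := sealAESGCM(dek, plaintext, nil)
	if err != nil {
		return WeakRecord{}, err
	}
	return WeakRecord{Nonce: nonce, Ciphertext: ct, DEK: dek}, nil
}

// DecryptWeakFromDump is the attacker's view: a copy of the row is sufficient.
func DecryptWeakFromDump(r WeakRecord) ([]byte, error) {
	return openAESGCM(r.DEK, r.Nonce, r.Ciphertext, nil)
}

// EncryptEnvelope uses a per-record DEK that is wrapped by the KMS before storage.
func EncryptEnvelope(kms *KMS, plaintext []byte) (EnvelopeRecord, error) {
	dek := randomBytes(32)
	nonce, ct, err := sealAESGCM(dek, plaintext, nil)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	wrapNonce, wrapped, err := kms.Wrap(dek)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	return EnvelopeRecord{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// DecryptEnvelope needs the KMS holding the right KEK; a dump plus a KMS with
// a different KEK (the attacker's position) fails the GCM tag check on unwrap.
func DecryptEnvelope(kms *KMS, r EnvelopeRecord) ([]byte, error) {
	dek, err := kms.Unwrap(r.WrapNonce, r.WrappedDEK)
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: KEK not available")
	}
	return openAESGCM(dek, r.Nonce, r.Ciphertext, nil)
}

func main() {
	secret := []byte("constructed sample: account balance 42")
	weak, _ := EncryptWeak(secret)
	got, err := DecryptWeakFromDump(weak)
	fmt.Printf("weak: dump alone decrypts? %v (err=%v)\n", bytes.Equal(got, secret), err)

	kms := NewKMS()
	env, _ := EncryptEnvelope(kms, secret)
	_, err = DecryptEnvelope(NewKMS(), env) // attacker: dump + a KEK they control
	fmt.Printf("envelope: dump + foreign KEK -> %v\n", err)
	got, _ = DecryptEnvelope(kms, env)
	fmt.Printf("envelope: with the real KMS -> %q\n", got)
}
```

The point is the storage boundary, not the cipher: both records use the same AES-GCM, but only the envelope record leaves the dump useless without a call to the key service, which is also the place to enforce access control and audit logging on unwrap.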

HBO Max patches its Roku hole six months after launch (Ars Technica, Dec 16 2020)
Adds over 100 million potential users; follows deals for PlayStation 5, Amazon Fire.

Web Page Layout Can Trick Users into Divulging More Info (Infosecurity Magazine, Dec 23 2020)
Successful tactics included asking for relatively non-sensitive info first and then gradually scaling up the requests to more private details. Similarly, by placing information requests on separate but consecutive web pages, the researchers were also able to elicit more personal data from the participants.