In this final Cloud Security Weekly for 2016 we look at PwC's handling of a vulnerability report, learn how infosec professionals do attribution, watch a great talk from a Coinbase security guru, dive into a Yahoo bug, and gasp at the estimate of 1.6 billion records leaked this year. Happy Holidays and Merry Christmas to all - I hope your pager/phone stays silent! 🎄
A security research firm has released details of a "critical" flaw in a security tool developed by auditing and tax giant PwC, despite legal threats. Munich-based ESNC published a security advisory last week detailing how a remotely exploitable bug in the tool could allow an attacker to gain unauthorized access to an affected SAP system. ESNC gave PwC three months before publishing; during that time they received multiple cease and desist letters rather than a fix. In my opinion PwC's response to this situation is a great example of how not to handle security incidents.
In this blog post Lesley Carhart, perhaps better known by her Twitter handle @hacks4pancakes, gives insight into how infosec professionals go about attributing the attackers behind security incidents. In short: the how is a lot of experience and knowing what signs to look for in network logs and on hard disks, and the why is that it can inform better defensive strategies.
Rob Witoff, Director of Infrastructure at Coinbase, gave a talk at this year's AWS re:Invent on security. If you're responsible for securing your stack within an AWS environment it's well worth the half hour of your time. He goes through how to achieve the first five of the Center for Internet Security's Critical Security Controls: inventories of authorized devices and software, secure configurations, continuous vulnerability assessment and remediation, and controlled use of administrative privileges.
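As an added illustration (this is not code from the talk or from Coinbase), the check below shows the reconciliation step that sits behind those five controls: compare a snapshot of what is actually running against an approved baseline and report the drift. The host IDs, package versions, configuration keys, admin names and control labels are all constructed for the example; in practice the snapshot would come from describe-instances plus an agent's package and configuration report.

```python
"""Inventory drift check in the spirit of CIS Critical Security Controls 1-5.

Constructed sample data only: hypothetical host IDs, packages, config keys
and admin principals. Replace OBSERVED with a real snapshot to use it.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str  # which control area the finding maps to (labels are ours)
    host: str
    detail: str


# Approved baseline (the asset register). All values are made up.
APPROVED_HOSTS = {"i-0a1", "i-0b2", "i-0d4"}               # CSC 1: authorized devices
APPROVED_SOFTWARE = {"openssl": "1.0.2j", "nginx": "1.10.2"}  # CSC 2/4: approved versions
REQUIRED_CONFIG = {"ssh_password_auth": False, "root_login": False}  # CSC 3
APPROVED_ADMINS = {"ops-breakglass"}                        # CSC 5: who may hold admin

# Observed snapshot (constructed). i-0a1 is clean, i-0b2 has drifted,
# i-0c3 is not in the register at all, and i-0d4 is registered but absent.
OBSERVED = [
    {"id": "i-0a1",
     "packages": {"openssl": "1.0.2j", "nginx": "1.10.2"},
     "config": {"ssh_password_auth": False, "root_login": False},
     "admins": {"ops-breakglass"}},
    {"id": "i-0b2",
     "packages": {"openssl": "1.0.1t", "nginx": "1.10.2", "telnetd": "0.17"},
     "config": {"ssh_password_auth": True, "root_login": False},
     "admins": {"ops-breakglass", "jdoe"}},
    {"id": "i-0c3", "packages": {}, "config": {}, "admins": set()},
]


def audit(observed, approved_hosts, approved_software, required_config,
          approved_admins) -> list[Finding]:
    """Return every deviation of the observed snapshot from the baseline."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for host in observed:
        hid = host["id"]
        seen.add(hid)
        if hid not in approved_hosts:
            # Unknown device: flag it and skip deeper checks; it should be
            # quarantined or registered, not silently audited as if trusted.
            findings.append(Finding("CSC1-unauthorized-device", hid,
                                    "not in asset register"))
            continue
        for pkg, ver in host["packages"].items():
            want = approved_software.get(pkg)
            if want is None:
                findings.append(Finding("CSC2-unauthorized-software", hid,
                                        f"{pkg} {ver} not on approved list"))
            elif ver != want:
                findings.append(Finding("CSC4-vulnerable-version", hid,
                                        f"{pkg} {ver}, approved {want}"))
        for key, want in required_config.items():
            got = host["config"].get(key)
            if got != want:
                findings.append(Finding("CSC3-insecure-config", hid,
                                        f"{key}={got!r}, required {want!r}"))
        for admin in sorted(host["admins"] - approved_admins):
            findings.append(Finding("CSC5-unapproved-admin", hid,
                                    f"{admin} holds admin rights"))
    # Registered devices that did not report in are also drift.
    for hid in sorted(approved_hosts - seen):
        findings.append(Finding("CSC1-missing-device", hid,
                                "in asset register but not observed"))
    return findings


if __name__ == "__main__":
    for f in audit(OBSERVED, APPROVED_HOSTS, APPROVED_SOFTWARE,
                   REQUIRED_CONFIG, APPROVED_ADMINS):
        print(f"{f.control:28} {f.host:8} {f.detail}")
```

The "continuous" part of the controls is simply running this on every fresh snapshot (a scheduled job, or on each instance launch event) and alerting on any non-empty result rather than on a monthly report.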
Lewis Morgan has been keeping count of all the breaches this year, and is up to 1.6 billion records leaked. In 2015 he came to a total of only 480 million. This year's total also excludes the 500 million accounts leaked in the Yahoo breach, because although it came to light this year the attack occurred in 2014. A quick scroll through his list makes it clear how prevalent large-scale data breaches have become. It was top of the list in Verizon's DBIR 2016, so I wonder what the 2017 report will bring!
- Account takeover is a major concern for 55% of executives at the top 40 banks in the U.S., and a critical issue for 17% of those
- Multiple Netgear routers are vulnerable to a remote code execution (RCE) flaw - if you've got one, read this!
- iOS 10.2 fixes 12 vulnerabilities and introduces new emoji
- Troy Hunt has released metadata on his 1.4B Have I Been Pwned records
If you have time over the holidays, why not read through Ars Technica's "Beginner’s guide to beefing up your privacy and security online". You might even be able to help a family member or two improve their security!