December 13, 2016

πŸŽ„ Cloud Security Weekly #44 πŸŽ„

In this final Cloud Security Weekly for 2016 we look at PwC's handling of a vulnerability, learn how infosec professionals do attribution, watch a great talk from a Coinbase security guru, dive into a Yahoo bug, and gasp at the estimate of 1.6 Billion records leaked this year. Happy Holidays and Merry Christmas to all - I hope your pager/phone stays silent! πŸŽ„

PwC sends 'cease and desist' letters to researchers who found critical flaw

A security research firm has released details of a "critical" flaw in a security tool developed by auditing and tax giant PwC, despite being threatened with legal threats. Munich-based ESNC published a security advisory last week detailing how a remotely exploitable bug in a security tool could allow an attacker to gain unauthorized access to an affected SAP system. After giving PwC three months - during which time they received multiple cease and desist letters - they announced the vulnerability. In my opinion PwC's response to this situation is a great example of how not to handle security incidents.

How & Why Do Security Professionals Study Threat Actors

In this blog post Lesley Carhart, perhaps better known by her twitter handle @hacks4pancakes, gives insight into how infosec professionals go about attributing the source of attackers behind security incidents. In short: the how is by having a lot of experience and knowing what signs to look for in network logs and hard disks, and the why is because it can help inform better defensive strategies.

Watch: "Audit Your AWS Account Against Industry Best Practices"

Rob Witoff, Director of Infrastructure at Coinbase, gave a talk at this years' AWS re:Invent on security. If you're responsible for securing your stack within an AWS environment it's well worth the half hour of your time. He goes through how to achieve the top 5 recommendations from the US' Center for Internet Security: maintaining an inventory of continuously audited and secured devices and software, with controlled administrative privileges.

Bug writeup: XSS in Yahoo! Mail

Security researcher Jouko PynnΓΆnen found a stored cross-site scripting vulnerability in Yahoo's online mail client. An attacker would be able to send a simple email to a victim containing a "broken" youtube HTML element containing the XSS, and when Yahoo tried to render a shareable preview window it'd execute the malicious javascript. The attacker could go on to steal the contents of their inbox. Yahoo awarded them $10,000 through their bug bounty program.

1.6 billion records leaked in 2016

Lewis Morgan has been keeping count of all the breaches this year, and is up to 1.6 billion records leaked. In 2015 he came to a total of only 480 million. This year's total also excludes the 500 million leaked in the Yahoo breach, because although it came to light this year the attack occurred in 2014. Doing a quick scroll through his list and it's clear to see how prevalent this attack scenario has become. It was top of the list in Verizon's DBIR 2016, so I wonder what the 2017 report will bring!

In Brief

If you have time over the holidays, why not read through Ars Technica's "Beginner’s guide to beefing up your privacy and security online". You might even be able to help a family member or two improve their security!


If you want to get this news delivered weekly to you inbox sign up here:
Sign Up For Cloud Security Weekly

The future of authentication

Today I’m excited to announce a deal that we have been working on for the past few months and how that will impact the future of contextual ...

Introducing custom security rules

For the past few years we’ve been working hard to create a plug and play adaptive risk engine. We designed our core service using a mix of b ...