Security Analyst – Jeff Soehner CISSP, GXPN,GPYC,GMOB,GCIH

Toronto business owner loses $14K to technical glitch at mobile payment company.
https://www.cbc.ca/news/canada/toronto/mobile-payment-glitch-1.5300313

You may remember the post a few months ago that may be related…

https://www.cbc.ca/news/canada/nova-scotia/spotify-charges-debit-account-unauthorized-withdrawals-1.5206053

If you are a security operations analyst, your job just got a whole lot harder.

Lock all your doors and keep your children inside; this one is hard to find…

https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-9DImIrXueu1lqriAutG6sA&epi=TnL5HPStwNw-9DImIrXueu1lqriAutG6sA&irgwc=1&OCID=AID2000142_aff_7593_1243925&tduid=(ir__3nzqlj9gs9kfr1erkk0sohzn0m2xg16uu6zqpcyr00)(7593)(1243925)(TnL5HPStwNw-9DImIrXueu1lqriAutG6sA)()&irclickid=_3nzqlj9gs9kfr1erkk0sohzn0m2xg16uu6zqpcyr00

If you have ever visited a webpage that took a really long time to load or was filled with ads all over the site, you may have already heard that you need an ad blocker. If you were not sure of which one to use, you might be a victim of a knock off; a piece of software that is created with a similar name to the original but one that can monetize you use of it and put you at risk.

Learn about how many Google Chrome users were tricked into installing fake extensions and why you need to be sure of the names which extensions you trust.

https://cyware.com/news/over-1-million-google-chrome-users-affected-by-cookie-stuffing-from-two-popular-adblockers-5bd6dbcc

If you are a software developer (and not living in a cave) you may already know about vulnerabilities but did you know that there is a list of the 25 most dangerous put out by Mitre?

Well they have released the new 2019 list and some of these might surprise you…

https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html

For those of you in the software industry, you may be shocked to learn that contributor reputation trumps good old fashioned peer review when it comes to committing code in your project in a study on open source projects. I suspect this might mirror the real world where tight deadlines and outsourced labor are regular parts of the workload.

https://fossbytes.com/quality-of-code-doesnt-matter-open-source-contributions/#

Culture is more important than money (but I do need to pay my bills).

If you are not lucky enough to work for a company that you value or one that values you, learn about a bold approach to employment where they only want the best and try to tell yourself that you wouldn’t want to work there…

Looks like the fine folks running the Kubernetes core have the results from an audit they did. As many of the infrastructure teams look to use this code to help manage clusters of computing resources, we would all benefit from learning what could possibly go wrong 😊.

Many of the recommendations in the report involve code clean-up, adding further testing and documentation, and making defaults more security conscious.

These basic recommendations would make it easier to patch and resolve problems when they are found.

It is important to note that there were five “high severity” findings that included problems with access control, authentication, timing, and data validation.

Here is a look at the big ones…

• An access control bypass of PodSecurityPolicy
• K8s does not facilitate certificate revocation
• HTTPS connections are not authenticated
• Time of check, time of use problem with moving PID
• Improperly patched directory traversal in kubectl cp

Keep in mind that some of these have already been resolved if you are already using 1.15 branches.

The report is definitely worth a read and can be found here.

Imagine, shipping a disposable package to someone at the office in order to gain access to a phone, test lab or even the corporate wifi network?

It is now a reality and can be done for less than $100 bucks (shipping charges may apply)

https://www.forbes.com/sites/jeanbaptiste/2019/08/08/black-hat-usa-2019-ibm-x-force-red-reveals-new-warshipping-hack-to-infiltrate-corporate-networks/#45012d38604f

In one of the largest breaches that affects over 6 million Canadians and potentially 100 million US customers, Capital One has revealed that it lost customer data and it was related to Security Misconfiguration. A suspect has been arrested, charged with computer fraud and abuse.

https://globalnews.ca/news/5700226/capital-one-data-breach-canada/amp/

Now that IBM has thrown its hat in the cloud with the $34B purchase of Redhat, you should expect more innovation. This article from another WordPress site helps answer the question of why running docker is not necessary to have containerized solutions. You can minimize the attack surface and remove docker by using open source tools available to use today. https://zwischenzugs.com/2019/07/27/goodbye-docker-purging-is-such-sweet-sorrow/amp/