UNM4SK3D: PHPMailer, OpenStack, and Amazon

Join Cybrary

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATION
Already a Member Login Here

< Back to Blog Posts

UNM4SK3D: PHPMailer, OpenStack, and Amazon

Published: December 30, 2016 | By: Olivia | Views: 2940
save

 

unm4sk3d_blog

#criticalvulnerabilities

If there was a book of critical vulnerabilities across the Internet, it’d be longer than the Bible. The latest discovered in PHPMailer by Polish researcher David Golunski, is one that affects multiple popular, open-source web applications.

Probably one of the biggest vulnerabilities to be recognized in recent news, PHPMailer, an open-source PHP mailer used by over 9 million people worldwide to send emails. Aka, we’d let them sit at the cool kids table. Of the effected open-source web applications we mentioned, the list includes, WordPress, Drupal, and Joomla. Also at the cool kids table. Perhaps made cooler by showing their sensitive side? Not so much.

This vulnerability would allow an attacker to implement random code in the context of the web server from a remote location and endanger the target web application. Luckily, Golunski rightfully reported his discovery to the developers, who have patched the vulnerability in a new release, PHPMailer 5.2.18. Don’t worry though, you can still find exploit code across the web, which means we’re holding our breaths until we see how the masses could re-engineer that code in the future.

To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails  -Golunski of Legal Hackers

While PHP is one of the most versatile languages in recent history for web applications, sites and services, like us, it has its’ issues. Read ‘A Cautionary Tale About PHP Secure Coding Techniques’ before we have to add your mistake to the book of vulnerabilities.

#badbusiness

Here’s two names that usually receive a golfer’s clap at their mention: OpenStack and GitHub. We’ll call this one a duff, after some not so hot news surrounding both of these companies surfaced.

In the world of OpenStack, the open-source cloud framework, skies may be darkening. Recently, OpenStack lost two of its major corporate backers, Hewlett Packard Enterprises and Cisco Systems who decided to minimize their public cloud efforts. Some say the bad state of OpenStack’s business is being exaggerated despite this loss and their inherent competition in the cloud space against Microsoft, AWS and Google. Others, who see a silver lining in the darkening cloud, believe the support of RedHat and Walmart is more than enough.

Meanwhile, in another realm of the internet, GitHub, despite $95 million in revenue during the fiscal year that ended January 2016, also lost approximately $66 million in that time. The cause? Perhaps the somewhat erratic spending, sending employees to jet set Europe, and adding even more employees to its army, now totaling about 600. This isn’t to say ‘theHub’ is on the outs, although untamed spending is no good for any unicorn. They’ve hired Mike Taylor, former treasurer and vice president of finance at Tesla Motors Inc. to manage expenses, so hopefully they’ll get rein it in soon.

There are more than 20 public cloud providers running OpenStack in 60 data centers around the world -Mark Collier, COO, the OpenStack Foundation

Change analysis focuses on new and changing business models. Watch ‘Risk Business Change Analysis’ for an in-depth look.

#smartdevices

If you never thought you’d have a big brother named Alexa, think again. The Amazon Echo of an alleged murderer, James Andrew Bates, is being cited in a warrant. 

The warrant, which also contained multiple other ‘smart’ devices, police hope will grant access to a recording, or at least parts of one, taken during the murder. The Amazon device responds to the name ‘Alexa’ and when triggered, records things that are then sent to an Amazon cloud. A speech-recognition network moves snippets along until a response is sent back to the device, where it obeys a user’s commands. So, if activated, it’s always listening.

And, once the recordings are sent to the cloud, the data is stored there. You can sigh in relief for now though, as Amazon refused requests from law enforcement twice already. But, if they eventually give in or are forced to, it can open a critical debate about the use of smart devices as evidence to prosecute someone. Remember, you can’t choose your siblings, but you can choose your devices.

Amazon will not release customer information without a valid and binding legal demand properly served on us. Amazon objects to over broad or otherwise inappropriate demands as a matter of course -Amazon rep in a statement to Engadget

Lesson learned, if you’re going to commit a crime, don’t do it in front of a smart device. (Kidding! Just don’t commit one at all). Instead watch ‘Digital Evidence’ to learn about the Rules of Evidence and what constitutes a federal regulation for how evidence is defined.

#skillcertspotlight

With OpenStack and the Amazon cloud receiving multiple mentions this issue, it only makes sense to focus on Cloud Security.

The goal of the Intermediate Cloud Security certification is to provide a closer look at the core concepts cloud computing. Ideally, you will be able to assess risks in moving to the cloud, identify common best practices, be able to remediate vulnerabilities known in cloud based platforms, and feel confident as a practitioner in the cloud security. Concepts include application security, data migration, and infrastructure architecture of cloud based systems. Such concepts are necessary for security professionals to tackle in today’s ever expanding cloud enabled systems. The target audience for this course is data system owners, and custodians. Each target audience can expect to identify technology enabled for securing mission critical cloud-based assets under the scope of all policies, processes and compliance considerations that go along with this increasing trend in technology adoption.

33%: The percentage of IT professionals who say cloud security is their biggest skill shortage -The Cipher Brief, ‘A National Issue’

Whether you’re currently in the field, or use the cloud for personal data storage, an understanding of cloud security is beyond critical. Take the Intermediate Cloud Security Skill Certification Course to prove your head IS in the clouds. Use code OBLOG50 for half off your next test.

oliviaOlivia Lynch is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the field of cyber security. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.

Now Reading Very Good Lives by J.K. Rowling

 

 

< Back to Blog Posts
Enjoy this blog post? Want more Cybytes?
Invite a Friend
and share now
Facebook Twitter Google+ LinkedIn Email
Join Cybrary
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel