December 30, 2016
UNM4SK3D: PHPMailer, OpenStack, and Amazon
If there were a book of critical vulnerabilities across the Internet, it'd be longer than the Bible. The latest, discovered in PHPMailer by Polish researcher Dawid Golunski, is one that affects multiple popular open-source web applications.
Probably one of the biggest vulnerabilities to be recognized in recent news is the one in PHPMailer, an open-source PHP mailing library used by over 9 million people worldwide to send email. Aka, we'd let them sit at the cool kids' table. The affected open-source web applications we mentioned include WordPress, Drupal, and Joomla. Also at the cool kids' table. Perhaps made cooler by showing their sensitive side? Not so much.
This vulnerability would allow a remote attacker to execute arbitrary code in the context of the web server and compromise the target web application. Luckily, Golunski responsibly reported his discovery to the developers, who have patched the vulnerability in a new release, PHPMailer 5.2.18. Don't worry though, you can still find exploit code across the web, which means we're holding our breath until we see how the masses re-engineer that code in the future.
To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails - Golunski of Legal Hackers
While PHP is one of the most versatile languages in recent history for web applications, sites, and services, it, like us, has its issues. Read 'A Cautionary Tale About PHP Secure Coding Techniques' before we have to add your mistake to the book of vulnerabilities.
#badbusiness
Here are two names that usually receive a golfer's clap at their mention: OpenStack and GitHub. We'll call this one a duff, after some not-so-hot news surrounding both of these companies surfaced.
In the world of OpenStack, the open-source cloud framework, skies may be darkening. Recently, OpenStack lost two of its major corporate backers, Hewlett Packard Enterprise and Cisco Systems, which both decided to scale back their public cloud efforts. Some say the bad state of OpenStack's business is being exaggerated despite this loss and its inherent competition in the cloud space against Microsoft, AWS, and Google. Others, who see a silver lining in the darkening cloud, believe the support of Red Hat and Walmart is more than enough.
Meanwhile, in another realm of the internet, GitHub, despite $95 million in revenue during the fiscal year that ended January 2016, also lost approximately $66 million in that time. The cause? Perhaps the somewhat erratic spending, sending employees jet-setting around Europe, and adding even more employees to its army, now totaling about 600. This isn't to say 'theHub' is on the outs, although untamed spending is no good for any unicorn. They've hired Mike Taylor, former treasurer and vice president of finance at Tesla Motors Inc., to manage expenses, so hopefully they'll rein it in soon.
There are more than 20 public cloud providers running OpenStack in 60 data centers around the world - Mark Collier, COO, the OpenStack Foundation
Change analysis focuses on new and changing business models. Watch 'Risk Business Change Analysis' for an in-depth look.
If you never thought you'd have a big brother named Alexa, think again. The Amazon Echo of an alleged murderer, James Andrew Bates, is being cited in a warrant.
Police hope the warrant, which also covers several other 'smart' devices, will grant access to a recording, or at least part of one, made during the murder. The Amazon device responds to the name 'Alexa' and, when triggered, records audio that is then sent to the Amazon cloud. A speech-recognition network processes the snippets until a response is sent back to the device, which then carries out the user's command. So, if activated, it's always listening.
And once the recordings are sent to the cloud, the data is stored there. You can sigh in relief for now though, as Amazon has already refused requests from law enforcement twice. But if they eventually give in or are forced to, it could open a critical debate about the use of smart devices as evidence to prosecute someone. Remember, you can't choose your siblings, but you can choose your devices.
Amazon will not release customer information without a valid and binding legal demand properly served on us. Amazon objects to overbroad or otherwise inappropriate demands as a matter of course - Amazon rep in a statement to Engadget
Lesson learned: if you're going to commit a crime, don't do it in front of a smart device. (Kidding! Just don't commit one at all.) Instead, watch 'Digital Evidence' to learn about the Rules of Evidence and how federal regulation defines what constitutes evidence.
#skillcertspotlight
With OpenStack and the Amazon cloud receiving multiple mentions this issue, it only makes sense to focus on Cloud Security. The goal of the Intermediate Cloud Security certification is to provide a closer look at the core concepts of cloud computing. Ideally, you will be able to assess the risks of moving to the cloud, identify common best practices, remediate known vulnerabilities in cloud-based platforms, and feel confident as a cloud security practitioner. Concepts include application security, data migration, and the infrastructure architecture of cloud-based systems. Such concepts are necessary for security professionals to tackle in today's ever-expanding cloud-enabled systems. The target audience for this course is data system owners and custodians. Each audience can expect to identify the technology used to secure mission-critical cloud-based assets within the scope of all the policies, processes, and compliance considerations that go along with this growing trend in technology adoption.
33%: The percentage of IT professionals who say cloud security is their biggest skill shortage - The Cipher Brief, 'A National Issue'
Whether you're currently in the field or use the cloud for personal data storage, an understanding of cloud security is beyond critical. Take the Intermediate Cloud Security Skill Certification Course to prove your head IS in the clouds.