BF-SIRT Newsletter 2017-13

The top stories from this week are that Google will be reducing trust in Symantec certificates following numerous slip-ups, and that VMware reported three bugs that probably deserve your urgent attention.

You can also read about the black box discovery of memory corruption RCE on box.com, and the update from Apple that patches a large number of flaws in iOS and macOS.

Top 5 Security Links
Google Reducing Trust in Symantec Certificates Following Numerous Slip-Ups
It’s ESXi time for critical VMware patches
Black box discovery of memory corruption RCE on box.com
Apple Patches Large Number of Flaws in iOS, macOS Updates
IIS 6.0 Vulnerability Leads to Code Execution

BF-SIRT Newsletter 2017-12

The top stories from this week are that the US Senate just voted to let ISPs sell your web browsing data without permission. We also have information about the Apple iCloud ransom demands.

You can also read about how hackers are using fake cellphone towers to spread an Android banking trojan, or about the critical LastPass vulnerability.

Top 5 Security Links
US Senate Just Voted to Let ISPs Sell Your Web Browsing Data Without Permission
Apple iCloud ransom demands: The facts you need to know
Hackers Using Fake Cellphone Towers to Spread Android Banking Trojan
Critical bugs for Lastpass found in Chrome, Firefox add-ons
Easy Way to Hijack Privileged Windows User Session Without Password

Fast innovation starts with automating development workflows

You have to be able to try out new concepts faster in order to dial up the innovation speed. This requires a different way of thinking and a more modern software development method.

“Thanks to OpenShift, developers can concentrate fully on functionality and on writing code.”

You have to be able to try out new concepts faster in order to dial up the innovation speed. But this requires a different way of thinking and a more modern software development method than most companies are used to.

“In an ideal situation, you would be so flexible that you could turn an idea for an app or a new product, for example, into a working prototype that you could offer to a group of customers within a very short time frame,” says Stefan Månsby, Innovation Officer at Basefarm. “This way you would get feedback as quickly as possible, be able to monitor customer behaviour and continuously roll out changes and improvements.”

The problem, however, is that at many companies the IT department is far removed from the business side of things. IT primarily has a supporting role there. “Take ITIL processes, for example. These are primarily aimed at guaranteeing a stable and high-quality operating environment for the lowest possible costs. Being innovative and experimenting does not fit into this picture at all.”

Development and seamless administration

Hence, not only does software development need to be faster and more flexible, operational efficiency must also be improved. Månsby: “That is why it is desirable for administrators and developers to cooperate in devops teams and use shared workflows.” Everything that developers produce can then be administered quickly and efficiently.

“Often companies stop before they have even begun, simply because there are too many barriers. But you have to be able to try out new things. You do not want to wait for a server for weeks. And should something not be successful, you should be able to stop doing it immediately without this resulting in consequences.” You do not want to get stuck with expensive, superfluous servers, for example. Everything should just disappear, so that you can start trying out something else.

Workflow automation

You should automate workflows because it is too labour-intensive to manually process sizeable checklists. The open source platform OpenShift was developed especially for setting up and working with workflows. “Thanks to OpenShift developers can concentrate fully on functionality and on writing code, without worrying about the hardware, the operating system or the cloud environment where the application will soon be running,” continues Månsby.

Technologies such as Docker and Kubernetes are used in OpenShift for neatly bundling everything needed to run an application on a specific infrastructure. “Administrators can easily roll out these bundles and know for sure that the correct modules for processes such as monitoring, logging, auditing and passing on of costs will be included automatically.”

Orchestration

One aspect of a workflow is automatic verification of whether all the required modules that together comprise an application are still able to work together properly and whether no conflicts arise due to a change. Månsby: “Modern software development uses so-called microservices. These are bits of functionality that you can add, adapt and remove quickly and easily, without affecting the remaining functionality.” Any application easily consists of hundreds of microservices that talk to each other through APIs. “This creates many thousands of integration checkpoints that all need to be carefully checked every time. This makes orchestration a very complex and labour-intensive task which is impossible to do manually. OpenShift shoulders the heavy work. It is also possible to visualise the connection between all the components.”

With OpenShift you can ensure that you remain compliant and optimally prepare yourself for audits. “You can carry out the necessary controls and generate the needed reports with the platform.” Code is packaged and provided with checksums in such a way that it is impossible to tamper with the software, guaranteed. “You always have 100% certainty that what is in production is correct and that no one messed with it somewhere along the line.”

Adaptation and customisation

OpenShift takes a great deal of work out of developers’ hands by providing a comprehensive framework for setting up and using workflows in a cost-effective manner. Månsby does, however, issue a caveat: the platform is not a ‘miracle cure’ that will resolve everything for you right out of the box. “OpenShift entails an enormous amount of functionality,” he explains. “Usually you only need a part of it. It will be an enormous help if you involve a party who will assist you in finding the right way to get the best possible use out of the platform. You can try to discover everything yourself, but that takes a lot of time and there is a big chance that you will not even use the platform in an optimal manner afterwards. And why would you want to reinvent the wheel anyway?”

You should also examine how OpenShift and the workflows fit best with your organisation. There will be a need to adapt existing workflows in certain aspects if you want to get the greatest benefit from OpenShift. “It’s important to realise that a digital transformation is needed. The goal is to decrease time to market, increase innovation speed, accelerate software development and improve operational efficiency. And this will not be possible if you want to keep doing things exactly as you’ve always done them before.”

BF-SIRT Newsletter 2017-11

The top stories from this week are that Microsoft has finally patched critical, publicly exploited Windows vulnerabilities. We also have a story about Check Point disclosing a vulnerability that allowed hackers to take over WhatsApp and Telegram accounts.

You can also read about how researchers conclude that 24% of the latest Docker images have significant vulnerabilities, or about using the ELK Stack and Python in a penetration testing workflow.

Top 5 Security Links
VMWare Copy/Paste Exploit Fixed (out-of-bounds memory access vulnerability)
Certain Ubiquity Equipment Vulnerable to CSRF/Code Execution
Four Men Charged With Hacking 500M Yahoo Accounts
Check Point discloses vulnerability that allowed hackers to take over WhatsApp and Telegram accounts
Microsoft finally patches Windows critical publicly exploited vulnerabilities

BF-SIRT Newsletter 2017-10

The top stories from this week mainly revolve around the “Wikileaks CIA Leak”, so we have gathered a few of those down on the link list for you. We also have stories about Spammergate: The Fall of an Empire and how a proposed bill would legally allow cyber crime victims to Hack Back.

Top 5 Security Links
Spammergate: The Fall of an Empire
Proposed Bill Would Legally Allow Cyber Crime Victims to Hack Back
Attacks Under Way Against Easily Exploitable Apache Struts Flaw
New Fileless Malware Uses DNS Queries To Receive PowerShell Commands
Hacker Selling Over 1 Million Decrypted Gmail and Yahoo Passwords On Dark Web

CIA Leak
10 Things You Need To Know About “Wikileaks CIA Leak”
WikiLeaks Dumps Docs on CIA’s Hacking Tools
WikiLeaks: We’ll Work With Software Makers on Zero-Days
That CIA exploit list in full: The good, the bad, and the very ugly
WikiLeaks dump shows CIA can use IoT to hack “anything, anywhere”

BF-SIRT Newsletter 2017-09

The top stories from this week consist of stories about Yahoo Revealing ANOTHER 32 Million Accounts Were Hacked Using ‘Cookie Forging Attack’ and Google’s Project Zero reveals another Microsoft flaw in IE and Edge.

You can also read about the process Detectify went through to create an exploit for stealing your private Slack tokens, or how webpages can turn kids’ stuffed toys into creepy audio bugs.

Top 5 Security Links
Yahoo Revealing 32 Million Accounts Were Hacked Using ‘Cookie Forging Attack’
Google’s Project Zero reveals another Microsoft flaw in IE and Edge
Hacking Slack using postMessage and WebSocket-reconnect
Webpages can turn kids’ stuffed toys into creepy audio bugs
Critical Flaw in ESET Antivirus Exposes Mac Users to Remote Hacking