#security (2020-1)

Archive: https://archive.sweetops.com/security/

2020-01-30

Erik Osterman
Severe ‘Perfect 10.0’ Microsoft Flaw Confirmed: ‘This Is A Cloud Security Nightmare’

This patched critical flaw is the first remote code execution threat to a major cloud platform, undermining the security layers that isolate shared resources.

Erik Osterman

Scary a.f.

Erik Osterman

his team found the first remote code execution (RCE) exploit on a major cloud platform. One user could break the cloud isolation separating themselves and others, intercepting code, manipulating programs.

kskewes

Makes you wonder what the isolation mechanism is at Azure for FaaS. Shows how important Firecracker, gVisor, and others are… And that cold start isn’t going away, because we need these things and these things take time to start.

2020-01-29

Joe Presley

Not sure if I should ask this here or in #terraform. Does anyone have experience with https://github.com/eerkunt/terraform-compliance? I’m curious if Sentinel is the only available way to check Terraform code for compliance with security rules.

eerkunt/terraform-compliance

a lightweight, security focused, BDD test framework against terraform. - eerkunt/terraform-compliance

Erik Osterman

@Joe Presley similar discussion came up recently

Erik Osterman

let me find it.

Joe Presley

Thank you

Erik Osterman
Terraform

Policy-based control for cloud native environments

Erik Osterman

see the conversation surrounding this post

Joe Presley

Thanks for the heads up. That was one of the solutions the client pointed me to.

Erik Osterman

Also, if you check out last week’s “office hours” we talk a little bit about using the Open Policy Agent with terraform

Erik Osterman

also @marcinw has a SaaS product that implements OPA

marcinw

That’s right @Joe Presley - https://spacelift.io - let me know if you’d like to give it a golang

marcinw
12:23:24 AM

@marcinw has joined the channel

Joe Presley

Awesome. Thanks a lot. That’s a huge help.

2020-01-27

Alex Siegman

Is there an equivalent to something like Teleport for ssh/kubectl access, but for access to SQL servers like Postgres and MySQL?

Erik Osterman

That would be cool, but not really

Erik Osterman

Phpmyadmin doesn’t count :-)

Erik Osterman

(Ironically phone autocorrects that to “phony admin”)

Alex Siegman

If a web ui was what the interested parties needed, you could secure that up internally, put it behind SSO, etc. Was more hoping for a dynamic/audited tunnel for PSQL or other tools

Erik Osterman
shellhub-io/shellhub

ShellHub enables teams to easily access any Linux device behind firewall and NAT. - shellhub-io/shellhub

Erik Osterman

(via digital ocean)

2020-01-24

Erik Osterman
Store and manage sensitive data with Secret Manager | Google Cloud Blog

Secret Manager is a new GCP product that securely and conveniently stores API keys, passwords, certificates, and other sensitive data.

2020-01-15

Erik Osterman
Security architecture anti-patterns

Six design patterns to avoid when designing computer systems.


2020-01-14

loren

Yeah that’s really bad

2020-01-13

Erik Osterman
https://news.google.com/articles/CBMieWh0dHBzOi8vYXJzdGVjaG5pY2EuY29tL2luZm9ybWF0aW9uLXRlY2hub2xvZ3kvMjAyMC8wMS9leHBsb2l0LXRoYXQtZ2l2ZXMtcmVtb3RlLWFjY2Vzcy1hZmZlY3RzLTIwMC1taWxsaW9uLWNhYmxlLW1vZGVtcy_SAX9odHRwczovL2Fyc3RlY2huaWNhLmNvbS9pbmZvcm1hdGlvbi10ZWNobm9sb2d5LzIwMjAvMDEvZXhwbG9pdC10aGF0LWdpdmVzLXJlbW90ZS1hY2Nlc3MtYWZmZWN0cy0yMDAtbWlsbGlvbi1jYWJsZS1tb2RlbXMvP2FtcD0x?hl=en-US&gl=US&ceid=US%3Aen
Exploit that gives remote access affects ~200 million cable modems

Cable Haunt lets attackers take complete control when targets visit booby-trapped sites.

Erik Osterman

This is pretty scary. With the ability to overwrite DNS settings remotely, an attacker can easily setup phishing sites on any domain they choose.
