Microsoft purges malicious SolarWinds presence and highlights a threat model around their source code, the tl;drsec crew provides a hardening guide for Kubernetes, Apple provides a user guide for hardening accounts, and Firefox provides a new storage system to defeat side channel abuse.
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
Microsoft searches for supply chain fallout from SolarWinds, cleans out malicious binaries, and finds a compromised account accessed source code -- but their threat models already considered an attacker's knowledge of source. Plus, with the ability to reverse engineer binary security patches, how important is source code anyway?
Even if you're not maintaining your own Kubernetes clusters, this is a good example of building up a threat model to assess the risk of a system and take steps towards hardening it against attacks and misconfigurations.
Apple describes threats to iPhones and Apple IDs for different populations of users in a way that sets aside security jargon and focuses on how to help users make informed decisions. You can download the manual directly from https://manuals.info.apple.com/MANUALS/1000/MA1976/en_US/device-and-data-access-when-personal-safety-is-at-risk.pdf
Firefox takes a security-by-design approach to address the abuse of side channels in browsers, from timing attacks to cache hits. You can read more about Client-Side Storage Partitioning at https://github.com/privacycg/storage-partitioning
While these aren't intended to be prescriptive metrics, the underlying discussion is a step towards the distinction between "What are the consequences of insecure software" and "What ought to be the consequences".
We covered this one year ago on episode 90. So...is Python 2 still part of your CI/CD pipeline? Is it in use in production systems? Did you migrate off it using a process that you'll be able to repeat for the next end-of-life software component?
Breach disclosures from T-Mobile and PayPal, SSRF in Azure services, Google Threat Horizons report, integer overflows and more, Rust in Chromium, ML for web scanning, Top 10 web hacking techniques of 2022
Exposed secrets from CircleCI, web hackers target the auto industry, $100K bounty for making Google smart speakers listen, inspiration from Office Space, AWS making better defaults for S3, resources for learning Rust