Hello and welcome to TSD, your regular blog post with top-of-mind security issues. TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us, so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.
Check back here every Tuesday for more TSD or sign up below to stay in the loop!
- KrebsOnSecurity posted a great article on the “importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you.” Go check it out ASAP, make sure you already own all of these accounts yourself, and be sure to use unique, strong passwords/passphrases stored in a password manager.
- Last week was Windows Patch Tuesday, covering 120 different vulnerabilities “including two newly discovered vulnerabilities that are actively being exploited.” Check out KrebsOnSecurity for the full rundown. KrebsOnSecurity also details how Microsoft finally patched a 2-year-old known vulnerability that has been actively exploited. Adobe has patches out for Acrobat and Reader as well. Patch ASAP if you haven’t already!
- Two major changes are coming in Chrome 86, due out in October. 1) Chrome will warn users when they submit insecure forms (via BleepingComputer). 2) Chrome will test domain-only URLs in the address bar to help protect against scams (via The Verge).
- Finally, in privacy-related news, Motherboard has a story out about how the Secret Service is the latest government agency to have bought smartphone location data from a third party without otherwise needing to obtain a warrant. CNET meanwhile digs into a recent Department of Homeland Security report that announces they can pull even more information if they search your phone, including “your phone’s location history, social media information, and photos and videos” among others. The report also states that they can hold on to this data for 75 years.
Owl fun and facts:
A group of owls is called a parliament. The name actually comes from a book written in the 15th century, which also gives us other fun terms like a murder of crows, a gaggle of geese and more. These are all collectively known as “terms of venery” or hunting. Read more to find out what to call tigers, flamingos, monkeys and more here.
A Shout Out:
Scott Piper from Summit Route has just released v1.0.0 of parliament, an AWS IAM linting library. We’re super excited about this project as this is yet another awesome way to turn your clicks into code on your way to Security as Code!
It reviews policies looking for problems such as:
- malformed JSON
- missing required elements
- incorrect prefix and action names
- incorrect resources or conditions for the actions provided
- type mismatches
- bad policy patterns
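To make a few of those categories concrete, here is a small stdlib-only Python sketch that flags them in a policy document. It is an added example, not parliament's code or API: the function names, finding names and sample policy are made up for illustration, it assumes an identity-based policy, and it only checks the `service:Action` shape rather than validating names against AWS's real action list.

```python
import json

def as_list(value):
    # IAM allows most elements to be a single value or a list of values.
    return value if isinstance(value, list) else [value]

def lint_statement(stmt, idx):
    if not isinstance(stmt, dict):
        return [(idx, "type_mismatch", "statement is not an object")]
    findings = []
    effect = stmt.get("Effect")
    if effect not in ("Allow", "Deny"):
        findings.append((idx, "missing_or_bad_effect", repr(effect)))
    actions = stmt.get("Action", stmt.get("NotAction"))
    if actions is None:
        findings.append((idx, "missing_element", "Action"))
    if "Resource" not in stmt and "NotResource" not in stmt:
        findings.append((idx, "missing_element", "Resource"))
    for action in ([] if actions is None else as_list(actions)):
        if not isinstance(action, str):
            findings.append((idx, "type_mismatch", f"Action {action!r}"))
        elif action != "*" and action.count(":") != 1:
            findings.append((idx, "bad_action_format", action))
    # Bad pattern: an Allow statement granting every action on every resource.
    if (effect == "Allow" and "*" in as_list(stmt.get("Action", []))
            and "*" in as_list(stmt.get("Resource", []))):
        findings.append((idx, "allow_all", "Allow * on *"))
    return findings

def lint_policy(text):
    """Return (statement index, finding name, detail) tuples for one policy."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [(None, "malformed_json", exc.msg)]
    if not isinstance(policy, dict) or "Statement" not in policy:
        return [(None, "missing_element", "Statement")]
    findings = []
    for idx, stmt in enumerate(as_list(policy["Statement"])):
        findings.extend(lint_statement(stmt, idx))
    return findings

# Constructed sample policy (not from the post): several defects at once.
SAMPLE_BAD = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "allow", "Action": ["s3GetObject", 5]},
  {"Effect": "Allow", "Action": "*", "Resource": "*"}]}"""

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_BAD):
        print(finding)
```

Running a check like this in CI before a policy is applied is the "clicks into code" idea in miniature; the real library covers far more cases.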
Since parliament is a library, it has been utilized in all of these awesome projects as well.
- CloudMapper: Has functionality to audit AWS environments and will audit the IAM policies as part of that.
- tf-parliament: Runs Parliament against Terraform files
- iam-lint: GitHub action for linting AWS IAM policy documents
- Paco: Cloud orchestration tool that integrates Parliament as a library to verify a project’s IAM Policies and warns about findings.
That’s owl for now!