Hello and welcome to TSD, your weekly blog post with top-of-mind security issues. TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us, so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.
Check back here every Tuesday for more TSD or sign up below to stay in the loop!
- TechCrunch has a story about how a Tesla employee was allegedly offered $1 million to install ransomware on the network of a Gigafactory. The ransomware also had the feature of exfiltrating data before encryption. This is becoming common now, as the ransomware operators will threaten to publish the data if the ransom isn’t paid. The news broke via a Justice Department press release that did not name Tesla, but Elon Musk later confirmed it in a tweet.
- If you’re using Bridgefy for safe and/or private communication, you may want to think twice, according to researchers from the University of London. Ars Technica has the full rundown, including deanonymizing users, building social graphs, decrypting messages and more! Please don’t use this app, as the security flaws are trivial to exploit. The app maker did say they plan on fixing the issues, but the flaws are so deeply ingrained that they need to start over.
- Following up on TSD-23, Vice talked to private investigators about the lax controls around requesting information from state DMVs. Also according to Vice, the Arizona DMV is selling drivers’ photos and SSNs! The Washington Post reported last year on how the FBI and ICE are already using drivers’ photos for facial recognition searches.
Owl fun and facts:
Owl pellets are “compact mass of fur and bones…The pellet will contain a near-perfect skeleton of the devoured rodent and a treasure trove of data for researchers, providing insights on the owl, its prey and the environment in which it lives.” Read more about the owl pellet economy of the Pacific Northwest.
A Shout Out:
Krane is a “simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. Krane dashboard presents current RBAC security posture and lets you navigate through its definition.”
This is another great use of policy as code and security as code in practice. Check it out today if you’re running K8s!
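To make the idea of RBAC static analysis concrete, here is an added example (not Krane’s code, and not its rule set) that runs a few illustrative checks over constructed RBAC manifests, loaded as Python dicts the way a YAML loader would produce them: wildcards in verbs or resources, privilege-escalation verbs, read access to secrets, and roles bound to a namespace’s default ServiceAccount.

```python
# Illustrative RBAC static checks in the spirit of a tool like Krane; rules and manifests are constructed for this example.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}  # verbs that widen privileges rather than use them

def analyze_rules(role_name, rules):
    """Flag risky patterns in one Role/ClusterRole rule list as (role, finding) tuples."""
    findings = []
    for rule in rules:
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            findings.append((role_name, "wildcard verbs on wildcard resources (cluster-admin equivalent)"))
        elif "*" in verbs or "*" in resources:
            findings.append((role_name, "wildcard in verbs or resources"))
        risky = verbs & ESCALATION_VERBS
        if risky:
            findings.append((role_name, f"privilege-escalation verbs: {sorted(risky)}"))
        if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
            findings.append((role_name, "read access to secrets"))
    return findings

def analyze_bindings(bindings):
    """Flag bindings that hand a role to a namespace's default ServiceAccount."""
    findings = []
    for b in bindings:
        for subj in b.get("subjects", []):
            if subj.get("kind") == "ServiceAccount" and subj.get("name") == "default":
                findings.append((b["metadata"]["name"], f"binds {b['roleRef']['name']} to the default ServiceAccount"))
    return findings

def analyze(manifests):
    """Run every check over parsed RBAC manifests (dicts, as a YAML loader would produce)."""
    findings = []
    for m in manifests:
        if m["kind"] in ("Role", "ClusterRole"):
            findings += analyze_rules(m["metadata"]["name"], m.get("rules", []))
    findings += analyze_bindings([m for m in manifests if m["kind"].endswith("Binding")])
    return findings

# Constructed sample: an over-broad ClusterRole, a least-privilege Role, and a risky binding.
SAMPLE_MANIFESTS = [
    {"kind": "ClusterRole", "metadata": {"name": "ops-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin-default"},
     "roleRef": {"kind": "ClusterRole", "name": "ops-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
]
if __name__ == "__main__":
    for role, msg in analyze(SAMPLE_MANIFESTS):
        print(f"{role}: {msg}")
```

The least-privilege `pod-reader` Role produces no findings, while the wildcard ClusterRole and its binding to the default ServiceAccount each do.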
That’s owl for now!