VSHN.timer #76: The Age of Insecurity

18. Jan 2021

Welcome to another VSHN.timer! Every Monday, 5 links related to Kubernetes, OpenShift, CI / CD, and DevOps; all stuff coming out of our own chat system, making us think, laugh, or simply work better.

This week we’re going to talk about the most notable security incidents, breaches, tools, and exploits that made the headlines in the past few months.

1. The popularity of Linux in organizations of all sizes comes with a price: attackers are now creating Linux versions of their ransomware. This one in particular, called RansomEXX, targeted businesses and government organizations in the United States and Brazil. A painful reminder that we must keep our defenses high and brace for impact at any time.

2. Speaking of Linux vulnerabilities, the GitHub Security Lab published a step-by-step explanation of a very easy privilege escalation exploit in desktop Ubuntu. We do not know whether to be worried about its simplicity or to marvel at the imagination of the researchers who found it. At least it didn’t involve kids typing like crazy on a keyboard to make the screen saver crash or something like that. (Say again?)

https://securitylab.github.com/research/Ubuntu-gdm3-accountsservice-LPE

3. In the troubled political times we’re living in, not even DevOps practices are free from risks. Thus we learn that JetBrains’ TeamCity CI/CD tool was allegedly used as a backdoor in a major supply chain cyberattack targeting American companies and the government. This attack is named “SolarWinds” after the network management company whose systems were initially compromised. JetBrains later posted a rebuttal of any implication in this scandal, and even if at this point it is very hard to know what’s going on, new details emerge each and every day.

https://www.nytimes.com/2021/01/06/us/politics/russia-cyber-hack.html

4. If not broken, it seems like all software is, at least, breakable. Take iOS, for example. Apple is very proud to brag about its security and privacy features, yet up until a few months ago, you just needed a malformed Wi-Fi packet to access all the photos of any device, without any restriction. Spooky yet fascinating. It makes us wonder how many other vulnerabilities are yet to be discovered in the devices in our pockets… and how many are being exploited without our knowledge.

https://arstechnica.com/gadgets/2020/12/iphone-zero-click-wi-fi-exploit-is-one-of-the-most-breathtaking-hacks-ever/

5. File this one in the category “Pick Your Jaw Back From The Floor”. This little tool written in Python is able to reverse-engineer pixelated passwords in screenshots, and… yes, you guessed it; just like in the movies, it’s able to recover the text. Add a new item to your honest website security checklist: “never pixelate actual passwords in your screenshots”.

https://github.com/beurtschipper/Depix

Have you suffered a major intrusion or attack in your infrastructure? Which platforms are the most vulnerable to attacks in your experience? Do you pixelate real passwords in the screenshots of your website? Get in touch with us through the form at the bottom of this page, and see you next week for another edition of VSHN.timer.

PS: would you like to receive VSHN.timer every Monday in your inbox? Sign up for our weekly VSHN.timer newsletter.

PS2: would you like to watch VSHN.timer on YouTube? Subscribe to our channel vshn.tv and give a “thumbs up” to our videos.

PS3: check out our previous VSHN.timer editions about security: #8, #17, #22, #27, #32, #44, #54 and #62.

Adrian Kosmaczewski

Adrian Kosmaczewski is in charge of Developer Relations at VSHN. He has been a software developer since 1996, and is a trainer and a published author. Adrian holds a Master in Information Technology from the University of Liverpool.
