The Top 6 Security Engineering Stories We Read This Week
Our weekly curated roundup
1. DevOps threat matrix (Microsoft)
Recent high-profile breaches highlight the need for securing DevOps environments. Microsoft has published its DevOps threat matrix as a framework for identifying attack techniques and building defenses. Read more
2. The Complete Guide to SecDataOps and Vulnerability Management on AWS (Lightspin)
This is an impressively comprehensive guide bylined by Lightspin CISO Jonathan Rau. It covers vulnerability terminology, AWS services, data engineering and architectural considerations, and hands-on guidance for securing applications and services on AWS. Worth a skim at least! Read more (PDF)
3. Opaque IDs: The Ultimate Protection Against Enumeration Attacks (Exact Realty)
This blog post explores enumeration attacks, which can disclose sensitive data in many kinds of applications. It covers the underlying issues that make such attacks possible and shows how AEAD encryption can be employed against them. The post covers unique IDs, the risks of disclosing them, and ways to prevent timing and enumeration attacks. There's also a practical example in TypeScript showing a secure implementation. Read more
4. Network infrastructure provider CommScope investigating data leak following ransomware attack (The Record)
North Carolina-based network infrastructure provider CommScope fell victim to a ransomware attack in late March, with the company now investigating claims that stolen data has been leaked on the dark web. The notorious Vice Society ransomware group posted sensitive data allegedly taken from CommScope, including information on the company's 30,000+ employees, on its leak site. Read more
5. Remote Code Execution Vulnerability in Google They Are Not Willing To Fix (Giraffe Security)
This article discusses a security vulnerability in Google, where the author was able to run arbitrary code on the computers of over 50 Google employees by exploiting a dependency confusion issue. Despite initially treating the issue as high-severity and awarding a $500 bounty, Google later dismissed it and claimed the software was working as intended. The Python package is still being downloaded by Google employees daily and other vulnerabilities remain in the same GitHub repository. Read more
6. Breaking Voice Recognition Security Protocols Using AI in 5 Minutes (Nicholas Ning on LinkedIn)
In a LinkedIn post, the author claims to have broken through their bank's voice recognition security protocol using AI text-to-speech software. The author points out that voice recognition, used by major banks as a security measure, is no longer secure due to the rapid progress of AI technology. They were able to use AI text-to-speech software to create a synthetic sample of their voice from just one minute of their own voice recording. Read more