Issue 43

CCleaner compromised with malware since August

2.7 million users downloaded the malicious version during that time, and 730,000 are still running it. This article looks at the timeline, how the compromise happened and what users need to do.

helpnetsecurity.com


PyPI Python repository typosquatting attack

Similar to what happened with NPM a few weeks back, the Python package repository PyPI hosted a number of malicious packages with names very similar to the real ones, like 'crypt' instead of 'crypto'.

sophos.com


Looking at software's serious supply-chain security problem

Related to the two articles above, Wired looks at how compromising the software supply chain is becoming a more popular attack vector.

wired.com


Spotify and Google release Google Cloud security toolset called 'Forseti'

It's an open-source project that allows enterprises to monitor security controls and alert on incorrect security settings.

googleblog.com


Apache 'Optionsbleed' vulnerability – what you need to know

Good article describing this vulnerability. It's an interesting bug, and does have similarities with Heartbleed, but in practice it's not a huge problem. Patches have been made available.

sophos.com


Vevo hacked by the OurMine group, 3.12TB of internal files leaked

Vevo is an online video release service working with some big names; you've probably seen them on YouTube. An employee of theirs was compromised through a LinkedIn phishing attack.

sophos.com


Chrome will tag FTP sites as 'Not secure'

Google urges developers to use HTTPS instead of FTP for public-facing downloads.

helpnetsecurity.com


Google App Engine introduces managed SSL

It's free of charge. All you have to do is hook a verified domain to your app, after which App Engine provisions a certificate and keeps it renewed.

googleblog.com


Here's why you should have a CAA DNS record for your HTTPS website

Good article explaining the usefulness of a CAA record. In short: it's a sort of whitelist of which CAs (Certificate Authorities) are allowed to issue certificates for your domain. All CAs are now required to adhere to it. Worth looking into.

thenewstack.io
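To make the whitelist idea concrete, here is an added Python example (not from the article) that evaluates CAA records the way an issuing CA must per RFC 6844/8659. It goes beyond the blurb by showing the parts that matter in practice: the climb from the requested name up to the first parent with a CAA record, the separate `issuewild` check for wildcard certificates, the "nobody may issue" form `issue ";"`, and the issuer-critical flag. The zone and CA names below are constructed for illustration.

```python
"""Evaluate DNS CAA records as a CA would before issuing (RFC 6844 / RFC 8659)."""

CRITICAL = 128  # issuer-critical bit in the CAA flags byte

# Constructed zone for the example: name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        (0, "issuewild", ";"),  # explicitly: no CA may issue wildcard certs
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [(0, "issue", ";")],          # no CA may issue at all
    "odd.example.com": [(CRITICAL, "futuretag", "x")],   # unknown critical property
    # "no-caa.org" deliberately has no CAA records anywhere in its tree
}


def relevant_rrset(name, zone):
    """Climb from `name` toward the root and return the first CAA RRset found."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)  # try the parent name next
    return []


def issuer_domain(value):
    """Issuer domain of an issue/issuewild value; "" means no CA is permitted."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(ca, name, zone=ZONE):
    """Return True if CA `ca` is authorised to issue a certificate for `name`."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True  # no CAA anywhere in the tree: any CA may issue
    # An unknown property flagged issuer-critical must block issuance outright.
    if any(flags & CRITICAL and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False
    issue = [issuer_domain(v) for _, tag, v in rrset if tag == "issue"]
    issuewild = [issuer_domain(v) for _, tag, v in rrset if tag == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    allowed = issuewild if (wildcard and issuewild) else issue
    if not allowed:
        return True  # RRset has no property relevant to this request type
    return ca.lower() in allowed
```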