

Uber CISO convicted, OpenSSL vulnerability, and Signal is Secure - Newsletter #7
Also: where did all the reject buttons come from?
In an eventful October, one of the first things to highlight is the OpenSSL vulnerability. Initially announced as critical, it was later downgraded to "high" because of its limited potential impact. It was serious, but not Log4j serious. You can read more from OpenSSL here and an interesting breakdown here.
Another topic that raised eyebrows is the conviction of the former Uber CISO, Joseph Sullivan, by the Federal Trade Commission (FTC). The federal jury accused him of having been the driving force behind the scheme whereby Uber paid hackers $100,000 through its bug bounty program to withhold the information and keep quiet about the attack. Which attack, you ask? Well, just a 2016 breach that led to the disclosure of 57 million riders' and drivers' records.
This definitely sends a message to all the other CISOs: how you respond to an incident matters more than how you prevent it.
Also, on August 15, the Signal team reported that unknown hackers had attacked users of the app. In a supply chain attack, the hackers were able to access the servers of the SMS sending system (Twilio) and send MFA codes, which then led to access to Signal accounts. However, because of the way Signal is built, the attackers were not able to read previous messages, confirming how important E2E encryption is. Kaspersky published an extended explanation of the incident here.
Other articles I read last month
Liz Truss's personal mobile phone was hacked by agents suspected of working for the Kremlin (Daily Mail)
How TikTok Tracks You Across the Web, Even If You Don’t Use the App (Consumer reports)
Software supply chain security is hard (r2c.dev)
NSA Kubernetes Hardening Guide (Defense.gov)
Papa John's sued for 'wiretap' spying on website mouse clicks, keystrokes (The Register)
U.S. Army chooses Google Workspace (Google Blog)
The State of AWS Security (Datadog)
Toyota Suffered a Data Breach by Accidentally Exposing A Secret Key Publicly On GitHub (Git Guardian blog)
Shein owner fined $1.9M for failing to notify 39M users of data breach (TechCrunch)
Linux Security Hardening and Other Tweaks (vez.mrsk.me)
Google Has Most of My Email Because It Has All of Yours (mako.cc)
Where did all the reject buttons come from? (NYOB)
On Twitter
Always a good idea to follow best practices when setting up your APIs. This guide goes through:
Authentication
Input validation
API Gateways
Rate limiting
Data sharing limitation
Definitely worth the read.
Want to know how to parse and analyse logs in Linux? This guide gives you a few ideas to better use commands like grep, cat, sort, uniq or diff.
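As an added illustration of what those commands can do together (this is example code written for this issue, not taken from the newsletter or the linked guide), here is a small triage pipeline that counts failed SSH logins per source address, flags addresses above a threshold, and uses diff to report addresses that were not in a saved baseline. The log lines are constructed sample data in the style of an sshd auth log, with documentation-range IP addresses as placeholders.

```shell
#!/bin/sh
# Added example (not from the newsletter or the linked guide): a small log-triage
# pipeline built from grep, awk, sort, uniq and diff. The lines below are
# constructed sample data in the style of an sshd auth log; the IPs are placeholders.

SAMPLE_LOG='Oct 12 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 12 10:01:05 host sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
Oct 12 10:01:09 host sshd[1203]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Oct 12 10:02:11 host sshd[1204]: Failed password for invalid user test from 192.0.2.55 port 33001 ssh2
Oct 12 10:02:14 host sshd[1205]: Failed password for root from 203.0.113.7 port 51250 ssh2
Oct 12 10:03:00 host cron[1300]: (root) CMD (run-parts /etc/cron.hourly)'

# Count failed SSH logins per source address, busiest first.
# Output format: "<count> <ip>" per line (leading spaces from uniq -c are trimmed).
failed_logins_by_ip() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep 'sshd.*Failed password' \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Addresses at or above a failure threshold (default 3) are candidates for an
# alert or a fail2ban-style block. Prints one address per line.
noisy_sources() {
    threshold="${1:-3}"
    failed_logins_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# diff answers "what changed since last time": compare a saved baseline of
# offending addresses (one per line, sorted) with the current set and print
# only the addresses that are new.
new_sources_since() {
    baseline_file="$1"
    noisy_sources 1 | sort > "$baseline_file.now"
    # diff exits 1 when the files differ; that is the expected case here.
    diff "$baseline_file" "$baseline_file.now" | sed -n 's/^> //p' || true
    rm -f "$baseline_file.now"
}

# Stand-alone usage: show the per-IP counts and the addresses over the threshold.
failed_logins_by_ip
noisy_sources 3
```

The same pipeline works on a real file by replacing the `printf` of the sample with `cat /var/log/auth.log` (or `journalctl -u ssh`); keeping the filtering in `grep` and the field extraction in `awk` means the counting stage never depends on a fixed column position, which matters because "invalid user" lines have one more field than the others.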


Well, I'm personally not surprised, as they are all Google services, but isn't there a better way for Google to collect usage data without loading the full analytics.js?
More interesting is that if you scroll down the thread, you'll see that other equivalent services are doing the same.
Cybersecurity Tips Telegram Channel
Join our Telegram Channel to follow the latest news in Privacy and Cybersecurity.