Cloud Technology and Security Alert News Digest – Issue #18

Update 2019: We’ve been busy working on some great training content around security, check out the Cloud Academy library to prepare on all-things cloud security.

Welcome to the Cloud Technology and Security Alert News Digest. This week we’ll discuss vulnerabilities. And more vulnerabilities. Fortunately, each of the current crop of server flaws has an available patch.

More OpenSSL pain

According to ZDNet, If you’re using an operating system that runs OpenSSL 1.0.2 (or 1.0.1, 1.0.0 and 0.9.8, for that matter), then you’re going to want to upgrade to OpenSSL 1.0.2a pretty quickly. Version 1.0.2a includes patches for twelve vulnerabilities, with the most serious of them (ClientHello sigalgs DoS – CVE-2015-0291) capable of exposing servers to full denial of service attacks.

“Windows Live” may be a bit too lively

A curious IT professional in Finland stumbled upon a hole in Windows Live security that “allowed him to automatically receive sensitive certificates from browser-trusted certificate authority Comodo.”

According to Ars Technica, when the fellow contacted both Finish authorities and multiple recipients at Microsoft informing them of the flaw, he was ignored. He only learned that his emails had even been noticed some six weeks later when his entire Live account was frozen.

Internet security is in the safest hands.

And now: WordPress

A serious vulnerability has been discovered in the wildly popular Yoast WordPress plugin (which guides writers through the search engine optimization process). ZDNet reports that the flaw makes it possible “to override existing OAuth2 credentials used by the plugin to pull data from Google Analytics.” An attacker could add script tags that could be executed when a user views the settings page.

Upgrade immediately.

Who needs backdoor access now?

So are you completely overwhelmed by all those digital vulnerabilities? And your front door doesn’t concern you?

The good news: never get locked out of your house again: upload your house key to the cloud. Ars Technica reports on KeyMe, that can cut physical keys from a smartphone photo of the original. Lost your original? Simply head to your local KeyMe kiosk and pick up a replacement. The bad news: while KeyMe kiosks will not print your key without first confirming your identity through fingerprint authentication, one can’t help but worry about the potential for illegal access. Just imagine your key going viral.

Protect your wrists!

Ok. So it won’t do much to protect your house key or your servers, but these six practical tips from David Gewirtz at ZDNet could save your poor, overworked wrists from serious injury. And THAT could make keeping out the bad guys a lot easier. Remember: Cloud Academy cares about you…not just your deployments.

Cloud Academy