Nightfall’s Cloud Security Newsletter 2/18/20
Stories from Our Blog
Webinar: How to Detect Credentials & Secrets in Code Repositories with Machine Learning
Join us tomorrow, Wednesday February 19 at 11 AM PST, for a live webinar on how you can easily determine whether your repositories are leaking credentials, API keys, and other secrets while avoiding false positives. You can register here.
Announcement: Nightfall Will be Attending BSidesSF & RSA Conferences in February
We're excited to announce that we're sponsoring both BSides San Francisco and RSA 2020. If you're attending, come stop by; we'd love to meet you. If you don't have passes to RSA, learn more about our expo pass offer.
How Data Discovery and Classification Can Help Secure PII
Data discovery provides security teams with data visibility, or the ability to know where sensitive data is and whether it is in use. Learn about the most important features in a data discovery tool and how these can be leveraged to secure your data.
Incidents in the Cloud
Google Photos Leak Poses Enterprise Threats
A recent Google Photos data leak underscores the fact that any company is subject to technical issues, software glitches and employee mistakes. Some users were surprised to learn that despite proactively taking strong security measures across its product lines, Google slips up too.
US Education Non-Profit Leaks Data on Thousands of Students
A US education non-profit appears to have unwittingly leaked the personal information of thousands of students after leaving two online MongoDB databases exposed. The privacy snafu was discovered by noted researcher Bob Diachenko and affected the Institute of International Education (IIE), an organization set up to promote educational and cultural exchanges with other countries.
Prison inmates’ sensitive data left exposed on leaky cloud bucket
Researchers at VPNMentor have uncovered a data leak that has exposed prescription records, mugshots, and other sensitive information related to an unknown number of inmates. On January 3, the researchers found that over 36,000 PDF files had been exposed on an unsecured Amazon Web Services S3 bucket (natch) used by JailCore, a cloud-based app used by correctional facilities in several US states.
Trello App Exposes Personally Identifiable Information of its Users
Craig Jones, global cybersecurity operations director at Sophos, has discovered that Trello, an app used for organizing personalized to-do lists and coordinating team tasks, exposed the personally identifiable information (PII) of users who made their Trello boards "public."
Amazon Engineer Leaked Private Encryption Keys. Outside Analysts Discovered Them in Minutes
An Amazon Web Services (AWS) engineer last month inadvertently made public almost a gigabyte's worth of sensitive data, including their own personal documents as well as passwords and cryptographic keys to various AWS environments.
No big deal, Rogers, your internal source code and keys are only on the open web. Don’t hurry to take it down
Source code, internal user names and passwords, and private keys for the website and online account systems of Canadian ISP Rogers have been found sitting on the open internet. The leaked software, seemingly uploaded to GitHub by a Rogers engineer before they left the telco, is written in Java and powered the front end for various parts of Rogers.com.
Strategies for Securing the Cloud
Seven cybersecurity and privacy forecasts for 2020
Learn about seven growing areas of concern within the world of cybersecurity and why they matter for 2020 and beyond.
Why Leaky Clouds Lead to Data Breaches
This past summer, we witnessed yet another massive data breach due to a misconfigured AWS cloud instance, and hundreds of thousands of Capital One’s customers’ Social Security and bank account numbers were exposed as a result. Smaller-scale data breaches like this occur frequently, and unfortunately, we’re bound to see more of these breaches in the future even though they’re easy to avoid.
Deriving best practices from a security-first, cloud native mindset
A security-first mindset, coupled with a cloud native mindset, can provide a great starting point for organisations wanting to migrate to the cloud securely, by offering insight into some of the most important best practices for building a robust and securable cloud architecture.
IT Pro Portal
NSA Offers Advice on Securing Clouds
The National Security Agency issued an advisory with technical guidance for procuring and securing systems reliant on cloud service providers amid a push for the government to adopt the technology.