What's new around the internet

Last one

Src | Date (GMT) | Title | Description | Tags | Stories | Notes
Kaspersky | 2021-06-07 17:18:48 | Windows Container Malware Targets Kubernetes Clusters | “Siloscape”, the first malware to target Windows containers, breaks out of Kubernetes clusters to plant backdoors and raid nodes for credentials. | Malware Uber
SecurityWeek | 2021-06-07 17:06:15 | 'Siloscape' Malware Targets Windows Server Containers | A newly identified piece of malware that targets Windows Server containers can execute code on the underlying node and then spread in the Kubernetes cluster, according to a warning from security researchers at Palo Alto Networks. | Malware Uber
ZDNet | 2021-06-07 10:00:00 | Siloscape: this new malware targets Windows containers to access Kubernetes clusters | Researchers say this is the first malware strain they know of that specifically targets Windows containers. | Malware Uber
ComputerWeekly | 2021-06-07 08:30:00 | Siloscape malware a risk to Windows containers, Kubernetes | Researchers say this is the first malware strain they know of that specifically targets Windows containers. | Malware Uber
The_Hackers_News | 2021-06-07 07:52:27 | Researchers Discover First Known Malware Targeting Windows Containers | Security researchers have discovered the first known malware, dubbed "Siloscape," targeting Windows Server containers to infect Kubernetes clusters in cloud environments. "Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers," said Unit 42 researcher Daniel Prizmant. "Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in | Malware Uber
bleepingcomputer | 2021-06-07 06:51:59 | New Kubernetes malware backdoors clusters via Windows containers | New malware active for more than a year is compromising Windows containers in order to compromise Kubernetes clusters, with the end goal of backdooring them and paving the way for attackers to abuse them in other malicious activities. [...] | Malware Uber
no_ico | 2021-06-04 10:00:59 | Experts React: White House Open Letter To Companies Re Ransomware | BACKGROUND: Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, has issued an open letter to corporate executives and business leaders on… | Ransomware Guideline Uber
bleepingcomputer | 2021-06-03 09:56:30 | White House urges businesses to "take ransomware crime seriously" | The White House has urged business leaders and corporate executives to "take ransomware crime seriously" in a letter issued by Anne Neuberger, the National Security Council's chief cybersecurity adviser. [...] | Ransomware Guideline Uber
CVE | 2021-06-02 16:15:10 | CVE-2021-3499 | A vulnerability was found in OVN Kubernetes in versions up to and including 0.3.0 where the Egress Firewall does not reliably apply firewall rules when there are multiple DNS rules. It could potentially lead to loss of confidentiality, integrity or availability of a service. | Vulnerability Guideline Uber
CVE | 2021-06-02 14:15:09 | CVE-2020-35514 | An insecure modification flaw in the /etc/kubernetes/kubeconfig file was found in OpenShift. This flaw allows an attacker with access to a running container which mounts /etc/kubernetes, or with local access to the node, to copy this kubeconfig file and attempt to add their own node to the OpenShift cluster. The highest threat from this vulnerability is to confidentiality and integrity, as well as system availability. This flaw affects versions before openshift4/ose-machine-config-operator v4.7.0-202105111858.p0. | Vulnerability Threat Uber
WiredThreatLevel | 2021-05-27 15:39:47 | Uber's Union Deal in the UK Doesn't Mean Its Battles Are Over | The company's first-ever union agreement could distract from more changes that need to happen, both within the gig economy and governments. | Uber
SecurityAffairs | 2021-05-26 21:29:00 | Nearly 50,000 IPs compromised in Kubernetes clusters by TeamTNT | Researchers discovered about 50,000 IPs across multiple Kubernetes clusters that were compromised by the TeamTNT threat actors. Researchers from Trend Micro reported that about 50,000 IPs were compromised across multiple Kubernetes clusters in a cryptojacking campaign conducted by the TeamTNT group. Kubernetes is an open-source container-orchestration system for automating computer application deployment, scaling, and management. It aims to […] | Uber
TechRepublic | 2021-05-21 12:55:49 | The first SUSE version of Rancher Kubernetes is on its way | SUSE is letting the tech world know that it means to be taken seriously as a Kubernetes distro power with its Rancher 2.6 release. | Uber
Veracode | 2021-05-21 12:06:56 | Live From RSAC: Anne Neuberger Addresses President Biden's Executive Order on Cybersecurity | Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, addressed President Biden's executive order at the virtual RSA Conference this week. The executive order, announced on May 12, 2021, aims to safeguard U.S. cybersecurity and modernize cybersecurity defenses. As Neuberger explains, this executive order couldn't come at a more critical time. The Biden administration was challenged with two cybersecurity incidents in the first 100 days: SolarWinds and Microsoft Exchange. Note that the session must have been pre-recorded because she didn't even mention a third attack that disrupted the Colonial Pipeline. The incidents proved three major lessons: Adversaries will look for any opening to attack, including the government's suppliers. Partnerships are critical. The government needs the private sector, and the private sector needs the government. The government needs to modernize cybersecurity defenses. "[These lessons prove that] we need to shift our mindset from incident response to prevention," said Neuberger. "We simply cannot let waiting for the next shoe to drop be the status quo under which we operate." In the software development world, we call this being stuck in a "break/fix" mentality. It is better to build a software development process that causes fewer "breaks." That enables you to deliver more software with fewer failures. We are starting to see cybersecurity learn from software development principles, shifting our cybersecurity problems to the left. Breaches are more detrimental than most organizations realize. Neuberger noted two staggering statistics. In 2019, Accenture reported an average company spends $13 million per breach. And CIS and McAfee reported that cybercrime cost 1 percent of global GDP in 2018. Organizations are far better off spending the money to secure their applications, including demanding better from their vendors, than waiting for a breach. How many small businesses, schools, hospitals, or government agencies have an extra $13 million to spend on an unexpected breach? What Neuberger didn't mention is that that same study from Accenture cited an increase of 67 percent in cyberattacks over the past five years. And if cyberattacks continue at this velocity, Accenture calculates a total value at risk of $5.2 trillion globally over the next five years. The president's approach is proactive and includes modernizing cyber defenses, returning to a more active role in cybersecurity internationally, and ensuring that America has a better posture to compete. It was the SolarWinds breach that opened our eyes to the fact that we don't have modern cyber defenses in place. Software supply chain security is of particular concern. "The current model of build, sell, and maybe patch means that the products the federal government buys often have defects and vulnerabilities that developers are accepting as the norm with the expectation that they can patch later. Or perhaps they ship software with defects and vulnerabilities that they don't think merit fixes …. That's not acceptable," said Neuberger. "Security has to be a basic design consideration." Neuberger hinted that the executive order might require federal vendors to build software in a secure development environment. And that software leveraged by the federal government should include strong authentication, encryption and limit privileges. As for preexisting critical infrastructure that was built before the Internet, the orde | Ransomware Uber
Veracode | 2021-05-20 17:34:42 | Live From RSAC: AppSec's Future and the Rise of the Chief Product Security Officer | Chris Wysopal, Co-Founder and CTO at Veracode, and Joshua Corman, Chief Strategist of Healthcare and COVID at CISA, presented at the 2021 RSA Conference on AppSec's future and the need for a new Chief Product Security Officer (CPSO) role. Wysopal started by quoting entrepreneur Marc Andreessen saying, "Software is eating the world," to express just how much we rely on technology. From our iPhones and laptops to our cars and even our refrigerators … software is everywhere. If we look back at the rise of software, it was largely used originally to automate manual processes in the back office of businesses, like banking software for a teller. But now, we are using software to deliver products to a customer, like a mobile banking application. So as Wysopal stated, "There's not just more software. There are different kinds of software." And this software that's being released as products to customers has added risk. Using the mobile banking application as an example, Wysopal noted that it's riskier to use a customer-facing application to conduct your banking than it is to go to the bank and have a teller use the back-end software. More people have access to the mobile banking application, and anyone in the world could connect to the APIs. And the risk associated with software products is only going to continue to grow. Consider the way we are creating apps now: APIs are the bloodstream. Each microservice, serverless function, container, or public API is more attack surface. Applications that connect with social networking create more attack surface. Migrating to new software and forgetting to retire legacy software leads to more attack surface. And there is risk with new software trends as well. For example, ubiquitous connectivity is the standard mode for any product now. Abstraction and componentization are also big trends. Instead of writing code, we now frequently use a library or write a script to instruct something else to be built. It's great to build applications quickly, but it changes the way you have to think about security and supply chain. Technology trends. That's why we need a CPSO role, not just a Chief Information Security Officer (CISO). A CISO is concerned about compliance and protecting the company's brand, but a CPSO would be responsible for managing product risk. Product risk spans so many departments (engineering, compliance, supplier management, and information risk) and will likely span even more departments over the next few years. CISOs have too much on their plate to be able to take on product risk. Corman mentions that many healthcare organizations have started adding a CPSO-type role to their organizations and others should follow suit, especially given the increase in software breaches. As mentioned in our blog outlining Anne Neuberger's RSAC address, cyberattacks have increased by 67 percent in the past five years. And many of these breaches, like SolarWinds and Microsoft Exchange, are having national security implications. In fact, the Biden administration recently released an executive order to safeguard U.S. cybersecurity. So having a role that is dedicated to managing product risk is not only beneficial but arguably essential. For more summaries of RSA Conference 2021 sessions, check the Veracode Blog, | Guideline Uber | ★★
Veracode | 2021-05-20 16:59:46 | Live From RSAC: Is Digital Transformation Making AppSec Headless? | Chris Wysopal, Veracode Co-Founder and CTO, recently sat down with Tom Field, ISMG Senior Vice President of Editorial, for an executive interview at the RSA Conference 2021 to discuss whether digital transformations are making application security (AppSec) "headless." Headless AppSec is an interesting concept. AppSec was traditionally part of the security role. But, as companies become increasingly digital, it's too time-consuming for developers to hand off AppSec scans to security. To eliminate the hand-off, companies have been moving AppSec scans to the development role. But without the right processes in place and without security knowledge, AppSec scans can be just as laborious in the development phase. The ultimate goal is to make security "headless," or managed as part of code instead of as a separate task. The pandemic is definitely expediting this shift to headless AppSec. As Wysopal stated, "There's no doubt that Covid-19 has accelerated all the things that companies were doing anyway, but on a much longer path." Many companies were in the process of a digital transformation but, when the pandemic hit, they realized that in order to be competitive in the market, they needed to ramp up their shift to digital and move to the cloud for more flexibility. The pandemic has also caused organizations to change the way that they're building software. The market is more competitive than ever. So, to keep up, organizations need to iterate quickly and go to market faster. In fact, many organizations are coming up with a new feature in a day and going to production in a day. But this speed is proving the need for headless AppSec. You can no longer have different teams building code, testing code, etc. You need to automate these processes and have them handled by one team. Ideally, the developers should be able to not only write code but also diagnose bugs and put fixes in place. For example, infrastructure itself is becoming very dynamic and programmable. Consider the rise of microservices, container security, and Kubernetes. It's pushing all the things operations used to do into code so that developers can control it. Development and operations aren't the only two functions that should be on the same team; security should be as well. Security tools should be put in the developer pipeline so developers can remediate flaws without having to connect with security personnel. Wysopal advocates for a security champions program to help train interested developers in security best practices. These developers can act as the voice of security on their scrum teams, eliminating the need for a security hand-off. And all security tools should be automated into the developers' existing tools and processes so that they don't have to spend additional time conducting AppSec scans. This automation could open the door to machine learning and artificial intelligence. Machine learning thrives off data sets from automation. It can evaluate scan data and code that was previously remediated to come up with rules for auto-remediation. If AppSec scans are automated and remediation is automated, that would be the ultimate form of headless AppSec. According to Wysopal, auto-remediation is a very real possibility and we should be seeing it by the end of the year. For more updates on the RSA Conference 2021, check out the Veracode Blog, daily. | Uber | ★★★★
Kaspersky | 2021-05-19 20:24:50 | Can Nanotech Secure IoT Devices From the Inside-Out? | Work's being done with uber-lightweight nanoagents on every IoT device to stop malicious behavior, such as a scourge of botnet attacks, among other threats. | Uber
InfoSecurityMag | 2021-05-18 17:52:00 | #RSAC: Anne Neuberger Sets Out Biden Administration's Plan to Modernize US Cyber-defenses | Anne Neuberger outlines three areas of focus for the Biden administration to enhance the US's cybersecurity. | Uber
TechRepublic | 2021-05-13 17:47:50 | Loft Labs introduces and open sources virtual Kubernetes clusters | Want a lightweight way to quickly spin up Kubernetes clusters? Check out virtual clusters from Loft Labs. | Uber
WiredThreatLevel | 2021-05-11 23:56:55 | Biden Makes a Deal With Uber and Lyft in the Name of Vaccines | Despite his unease with the ride-hail business model, the president needs help getting more Americans to vaccination sites to meet his July 4 deadline. | Uber | Uber
SecurityWeek | 2021-05-05 13:41:32 | Red Hat Open-Sourcing StackRox Security Technology | Red Hat this week announced that it's taking the first steps towards open-sourcing the StackRox container security product for Kubernetes. | Uber
TroyHunt | 2021-04-29 20:02:06 | Uber, Lyft stocks plunge after Biden official says drivers are employees | Uber and Lyft argue treating drivers as employees would wreck their business. | Uber | Uber
Veracode | 2021-04-29 15:20:23 | Executive Order on Cybersecurity Is Imminent: It's Been a Long Time Coming | Following President Biden's address to Congress last night, in which he referenced cybersecurity as a priority twice, news is circulating today that the executive order on cybersecurity is imminent. This news comes as a much-awaited and long-overdue step towards creating standardization and structure around cybersecurity. Anne Neuberger, the deputy national security advisor for cyber and emerging technology, says the order will be like the National Transportation Safety Board, or NTSB, for cyber. "What can we learn with regard to how we get advance warning of such incidents," she recently told reporters. She also notes that this executive order will be a starting point that should eventually trickle down to the consumer market as well. "If we start incentivizing security, then companies, [and] the market will then inherently prioritize it because more people will buy the product," she says. From my perspective, I am happy that this topic is finally coming full circle. In 2013, Chris Wysopal addressed this very topic in a keynote at RVASec where he discussed "The Future of Government Sharing." In fact, Chris started creating awareness with the federal government 23 years ago when he and some colleagues from hacker thinktank the L0pht testified to Congress in efforts to expose the risks and threats of cybersecurity. Eight years later, I joined Chris when he launched Veracode to actually start solving the critical problem of software security; together we focused on helping developers and security teams not just find but also fix vulnerabilities in their software (developed in-house, open source or third-party purchased). Just last month on International Women's Day, I sat down with The New York Times cybersecurity reporter Nicole Perlroth and OWASP board member Vandana Verma to discuss this topic on an RSA Conference Podcast, sharing that Veracode's recent research revealed that 66 percent of applications fail to meet the OWASP Top 10 standards, meaning they have a major vulnerability. This highlights that there is work to be done and we must embed security testing into the software development lifecycle so that, as developers write code, they write securely. In that discussion, Perlroth said, "We can't be trying to band-aid on these fixes after vulnerable code has already made its way to users, but also into critical infrastructure … We need to think about security and security design from the start. We have to start bringing in security engineers from the very beginning." Part of making software more secure involves integrating security into the software development lifecycle and training developers. We should not expect secure code if we haven't established clarity on what good looks like and equipped developers with the right guidance, the right knowledge, and the right tools. The executive order has been a long time coming, and I hope it establishes what the right expectations and accountability should be. We must put structure and standardization around cyber and software security, and there are a number of great examples of how this has been done successfully. One of our customers, an educational software vendor, joined the Veracode Verified program in order to provide evidence of its security processes and | Uber
TechRepublic | 2021-04-28 19:10:05 | In new release, OpenStack Wallaby reaches out to Kubernetes | OpenStack, the popular open-source private cloud, used to be an island unto itself, but moving forward it relies more and more on integration with cloud-native computing programs. | Uber
WiredThreatLevel | 2021-04-28 11:00:00 | He's a WWE Pro and a Vtuber. Those Worlds Aren't So Different | Brennan Williams wrestles as Mace but streams as an animated character named Jibo. It's all kayfabe, and a little bit not. | Uber
AlienVault | 2021-04-28 10:00:00 | What Docker runtime deprecation means for your Kubernetes | This blog was written by an independent guest blogger. On December 8, 2020, Kubernetes released version 1.20—the third and final release of the popular container orchestration platform in 2020. Kubernetes noted in a blog post that the version contained 42 enhancements. Of those enhancements, 16 entered into alpha, while the remainder moved to beta or graduated to stable at 15 and 11, respectively. That’s not all that was in Kubernetes version 1.20, however. The new release also came with the announcement of dockershim’s forthcoming deprecation. This blog post will discuss what this change means to admins and provide some recommendations on how admins can respond. Before we do that, however, we need to cover the basics of how dockershim relates to Kubernetes and why the platform decided to deprecate the component in the first place. An Overview of Dockershim: Dockershim is a module used by the kubelet to support the Container Runtime Interface (CRI) for Docker. Released with Kubernetes version 1.5 in 2016, CRI is a plugin interface that allows the kubelet to use different container runtimes without recompiling. The Kubernetes-supported runtimes responsible for containers include containerd, CRI-O and, for the next few months at least, Docker. The issue with dockershim is that the Docker container runtime predates Kubernetes’ release of CRI. As noted in its documentation, Kubernetes’ early releases offered compatibility with just one container runtime: Docker. That changed as time went on and as cluster operators expressed the desire to interact with other container runtimes. Kubernetes created CRI to help those cluster operators, but as its support of Docker came before CRI, the container orchestration platform had to come up with an adaptor component that helped the kubelet interact with the Docker container runtime as if it were a CRI-compatible runtime. This led to the emergence of dockershim. Keeping dockershim around ultimately created problems for Kubernetes, however. The issue here is that the kubelet needs to call another component—dockershim—before it can interact with containerd, CRI-O or another supported CRI runtime. It’s a middle man that complicates container runtimes for the platform as a whole. Indeed, in the words of Kubernetes, “that’s not great, because it gives us another thing that has to be maintained and can possibly break.” Dockershim was only meant to be a temporary solution. Acknowledging that fact, the task of maintaining dockershim had become sufficiently problematic by the end of 2020 that it placed “a heavy burden on the Kubernetes maintainers,” according to the platform. Hence Kubernetes’ decision to deprecate the component. Going forward, Kubernetes will warn administrators about this deprecation starting in version 1.20. As explained by StackRox in a blog post: If you currently use a managed Kubernetes service or a distribution like OpenShift, your provide | Uber
Veracode | 2021-04-19 09:05:28 | DevSecOps in Practice: How to Embed Security into the DevOps Lifecycle | You've heard of DevOps. And by now, you've probably also heard of DevSecOps, which extends DevOps principles into the realm of security. In DevSecOps, security breaks out of its "silo" and becomes a core part of the DevOps lifecycle. That, at least, is the theory behind DevSecOps. What's often more challenging for developers to figure out is how to apply DevSecOps in practice. Which tools and processes actually operationalize DevSecOps? Until you can answer that question, DevSecOps will be just another buzzword. To help bridge the gap between theory and practice, let's walk through what DevSecOps means from a practical perspective, and how to go about embedding it into your development workflows. DevSecOps, defined: If you're familiar with DevOps (which encourages collaboration between developers and IT operations engineers in order to speed application delivery), then the meaning of DevSecOps is easy enough to understand. DevSecOps adds security operations teams into the equation so that they can collaborate seamlessly with developers and IT engineers. DevSecOps places a DevOps spin on basic security concepts. Just as DevOps encourages continuous delivery, DevSecOps is all about continuous security, meaning the constant and holistic management of security across the software development lifecycle. Similarly, DevSecOps encourages continuous improvement in the realm of security, meaning that no matter how secure you believe your environment is, you should always be looking for ways to improve your security posture even further. DevSecOps in practice: These are all great ideas to talk about, and it's easy to see why they are valuable. Security postures are indeed stronger when developers, IT engineers, and security engineers work together, rather than working in isolation. It's much easier to optimize security when developers prioritize security with every line of code they write, and when IT engineers think about the security implications of every deployment they push out, rather than viewing security as something that someone else will handle down the line. The big question for teams that want to embrace DevSecOps, though, is how to go about putting these ideas into practice. That's where things can get tougher. There is no simple methodology that allows you to "do" DevSecOps. Nor is there a specific tool that you can deploy or a particular role that you can add to your team. Instead, operationalizing DevSecOps means building holistic combinations of processes and tools that make it possible to integrate security into DevOps workflows. While the best approach to this will vary from team to team, the following are some general best practices for implementing DevSecOps. Scanning early and often: One basic step toward implementing DevSecOps is to ensure that you perform security tests and audits at the beginning of the software delivery pipeline. You don't want to wait until code is written and built to start testing it for flaws (and you certainly don't want to let it get into production before testing it). Instead, you should be scanning code as it is written, by integrating security tooling directly into your IDEs if possible. Importantly, security scanning should continue as code "flows" down the pipeline. You should scan your test builds and application release candidates before deployment. Security monitoring and auditing should also continue once code is in production. Automation: Automation is a founding principle of DevOps, and it's just as important to DevSecOps. Automation not only makes processes faster and more efficient, but also helps reduce friction between the different stakeholders in DevSecOps | Tool Uber | ★★★
TroyHunt.webp 2021-04-16 11:41:36 The largest independent self-driving startup is under a lot of pressure (lien direct) Aurora more than doubled in size when it acquired Uber's self-driving project. Uber
Kaspersky.webp 2021-04-14 20:56:27 Security Bug Allows Attackers to Brick Kubernetes Clusters (lien direct) The vulnerability is triggered when a cloud container pulls a malicious image from a registry. Vulnerability Uber
CVE.webp 2021-04-13 20:15:20 CVE-2021-28448 (lien direct) Visual Studio Code Kubernetes Tools Remote Code Execution Vulnerability Uber
TechRepublic.webp 2021-04-09 15:50:00 Canonical announces enterprise support for Kubernetes 1.21 from the cloud to the edge (lien direct) Latest update includes support for N-2 releases and extended security maintenance and patching for N-4 releases in the stable release channel. Patching Uber
TechRepublic.webp 2021-04-08 18:37:44 MinIO adds key management tools to its Kubernetes object storage product (lien direct) The new Operator, Console, and SUBNET Health tools are designed to give administrators more effective ways to use and manage the product. Uber
TroyHunt.webp 2021-04-07 19:10:37 Riders face long waits as Uber and Lyft struggle to recruit drivers (lien direct) Riders are flooding back to ride-hailing apps. Drivers, not so much. Uber Uber
Chercheur.webp 2021-04-06 11:05:07 Phone Cloning Scam (lien direct) A newspaper in Malaysia is reporting on a cell phone cloning scam. The scammer convinces the victim to lend them their cell phone, and the scammer quickly clones it. What’s clever about this scam is that the victim is an Uber driver and the scammer is the passenger, so the driver is naturally busy and can’t see what the scammer is doing. Uber Uber
Fortinet.webp 2021-04-05 00:00:00 Fortinet Adaptive Cloud Security Extends Cloud-native Security and Visibility to Protect Container (lien direct) Fortinet announced a new cloud native container and Kubernetes security solution, FortiCWP Container Guardian. Learn more. Uber
TroyHunt.webp 2021-03-22 18:51:15 YouTuber Patrick (H) Willems has thoughts on movies-lots of thoughts (lien direct) In this edition of "Personal History," we talk with Willems about his YouTube comments. Uber
SecurityAffairs.webp 2021-03-19 20:23:13 Why Focusing on Container Runtimes Is the Most Critical Piece of Security for EKS Workloads? (lien direct) Amazon Elastic Kubernetes Service (EKS), a platform which gives customers the ability to run Kubernetes apps in the AWS cloud or on premises. Organizations are increasingly turning to Kubernetes to manage their containers. In the 2020 Cloud Native Survey, 91% of respondents told the Cloud Native Computing Foundation (CNCF) that they were using Kubernetes-an increase […] Uber
TroyHunt.webp 2021-03-18 17:27:13 Uber concedes UK drivers are workers-some drivers aren\'t satisfied (lien direct) Uber only wants to pay for "engaged time"-not time waiting for a new customer. Uber Uber
WiredThreatLevel.webp 2021-03-17 20:08:53 Uber Says Its UK Drivers Are \'Workers,\' but Not Employees (lien direct) The ride-hail giant shifts its stand following a court ruling, part of a global push for a “third category” of workers. Uber
CVE.webp 2021-03-16 21:15:10 CVE-2021-20218 (lien direct) A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2 kubernetes-client-5.0.2 kubernetes-client-4.11.2 kubernetes-client-4.7.2 Vulnerability Threat Uber
TechRepublic.webp 2021-03-16 15:48:59 Simplifying the mystery: When to use docker, docker-compose, and Kubernetes (lien direct) Jack Wallen attempts to demystify the difference between three important container technologies with a nod to simplicity. Uber
InfoSecurityMag.webp 2021-03-15 11:30:00 Uber and Lyft Pool Driver Info to Boost Passenger Safety (lien direct) Program will keep deactivated drivers off the roads Uber
ZDNet.webp 2021-03-12 11:38:31 Uber, Lyft to share data on drivers banned for sexual, physical assault (lien direct) The measure may stop banned drivers from being able to jump between platforms. Uber
CVE.webp 2021-03-10 22:15:12 CVE-2021-21334 (lien direct) In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue. This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions. Vulnerability Uber
WiredThreatLevel.webp 2021-03-05 13:00:00 Gig Companies Fear a Worker Shortage, Despite a Recession (lien direct) The pandemic sapped demand for rides from Uber and Lyft, and government aid has cushioned the blow for workers. Execs are feeling the strain. Uber Uber
AlienVault.webp 2021-03-04 11:00:00 Tips for minimizing security risks in your microservices (lien direct) This blog was written by an independent guest blogger. Organizations are increasingly turning to microservices to facilitate their ongoing digital transformations. According to ITProPortal, more than three quarters (77%) of software engineers, systems and technical architects, engineers and decision makers said in a 2020 report that their organizations had adopted microservices. Almost all (92%) of those respondents reported a high level of success. (This could explain why 29% of survey participants were planning on migrating the majority of their systems to microservices in the coming years.) Containers played a big part in some of those surveyed organizations’ success stories. Indeed, 49% of respondents who claimed “complete success” with their organizations’ microservices said that they had deployed at least three quarters of those microservices in containers. Similarly, more than half (62%) of the report’s participants said that their organizations were deploying at least some of their microservices using containers. The benefits and challenges of microservices Microservices present numerous opportunities to organizations that adopt them. They are smaller in size, notes Charter Global, which makes it possible to maintain code and add more features in a shorter amount of time. Organizations also have the option of deploying individual microservices independently of one another, thereby feeding a more dynamic release cycle, as well as of scaling these services horizontally. Notwithstanding those benefits, microservices introduce several security challenges. Computer Weekly cited complexity as the main security issue. Without a uniform way of designing them, admins can design microservices in different environments with different communication channels and programming languages. All of this variety introduces complexity that expands the attack surface. 
So too does the growing number of microservices. As they scale their microservices to fulfill their evolving business needs, organizations need to think about maintaining the configurations for all of those services. Monitoring is one answer, but they can’t rely on manual processes to obtain this level of visibility. Indeed, manual monitoring leaves too much room for human error to increase the level of risk that these services pose to organizations. Kubernetes as an answer Fortunately, Kubernetes can help organizations to address these challenges associated with their microservices architecture. Admins can specifically use the popular container management platform to maintain their microservices architecture by isolating, protecting and controlling workload through the use of Network Policies, security contexts enforced by OPA Gatekeeper and secrets management. Kubernetes network policies According to Kubernetes’ documentation, groups of containers called “pods” are non-isolated by default. They accept traffic from any source in a standard deployment. This is dangerous, as attackers could subsequently leverage the compromise of one pod to move laterally to any other pod within the cluster. Admins can isolate these pods by creating a Network Policy. These components Uber
TroyHunt.webp 2021-03-03 20:38:03 This startup has an intriguing concept for EV battery swaps (lien direct) The first five stations in the Bay Area will be used by a fleet of electric Ubers. Uber
SecurityWeek.webp 2021-03-03 19:21:06 New CISO Hires at Uber, Square, SailPoint (lien direct) Ride-sharing giant Uber has quietly snapped up veteran security leader Latha Maripuri to be its Chief Information Security Officer (CISO). A formal announcement has not yet been made but Maripuri, a security leader with stints at IBM and NewsCorp, has shared the news on her LinkedIn profile. Guideline Uber Uber ★★★★★
TechRepublic.webp 2021-03-03 17:51:31 How to quickly validate your Kubernetes configuration files (lien direct) Your Kubernetes YAML files need validation. Jack Wallen shows you a very easy tool that can drastically simplify that task. Tool Uber
CVE.webp 2021-02-25 23:15:16 CVE-2021-24109 (lien direct) Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability Uber ★★★
Last update at: 2024-05-10 07:07:54