Twister

In ITC's Threat of the Week

As promised last time, this week’s missive is brought to you from Japan, the land of the rising sun, almost as far East as you can go and therefore closest to The Sun itself in a flat earth model.

Unfortunately, the rugby qualifier between England and France (due to be held in Yokohama, near Tokyo) has been cancelled because Tokyo is in the path of one of the biggest typhoons ever seen, a ‘Super Typhoon’, similar to a category five hurricane (essentially the same thing: Typhoon == Hurricane).

Typhoon Hagibis is all set for landfall on the Japanese capital tomorrow afternoon. The attitude in Tokyo seems to swing wildly between nonchalance, fear and desperation. It is very difficult to get a handle on just how risky to life and limb this might be.

Nonchalance is never a good thing and almost certainly ends up leaving the nonchalant red-faced, weather-beaten or just looking silly.

And so it was this week that none other than Twitter (see what we did there) had to come clean about the fact that the details sold to advertising ‘partners’ included the secret stuff that we, the punters, will have submitted as secret answers: for instance one’s telephone number, mother’s maiden name, inside leg measurement, name of first gerbil. You get the picture.

Whoopsie. Indeed.

The Twitter confession is at best lacklustre. If this was not done deliberately to make zee monies, only nonchalance can be to blame. Nonchalance around segregation of data and its encryption at rest and in transit is the enemy of secure design and, as the app industry sets the controls for the heart of the sun, will surely come round to bite a business in places the sun don’t shine. That is, bite the business, not the tribes, wizards, scrum masters or any other fancy name that is given to a development team to distract them from the scent that they are being used and abused.

While we have the ranting stick out, especially regarding hugely complex environments being built from little-understood central libraries, containerisation and the like, all at breakneck pace, which we have gone on, and on, and on about, this week has seen yet another really very, very serious ‘feature’ which has the potential to render Kubernetes system security as useful as a chocolate teapot.

Hands up if you know what a ‘billion laughs attack’ is. For those who do not know and can’t be bothered, or are too paranoid (well done), to click on the link, a billion laughs attack is a denial-of-service attack aimed at XML parsers.

Turns out that there is a new billion laughs attack which can take down Kubernetes environments easier than huffing and puffing down a house made of straw.
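To make the XML version concrete from the defender's side, here is an added example (not code from the original post or from ITC) showing the two controls a parser needs: refuse document type declarations and entity declarations outright when the format never needs them, or, where a DTD must be allowed, cap the amount of expanded character data so a few hundred bytes of input cannot balloon into gigabytes. The sample document is a constructed, deliberately tiny instance of the nested-entity shape (three levels of three references, so 27 copies of a three-letter string); the function and class names are the example's own.

```python
import xml.parsers.expat


class EntityExpansionRejected(Exception):
    """Raised when a document declares entities or expands past the budget."""


# Constructed sample: a tiny, bounded instance of the billion laughs shape.
# Three levels of three references each give 27 copies of "lol" (81 chars).
SMALL_EXPANSION_XML = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>
"""

# Constructed sample: an ordinary configuration document with no DTD.
BENIGN_XML = "<config><setting name='timeout'>30</setting></config>"


def parse_text(data: str, allow_dtd: bool = False, max_chars: int = 1_000_000) -> str:
    """Return the concatenated character data of `data`, or raise.

    Policy 1 (default, allow_dtd=False): refuse any DOCTYPE or entity
    declaration before a single entity is expanded.
    Policy 2 (allow_dtd=True): let expat expand entities but abort as soon as
    the expanded character data exceeds `max_chars`.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    seen = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise EntityExpansionRejected(f"DOCTYPE '{name}' not permitted")

    def on_entity_decl(name, *_):
        if not allow_dtd:
            raise EntityExpansionRejected(f"entity '{name}' declared")

    def on_chars(text):
        # expat may deliver expanded text in several chunks; count them all.
        nonlocal seen
        seen += len(text)
        if seen > max_chars:
            raise EntityExpansionRejected(
                f"expanded content exceeded {max_chars} characters")
        chunks.append(text)

    # An exception raised inside a handler stops parsing and propagates
    # out of Parse(), so the parser never finishes the expansion.
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return "".join(chunks)


def check(data: str, **policy):
    """Convenience wrapper returning (accepted, text_or_reason)."""
    try:
        return True, parse_text(data, **policy)
    except EntityExpansionRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(check(BENIGN_XML))                                        # accepted
    print(check(SMALL_EXPANSION_XML))                               # DOCTYPE refused
    print(check(SMALL_EXPANSION_XML, allow_dtd=True, max_chars=50))  # budget exceeded
    print(check(SMALL_EXPANSION_XML, allow_dtd=True, max_chars=1000))  # accepted, 81 chars
```

The default policy is the one to ship for application formats, since almost none of them need a DTD; the character budget is the fallback for the rare parser that must accept one. Both checks run before the expansion completes, which is the whole point: the attack succeeds only if the parser is allowed to finish.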

If you run a Kubernetes environment, and you may well be without even knowing it (see tribes, wizard’s sleeves, scrums etc. above) please follow this CVE.

Obviously this week is ‘patch Tuesday’ week. This blog is not in the business of dealing with the details; suffice it to say, you should all know what to do by now. The Hacker News crew have a great write up here.

There was a plan to write something about the similarities between Microsoft operating systems (which are multi-platform, obvs) and Android (also multi-platform), contrasted with Apple’s iOS and OS X in terms of the number of vulnerabilities, but given the fact that the power is about to go out, this will have to wait for a less rainy day.

If you would like to truly understand the risks of your rapidly developed containerised environments, we have just the people to assist. Contact us at: [email protected] or call 020 7517 3900.

Author: Kevin Whelan
