Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
IoT Bug Grants Access to Home Video Surveillance
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/8/2019 | 7:04:31 PM
Re: more of the same
@RyanSepe: I have heard from highly regulated entities that they have experiences with cloud vendors with 360-degree auditing -- i.e., that in addition to auditing the vendor, the vendor audits the customer to ensure that they are doing what they need to do to be secure while using their platform. A great example of teamwork -- and it would be a great way to prevent the kind of brand damage AWS has suffered from this kind of thing.

Of course, one of AWS's biggest selling points is its accessibility for even the smallest of businesses/entities -- so that's pretty impractical (at least, at the personalized level) for AWS for its smaller clients.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
1/2/2019 | 2:52:32 PM
Re: more of the same
Agree 100%. I think its a tragic principle of a lack of education. By that I mean, Amazon does a great job to ensure that they configure their product to be a secure iteration by default. (Not overly stringent, but gets the job done) Unfortunately, it is then handed off to a NON-Amazon entity (corporate IT entity) who may not be overly familiar with how the S3 bucket is set up. By default this will restrict them from performing the function they need to support the business, so what will they do? They will remove the safeguards to allow them to do said function. In the process, removing any secure configuration they may have had. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/31/2018 | 10:46:46 PM
more of the same
Geezalou, another freakin' gross misconfiguration of S3-bucket access. This has been a huge trend over the past couple of years (despite the fact that the default settings tend to be more secure) -- to the point that AWS has had to change their UI a little.

I expect the trend to continue. Stupidity doesn't just end.


Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
CVE-2020-12513
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
CVE-2020-12514
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd
CVE-2020-12525
PUBLISHED: 2021-01-22
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
CVE-2020-12511
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.