Daily Archives: February 4, 2020

The problem with mobile and app voting

It's the day after the 2020 Iowa caucuses, and the Iowa Democratic Party has yet to announce the winner. The app that precinct leaders were supposed to use to report final tallies recorded inconsistent results. Party leaders blamed a "coding issue" within the app, not a hack or attack. Computerworld's Lucas Mearian joins Juliet to discuss the problem with mobile voting and how this snafu may affect the reputation of app voting in the future.

The many faces of SSRF

Server-Side Request Forgery, often shortened to SSRF, is a broad vulnerability class in which an attacker coerces a server into making network connections on their behalf. SSRF commonly, but not always, involves the victim server issuing HTTP(S) requests. The impact varies greatly and is always contextual, ranging from sensitive information disclosure to remote code execution or authorization bypasses. For example, an SSRF vulnerability in software running on AWS EC2 may lead to instance credentials being disclosed via the instance metadata site (more on this later), while the same vulnerability may have little to no security impact if the software is running on a temporary Digital Ocean droplet. Any endpoint that allows users to enter hostnames, URIs, or ports is potentially vulnerable, and should always be checked for SSRF exploit scenarios.

Google software glitch sent some users’ videos to strangers

Bug affected users of Google Takeout exporting from Google Photos in late November

Google has said a software bug resulted in some users’ personal videos being emailed to strangers.

The flaw affected users of Google Photos who requested to export their data in late November. For four days the export tool wrongly added videos to unrelated users’ archives.


NIST Offers Strategies to Help Businesses Secure Their Cyber Supply Chains

Reducing the cybersecurity risk to one of the most vulnerable aspects of commerce — global supply chains — is the goal of a new publication by the National Institute of Standards and Technology (NIST), whose computer security experts have distilled a set of effective risk management techniques into a draft guidebook for businesses. NIST is seeking public comment on the draft for the next 30 days. Key Practices in Cyber Supply Chain Risk Management (Draft NISTIR 8276) provides a set of strategies to help businesses address the cybersecurity issues posed by modern information and communications