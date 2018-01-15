Security: Updates, Secure Contexts, RubyMiner, ZAP, Transmission, AMD
Security updates for Monday
Secure Contexts Everywhere
Since Let’s Encrypt launched, the Secure Contexts specification has become much more mature. We have witnessed the successful restriction of existing, as well as new features to secure contexts. The W3C TAG is about to drastically raise the bar to ship features on insecure contexts. All the building blocks are now in place to quicken the adoption of HTTPS and secure contexts, and follow through on our intent to deprecate non-secure HTTP.
Linux and Windows Servers Targeted with RubyMiner Malware
Security researchers have spotted a new strain of malware being deployed online. Named RubyMiner, this malware is a cryptocurrency miner spotted going after outdated web servers.
According to research published by Check Point and Certego, and information received by Bleeping Computer from Ixia, attacks started on January 9-10, last week.
Virtual currency miners target web servers with malware
ZAP provides automated security tests in continuous integration pipelines
Commonly, a mixture of open source and expensive proprietary tools are shoehorned into a pipeline to perform tests on nightly as well as ad hoc builds. However, anyone who has used such tests soon realizes that the maturity of a smaller number of time-honored tests is sometimes much more valuable than the extra detail you get by shoehorning too many tests into the pipe then waiting three hours for a nightly build to complete. The maturity of your battle-hardened tests is key.
BitTorrent users beware: Flaw lets hackers control your computer
There's a critical weakness in the widely used Transmission BitTorrent app that allows websites to execute malicious code on some users' computers. That's according to a researcher with Google's Project Zero vulnerability reporting team, who also warns that other BitTorrent clients are likely similarly susceptible.
Among the things an attacker can do is change the Torrent download directory to the user's home directory. The attacker could then command Transmission to download a Torrent called ".bashrc" which would automatically be executed the next time the user opened a bash shell. Attackers could also remotely reconfigure Transmission to run any command of their choosing after a download has completed. Ormandy said the exploit is of "relatively low complexity, which is why I'm eager to make sure everyone is patched."
AMD Releases Linux and Windows Patches for Two Variants of Spectre Vulnerability
AMD has published a press announcement on Thursday to inform its customers that it released patches for two variants of the Spectre security vulnerability disclosed to the public earlier this month.
'Shift Left': Codifying Intuition into Secure DevOps
Continuous delivery (CD) is becoming the cornerstone of modern software development, enabling organizations to ship — in small increments — new features and functionality to customers faster to meet market demands. CD is achieved by applying DevOps practices and principles (continuous integration and continuous deployment) from development to operations. There is no continuous delivery without implementing DevOps practices and principles. By that, I mean strong communication and collaboration across teams, and automation across testing, build, and deployment pipelines. But often achieving continuous delivery to meet market demands presents numerous challenges for security.
