CDN badness - Backstop Weekly Roundup - 2018-10-24

Hello Backstoppers!

Welcome to this week’s issue of our weekly roundup! Product updates, security news, and important-to-know information, all in one easy-to-digest email.

The product updates for this week are a bit quieter, as a lot of the week went to SPF / DMARC / email-sending issues. Email design still isn’t our strong suit, but at least everyone should be receiving this email now!

Last week we talked about a few new features.

  • A few of you asked to port scan and get uptime for thousands of IPs. We now support that, though you’ll need to use the API to add them. We’re still planning a dashboard rev to better handle large numbers of hosts.

  • We now (optionally) send a daily reminder email to those GSuite users that don’t have 2-factor authentication turned on. You can turn this on in your Google Authentication check settings. If you want a specific email template to be used for this (instead of our default), contact us and we’ll set that up.

  • We’re also revving our email templates and slack messages so that you get better notifications with larger numbers of hosts. These changes are already rolling out.

  • We’re in the process of adding a minimum number of failed checks before alerting as well (another customer request)!

  • We’ll be publishing a glossary page to help clarify a bunch of devops and security terms that are always thrown around without any explanation.


In security news:

  • In S3 bucket news, both the DoD and a Tea Party PAC lost data due to S3 bucket permissions. This is exactly why Backstop exists…

  • Subresource Integrity is back in the news (H/T Corey Quinn). This time, a Twitter share-counter script was replaced with malware. The original script was hosted in an S3 bucket that was then shut down. Someone re-registered the bucket and served a malicious script to every site still loading it. The key point is that there’s a way to protect against that, and it’s called Subresource Integrity: the browser compares the file it fetched against a hash you put in the script tag and refuses to run it on a mismatch. Troy Hunt has a great writeup on using it. Note that browser support is even more widespread than in Troy’s post, so get on implementing it! Contact us if you have questions about how to go about it.

  • BA and Cathay Pacific lost credit card numbers in breaches.

  • Colorado is doing very well, when it comes to election cybersecurity! Local news for the win!

  • Area1 is doing a pay-per-successful-phish model of phishing simulation. Like kids, cars, and boats, this seems like something that will cost more than you think.

That’s all for now, stay safe friends!