So I want to beat a particular #cybersecurity drum that drives me crazy. If you read this year-old paper on abandoned S3 buckets, consider all the things that can go wrong. Then reflect on the fact that at all times, every bit of data could have been “encrypted at rest” and “encrypted in transit.” Those 2 security controls amount to very little in the cloud. Encrypt at rest on my phone? My laptop? Of course. The physical theft is a major possibility. Contents of an S3 bucket? Not making any difference.
Think about TLS in this case. The malicious payloads would all come from a valid HTTPS endpoint running state-of-the-art TLS done the right way. You will definitely get exactly the malicious payload that was intended, with minimal chance that a different bad actor could MitM your malware download and cause you to download different malware than the malware you were trying to download.
Encryption in the cloud (at rest or in transit) is not access control.

8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur
Surprise surprise, we've done it again. We've demonstrated an ability to compromise significantly sensitive networks, including governments, militaries, space agencies, cyber security companies, supply chains, software development systems and environments, and more. “Ugh, won’t they just stick to creating poor-quality memes?” we hear you moan. Maybe we should, maybe
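To make the point about abandoned buckets concrete, here is an added example (not from the post or the linked paper) that audits text such as deploy scripts for S3 references and flags any bucket that is not in your own account inventory. The sample script, the bucket names and the `OWNED` set are constructed; in practice the inventory would come from something like `aws s3api list-buckets`.

```python
import re

BUCKET = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
REGION = r"(?:[a-z0-9-]+\.)?"

# The three common ways an S3 bucket is referenced in scripts and configs.
_PATTERNS = [
    re.compile(r"s3://" + BUCKET),                                            # s3://bucket/key
    re.compile(r"https?://" + BUCKET + r"\.s3[.-]" + REGION + r"amazonaws\.com"),   # virtual-hosted
    re.compile(r"https?://s3[.-]" + REGION + r"amazonaws\.com/" + BUCKET),          # path-style
]


def bucket_references(text):
    """Return {bucket_name: [line numbers]} for every S3 reference in text."""
    refs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in _PATTERNS:
            for match in pattern.finditer(line):
                refs.setdefault(match.group(1), []).append(lineno)
    return refs


def dangling(text, owned_buckets):
    """References to buckets that are not in our own inventory.

    Anyone can register such a name once it is free, and requests to it
    still succeed over perfectly valid HTTPS.
    """
    return {b: lines for b, lines in bucket_references(text).items()
            if b not in owned_buckets}


# Constructed sample: fragments of a deploy script (hypothetical bucket names).
SAMPLE = """\
# bootstrap
curl -fsSL https://acme-installers.s3.amazonaws.com/agent.sh -o agent.sh
aws s3 cp s3://acme-prod-artifacts/app.tgz .
wget https://s3.eu-west-1.amazonaws.com/acme-old-ci-cache/tools.zip
"""
OWNED = {"acme-prod-artifacts"}  # constructed inventory of buckets we control

if __name__ == "__main__":
    for bucket, lines in dangling(SAMPLE, OWNED).items():
        print(f"unowned bucket {bucket!r} referenced on line(s) {lines}")
```

Both flagged references use `https://`, so transport encryption is intact in every case; the finding is purely about who controls the bucket name.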