PARETO: The most sophisticated CTV botnet ever found...and disrupted

https://www.humansecurity.com/pareto

Announcing Windows 10 Insider Preview Build 21364 | Windows Insider Blog
https://blogs.windows.com/windows-insider/2021/04/21/announcing-windows-10-insider-preview-build-21364/

Facebook has a new mega-leak on its hands

https://arstechnica.com/gadgets/2021/04/tool-links-email-addresses-to-facebook-accounts-at-scale/

The OpenVPN community project team is proud to release OpenVPN 2.5.2. It fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with “–auth-gen-token” or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2 also includes other bug fixes and improvements. Updated OpenSSL and OpenVPN GUI are included in Windows installers

https://openvpn.net/community-downloads/

PrivateDrop: Practical Privacy-Preserving Authentication for Apple AirDrop

Evolving Kubernetes networking with the Gateway API
https://kubernetes.io/blog/2021/04/22/evolving-kubernetes-networking-with-the-gateway-api/

GitHub - microsoft/wslg: Enabling the Windows Subsystem for Linux to include support for Wayland and X server related scenarios
https://github.com/microsoft/wslg

GitLab 13.11 released with Kubernetes Agent and Pipeline Compliance | GitLab
https://about.gitlab.com/releases/2021/04/22/gitlab-13-11-released/

Tor-Based Botnet Malware Targets Linux Systems, Abuses Cloud Management Tools
https://www.trendmicro.com/en_us/research/21/d/tor-based-botnet-malware-targets-linux-systems-abuses-cloud-management-tools.html

Detecting Secrets to Reduce Attack Surface

В настоящее время нет (или мало) публично доступных инструментов с открытым исходным кодом для обнаружения секретов в образах контейнеров. Авторы рассказывают про инструмент с открытым исходным кодом SecretScanner который предназначен для обнаружения секретов, которые хранятся в образах непреднамеренно или по ошибке дизайна образа

Примеры секретов:
- пароли пользователей
- автоматически сгенерированные пароли
- пароли от БД
- SSH ключи
- API ключи
- авторизационные ключи
- токены
- SSL сертификаты

https://medium.com/deepfence-cloud-native-security/detecting-secrets-to-reduce-attack-surface-3405ee6329b5

About the security content of iOS 14.5 and iPadOS 14.5 - Apple Support

Довольно много патчей от Apple устраняющих достаточное количество уязвимостей

https://support.apple.com/en-us/HT212317

Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows RPC Protocol - SentinelLabs

https://labs.sentinelone.com/relaying-potatoes-dce-rpc-ntlm-relay-eop/

Linux Security Module Usage

https://www.kernel.org/doc/html/v4.15/admin-guide/LSM/index.html

…

KubeArmor

https://github.com/accuknox/KubeArmor#getting-started

Управление рисками цепочек поставок от NIST/CISA

Агентство по кибербезопасности и инфраструктурной безопасности (CISA) и Национальный институт стандартов и технологий (NIST) предоставляют информацию об атаках на цепочку поставок программного обеспечения, связанных с ними рисках и о том, как организации могут эти риски могут смягчить

https://csrc.nist.gov/projects/cyber-supply-chain-risk-management

Fedora Linux 34 is officially here! - Fedora Magazine

https://fedoramagazine.org/announcing-fedora-34/

What's new in Fedora:

https://fedoramagazine.org/whats-new-fedora-34-workstation/

SSHing to my Raspberry Pi 400 from a browser, with Cloudflare Tunnel and Auditable Terminal
https://blog.cloudflare.com/ssh-raspberry-pi-400-cloudflare-tunnel-auditable-terminal/

The NGINX Handbook
https://www.freecodecamp.org/news/the-nginx-handbook/amp/