The technology blog and podcast and TSB

The Security Box, podcast 195: What Are .env Files and why should I care?


Hello folks, welcome to podcast 195 of the Security Box. Let's start off with a set of questions that came out of something we did not cover as part of last week's box. If you listen via the podcast, please submit your guesses before the answers are revealed. I'll personally give you credit where credit is due, and we can work out what you will get for correct answers. The questions are: What 8 companies, 1 of which was part of the big Ticketmaster breach, were attacked? What small-time actor group took responsibility for these 8 company attacks? Which two companies disputed the hack? Finally, what was the most recent company to come out confirming they were part of the actor's fiasco? We are also going to cover the news, the landscape, LastPass's recent fiasco that can happen to anyone, and more. Our topic this week is environment files, which are used to store secrets including keys, usernames and passwords. Apparently these files, known as .env files, are wide open and can be taken for use. Enjoy the program and thanks so much for listening!
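The exposure the episode refers to shows up in web server logs as requests for the .env file itself. The following Python check is an added example, not part of the show notes or the podcast; it runs over constructed access log lines in the common combined format (assumed, not taken from the episode) and flags requests for .env-style paths, separating probes the server refused from ones it answered with 200.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2024:12:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jun/2024:12:00:03 +0000] "GET /api/.env HTTP/1.1" 200 318 "-" "curl/8.0"
198.51.100.7 - - [10/Jun/2024:12:00:04 +0000] "GET /.env.bak?x=1 HTTP/1.1" 403 0 "-" "curl/8.0"
192.0.2.9 - - [10/Jun/2024:12:00:05 +0000] "GET /environment HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Fields of one combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A path component named exactly ".env" or starting with ".env." (e.g. .env.bak);
# a path like "/environment" must not match.
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.|$)')


def find_env_requests(log_text):
    """Return one dict per request whose path points at a .env-style file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if ENV_PATH_RE.search(path):
            status = int(m.group("status"))
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": path, "status": status,
                         # 200 means the server answered with content: the exposure case
                         "served": status == 200})
    return hits


def summarize(hits):
    """Requests per client IP, plus the subset the server answered with 200."""
    per_ip = Counter(h["ip"] for h in hits)
    served = [h for h in hits if h["served"]]
    return per_ip, served


if __name__ == "__main__":
    per_ip, served = summarize(find_env_requests(SAMPLE_LOG))
    print("probes per IP:", dict(per_ip))
    for h in served:
        print("EXPOSED: %s served with 200 to %s at %s" % (h["path"], h["ip"], h["ts"]))
```

A 200 can also come from a framework catch-all page, so confirm what the response body contained before treating a hit as a leaked secrets file.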
Our Scam of the Week
A scam impersonating Kelly (formerly Kelly Services) has been targeting users who know the JRN's work. Kelly informed the JRN that this scam has been going around in this form for at least 5 months. The first report came from TSB participant Preston Gaylor. The second came from another subscriber who assists me in another capacity. Please read the blog post titled New scam from work provider, Kelly (formerly Kelly Services) for complete details. We link to the official website where you, too, can alert them about this scam. The representative informed me that they have over 500 copies of this and asked about the version that is going around. We'll be discussing this as part of the program, don't worry!
Our Question
If you intend to play, please do not look at the answers given below. We also are linking to sources of further reading too.
What 8 companies, 1 of which was part of the big Ticketmaster breach, were attacked? What small-time actor group took responsibility for these 8 company attacks? Which two companies disputed the hack? Finally, what was the most recent company to come out confirming they were part of the actor's fiasco?
The Answer: Skip if you intend to participate and win
Answer: Snowflake, Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Parts. Progressive and Mitsubishi disputed the threat actor’s claims while Advance Auto Parts recently came out with details of their breach.
Sources from the blog:
  • Live Nation confirms breach at Ticketmaster
  • Advance Auto Parts confirms breach, numbers don’t match
  • Snowflake’s breach may be bigger than we think, let’s add yet another company to the mix
The links lead to our blog, where you can read more.
LastPass needs a break here, this can happen to anyone
This can happen to anyone. People want to jump ship because of this most recent outage, and I don't blame them. It turns out it was because of their Chrome extension, which somehow went completely ape and could have sent a DDoS attack. I don't want to go that far, but it was a 12-hour outage if not longer. I recently had to sign in and I was successful, and this happened on Thursday, June 6, 2024.

By Jared Rimer