LayerX Labs reports a sophisticated macOS phishing campaign, evading security measures. Learn how attackers adapt and steal credentials from Mac users.

A recent report by LayerX Labs has revealed a new phishing campaign that was initially designed to deceive Windows users but lately focused on targeting macOS users.

The campaign, which LayerX Labs monitored for several months, originally posed as Microsoft security alerts, aiming to steal user credentials. In the attack, attackers employed deceptive tactics, creating fake security warnings on hacked websites that claimed the user’s computer was “compromised” and “locked.” Victims were encouraged to enter their Windows username and password, while malicious code froze the webpage, mimicking a complete system lockdown.

According to LayerX’s analysis, shared with Hackread.com, several factors contributed to the campaign’s initial effectiveness. Firstly, the phishing pages were hosted on Microsoft’s Windows.net platform, making the fake security warnings appear legitimate.

Also, attackers utilized trusted hosting services, exploiting the fact that traditional anti-phishing defences often rely on top-level domain reputation. Furthermore, they employed randomized, rapidly changing subdomains, making it difficult for security tools to track and block the malicious pages, which themselves were professionally designed, and frequently updated to evade detection. Some even incorporated anti-bot and CAPTCHA technologies to hinder automated web crawlers. 

When Microsoft, along with Chrome and Firefox, introduced new anti-scareware features in early 2025, a dramatic 90% drop in Windows-targeted attacks was noticed. In response, the attackers adapted their strategy, shifting their focus to macOS users, unprotected by these new defences.

Within two weeks, LayerX Labs observed a surge in Mac-based attacks, much similar to the Windows-targeted ones but with slight code adjustments aiming to specifically target macOS and Safari users. Victims were lured to the phishing pages via compromised domain “parking” pages, often after making a typo in a URL.

In one instance, a macOS and Safari user from a LayerX enterprise customer was targeted. Although the organization employed a Secure Web Gateway, the attack bypassed it. However, LayerX’s AI-based detection system, which analyzes web pages using numerous parameters at the browser level, successfully blocked the attack.

Screenshot shows the phishing scam targeting both Windows and macOS users (Credit: LayerX Labs)

This campaign highlights the increasing sophistication of phishing attacks targeting macOS users. Menlo Security’s recent State of Browser Security report further highlights this trend, revealing a dramatic increase in browser-based attacks, especially since the popularity of generative AI.

The report found a whopping 140% increase in browser-based phishing attacks compared to 2023, with a 130% increase specifically in zero-hour phishing attacks and the impersonation of major brands like Facebook, Microsoft, and Netflix.  

Menlo Security’s analysis of over 752,000 browser-based phishing attacks reveals that one in five attacks now employs evasive techniques to bypass traditional security measures.

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the latest development stating, “In the past few weeks, we’ve seen an uptick in browser-based phishing attacks that use legitimate hosting services to trick users into falling for the attack and the ruse they use is a fairly old one and quite common.”

“If you ever get an unknown random pop-up saying your computer is compromised, it should be treated as suspicious and ignored,” Thomas warned. “Anti-virus services will never ask you to enter a username and password to remove a threat.”

New Phishing Campaign Targets macOS Users with Fake Security Alerts

**Cary, NC, March 24th, 2025, CyberNewsWire**

INE Security, a global provider of cybersecurity training and certification, today announced its initiative to spotlight the increasing cyber threats targeting healthcare institutions. In recognition of National Physicians Week 2025, the company is drawing attention to new industry data showing a sharp rise in cyberattacks on hospitals and clinics—incidents that have cost the healthcare sector millions and posed significant risks to patient safety and trust.

Recent reports show healthcare has endured a record wave of cyber breaches. In 2023 alone, there were 725 hacking-related breaches reported in U.S. healthcare, according to The HIPPA Journal, exposing over 124 million patient records, the worst year on record​. Healthcare cybersecurity threats and breaches remain the costliest of any industry with the average data breach in a hospital now costing about $10.93 million per incident​. 

**Protecting Patients and Trust Through Training and Education**

Defending against these evolving threats requires more than just technology – it demands well-trained personnel at all levels. Experts note that human error remains a leading cause of breaches in healthcare, yet a significant portion of staff lack adequate cybersecurity awareness. Nearly one-third of healthcare employees have received no cybersecurity training from their employer, even though human mistakes contributed to roughly 33% of healthcare cyber incidents​. 

> Healthcare leaders are urged to treat ongoing cyber education as mandatory continuing education, akin to medical training, to ingrain a culture of security mindfulness. “Every member of a healthcare team – from physicians to IT personnel – plays a role in cybersecurity,” said Dara Warn, CEO of INE Security. “Continuous training ensures that protecting patient data and systems becomes as second nature as protecting patients’ physical health.”

Importantly, robust cybersecurity isn’t just about technical prevention—it’s also about preserving patient trust. Patients expect their sensitive health information to be guarded with the same care as their medical treatment. Breaches undermine that confidence: about 66% of patients say they would switch healthcare providers if a breach compromised their personal data due to poor security practices​. 

Ongoing training and certification of healthcare cybersecurity teams help maintain that trust by demonstrating a visible commitment to data protection and privacy. When providers proactively train staff and tighten defenses, patients can feel safer knowing their hospital is staying ahead of threats.

**Industry-Leading Certifications Validate Critical Skills**

One way healthcare organizations are bolstering their security posture is by having their IT and security staff earn industry-recognized cybersecurity certifications. Certifications serve as a benchmark for broad and deep knowledge, assuring that professionals can effectively prevent, detect, and respond to attacks. Some of the leading cybersecurity certifications being pursued in the healthcare sector include:

*   **CISSP (Certified Information Systems Security Professional)** – a globally respected credential covering security architecture, risk management, and governance.
*   **CompTIA Security+** – an entry-to-intermediate level certification establishing core security skills and knowledge, often a baseline for IT staff.
*   **eWPTX** **–** a highly respected certification that is 100% practical and validates the advanced skills necessary to conduct in-depth penetration tests on modern web applications.
*   **eJPT** **–** a hands-on, entry-level Red Team certification that simulates skills utilized during real-world engagements.

**INE Security’s Training Programs Empower Healthcare Heroes**

INE Security, a global leader in cybersecurity training, certifications, and certification preparation, is at the forefront of helping healthcare organizations fortify their cyber defenses through education. INE Security’s comprehensive cybersecurity training platform offers on-demand courses, interactive labs, and instructor-led trainings that cover the full spectrum of security domains – from fundamental cyber hygiene for general staff to advanced incident response and penetration testing for IT professionals. These programs are aligned with the requirements of top industry certifications, enabling hospital IT teams and security analysts to earn credentials like CISSP, CeJPT, and others as they build their skill sets.

Through INE Security’s hands-on training modules, healthcare professionals learn how to address the exact threats plaguing the sector today. For example, network defense and malware analysis labs show engineers how to contain ransomware outbreaks. Governance and compliance lessons ensure administrators understand frameworks like HIPAA and can integrate security into hospital operations. By continuously upskilling their workforce, healthcare providers can significantly reduce the likelihood of a breach and mitigate damage if it occurs. 

As National Physicians Week 2025 highlights the dedication of doctors to healing patients, INE Security emphasizes that protecting the systems and data those physicians rely on is equally essential to patient well-being. The healthcare industry’s cyber threats are continual and evolving, but with rigorous training, education, and certification of cybersecurity professionals, hospitals and clinics can stay one step ahead. Ongoing cybersecurity training is now fundamental to sustaining patient care and trust in our digitally driven healthcare system. This week and beyond, INE Security is proud to partner with healthcare organizations to ensure that those who save lives are backed by networks and data systems that are safe, secure, and resilient against cyber attacks.

**About INE Security**

INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

Cyber Guardians: INE Security Champions Cybersecurity Training During National Physicians Week 2025

Microsoft on Monday announced a new feature called inline data protection for its enterprise-focused Edge for Business web browser.
The native data security control is designed to prevent employees from sharing sensitive company-related data into consumer generative artificial intelligence (GenAI) apps like OpenAI ChatGPT, Google Gemini, and DeepSeek. The list will be expanded over time to

Microsoft Adds Inline Data Protection to Edge for Business to Block GenAI Data Leaks

Cloak ransomware group claims attack on Virginia attorney general's office, demands ransom for stolen data. Investigation underway. Find out the impact and what's being done.

A cybercriminal collective, known as Cloak, has confirmed its involvement in an attack targeting the Virginia attorney general’s office in February 2025. This attack has reportedly caused disruption, compelling officials to enact emergency measures.

Chief Deputy Attorney General Steven Popps communicated to staff via email that the majority of the office’s IT resources, which included vital systems such as email, virtual private network access, internet connectivity, and the attorney general’s website were rendered inoperative, as reported by the Washington Post.

The disruption also forced employees to revert to traditional paper-based documentation processes. In response, the attorney general’s office promptly notified the Virginia State Police, the Federal Bureau of Investigation (FBI), and the Virginia Information Technologies Agency, and investigations were initiated into the incident.

On 20 March, Cloak publicly listed the Virginia attorney general’s website on their Tor-based data leak platform, accompanied by a message stating, “The waiting period has expired. Compromised data can be downloaded from the leak page.”

This statement suggests that negotiations between the ransomware group and the attorney general’s office have reached a deadlock, with the latter refusing to meet the ransom demands. Cloak has released images alleged to be documents stolen from the attorney general’s systems to substantiate their claims.  

However, the Virginia attorney general’s office has yet to officially acknowledge or confirm Cloak’s claims. At this stage, critical details remain undisclosed, including whether a ransom was paid, the amount demanded by Cloak, the nature and extent of the compromised data, and the specific methods used by the attackers to breach the attorney general’s network. We are also awaiting the official response from the attorney general’s office regarding the latest development.

For your information, Cloak is a ransomware group that emerged in 2022 and gained prominence in 2023. The group mainly targets small to medium-sized businesses in Europe and Asia, particularly Germany. It also employs malware designed to both exfiltrate data and encrypt computer systems, thereby compelling victims to pay a ransom.

Victims who refuse to pay face their stolen data published on Cloak’s data leak site for free download. The group’s payment rate is surprisingly high at 91-96%, showing how effectively it forces its victims.

Cloak Ransom Note (Source: Halcyonai)

Since its emergence, Cloak has claimed responsibility for 13 confirmed ransomware attacks, including attacks on the Canadian town of Ponoka and the German municipality of Gemeinde Kaisersbach in 2024, and 54 unconfirmed attacks (where targeted organizations did not acknowledge the intrusions). The attack on the Virginia attorney general marks Cloak’s first confirmed operation in 2025.

Top/Featured Image via Consumer Financial Services Law Monitor

Cloak Ransomware Hits Virginia Attorney General’s Office, Disrupts IT Systems

A vulnerability was found in GetmeUK ContentTools up to 1.6.16. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Image Handler. The manipulation of the argument onload leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-4f2v-2gpq-qhjg: GetmeUK ContentTools Cross-Site Scripting (XSS)

A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

GHSA-88m2-j94x-v4fx: yiisoft Yii2 Deserialization of Untrusted Data

Companies in the EU are starting to look for ways to ditch Amazon, Google, and Microsoft cloud services amid fears of rising security risks from the US. But cutting ties won’t be easy.

The global backlash against the second Donald Trump administration keeps on growing. Canadians have boycotted US-made products, anti–Elon Musk posters have appeared across London amid widespread Tesla protests, and European officials have drastically increased military spending as US support for Ukraine falters. Dominant US tech services may be the next focus.

There are early signs that some European companies and governments are souring on their use of American cloud services provided by the three so-called hyperscalers. Between them, Google Cloud, Microsoft Azure, and Amazon Web Services (AWS) host vast swathes of the internet and keep thousands of businesses running. However, some organizations appear to be reconsidering their use of these companies’ cloud services—including servers, storage, and databases—citing uncertainties around privacy and data access fears under the Trump administration.

“There’s a huge appetite in Europe to de-risk or decouple the over-dependence on US tech companies, because there is a concern that they could be weaponized against European interests,” says Marietje Schaake, a nonresident fellow at Stanford’s Cyber Policy Center and a former, decade-long member of the European Parliament.

The moves may already be underway. On March 18, politicians in the Netherlands House of Representatives passed eight motions asking the government to reduce reliance on US tech companies and move to European alternatives. Days before, more than 100 organizations signed an open letter to European officials calling for the continent to become “more technologically independent” and saying the status quo creates “security and reliability risks.”

Two European-based cloud service companies, Exoscale and Elastx, tell WIRED they have seen an uptick in potential customers looking to abandon US cloud providers over the last two weeks—with some already starting to make the jump. Multiple technology advisers say they are having widespread discussions about what it would take to uproot services, data, and systems.

“We have more demand from across Europe,” says Mathias Nöbauer, the CEO of Swiss-based hosting provider Exoscale, adding there has been an increase in new customers seeking to move away from cloud giants. “Some customers were very explicit,” Nöbauer says. “Especially customers from Denmark being very explicit that they want to move away from US hyperscalers because of the US administration and what they said about Greenland.”

“It's a big worry about the uncertainty around everything. And from the Europeans’ perspective—that the US is maybe not on the same team as us any longer,” says Joakim Öhman, the CEO of Swedish cloud provider Elastx. “Those are the drivers that bring people or organizations to look at alternatives.”

Concerns have been raised about the current data-sharing agreement between the EU and US, which is designed to allow information to move between the two continents while protecting people’s rights. Multiple previous versions of the agreement have been struck down by European courts. At the end of January, Trump fired three Democrats from the Privacy and Civil Liberties Oversight Board (PCLOB), which helps manage the current agreement. The move could undermine or increase uncertainty around the agreement. In addition, Öhman says, he has heard concerns from firms about the CLOUD Act, which can allow US law enforcement to subpoena user data from tech companies, potentially including data that is stored in systems outside of the US.

Dave Cottlehuber, the founder of SkunkWerks, a small tech infrastructure firm in Austria, says he has been moving the company’s few servers and databases away from US providers to European services since the start of the year. “First and foremost, it’s about values,” Cottlehuber says. “For me, privacy is a right not a privilege.” Cottlehuber says the decision to move is easier for a small business such as his, but he argues it removes some taxes that are paid to the Trump administration. “The best thing I can do is to remove that small contribution of mine, and also at the same time, make sure that my customers’ privacy is respected and preserved,” Cottlehuber says.

Steffen Schmidt, the CEO of Medicusdata, a company that provides text-to-speech services to doctors and hospitals in Europe, says that having data in Europe has always “been a must,” but his customers have been asking for more in recent weeks. “Since the beginning of 2025, in addition to data residency guarantees, customers have actively asked us to use cloud providers that are natively European companies,” Schmidt says, adding that some of his services have been moved to Nöbauer’s Exoscale.

Harry Staight, a spokesperson for AWS, says it is “not accurate” that customers are moving from AWS to EU alternatives. “Our customers have control over where they store their data and how it is encrypted, and we make the AWS Cloud sovereign-by-design,” Straight says. “AWS services support encryption with customer managed keys that are inaccessible to AWS, which means customers have complete control of who accesses their data.” Staight says the membership of the PCLOB “does not impact” the agreements around EU-US data sharing and that the CLOUD Act has “additional safeguards for cloud content.” Google and Microsoft declined to comment.

The potential shift away from US tech firms is not just linked to cloud providers. Since January 15, visitors to the European Alternatives website increased more than 1,200 percent. The site lists everything from music streaming services to DDoS protection tools, says Marko Saric, a cofounder of European cloud analytics service Plausible. “We can certainly feel that something is going on,” Saric says, claiming that during the first 18 days of March the company has “beaten” the net recurring revenue growth it saw in January and February. “This is organic growth which cannot be explained by any seasonality or our activities,” he says.

While there are signs of movement, the impact is likely to be small—at least for now. Around the world, governments and businesses use multiple cloud services—such as authentication measures, hosting, data storage, and increasingly data centers providing AI processing—from the big three cloud and tech service providers. Cottlehuber says that, for large businesses, it may take many months, if not longer, to consider what needs to be moved, the risks involved, plus actually changing systems. “What happens if you have a hundred petabytes of storage, it's going to take years to move over the internet,” he says.

For years, European companies have struggled to compete with the likes of Google, Microsoft, and Amazon’s cloud services and technical infrastructure, which make billions every year. It may also be difficult to find similar services on the scale of those provided by alternative European cloud firms.

“If you are deep into the hyperscaler cloud ecosystem, you’ll struggle to find equivalent services elsewhere,” says Bert Hubert, an entrepreneur and former government regulator, who says he has heard of multiple new cloud migrations to US firms being put on hold or reconsidered. Hubert has argued that it is no longer “safe” for European governments to be moved to US clouds and that European alternatives can’t properly compete. “We sell a lot of fine wood here in Europe. But not that much furniture,” he says. However, that too could change.

Schaake, the former member of the European Parliament, says a combination of new investments, a different approach to buying public services, and a Europe-first approach or investing in a European technology stack could help to stimulate any wider moves on the continent. “The dramatic shift of the Trump administration is very tangible,” Schaake says. “The idea that anything could happen and that Europe should fend for itself is clear. Now we need to see the same kind of pace and leadership that we see with defense to actually turn this into meaningful action.”

Trump’s Aggression Sours Europe on US Cloud Giants

Gartner describes infrastructure as code (IaC) as a key way to unlock the potential of the cloud. However,…

Gartner describes infrastructure as code (IaC) as a key way to unlock the potential of the cloud. However, some companies encounter challenges in IaC adoption, especially when it comes to maintaining a secure posture. As adopters automate their infrastructure deployments, they often encounter security issues associated with misconfigurations, code vulnerabilities, configuration shifts, secret management, and access control.

Two of the leading tools used in IaC are Ansible and Terraform. They both have noteworthy security features, and each has its own security issues that DevOps teams need to pay attention to, but is one more secure than the other? 

Let’s evaluate these infrastructure automation tools from a cybersecurity perspective, to gain insights into which might be the better fit for your organization.

****Ansible and Terraform Overview****

Before going into a detailed security comparison of Ansible and Terraform, here’s a quick rundown of their key features. The two have similarities, but they also offer distinct functions with overlapping purposes in infrastructure automation.

Ansible is an open-source automation solution designed to simplify many complex IT tasks involved in infrastructure management, including provisioning, configuration, the deployment of applications, orchestration, as well as compliance enforcement. 

The market leader, Terraform was likewise open source until the summer of 2023, when it switched to a highly restrictive business license model. With IBM’s acquisition of Terraform’s parent company Hashicorp in 2024, there has been much speculation in the tech community regarding the future of the product, especially as the lion’s share of its developer ecosystem has moved on to OpenTofu.

Terraform is notable for being based on “declarative” language, which describes the intended state of the infrastructure, as opposed to Ansible, which works on an “imperative” basis, whereby the code indicates steps or commands.

With both tools’ support for multi-cloud and on-premises environments, Ansible and Terraform are highly suitable for DevOps workflows. There are major differences in their security models, though.

****Ansible Security Pros and Cons****

One of the strongest security features of Ansible is its agentless architecture, significantly minimizing the potential attack surface. Agents can be exploited to expose hardcoded credentials, take advantage of misconfigurations, and stage supply chain attacks through compromised modules, plugins, and templates.

Additionally, Ansible comes with standard security functions, particularly the encryption of secrets and access controls. The Ansible Vault encrypts passwords, API keys, and other sensitive data. Ansible has a role-based access control (RBAC) system that is baked into the Ansible Automation Platform, specifically the Ansible Tower. 

It also provides pre-built security compliance playbacks that ascertain the enforcement of security policies. However, Ansible still leaves the possibility open for security vulnerabilities in the following areas: the use of unencrypted credentials in playbooks, reliance on SSH for remote execution, and the risk of privilege escalation. 

When configured incorrectly, Ansible Vault has been known to expose credentials in plain text during execution, which can expose sensitive data in YAML files. Meanwhile, misconfigurations in Sudo privileges can make for privilege escalation risks, allowing unauthorized users to execute privileged commands.

****Terraform Security Pros and Cons****

Terraform addresses some of the security challenges in Ansible. In particular, its combination of immutable infrastructure and declarative language makes configuration inconsistency and drift less likely. This immutability enables reproducibility, which means the consistent enforcement of security policies and easier validation of security configurations.

When it comes to secret management, Terraform integrates natively with Hashicorp Vault, but it can also work with AWS Secrets Manager and other security solutions. It can manage secrets via “providers.” This means flexibility in managing sensitive data.

Terraform enforces the principle of least privilege with its Identity and Access Management (IAM) policies. It is designed to only provide the permission required to undertake a specific operation.

Moreover, Terraform now supports encryption for state files, a crucial component in infrastructure management. This file contains the details of the current state of a managed infrastructure, serving as a link between the infrastructure configuration and real-world resources. The problem with state file encryption, however, is that it is not automatic. If the state file is exposed without encryption, sensitive data such as API keys and credentials can be compromised. 

It is also worth noting that, unlike Ansible, Terraform lacks a native RBAC system. Its enforcement of access control is through external cloud provider policies. Additionally, managing dependencies can be quite complex with Terraform. It is crucial to properly define dependencies to avoid insecure configurations as well as the unintended deletion of resources.

****Which Platform Is More Secure?****

Both Ansible and Terraform offer strong security capabilities, but they have their respective limitations. Users can overcome these limitations by mastering proper configuration and enforcing security best practices. There is no definite answer as to which infrastructure automation tool is better from a security perspective.

Ansible is generally more suitable for secure configuration management in existing systems, as well as for compliance enforcement, because of its agentless execution and robust native RBAC. It is a good choice for handling legacy infrastructure management.

Meanwhile, Terraform has some key advantages for secure infrastructure provisioning because of its declarative language and immutability. It excels at provisioning new infrastructure built from scratch. Terraform is great at creating identical predictable environments, which makes it the preferred choice for those who repetitively set up development, testing, and production environments.

This is not to say that Ansible cannot be a good tool for scenarios where Terraform is deemed preferable and vice versa. They both offer a degree of flexibility, making them valid infrastructure automation solutions for various use cases. Ansible’s automation capabilities go beyond configuration management, while Terraform’s modular design enables code reuse and scalable infrastructure configurations.

****Can Ansible and Terraform Be Used Together?****

It is not necessary to only choose one between Ansible and Terraform – they can actually be used together in modern infrastructure management. Terraform handles the provisioning of the underlying infrastructure, while Ansible configures the operating system and the installation and deployment of applications. 

For example, your team might use Terraform to provision a set of EC2 instances on AWS, while preferring Ansible for the installation and configuration of a web server in the same set of EC2 instances.

Ansible and Terraform can be a great duo for infrastructure automation, as they complement each other’s strengths. They can be great tools for accelerating cloud-based development processes. However, if the goal is only to prevent configuration drift, Terraform alone is already enough. In the same vein, if the main concern is continuous compliance and software deployment, Ansible alone suffices.

****In Conclusion****

Ansible and Terraform are excellent tools for secure infrastructure automation. They can be used individually or together to maximize the benefits. Using both of them may not be cost-efficient, though. In deciding which one to use, it is important to carefully examine the operational goals and your DevOps team’s security workflows.

Image by Gerd Altmann from Pixabay

Ansible vs Terraform: Which is More Secure for Infrastructure Automation?

This week on the Lock and Code podcast, we speak with Carey Parker about what Google Chrome knows about you.

_This week on the Lock and Code podcast…_

Google Chrome is, by far, the most popular web browser in the world.

According to several metrics, Chrome accounts for anywhere between 52% and 66% of the current global market share for web browser use. At that higher estimate, that means that, if the 5.5 billion internet users around the world were to open up a web browser right now, 3.6 billion of them would open up Google Chrome.

And because the browser is the most common portal to our daily universe of online activity—searching for answers to questions, looking up recipes, applying for jobs, posting on forums, accessing cloud applications, reading the news, comparing prices, recording Lock and Code, buying concert tickets, signing up for newsletters—then the company that controls that browser likely knows a lot about its users.

In the case of Google Chrome, that’s entirely true.

Google Chrome knows the websites you visit, the searches you make (through Google), the links you click, and the device model you use, along with the version of Chrome you run. That may sound benign, but when collected over long periods of time, and when coupled with the mountains of data that other Google products collect about you, this wealth of data can paint a deeply intimate portrait of your life.

Today, on the Lock and Code podcast with host David Ruiz, we speak with author, podcast host, and privacy advocate Carey Parker about what Google Chrome knows about you, why that data is sensitive, what “Incognito mode” really does, and what you can do in response.

We also explain exactly why Google would want this money, and that’s to help it run as an ad company.

> “That’s what \[Google is\]. Full stop. Google is an ad company who just happens to make a web browser, and a search engine, and an email app, and a whole lot more than that.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 What Google Chrome knows about you, with Carey Parker (Lock and Code S06E06) 

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.

The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message
This issue affects Apache Commons VFS: before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes the issue.

Tag

#web