15 Bullet Friday – The Best Security News of the Week – 2018.06.29

*Threats & Defense*
1. Bring Your Own Land (BYOL) – A Novel Red Teaming Technique (FireEye, Jun 20 2018)
One of the most significant recent developments in sophisticated offensive operations is the use of “Living off the Land” (LotL) techniques by attackers. These techniques leverage legitimate tools present on the system, such as the PowerShell scripting language, in order to execute attacks.

2. Ransom Demands and Frozen Computers: Hackers Hit Towns Across the U.S. (WSJ, Jun 25 2018)
Hackers are targeting small towns’ computer systems, with public-sector attacks appearing to be rising faster than those in the private sector. Online extortionists demand bitcoin ransom in return for decryption keys.

3. Scaling Network Security: The New Network Security Requirements (Securosis Blog, Jun 22 2018)
So it’s time to reframe the requirements of the new network security. Basically, as we rethink network security, what do we need it to do?

*AI, IoT, & Mobile Security*
4. Bypassing Passcodes in iOS (Schneier on Security, Jun 26 2018)
Last week, a story was going around explaining how to brute-force an iOS password. Basically, the trick was to plug the phone into an external keyboard and try every PIN at once…

5. Supreme Court: Police Need Warrant for Mobile Location Data (Krebs on Security, Jun 22 2018)
The U.S. Supreme Court today ruled that the government needs to obtain a court-ordered warrant to gather location data on mobile device users. The decision is a major development for privacy rights, but experts say it may have limited bearing on the selling of real-time customer location data by the wireless carriers to third-party companies.

6. Fortnite’s Android Debut Sees Malicious Apps Launched (Infosecurity Magazine, Jun 21 2018)
YouTube videos have been detected claiming to contain downloads for the Android version of Fortnite.

*Cloud Security, DevOps, AppSec*
7. Underground vendors reliably obtain code signing certs (Help Net Security, Jun 26 2018)
More and more malware authors are switching to buying new, valid code signing certificates issued by Certificate Authorities instead of using stolen (compromised) ones, researchers have found.

8. Does DevSecOps eliminate the segregation of duties between security and DevOps? (CSO Online, Jun 26 2018)
Yes, some cloud-native application development tools include basic security features. No, that does not mean DevOps should “own” security.

9. Window Snyder Joins Intel as Chief Software Security Officer (SecurityWeek, Jun 26 2018)
Snyder has worked in the cybersecurity industry for two decades, including as senior security strategist at Microsoft, co-founder of Matasano, security chief at Mozilla, and security and privacy product manager at Apple. Prior to joining Intel, she was Fastly’s chief security officer for three years.

*Identity Mgt & Web Fraud*
10. WPA3 Brings New Authentication and Encryption to Wi-Fi (Dark Reading, Jun 25 2018)
The primary enhancement to WPA3 Personal is in the authentication process, where WPA3 makes brute-force dictionary attacks much more difficult and time-consuming for an attacker.

11. The Digital Privacy Wins Keep Coming (Wired, Jun 27 2018)
From *Carpenter v. United States* to a landmark bill in California, privacy advocates sense a shift in what people will accept from Facebook, mobile carriers, and more.

12. Twitter adds support for login verification with USB security key (Help Net Security, Jun 27 2018)
Twitter has some good news for users looking to improve the security of their account: the company has begun rolling out the “login verification with a security key” option.

*CISO View*
13. Is Security Just Too Damn Hard? Is Product+Service The Future? (Gartner Blog Network, Jun 21 2018)
We all remember Dan Geer’s classic quote “Internet security is quite possibly the most intellectually challenging profession on the planet” and most of us doing security read it optimistically (as in “oh yeah, we are pretty damn smart!”)

14. It’s Time You Learned About Quantum Computing (Wired, Jun 25 2018)
A researcher explains quantum computing in terms anyone can understand—even an 8-year-old.

15. Bejtlich on the APT1 Report: No Hack Back (TaoSecurity, Jun 25 2018)
“First, at no time when I worked for Mandiant or FireEye, or afterwards, was there ever a notion that we would hack into adversary systems. During my six year tenure, we were publicly and privately a ‘no hack back’ company. I never heard anyone talk about hack back operations. No one ever intimated we had imagery of APT1 actors taken with their own laptop cameras. No one even said that would be a good idea.”
