The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Typeform Reports Data Breach That Impacts Users of Survey Platform (eWEEK, Jul 02 2018)
The breach at Typeform is the second breach in June that once again exposed third-party vendor supply chain risks.

2. The Next Big Cyber-Attack Vector: APIs (SecurityWeek, Jun 28 2018)
The data breach at Panera Bread is a good example. The bakery-café chain left an unauthenticated API endpoint exposed on its website, allowing anyone to view customer information such as username, email address, phone number, last four digits of the credit card, birthdate, etc.
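The failure described above is a missing authentication and authorization check in front of a data-returning endpoint. The following is an added illustration, not Panera's code: a lookup handler that returns any customer's record to any caller, next to a hardened version that requires a session, only returns the caller's own record, and trims the response to the fields the client actually needs. The customer records, session tokens, and request/response types are all constructed for this example.

```python
"""Illustrative (not Panera's code): an unauthenticated customer-lookup
endpoint beside a hardened version. All data and names below are made up."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the customer database.
CUSTOMERS = {
    1001: {"username": "alice", "email": "alice@example.com",
           "phone": "555-0101", "card_last4": "4242", "birthdate": "1985-03-09"},
    1002: {"username": "bob", "email": "bob@example.com",
           "phone": "555-0102", "card_last4": "1881", "birthdate": "1990-11-21"},
}
# Constructed session store: bearer token -> authenticated customer id.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


@dataclass
class Request:
    path_id: int          # the customer id taken from the URL path
    headers: dict


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_get_customer(req: Request) -> Response:
    """Any caller who can reach the endpoint gets the full record for any id.
    With sequential ids the whole table can be walked with a for loop."""
    record = CUSTOMERS.get(req.path_id)
    if record is None:
        return Response(404)
    return Response(200, dict(record))


def hardened_get_customer(req: Request) -> Response:
    """1. Authenticate: require a valid session token.
    2. Authorize at the object level: a caller may read only their own record.
    3. Minimize: return only the fields the feature needs."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    caller = SESSIONS.get(token)
    if caller is None:
        return Response(401)
    record = CUSTOMERS.get(req.path_id)
    # 404 for both "no such record" and "not your record", so a probing
    # caller cannot use the status code to confirm which ids exist.
    if record is None or caller != req.path_id:
        return Response(404)
    return Response(200, {"username": record["username"], "email": record["email"]})


def enumerate_records(handler, id_range) -> int:
    """How many records an unauthenticated scraper gets by walking ids."""
    return sum(1 for i in id_range if handler(Request(i, {})).status == 200)
```

Running `enumerate_records` against each handler over the same id range shows the difference: the vulnerable handler hands back every existing record, the hardened one hands back none without a session, and even with a session it never leaks the card digits or birthdate.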

3. Scaling Network Security: The Scaled Network Security Architecture (Securosis, Jul 01 2018)
“You can start small, maybe implementing an SDN technology in front of your egress security controls to apply the policies we’ve discussed. Or possibly introducing a packet broker in front of a key application to make sure that appropriate security controls are not overwhelmed if a flood of traffic happens. You could start thinking about starting with micro-segmentation in your virtualized data center and map those capabilities to any new applications being deployed in IaaS (infrastructure as a service).”

*AI, IoT, & Mobile Security*
4. Where have all the AI flowers gone? (Gartner Blog Network, Jun 29 2018)
“Have you put a real killer application that exploits AI into volume production use? I didn’t think so. As of last year, only 4 (that’s FOUR) percent of 3,182 CIOs world-wide report they’ve put an AI-related application into production (or planned to do so within the next 12 months).”

5. Traffic Analysis of the LTE Mobile Standard (Schneier on Security, Jul 02 2018)
Interesting research in using traffic analysis to learn things about encrypted traffic. It’s hard to know how critical these vulnerabilities are. They’re very hard to close without wasting a huge amount of bandwidth. The active attacks are more interesting.

6. Google Expands Android’s Compiler-Based Mitigations (SecurityWeek, Jun 29 2018)
Google this week announced expanded compiler-based mitigations in Android P, in an attempt to make bugs harder to exploit and prevent specific types of issues from becoming vulnerabilities.

*Cloud Security, DevOps, AppSec*
7. Google introduces Endpoint Verification (Google Cloud Platform Blog, Jul 03 2018)
“Having that inventory of what computers employees are using provides valuable information which the enterprise can use to maintain security. Available to all Google Cloud Platform (GCP), Cloud Identity, G Suite Business, and G Suite Enterprise customers, Endpoint Verification consists of a Chrome extension and native app and is available for ChromeOS, macOS, and Windows devices.”

8. How to access secrets across AWS accounts by attaching resource-based policies (AWS Security Blog, Jun 27 2018)
You can use AWS Secrets Manager to rotate, manage, and retrieve secrets such as database credentials and API keys throughout their lifecycle. And you can now use these secrets across AWS accounts by attaching resource-based policies to secrets.
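Cross-account access needs two policy documents to agree: the resource-based policy on the secret, and the key policy of the customer-managed KMS key that encrypts it (a secret encrypted with the AWS-managed default key cannot be shared across accounts). The block below is an added example, not AWS code: it holds a matching pair of policies and a small consistency check that reports any principal allowed to read the secret but not allowed to decrypt with the key. The account ids, role name and helper function names are placeholders invented for the example.

```python
"""Added example (not AWS's code): the two policy documents that cross-account
Secrets Manager access needs, plus a check that they agree. Account ids, ARNs
and role names are invented placeholders."""
import json

# Resource-based policy attached to the secret in the owning account
# (111111111111), granting a role in the consuming account (222222222222)
# permission to read the secret value.
SECRET_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:role/AppRole"},
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*",
    }],
}

# Key policy on the customer-managed KMS key that encrypts the secret.
# GetSecretValue from the other account fails with AccessDenied unless the
# same principal can also kms:Decrypt here.
KMS_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:role/AppRole"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}


def _as_list(x):
    """IAM allows a string or a list in Action and Principal fields."""
    return x if isinstance(x, list) else [x]


def principals_allowed(policy: dict, action: str) -> set:
    """AWS principals explicitly allowed `action` (Allow statements only;
    '*' and service wildcards such as 'kms:*' count as a match)."""
    svc = action.split(":")[0]
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in (action, "*", f"{svc}:*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        found.update(_as_list(principal.get("AWS", [])))
    return found


def missing_kms_decrypt(secret_policy: dict, key_policy: dict) -> set:
    """Principals that may GetSecretValue but cannot kms:Decrypt with the
    key; their reads would be denied at decryption time."""
    readers = principals_allowed(secret_policy, "secretsmanager:GetSecretValue")
    decrypters = principals_allowed(key_policy, "kms:Decrypt")
    if "*" in decrypters:
        return set()
    return {p for p in readers if p not in decrypters}


def resource_policy_json(policy: dict) -> str:
    """Serialize a policy for
    `aws secretsmanager put-resource-policy --secret-id <id> --resource-policy file://policy.json`."""
    return json.dumps(policy, indent=2)
```

The check compares principal ARNs literally, so a key policy that delegates to the consuming account's root (`arn:aws:iam::222222222222:root`) and leaves the grant to IAM policies in that account would be reported as missing; in that design, and in general for cross-account access, the consuming role also needs an identity-based policy allowing `secretsmanager:GetSecretValue` on the secret ARN and `kms:Decrypt` on the key ARN, which this block does not inspect.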

9. Linux distro hacked on GitHub, “all code considered compromised” (Naked Security – Sophos, Jun 29 2018)
Gentoo, a popular distribution of Linux, has had its GitHub repository hacked. Hacked, as in “totally pwned”, taken over, and modified; so far, no one seems to be sure quite how or why.

*Identity Mgt & Web Fraud*
10. Preparing for a BeyondCorp world at your company (Google, Jul 03 2018)
“Since then, we received lots of great feedback, including many who asked, “How do I start?” They’re looking for step-by-step help in applying these context-based access practices in their particular organizations, so we’ve created a series about some of our best practices at Google.”

11. Facebook quizzes may have exposed 120 million users’ personal information (SC Magazine, Jun 29 2018)
Facebook’s data privacy woes continue to grow as a security researcher uncovered that the social network’s popular “tests” not only told users which Disney princess they were, but also exposed the private data of about 120 million people who took them.

12. While no one was looking, California passed its own GDPR (Network World Security, Jul 05 2018)
The California Consumer Privacy Act of 2018 is similar to the EU’s GDPR. Companies that do business in California and meet any of its thresholds, including handling the personal information of 50,000 or more consumers, households, or devices a year, must comply.

*CISO View*
13. Gartner Identifies the Top Six Security and Risk Management Trends (Gartner, Jul 03 2018)
Security leaders should harness this increased support and take advantage of six emerging trends, to improve their organization’s resilience while elevating their own standing.

14. Weak Admin Password Enabled Gentoo GitHub Breach (Dark Reading, Jul 05 2018)
Had the attacker been quieter, the breach might not have been discovered immediately, maintainers of the popular Linux distribution said.

15. Disgruntled programmer accused of trying to sell his firm’s iPhone spyware for $50 million (Graham Cluley, Jul 06 2018)
…the firm was considering terminating his employment. Documents filed with an Israeli court claim that the company’s spyware and additional information was downloaded onto an external device immediately following the meeting. The defendant is then alleged to have approached a potential third-party buyer, posing as a member of a hacking group that had broken into NSO Group’s servers.