The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. How Cloudflare Uses Lava Lamps to Guard Against Hackers (Wired, Jul 29 2018)
Inside Cloudflare’s San Francisco office, 100 units of Edward Craven Walker’s groovy hardware help guard the internet.

2. State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China (Krebs on Security, Jul 27 2018)
“Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China, KrebsOnSecurity has learned.”

3. Sen. McCaskill reportedly identified as Russian hacking target as mid-term elections approach (SC Magazine, Jul 27 2018)
Sen. Claire McCaskill, D-Mo., an incumbent facing a tight race in the 2018 U.S. mid-term elections, has affirmed that Russian hackers are attempting to interfere with her reelection campaign, following an independent forensic analysis identifying her as a target.

*AI, IoT, & Mobile Security*
4. BurnBox Makes Hidden Files Look Like You’ve Deleted Them (Wired, Jul 31 2018)
Cryptographers have developed a new technology designed to protect your secrets at the border.

5. Robots, immune to fear or favour, are making China’s foreign policy (South China Morning Post, Jul 30 2018)
The programme draws on a huge amount of data, with information ranging from cocktail-party gossip to images taken by spy satellites, to contribute to strategies in Chinese diplomacy.

6. Is Google poised to own global IoT endpoints? (Gartner Blog Network, Jul 25 2018)
Google announced TPUs for edge devices. Announced at Google Next 2018, this Edge TPU comes as a discrete, packaged chip device. A collaboration with NXP was announced which (surprisingly considering my above rant about ISAs) implements four instances of an ARM-based pipeline. My guess is that eventually, this design will be licensed/integrated by other silicon partners.

*Cloud Security, DevOps, AppSec*
7. Pentagon Reveals “Do Not Buy” Software List (Infosecurity Magazine, Jul 31 2018)
Russian and Chinese firms targeted in attempt to improve cybersecurity.

8. Google Cloud introduces shielded virtual machines for additional security (TechCrunch, Jul 25 2018)
These specialized VMs run on GCP and come with a set of partner security controls to defend against things like rootkits and bootkits, according to Google. There are a whole bunch of things that happen even before an application launches inside a VM, and each step in that process is vulnerable to attack.

9. Best Practices for Entering into Cloud Service Agreements (SC Magazine, Jul 31 2018)
Cloud service agreements often present customers with more questions than answers about security, data protection, IP rights and more.

*Identity Mgt & Web Fraud*
10. Reddit Breach Highlights Limits of SMS-Based AuthN (Krebs on Security, Aug 01 2018)
“[Reddit] today disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users. As Web site breaches go, this one doesn’t seem too severe. What’s interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security.”

11. Cisco to acquire Duo Security in a $2.35 billion deal (SC Magazine, Aug 02 2018)
Cisco will acquire Duo Security in a $2.35 billion deal designed to boost Cisco’s ability to increase security for its customers as they access more content from the cloud.

12. Feds Accuse Three Hackers of Stealing 15 Million Credit Cards in 100 Security Breaches (Motherboard, Aug 01 2018)
The US Department of Justice announced the indictment of three alleged members of the infamous financial hacking group known as Carbanak or FIN7.

*CISO View*
13. The Year Targeted Phishing Went Mainstream (Krebs on Security, Aug 02 2018)
“It has never been easier for scam artists to launch convincing, targeted phishing and extortion scams that are automated on a global scale.”

14. The National Risk Management Center Will Combat Critical Infrastructure Hacks (Wired, Jul 31 2018)
The National Risk Management Center will give critical infrastructure companies much-needed support when under cyberattack.

15. r/announcements – We had a security incident. Here’s what you need to know. (reddit, Aug 01 2018)
TL;DR: A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.