15 Bullet Friday – The Best Security News of the Week – 2018.08.17

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Invisible Mouse Clicks Let Hackers Burrow Deep into MacOS (Wired, Aug 12 2018)
A former NSA hacker finds a new way malware can take control of a Mac’s mouse for a powerful intrusion technique.

2. Macs in Enterprise Can Be Hacked on First Boot (SecurityWeek, Aug 10 2018)
Researchers have demonstrated that brand new Mac computers used in enterprise environments can be hacked by sophisticated threat actors on the first boot through Apple’s mobile device management (MDM) protocol.

3. Fax Machines Are Still Everywhere, and Wildly Insecure (Wired, Aug 12 2018)
Researchers have demonstrated that sending a single malicious fax is all it takes to break into a network.

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.

*AI, IoT, & Mobile Security*
4. Millions of Android Devices Are Vulnerable Out of the Box (Wired, Aug 10 2018)
Android smartphones from Asus, LG, Essential, and ZTE are the focus of a new analysis about risks from firmware bugs introduced by manufacturers and carriers.

5. AI for cybersecurity is a hot new thing—and a dangerous gamble (MIT Technology Review, Aug 13 2018)
Machine learning and artificial intelligence can help guard against cyberattacks, but hackers can foil security algorithms by targeting the data they train on and the warning flags they look for.

6. DARPA takes aim at deepfake forgeries (Naked Security – Sophos, Aug 09 2018)
DARPA’s MediaFor project has come up with tools it says can spot AI-created fakes.

*Cloud Security, DevOps, AppSec*
7. Is it Time to Replace Pen Testing with Crowdsourced security? (Infosecurity Magazine, Aug 14 2018)
As crowdsourced security emerges, are we ready to throw away pen testing as a methodology?

8. Comcast Xfinity web flaws exposed customer data (Naked Security – Sophos, Aug 10 2018)
#1: The HTTP header used to “identify” the user contained their public-facing Comcast IP address – data that isn’t suitable to use as a secret identifier. #2: After entering a valid address, an attacker could cycle through all 10,000 four-digit numbers (0000-9999) until one of them turned out to be the four digits that matched the customer’s SSN – there was no limit on the number of guesses or the speed at which they could be tried.

9. Could deliberately adding security bugs make software more secure? (Naked Security – Sophos, Aug 08 2018)
A new study argues that bogging black hats down in fake flaws might be better approach to security.

*Identity Mgt & Web Fraud*
10. AT&T sued for enabling SIM swap fraud (Help Net Security, Aug 16 2018)
He is asking the US District Court for the Central District of California to find in his favor and award him $24 million of compensatory damages and over $200 million of punitive damages.

11. Why Facebook Enlisted This Research Lab to Track Its Trolls (Wired, Aug 15 2018)
What can the 14-person Digital Forensics Research Lab discover about fake news on Facebook that the billion-dollar company doesn’t already know?

12. FBI Warns of ‘Unlimited’ ATM Cashout Blitz (Krebs on Security, Aug 12 2018)
“The Federal Bureau of Investigation (FBI) is warning banks that cybercriminals are preparing to carry out a highly choreographed, global fraud scheme known as an “ATM cash-out,” in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.”

*CISO View*
13. NIST Small Business Cybersecurity Act Becomes Law (SecurityWeek, Aug 16 2018)
It requires NIST to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.”

14. Trump, Seeking to Relax Rules on U.S. Cyberattacks, Reverses Obama Directive (WSJ, Aug 16 2018)
President Trump has reversed an Obama-era memorandum governing how and when the U.S. government can deploy cyberweapons against its adversaries, in an effort to loosen restrictions on such operations, according to people familiar with the action.

15. Apple gets cored: 90GB of ‘secure files’ stolen by high schooler (Naked Security – Sophos, Aug 17 2018)
An Aussie high schooler pleaded guilty on Thursday to hacking Apple servers multiple times.

Share on facebook
Share on twitter
Share on linkedin