The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Hacker Unlocks ‘God Mode’ and Shares the ‘Key’ (Dark Reading, Aug 13 2018)
A researcher proves that it’s possible to break the most fundamental security on some CPUs.

2. In-flight satellite comms vulnerable to remote attack, researcher finds (Naked Security – Sophos, Aug 13 2018)
On a journey between Madrid and Copenhagen, researcher Ruben Santamarta decided to use Wireshark to study the aircraft’s in-flight Wi-Fi.

3. How to protect your infrastructure from DNS cache poisoning (Network World Security, Aug 16 2018)
When your company’s internet access, VoIP and email all depend on DNS, you have to ensure your DNS server is protected against DNS spoofing attacks. One solution: DNSSEC.


Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.


*AI, IoT, & Mobile Security*
4. How to Stop Google From Tracking Your Location (Wired, Aug 13 2018)
A new report shows that Google still tracks your location even if you thought you opted out.

5. Siri is listening to you, but she’s NOT spying, says Apple (Naked Security – Sophos, Aug 13 2018)
…Siri is not eavesdropping…iPhones can respond to voice commands without actually eavesdropping. It has to do with locally stored, short buffers that only wake up Siri if there’s a high probability that what it hears is the “Hey, Siri” cue.

6. Fake America great again (MIT Technology Review, Aug 18 2018)
Inside the race to catch the worryingly real fakes that can be made using artificial intelligence.

*Cloud Security, DevOps, AppSec*
7. A Microsoft DevSecOps SAST Exercise (Microsoft DevOps Blog, Aug 17 2018)
Static Application Security Testing (SAST) is a critical DevSecOps practice. As engineering organizations accelerate continuous delivery to impressive levels, it’s important to ensure that continuous security validation keeps up. To do so most effectively requires a multi-dimensional application of static analysis tools. The more customizable the tool, the better you can shape it to your actual security risk.

8. Chrome 69 will take the next step to killing Flash, roll out new design (Ars Technica, Aug 21 2018)
Flash will have to be enabled every time a site tries to use it.

9. Deploy only what you trust: introducing Binary Authorization for Google Kubernetes Engine (Cloud Blog, Aug 20 2018)
Google introduced Binary Authorization in beta so you can be more confident that only trusted workloads are deployed to Google Kubernetes Engine. Integrated into the Kubernetes Engine deployment API, Binary Authorization is a container security feature that provides a policy enforcement chokepoint to ensure only signed and authorized images are deployed in your environment.

*Identity Mgt & Web Fraud*
10. Alleged SIM Swapper Arrested in California (Krebs on Security, Aug 22 2018)
“Authorities in Santa Clara, Calif. have arrested and charged a 19-year-old area man on suspicion hijacking mobile phone numbers as part of a scheme to steal large sums of bitcoin and other cryptocurrencies. The arrest is the third known law enforcement action this month targeting “SIM swappers,” individuals who specialize in stealing wireless phone numbers and hijacking online financial and social media accounts tied to those numbers.”

11. ID.me Becomes First Identity Provider to Be Approved as NIST 800-63-3 Conformant (Business Wire, Aug 21 2018)
ID.me, the next generation identity platform, is announcing today that it has been granted Approval by the Kantara Initiative’s Board of Directors as

12. Facebook purges hundreds of pages, accounts for ‘coordinated, inauthentic activity’ (SC Magazine, Aug 22 2018)
Many of the pages, groups and accounts originated in Russia and Iran and targeted persons in the U.S., U.K., Middle East and Latin America.

*CISO View*
13. Why the DNC Thought a Phishing Test Was a Real Attack (Wired, Aug 23 2018)
The Democratic National Committee now says a fraudulent voter data website it found was evidence of an unauthorized test organized by Michigan Democrats.

14. T-Mobile Data Breach Hits Over 2 Million Customers (SecurityWeek, Aug 24 2018)
T-Mobile revealed late on Thursday that the personal details of “a small percentage” of customers were exposed after hackers gained access to its systems.

15. Experts Urge Rapid Patching of ‘Struts’ Bug (Krebs on Security, Aug 23 2018)
“In September 2017, Equifax disclosed that a failure to patch one of its Internet servers against a pervasive software flaw — in a Web component known as Apache Struts — led to a breach that exposed personal data on 147 million Americans. Now security experts are warning that blueprints showing malicious hackers how to exploit a newly-discovered Apache Struts bug are available online, leaving countless organizations in a rush to apply new updates and plug the security hole before attackers can use it to wriggle inside.”