The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. PoC exploit for critical Apache Struts flaw found online (Help Net Security, Aug 27 2018)
The Apache Software Foundation revealed last week the existence of a critical Apache Struts flaw (CVE-2018-11776) similar to the one exploited in the Equifax breach and urged organizations and developers to upgrade their installations to versions 2.3.35 or 2.5.17.

2. Millions of Texas voter records exposed online (TechCrunch, Aug 27 2018)
The data — a single file containing an estimated 14.8 million records — was left on an unsecured server without a password. Texas has 19.3 million registered voters.

3. Future Cyberwar (Schneier on Security, Aug 27 2018)
A report for the Center for Strategic and International Studies looks at surprise and war. One of the report’s cyberwar scenarios is particularly compelling. It doesn’t just map cyber onto today’s tactics, but completely re-imagines future tactics that include a cyber component…

*AI, IoT, & Mobile Security*
4. AI Is Now a Pentagon Priority. Will Silicon Valley Help? (The New York Times, Aug 28 2018)
The Defense Department, believing that A.I. research should be a national priority, has called on the White House to “inspire a whole of country effort.”

5. NIST’s New Advice on Medical IoT Devices (SecurityWeek, Aug 27 2018)
NIST has now responded to these concerns by publishing SP 1800-8: Securing Wireless Infusion Pumps in Healthcare Delivery Organizations.

6. Woman sues US border patrol over data copied from seized iPhone (Naked Security – Sophos, Aug 28 2018)
The Muslim American wants assurances that the data – including photos of her not wearing a hijab – are deleted.

*Cloud Security, DevOps, AppSec*
7. New research: what sets top-performing DevOps teams apart (Google Cloud Blog, Aug 29 2018)
Key takeaway #4: Don’t be too cautious. Failure in software development is a given, and that can lead DevOps teams to deploy new code less frequently while they do more testing and quality checks.

8. Who owns application security? (Help Net Security, Aug 23 2018)
In theory, one would hope that the CISO was the number one answer by far. In reality, the CISO came in fifth place. The top owners of app security were: the CIO/CTO at 26%, Head of Application Development at 21%, and Business Units tying with “no one” at 18%. Surprisingly, CISOs received only 10% of the responses for the application security risk owner. The only choices lower than CISO were Compliance at 5% and Quality Assurance at 1%.

9. Data from 316 million real-world attacks in AWS and Azure environments (Help Net Security, Aug 23 2018)
tCell found that XSS, SQL injection, automated threats, file path traversal and command injection were the most common types of security attacks. These differ from the 2017 OWASP Top 10 list of web application threats and security flaws. The main reason for this difference is that tCell protects applications in production that reside in the AWS, Azure and Google cloud environments.

*Identity Mgt & Web Fraud*
10. Instagram’s New Security Tools are Welcome Step, But… (Krebs on Security, Aug 29 2018)
“Instagram users should soon have more secure options for protecting their accounts against Internet bad guys. On Tuesday, the Facebook-owned social network said it is in the process of rolling out support for third-party authentication apps. Unfortunately, this welcome new security offering does nothing to block Instagram account takeovers when thieves manage to hijack a target’s mobile phone number — an increasingly common crime.”

11. Biometrics scanner catches impostor at U.S. airport on just third day of use (Digital Trends, Aug 24 2018)
Well, that didn’t take long. The US Customs and Border Patrol says that a new biometrics system flagged a man using a fake passport on the third day that the system was in use. The program flagged the man when his biometrics didn’t match the ID he presented — his real ID was found in his shoe.

12. Security Flaws Inadvertently Left T-Mobile And AT&T Customers’ Account PINs Exposed (BuzzFeed, Aug 30 2018)
Mobile account PINs intended to protect T-Mobile and AT&T customers’ accounts were exposed by two security vulnerabilities. After a BuzzFeed News inquiry, the companies fixed the flaws.

*CISO View*
13. Making an Impact with Security Awareness Training: Structuring the Program (Securosis Blog, Aug 30 2018)
“In our new series, Making an Impact with Security Awareness Training, we will put the changes of the last few years into proper context, and lay out our thoughts on how security awareness training needs to evolve to provide sustainable risk reduction.”

14. The secret history of ED011, the obscure computer lab that hacked the world (Ars Technica, Aug 27 2018)
One Romanian campus computer lab both pentested the world and eventually helped protect it.

15. How Cybercriminals Are Using Blockchain to Their Advantage (SecurityWeek, Aug 30 2018)
Blockchain DNS is a decentralized DNS. Blockchain TLDs – including .bit, .bazar and .coin – are not owned by a single central authority. DNS lookup tables are shared over a peer-to-peer network and use a different technology from traditional DNS requests.