15 Bullet Friday – The Best Security News of the Week – 2018.09.14

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Verizon details breaches they were called in to investigate (Help Net Security, Sep 10 2018)
Each story is told from a different perspective, and from a different business sector. Each of them details the lessons learned and offers advice on detection, response, mitigation and prevention. Some tell the by-now familiar stories of a business losing money to BEC scammers and social engineering attacks hitting the IT help desk. Other studies deal with cyberespionage, cryptojacking, PoS intrusions, ICS attacks, complex identity theft scenarios, and more.

2. Apple Removes Top Security Tool for Secretly Stealing Data (Infosecurity Magazine, Sep 10 2018)
Apple has been forced to remove one of the most popular security apps on its Mac App Store after it was found to be secretly exfiltrating browser data to China.

3. Oracle Products Affected by Exploited Apache Struts Flaw (SecurityWeek, Sep 04 2018)
Oracle informed customers over the weekend that some of the company’s products are affected by a critical Apache Struts 2 vulnerability that has been exploited in the wild.

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.

*AI, IoT, & Mobile Security*
4. Using Hacked IoT Devices to Disrupt the Power Grid (Schneier on Security, Sep 11 2018)
“BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid”: Abstract: We demonstrate that an Internet of Things (IoT) botnet of high wattage devices — such as air conditioners and heaters — gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid. In particular, we reveal a new class of potential attacks on power grids called the Manipulation of demand via IoT (MadIoT) attacks that can leverage such a botnet in order to manipulate the power demand in the grid.

5. IoT Botnets Target Apache Struts, SonicWall GMS (SecurityWeek, Sep 10 2018)
The infamous Mirai and Gafgyt Internet of Things (IoT) botnets are targeting vulnerabilities in Apache Struts and the SonicWall Global Management System (GMS), Palo Alto Networks has discovered.

6. Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob (Wired, Sep 10 2018)
Weak encryption in the cars’ key fobs allows all-too-easy theft, but you can set a PIN code on your Tesla to protect it.

*Cloud Security, DevOps, AppSec*
7. British Airways breach was effected by Magecart attackers (Help Net Security, Sep 11 2018)
The group has been compromising online shops left and right for years and its most recent known target before British Airways was Ticketmaster. They use the stolen information to perform card-not-present fraud and employ mules to reship thusly bought high-priced goods to addresses in Eastern Europe.

8. The Effectiveness of Publicly Shaming Bad Security (Troy Hunt, Sep 11 2018)
Here’s how it normally plays out: It all begins when a company pops up online and makes some sort of ludicrous statement related to their security posture, often as part of a discussion on a public social media platform such as Twitter. Shortly thereafter, the masses descend on said organisation

9. TLS 1.3 Won’t Break Everything (Dark Reading, Sep 07 2018)
One of the important benefits touted for TLS 1.3 is improved performance, much of which comes because of a simplified “handshake” process between client and server when establishing a session. There are several technical reasons this is possible, but one of them is that a single negotiation — that of which encryption algorithm to use — is eliminated.

*Identity Mgt & Web Fraud*
10. U.S. Mobile Giants Want to be Your Online Identity (Krebs on Security, Sep 12 2018)
“The four major U.S. wireless carriers today detailed a new initiative that may soon let Web sites eschew passwords and instead authenticate visitors by leveraging data elements unique to each customer’s phone and mobile subscriber account, such as location, customer reputation, and physical attributes of the device. Here’s a look at what’s coming, and the potential security and privacy trade-offs of trusting the carriers to handle online authentication on your behalf.”

11. In a Few Days, Credit Freezes Will Be Fee-Free (Krebs on Security, Sep 10 2018)
“all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents.”

12. Get In-App Autofill with LastPass and iOS 12 (The LastPass Blog, Sep 12 2018)
In addition to in-app autofill, you will also be able to autofill in mobile sites in Safari with fewer taps.Thanks to iOS 12, Apple has caught up to Android which already offers autofill functionality.

*CISO View*
13. A Security Expert Tied to WikiLeaks Vanishes, and the Internet Is Abuzz (The New York Times, Sep 07 2018)
Arjen Kamphuis was last seen on Aug. 20 in a remote Arctic town in Norway. Online theories range from C.I.A. abduction to a secret mission for Julian Assange.

14. ‘Only paper ballots by 2020!’ call experts after election tampering (Naked Security – Sophos, Sep 10 2018)
The National Academy of Sciences says the US election system uses insecure technology and is fighting off attempts to destabilize it.

15. Georgia says switching back to all-paper voting is logistically impossible (Ars Technica, Sep 12 2018)
In Curling v. Kemp, both sides are set to duke it out in court.

Share on facebook
Share on twitter
Share on linkedin