The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. China-linked APT10 Hackers Update Attack Techniques (SecurityWeek, Sep 14 2018)
As part of the new attacks, spear-phishing emails carry malicious Word documents that attempt to deliver the UPPERCUT backdoor. Known in the security community as ANEL, the malware was apparently in pre-release form (beta or release candidate) until recently, FireEye’s security researchers say.

2. New modification of the old cold boot attack leaves most systems vulnerable (Ars Technica, Sep 13 2018)
Cold boot attacks, used to extract sensitive data such as encryption keys and passwords from system memory, have been given new blood by researchers from F-Secure. First documented in 2008, cold boot attacks depend on the ability of RAM to remember values even across system reboots. In response, systems were modified to wipe their memory early during the boot process—but F-Secure found that, in many PCs, tampering with the firmware settings can force the memory wipe to be skipped, once again making the cold boot attacks possible.

3. Microsoft Office Macros Still No. 1 Malware Delivery (Infosecurity Magazine, Sep 14 2018)
Phishing attacks remain successful by leveraging macros.




*AI, IoT, & Mobile Security*
4. Facebook’s robot coders step into the future of programming (Naked Security – Sophos, Sep 17 2018)
Like a good junior programmer, Facebook’s AI is cutting its teeth with a bit of bug fixing.

5. California’s Internet of Things cybersecurity bill could lay groundwork for federal action (Washington Post, Sep 18 2018)
California is once again poised to take the lead on important new technology policy. A bill to set cybersecurity standards for Web-connected devices — from thermostats to webcams to cars — is awaiting Gov. Jerry Brown’s (D) signature after cruising through the state legislature late last month. If Brown signs it, California would become the first state to pass legislation to govern security of the Internet of Things…

6. Beyond deep fakes: Transforming video content into another video’s style, automatically (ScienceDaily, Sep 11 2018)
Researchers have devised a way to automatically transform the content of one video into the style of another, making it possible to transfer the facial expressions of comedian John Oliver to those of a cartoon character, or to make a daffodil bloom in much the same way a hibiscus would.

*Cloud Security, DevOps, AppSec*
7. Facebook Broadens Its Bug Bounty to Include Third-Party Apps (Wired, Sep 17 2018)
Starting Monday, Facebook will pay at least $600 to researchers who spot third-party apps behaving badly on its platform.

8. 2018 State of DevOps Report: Practical guidance for your DevOps evolution (Puppet, Sep 12 2018)
“Based on anecdotal evidence, the authors of this year’s report believed that most successful DevOps transformations follow a specific pattern: Starting with grassroots efforts, early successes and proven practices are shared with other teams. Next, the successful patterns are shared with multiple teams throughout a department, and finally, are spread to other departments. Analysis of our survey data showed that this observed pattern is true for highly evolved organizations.”

9. GovPayNow.com Leaks 14M+ Records (Krebs on Security, Sep 17 2018)
“Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.”

*Identity Mgt & Web Fraud*
10. FBI: Phishing Attacks Aim to Swap Payroll Information (Dark Reading, Sep 19 2018)
Social engineering scams target employees’ payroll credentials so attackers can access and change their bank account data.

11. Beware of Emails Purporting to be from the IRS (Fortinet Blog, Sep 18 2018)
Since individuals are allowed a six-month extension to provide more time to file, the final deadline is October 15th, which is now approaching. Such a campaign is likely to net an unwitting victim who is not aware of such scams, especially if they are a non-resident alien unfamiliar with US laws and procedures.

12. 2018 Federal Identity Forum & Exposition (AFCEA, Sep 20 2018)
The conference is next week, but you can access the 2017 slides and other content now.

*CISO View*
13. US military given the power to hack back/defend forward (Naked Security – Sophos, Sep 20 2018)
The new preventative cybersecurity powers include potentially acting against countries considered friendly toward the US – a risky move, some say.

14. Guccifer to Be Extradited to US for Prison Sentence (Dark Reading, Sep 14 2018)
Four-year, four-month term will follow a longer sentence in hacker’s home country of Romania.

15. New Magecart victims ABS-CBN and Newegg are just the tip of the iceberg (Help Net Security, Sep 20 2018)
With the Magecart attackers compromising web shops left and right, online shopping is becoming a risky proposition. After Ticketmaster, British Airways and Feedify, two new Magecart victims have been identified: the broadcasting giant ABS-CBN and online retailer Newegg.