The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Credit Freezes are Free: Let the Ice Age Begin (Krebs on Security, Sep 21 2018)
“It is now free in every U.S. state to freeze and unfreeze your credit file and that of your dependents, a process that blocks identity thieves and others from looking at private details in your consumer credit history. If you’ve been holding out because you’re not particularly worried about ID theft, here’s another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable revenue stream.”

2. New Xbash Malware a Cocktail of Malicious Functions (Dark Reading, Sep 17 2018)
The new malware tool targeting Windows and Linux systems combines cryptomining, ransomware, botnet, and self-propagation capabilities.

3. Security Vulnerability in ESS ExpressVote Touchscreen Voting Computer (Schneier on Security, Sep 20 2018)
This particular vulnerability is particularly interesting because it’s the result of a security mistake in the design process. Someone didn’t think the security through, and the result is a voter-verifiable paper audit trail that doesn’t provide the security it promises.

*AI, IoT, & Mobile Security*
4. IoT Threats Triple Since 2017 (Dark Reading, Sep 18 2018)
The report shows that simple, brute-force attacks on passwords were still the most commonly used techniques to breach IoT security, making up at least part of 93% of the attacks seen. Those attacks compromised a wide variety of devices, which were then used for malicious cryptocurrency mining, DDoS attacks, the inclusion of devices in botnet threats, and more. While 60% of the devices used to hit the Kaspersky Labs honeypots were routers, DVRs, printers, and even 33 washing machines were also in the mix.

5. Pegasus Spyware Used in 45 Countries – Schneier on Security (Schneier on Security, Sep 24 2018)
The malware can operate on both Android and iOS devices, although it has mostly been spotted in campaigns targeting iPhone users. On infected devices, Pegasus is a powerful spyware that can do many things, such as record conversations, steal private messages, exfiltrate photos, and much more.

6. China’s leaders are softening their stance on AI (MIT Technology Review, Sep 25 2018)
A year after announcing an aggressive plan to dominate artificial intelligence, China’s vice premier has called for international collaboration.

*Cloud Security, DevOps, AppSec*
7. U.S. General Service Administration Launches Bug Bounty Program (SecurityWeek, Sep 24 2018)
The United States General Services Administration’s (GSA) Technology Transformation Service (TTS) has launched a bug bounty program on HackerOne, the hacker-powered security platform announced on Friday.

8. In Quiet Change, Google Now Automatically Logging Users Into Chrome (Dark Reading, Sep 24 2018)
The change is a complete departure from Google’s previous practice of keeping sign-in for Chrome separate from sign-ins to any Google service.

9. App developers are STILL allowed to read your Gmails (Naked Security – Sophos, Sep 24 2018)
Google is still allowing third-party developers access to its users’ Gmail data, it said in a letter to senators last week.

*Identity Mgt & Web Fraud*
10. Google to Stop Automatically Logging Users into Chrome (Dark Reading, Sep 27 2018)
The decision comes days after a security researcher blasted the company for jeopardizing user privacy with a browser update.

11. A Small Google Chrome Change Stirs a Big Privacy Controversy (Wired, Sep 24 2018)
The latest update to Google’s browser has riled privacy advocates by appearing to log people in without their explicit permission.

12. AdGuard adblocker resets passwords after credential-stuffing attack (Naked Security – Sophos, Sep 25 2018)
AdGuard has taken the decision to reset all user accounts after suffering a credential-stuffing and brute-force password attack.

*CISO View*
13. Uber Fined $148m for Breach Cover-Up (Infosecurity Magazine, Sep 27 2018)
A heavy price tag for Uber’s data breach mismanagement.

14. 14 years prison for man who helped hackers evade detection by anti-virus software (Graham Cluley, Sep 25 2018)
Bondars (also known by his online nickname of “Borland”) worked in conjunction with co-conspirator Jurijs “Garrik” Martisevs on the notorious Scan4You website. Scan4You allowed criminals – for a monthly fee – to upload their latest malware to receive a report on whether any of a wide range of anti-virus products would detect it as malicious.

15. Domain flub leaves 30 million customers high and dry (Naked Security – Sophos, Sep 26 2018)
Zoho’s CEO begged for help on Twitter after his domain registrar effectively took the company offline, stranding millions of users.