15 Bullet Friday – The Best Security News of the Week – 2018.10.05

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Facebook Security Bug Affects 90M Users (Krebs on Security, Sep 28 2018)
“Facebook said today some 90 million of its users may get forcibly logged out of their accounts after the company fixed a rather glaring security vulnerability in its Web site that may have let attackers hijack user profiles.”

2. How 50 Million Facebook Users Were Hacked (Motherboard, Sep 28 2018)
Facebook revealed more details about how hackers exploited three distinct bugs to get the ability to control up to 50 million users’ accounts.

3. Russian Cyberspies Use UEFI Rootkit in Attacks (SecurityWeek, Sep 27 2018)
Russian cyber-espionage group Fancy Bear is the first threat actor to have used a Unified Extensible Firmware Interface (UEFI) rootkit in a malicious campaign.




*AI, IoT, & Mobile Security*
4. Lock screen bypass already discovered for Apple’s iOS 12 (Naked Security – Sophos, Oct 02 2018)
Apple’s iOS 12 is barely out of the gates and already someone has found a way to beat its lock screen security to access a device’s contents.

5. California Enacts First-in-Nation IoT Security Law (Dark Reading, Oct 01 2018)
The new law requires some form of authentication for most connected devices.

6. Security Flaw Found in Apple Mobile Device Enrollment Program (Dark Reading, Sep 27 2018)
Authentication weakness in Apple’s DEP could open a window of opportunity for attackers.

*Cloud Security, DevOps, AppSec*
7. Facebook: No Evidence Hackers Accessed Third-Party Apps (Infosecurity Magazine, Oct 03 2018)
Social network’s claims seem to limit impact of breach.

8. Latest Building Security In Maturity Model reflects software security initiatives of 120 firms (Help Net Security, Oct 03 2018)
Synopsys released BSIMM9, the latest version of the Building Security In Maturity Model (BSIMM) designed to help organizations plan, execute, and measure their software security initiatives (SSIs). The ninth iteration of BSIMM reflects data collected over a 10-year study of real-world SSIs across 120 firms.

9. What each cloud company could bring to the Pentagon’s $10B JEDI cloud contract (TechCrunch, Sep 29 2018)
The RFP process closes on October 12th and the winner is expected to be chosen next April.

*Identity Mgt & Web Fraud*
10. Suspect forced to unlock iPhone with his face (Naked Security – Sophos, Oct 02 2018)
The order so far hasn’t raised Fifth Amendment objections either, your face being something you are, rather than something you know.

11. Voice Phishing Scams Are Getting More Clever (Krebs on Security, Oct 01 2018)
“Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out.”

12. Facebook Admits Phone Numbers May be Used to Target Ads (SecurityWeek, Sep 28 2018)
Facebook on Thursday confirmed that advertisers were privy to phone numbers given by members of the social network for enhanced security.

*CISO View*
13. China Used Tiny Chip in Hack That Infiltrated Amazon, Apple (Bloomberg, Oct 04 2018)
In one case, the malicious chips were thin enough that they’d been embedded between the layers of fiberglass onto which the other components were attached, according to one person who saw pictures of the chips. That generation of chips was smaller than a sharpened pencil tip, the person says.

14. Security Staffing Low in Midsized and Large Orgs (Infosecurity Magazine, Sep 28 2018)
Large organizations have only one security staff for every 1,488 employees, says ProtectWise.

15. Making an Impact with Security Awareness Training: Quick Wins and Sustained Impact (Securosis, Sep 27 2018)
It’s a balance between being overly heavy-handed against the importance of training users to defend themselves. You need to ensure employees know about the ongoing testing program, and that they’ll be testing periodically. That’s the continuous part of the approach – it’s not a one-time thing.
