The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. US and UK Governments Back Denial of Supermicro Story (Infosecurity Magazine, Oct 08 2018)
The United States and UK authorities have joined Amazon and Apple in contesting a blockbuster story last week that Chinese spies implanted tiny chips onto supply chain components used in the tech giants’ products.

2. What Businessweek got wrong about Apple (Apple Newsroom, Oct 06 2018)
Apple issued this statement: “The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims.”

3. Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It? (Krebs on Security, Oct 05 2018)
“There aren’t any corroborating accounts of this scoop so far, but it is both fascinating and terrifying to look at why threats to the global technology supply chain can be so difficult to detect, verify and counter.”

*AI, IoT, & Mobile Security*
4. Intra Gives Older Versions of Android Important DNS Protections (Wired, Oct 03 2018)
In Android 9, also known as Android Pie, Google has added a feature called Private DNS to start encrypting DNS on mobile. But for all the Android devices that won’t get an OS upgrade for a while—or ever—the Alphabet subsidiary Jigsaw is releasing a free mobile app called Intra that can offer that additional layer of web protection to billions of mobile browsers around the world.

5. Conspiracy Theories Around the “Presidential Alert” (Schneier on Security, Oct 04 2018)
Noted conspiracy theorist John McAfee tweeted: “…The “Presidential alerts”: they are capable of accessing the E911 chip in your phones…” This is, of course, ridiculous. I don’t even know what an “E911 chip” is. And — honestly — if the NSA wanted in your phone, they would be a lot more subtle than this.

6. California’s ban on weak default passwords isn’t going to fix IoT security (Graham Cluley, Oct 09 2018)
“Legislation which demands manufacturers adopt unique passwords, rather than hardcoded defaults still too commonly-seen today, may help prevent the problem of dictionary-based attacks and hackers attempting to gain entry by using databases of common passwords – but it doesn’t mean there won’t be any IoT devices using Telnet anymore. It also won’t address other problems such as IoT devices with weak or non-existent encryption, or internet-enabled technology which has no updating infrastructure if a vulnerability is found in the future.”

*Cloud Security, DevOps, AppSec*
7. DevOps & digital transformation are creating insecure apps (Help Net Security, Oct 08 2018)
Not unlike last year’s findings, the top four most likely DAST vulnerabilities to be discovered remain:
Information leakage (45 percent)
Content spoofing (40 percent)
Cross-site scripting (38 percent)
Insufficient transport layer protection (23 percent).

8. Microsoft shows off government cloud services with JEDI due date imminent (TechCrunch, Oct 09 2018)
Just a day after Google decided to drop out of the Pentagon’s massive $10 billion, 10-year JEDI cloud contract bidding, Microsoft announced increased support services for government clients. In a long blog post, the company laid out its government focused cloud services.

9. Lessons Learned from the Facebook Breach: Why Logic Errors Are So Hard to Catch (Dark Reading, Oct 09 2018)
In practice, that means three stages of review: At the DevOps level, use automated tools to find the low-hanging fruit and developers who code with security in mind. Use quality assurance (QA) teams that have deep knowledge of how your application should work. Lastly, beef up your bug bounty program to ensure an external review of your application from talented and experienced security researchers.

*Identity Mgt & Web Fraud*
10. Google+ chose not to go public about bug that exposed users (Graham Cluley, Oct 08 2018)
The really big news today is not that Google is shutting down Google Plus (who cares?), but rather that Google knew months ago that user data had been exposed and kept the fact quiet.

11. Centrify Spins Out IDaaS into new Vendor Idaptive (Infosecurity Magazine, Oct 09 2018)
Centrify has spun out its Identity-as-a-Service (IDaaS) offering into a new company, which it has named Idaptive.

12. For $14.71, You Can Buy A Passport Scan on the Dark Web (Dark Reading, Oct 04 2018)
That’s the average price of a digital passport scan, and it goes up with proof of identification, a new study finds.

*CISO View*
13. The US National Cyber Strategy (Schneier on Security, Oct 09 2018)
In a New York Times op-ed, Josephine Wolff argues that this new strategy, together with the more-detailed Department of Defense cyber strategy and the classified National Security Presidential Memorandum 13, represent a dangerous shift of US cybersecurity posture from defensive to offensive…

14. New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom (Bloomberg, Oct 10 2018)
Bloomberg has another story. The discovery shows that China continues to sabotage critical technology components bound for America.

15. The Apollo Breach Included Billions of Data Points (Wired, Oct 05 2018)
Apollo is a data aggregator and analytics service aimed at helping sales teams know who to contact, when, and with what message to make the most deals.