The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Supply Chain Security 101: An Expert’s View (Krebs on Security, Oct 12 2018)
“Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We talked at length about many issues, including supply chain security, and I asked Sager whether he’d heard anything about rumors that Supermicro — a high tech firm in San Jose, Calif. — had allegedly inserted hardware backdoors in technology sold to a number of American companies.”

2. Branch.io Flaws Exposed Tinder, Shopify, Yelp Users to XSS Attacks (SecurityWeek, Oct 15 2018)
Hundreds of millions of users may have been exposed to cross-site scripting (XSS) attacks due to a vulnerability present in Branch.io, a service used by Tinder, Shopify, Yelp and many others.

3. Facebook downgrades victim count, details data accessed in breach (WeLiveSecurity, Oct 15 2018)
While the number of victims is lower than previously thought, the data accessed for millions of them is more sensitive than originally believed.


MITRE ATT&CKcon is next week
Sign up to receive the web links to watch all the action LIVE from MITRE ATT&CKcon on October 23-24, as they share best practices for using ATT&CK to demystify the complexity that cyber attackers hide behind. Watch Live Stream on Oct. 23rd and Oct. 24th at 8:55 a.m. EST.


*AI, IoT, & Mobile Security*
4. How a WhatsApp call could have taken over your phone (Naked Security – Sophos, Oct 10 2018)
A WhatsApp buffer overflow that crashed your phone due to audio data sent by a caller meant that just answering a call could spell trouble.

5. Cryptomining attacks against Apple devices increase sharply (Help Net Security, Oct 16 2018)
Check Point has published its latest Global Threat Index for September 2018, revealing a near-400% increase in cryptomining malware attacks against Apple iPhones. These attacks are using the Coinhive mining malware, which continues to occupy the top position in the Index that it has held since December 2017.

6. Naming & Shaming Web Polluters: Xiongmai (Krebs on Security, Oct 09 2018)
“What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act? If ever there were a technology giant that deserved to be named and shamed for polluting the Web, it is Xiongmai — a Chinese maker of electronic parts that power a huge percentage of cheap digital video recorders (DVRs) and Internet-connected security cameras.”

*Cloud Security, DevOps, AppSec*
7. What Security Managers Need to Know About Amazon S3 Exposures (Disrupt:OPS, Oct 11 2018)
(1/2) The accidental (or deliberate) exposure of sensitive data on Amazon S3 is one of those deceptively complex issues. On the surface it seems entirely simple to avoid, yet despite wide awareness we see a constant stream of public exposures and embarrassments, combined with a healthy dollop of misunderstanding and victim blaming.
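The "deceptively complex" part is that a bucket's effective exposure is decided by several mechanisms at once (bucket ACL grants, bucket policy statements, and the account or bucket Block Public Access settings AWS added in November 2018, a few weeks after this post), and a reviewer who looks at only one of them will miss exposures or report false ones. As an added example that is not code from the Disrupt:OPS post or from AWS, the Python below evaluates the effective public-access paths from those three documents. The ACL, policy and settings it runs on are constructed samples; `example-bucket` and the canonical-user ID are placeholders.

```python
"""Evaluate an S3 bucket's public-exposure surface offline.

Added illustration for this digest entry; it is not code from the
Disrupt:OPS post or from AWS. It combines the three settings that jointly
decide whether anonymous callers can reach a bucket: the bucket ACL, the
bucket policy, and the Block Public Access settings. The ACL, policy and
settings below are constructed samples, not taken from any real account.
"""
import json

# Canonical group URIs whose presence in an ACL grant makes it public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "AuthenticatedUsers (any AWS account, not just yours)",
}


def _as_list(value):
    """IAM/S3 documents allow a string or a list in many fields; normalise."""
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Findings for ACL grants to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append("ACL grants %s to %s"
                            % (grant["Permission"], PUBLIC_GROUPS[grantee["URI"]]))
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" and {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Findings for Allow statements addressed to everyone.

    A statement carrying a Condition is reported for review rather than
    classified: AWS has its own rules for which condition keys (for example a
    narrow aws:SourceIp range) stop a policy from counting as public, and
    this script does not re-implement them.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        if stmt.get("Condition"):
            findings.append("policy allows %s to everyone, limited by Condition %s - review"
                            % (actions, json.dumps(stmt["Condition"], sort_keys=True)))
        else:
            findings.append("policy allows %s to everyone with no Condition" % actions)
    return findings


def assess_bucket(acl, policy, block_public_access):
    """Return the public access paths that are actually effective.

    Block Public Access sits above the other two mechanisms: IgnorePublicAcls
    neutralises public ACL grants, and RestrictPublicBuckets neutralises a
    public bucket policy (simplified: AWS still lets in-account principals
    through a restricted public policy).
    """
    bpa = block_public_access or {}
    findings = []
    if not bpa.get("IgnorePublicAcls", False):
        findings.extend(public_acl_grants(acl or {}))
    if not bpa.get("RestrictPublicBuckets", False):
        findings.extend(public_policy_statements(policy or {}))
    return findings


# --- constructed sample configuration (not from a real account) -------------
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ON = {key: True for key in BPA_OFF}

if __name__ == "__main__":
    for label, bpa in (("Block Public Access off", BPA_OFF),
                       ("Block Public Access on", BPA_ON)):
        print(label)
        for finding in assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, bpa) or ["no public path"]:
            print("  -", finding)
```

On the sample, the bucket is public twice over with Block Public Access off (an AllUsers READ grant in the ACL and an unconditional `s3:GetObject` to `*` in the policy) and not at all with it on, which is why the recommended fix is the account-level setting rather than yet another policy audit. To run it on real data, `aws s3api get-bucket-acl` and `get-public-access-block` return the same shapes; `get-bucket-policy` returns the policy as a JSON string inside a `Policy` field that needs one `json.loads`. Object-level ACLs, which can make single objects public inside an otherwise private bucket, are a fourth path the script does not inspect.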

8. Apple, Google, Microsoft, and Mozilla come together to end TLS 1.0 (Ars Technica, Oct 16 2018)
Almost everyone has now migrated to TLS 1.2, and a few have moved to TLS 1.3.

9. AWS Security Auditing tools comparison (Scott Piper, Oct 16 2018)
“I put all of the checks of PacBot, Security Monkey, and Prowler into a table, and then compared them to Trusted Advisor, Managed AWS Config Rules, and CloudMapper. Not all checks of the latter 3 tools are listed.”

*Identity Mgt & Web Fraud*
10. Is this the simple solution to password re-use? (Naked Security – Sophos, Oct 17 2018)
…answer that’s been hiding in plain sight for years – set policies that mandate longer and more complicated passwords.

11. How DNA Databases Violate Everyone’s Privacy (Schneier on Security, Oct 15 2018)
If you’re an American of European descent, there’s a 60% chance you can be uniquely identified by public information in DNA databases. This is not information that you have made public; this is information your relatives have made public.

12. Millions of Voter Records Found for Sale on the Dark Web (Dark Reading, Oct 15 2018)
Voter registration databases from 19 US states are being hawked in an underground hacking forum, researchers say.

*CISO View*
13. The Language and Nature of Fileless Attacks Over Time (Lenny Zeltser, Oct 12 2018)
I traced the origins of “fileless” to 2001, when Eugene Kaspersky (of Kaspersky Lab) used it in reference to Code Red worm’s ability to exist solely in memory. Two years later, Peter Szor defined this term in a patent for Symantec, explaining that this form of malware doesn’t reside in a file, but instead “appends itself to an active process in memory.”

14. Anthem will pay $16 million to settle HIPAA violation due to 2015 breach (Help Net Security, Oct 16 2018)
…after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.

15. 60% of IT Security Professionals Looking to Leave Current Job (Mondo, Oct 19 2018)
According to the survey, other top reasons why IT security experts leave a job are: unhealthy work environment (53%); lack of IT security prioritization from C-level or upper management (46%); unclear job expectations (37%) and lack of mentorship (30%).