The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Hackers Breach Healthcare.gov (WSJ, Oct 22 2018)
The Affordable Care Act’s federal exchange system for insurance was breached and about 75,000 consumer files compromised, the Trump administration said Friday.

2. Serious SSH bug lets crooks log in just by asking nicely… (Naked Security – Sophos, Oct 17 2018)
A serious bug in libssh could allow crooks to connect to your server – with no password requested or required. Here’s what you need to know.

3. Facebook Finds Hack Was Done by Spammers, Not Foreign State (WSJ, Oct 22 2018)
The company believes the hackers who accessed 30 million accounts masqueraded as a digital marketing firm and were driven by greed, not ideology.

*AI, IoT, & Mobile Security*
4. Android Protected Confirmation: transaction security to the next level (Google, Oct 19 2018)
The first major mobile OS API that leverages a hardware protected user interface (Trusted UI) to perform critical transactions completely outside the main mobile operating system.

5. West Virginia’s voting experiment stirs security fears (Politico, Oct 19 2018)
Overseas residents will be able to cast ballots via mobile app on Election Day, using the same tech that underlies Bitcoin. But is that a wise idea?

6. Network Anomaly Detection Track Record in Real Life? (Anton Chuvakin – Gartner, Oct 22 2018)
“my long-held impression is that no true anomaly-based network IDS (NIDS) has ever been successful commercially and/or operationally. There were some bits of success, to be sure (“OMG WE CAN DETECT PORTSCANS!!!”), but in total, they (IMHO) don’t quite measure up to SUCCESS of the approach. In light of this opinion, here is a fun question: do you think the current generation of machine learning (ML) – and “AI”-based (why is AI in quotes?) systems will work better?”

*Cloud Security, DevOps, AppSec*
7. How S3 Buckets Become Public, and the Fastest Way to Find Yours (Disrupt:Ops, Oct 22 2018)
Eight (Yes, Eight) Ways Amazon S3 Data Becomes Public… The interplay between these can be a little confusing so we’ll walk through the interactions after we list them out.

8. In a tweet Monday, Andy Jassy, CEO of Amazon Web Services…Bloomberg should retract its story… (Twitter, Oct 23 2018)
“@tim_cook is right. Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract. https://t.co/RZzuUt9fBM”

9. “Davos in the Desert” website hack highlights Saudi terror links (Quartz, Oct 23 2018)
Screenshots show that the hack of the Future of Investment Initiative site also called out Saudi complicity in Jamal Khashoggi’s murder.

*Identity Mgt & Web Fraud*
10. 10 Fraud Myths: The fraudiest country is…Mauritania! (Sift Science, Oct 23 2018)
We took a magnifying glass to 165 billion recent transactions and events among our data set and uncovered 10 surprising insights about how fraud happens. These findings illustrate the kinds of patterns that might be invisible to your business, without the right technology to uncover them.

11. Uber drivers are getting fleeced by con artists (CNET, Oct 25 2018)
On that Wednesday, the LA driver did what that caller told him to do. He pulled over and canceled the trip. The caller asked for his email. He gave it. The caller asked for his Uber account password. He gave him that, too, after a brief hesitation. Then the caller said to tell him the confirmation code he’d be receiving shortly via text. The driver told him the code once he got the text. This was the two-factor authentication needed to get into the driver’s Uber account.

12. New York Attorney General Expands Inquiry Into Net Neutrality Comments (The New York Times, Oct 25 2018)
Most strikingly, many comments on net neutrality were falsely submitted under the names of real people, in what amounted to mass acts of virtual identity theft. Some comments used the name of dead people. Ms. Underwood’s investigators have estimated that almost half of all of the comments — more than nine million — used stolen identities.

*CISO View*
13. Yahoo to Pay $50M, Other Costs for Massive Security Breach (SecurityWeek, Oct 24 2018)
Yahoo has agreed to pay $50 million in damages and provide two years of free credit-monitoring services to 200 million people whose email addresses and other personal information were stolen as part of the biggest security breach in history.

14. The Rise of The Virtual Security Officer (SecurityWeek, Oct 23 2018)
The market for virtual security officers is growing. We’ve had virtual chief information security officers for a few years (vCISOs), and we can expect to see virtual data protection officers (vDPOs) in the next few. The demand for both is higher than it has ever been, and it is likely to grow.

15. Facebook Fined £500K for Cambridge Analytica Failings (Infosecurity Magazine, Oct 25 2018)
The Information Commissioner’s Office (ICO) has issued a rare maximum fine of £500,000 to Facebook for data protection mistakes that led to the Cambridge Analytica scandal.