The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Who’s In Your Online Shopping Cart? (Krebs on Security, Nov 04 2018)
“Crooks who hack online merchants to steal payment card data are constantly coming up with crafty ways to hide their malicious code on Web sites. In Internet ages past, this often meant obfuscating it as giant blobs of gibberish text that was obvious even to the untrained eye. These days, a compromised e-commerce site is more likely to be seeded with a tiny snippet of code that invokes a hostile domain which appears harmless or that is virtually indistinguishable from the hacked site’s own domain.”
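The skimmer pattern described above, a short script tag that pulls code from a domain that is unknown or that looks almost exactly like the merchant's own, can be caught with a script-origin inventory of the checkout page. The following is an added example, not code from the Krebs article: it collects every external `<script src>` host, compares the registrable domain against the merchant's domain and a vendor allow-list, and flags near-misses by edit distance. The merchant domain `examplestore.com`, the allow-list, and the sample HTML are all constructed for illustration.

```python
"""Inventory external script origins on a checkout page and flag lookalikes.

Added example; not code from the article. The first-party domain, the
vendor allow-list and SAMPLE_HTML below are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

FIRST_PARTY = "examplestore.com"            # assumed merchant domain
ALLOWED_THIRD_PARTY = {"js.stripe.com"}     # assumed vetted vendor hosts


class ScriptSrcCollector(HTMLParser):
    """Collect the host of every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            return                          # inline script: no remote origin
        host = urlsplit(src).hostname
        if host:
            self.hosts.append(host.lower())


def levenshtein(a, b):
    """Edit distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,             # deletion
                           cur[j - 1] + 1,          # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable(host):
    # Naive "last two labels"; a real tool would consult the public suffix list.
    return ".".join(host.split(".")[-2:])


def classify_host(host, max_distance=2):
    """first-party / allowed / lookalike / unknown for one script host."""
    reg = registrable(host)
    if reg == FIRST_PARTY:
        return "first-party"
    if host in ALLOWED_THIRD_PARTY:
        return "allowed"
    if levenshtein(reg, FIRST_PARTY) <= max_distance:
        return "lookalike"                  # e.g. one letter swapped for a digit
    return "unknown"


def audit(html):
    """Map each external script host on the page to its classification."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return {h: classify_host(h) for h in collector.hosts}


# Constructed checkout page: one first-party script, one vetted vendor,
# one digit-for-letter lookalike, one unknown host and one inline script.
SAMPLE_HTML = """
<html><body>
<script src="https://cdn.examplestore.com/checkout.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://examp1estore.com/assets/jquery.min.js"></script>
<script src="https://analytics.example-metrics.net/t.js"></script>
<script>window.cfg = {};</script>
</body></html>
"""

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_HTML).items():
        print(f"{verdict:12s} {host}")
```

The edit-distance check is deliberately crude; it exists to surface the "one character off" domains the article describes, and it will not catch a skimmer hosted on an innocuous-looking unrelated host, which is why anything classified `unknown` should be reviewed too. The same allow-list, enforced in the browser, is a `Content-Security-Policy` `script-src` directive with reporting enabled.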

2. The CIA’s communications suffered a catastrophic compromise. It started in Iran. (Yahoo, Nov 02 2018)
A new take on an older story: from around 2009 to 2013, the U.S. intelligence community experienced crippling intelligence failures related to a secret internet-based communications system, a key means for remote messaging between CIA officers and their sources.

3. Georgia Secretary of State Brian Kemp Accuses Georgia Democrats of Hacking (Wired, Nov 04 2018)
While anything is possible, Kemp’s claims seem unlikely on their face, especially when you parse what little information his team has provided.

*AI, IoT, & Mobile Security*
4. Vulnerabilities’ CVSS scores soon to be assigned by AI (Help Net Security, Nov 05 2018)
The National Institute of Standards and Technology (NIST) is planning to use IBM’s Watson to evaluate how critical publicly reported computer vulnerabilities are and assign an appropriate severity score.

5. Malware Targeting Smartphones via Three DSP Providers (Infosecurity Magazine, Oct 30 2018)
Three global demand-side platform (DSP) providers were recently targeted by a malicious campaign involving third-party code that enables selective ("smart") malware delivery. The actor behind the campaign has been observed across millions of page views in the past three weeks.

6. Your Smartphone’s Location Data Is Worth Big Money to Wall Street (WSJ, Nov 02 2018)
They know where you are shopping. “Thasos says it can count the phone-carrying shoppers who ditch their regular grocers when a new Whole Foods opens, or gauge drilling activity by sizing up the crowds at oil-patch bars. By identifying the census block where each phone spends the night, Thasos algorithms estimate how far customers travel to malls and shoppers’ incomes.”

*Cloud Security, DevOps, AppSec*
7. Protecting What Matters: Data Guardrails & Behavioral Analytics (Disrupt:Ops, Nov 06 2018)
The easiest way to understand the difference between data guardrails and data behavioral analytics is that guardrails rely on pre-built deterministic rules (which can be as simple as “if this then that”), while analytics rely on AI, machine learning, and other heuristic technologies which look at patterns and deviations.
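The distinction drawn above is easier to see side by side in code. The following is an added example, not code from the Disrupt:Ops post: two deterministic guardrail rules over storage events next to a simple behavioral baseline that flags a user's download volume when it deviates from that user's own history. The event fields, the corporate address range, the thresholds and the sample history are constructed assumptions.

```python
"""Data guardrail (deterministic rules) beside data behavioral analytics
(baseline and deviation). Added example, not from the post; event shapes,
CORP_NET, thresholds and the sample history are constructed assumptions.
"""
import ipaddress
import statistics

CORP_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range
ONE_GB = 1 << 30


# --- Guardrails: pre-built "if this then that" rules ---------------------
def rule_public_acl_on_confidential(ev):
    """Block making a bucket tagged confidential publicly readable."""
    if (ev.get("type") == "PutBucketAcl"
            and ev.get("acl", "").startswith("public")
            and ev.get("bucket_tags", {}).get("classification") == "confidential"):
        return "block"
    return None


def rule_bulk_download_offnet(ev):
    """Alert on a single object download over 1 GB from outside CORP_NET."""
    if ev.get("type") == "GetObject" and ev.get("bytes", 0) > ONE_GB:
        if ipaddress.ip_address(ev["src_ip"]) not in CORP_NET:
            return "alert"
    return None


GUARDRAILS = [rule_public_acl_on_confidential, rule_bulk_download_offnet]


def guardrail_verdict(ev):
    """First matching rule wins; None means no rule fired."""
    for rule in GUARDRAILS:
        verdict = rule(ev)
        if verdict:
            return verdict
    return None


# --- Behavioral analytics: per-user baseline, flag deviations ------------
def zscore(history_mb, today_mb):
    """How many standard deviations today's volume sits from the baseline.

    history_mb needs at least two points for a sample standard deviation.
    """
    mean = statistics.mean(history_mb)
    sd = statistics.stdev(history_mb)
    if sd == 0:
        return 0.0 if today_mb == mean else float("inf")
    return (today_mb - mean) / sd


def behavioral_verdict(history_mb, today_mb, z_threshold=3.0):
    return "anomalous" if zscore(history_mb, today_mb) > z_threshold else "normal"


# Constructed sample data.
ALICE_HISTORY_MB = [100, 110, 95, 105, 100, 90, 108, 102, 97, 103]  # ~101 MB/day

PUBLIC_ACL_EVENT = {
    "type": "PutBucketAcl", "acl": "public-read",
    "bucket_tags": {"classification": "confidential"},
}
OFFNET_BULK_EVENT = {"type": "GetObject", "bytes": 2 * ONE_GB, "src_ip": "203.0.113.7"}
ROUTINE_EVENT = {"type": "GetObject", "bytes": 4096, "src_ip": "10.1.2.3"}

if __name__ == "__main__":
    for ev in (PUBLIC_ACL_EVENT, OFFNET_BULK_EVENT, ROUTINE_EVENT):
        print("guardrail:", guardrail_verdict(ev), ev["type"])
    for today in (115, 4800):
        print("behavioral:", behavioral_verdict(ALICE_HISTORY_MB, today), f"{today} MB")
```

The guardrails are cheap, explainable and never fire on anything you did not write a rule for; the z-score check catches a 4800 MB day that no rule anticipated, but only if the feature being baselined (daily bytes per user here) is the one the attacker moves. An exfiltration spread over many small, routine-looking downloads defeats the guardrail above and only shows up in analytics if volume is aggregated per day.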

8. Thoma Bravo Buys Veracode From Broadcom for $950 Million (SecurityWeek, Nov 05 2018)
Private equity investment firm Thoma Bravo on Monday announced that it has entered an agreement to acquire application security testing company Veracode from Broadcom.

9. DevOps and security: How to make disjointed security and DevOps teams work effectively (Help Net Security, Nov 07 2018)
What’s the answer? How do we get an effective and efficient software factory running that turns out applications on time and on budget while also minimizing security risk?

*Identity Mgt & Web Fraud*
10. Busting SIM Swappers and SIM Swap Myths (Krebs on Security, Nov 07 2018)
“KrebsOnSecurity recently had a chance to interview members of the REACT Task Force, a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that has been tracking down individuals engaged in unauthorized “SIM swaps” — a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. Snippets from that fascinating conversation are recounted, and punctuated by accounts from a recent victim who lost more than $100,000 after his mobile phone number was hijacked.”

11. Here’s Why [Insert Thing Here] Is Not a Password Killer (Troy Hunt, Nov 05 2018)
Despite its many flaws, the one thing that the humble password has going for it over technically superior alternatives is that everyone understands how to use it. Everyone.

12. SMS Phishing + Cardless ATM = Profit (Krebs on Security, Nov 02 2018)
“Thieves are combining SMS-based phishing attacks with new “cardless” ATMs to rapidly convert phished bank account credentials into cash. Recent arrests in Ohio shed light on how this scam works.”

*CISO View*
13. U.S. Secret Service Warns ID Thieves are Abusing USPS’s Mail Scanning Service (Krebs on Security, Nov 08 2018)
“A year ago, KrebsOnSecurity warned that “Informed Delivery,” a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert…”

14. U.S. Cyber Command Shares Malware via VirusTotal (SecurityWeek, Nov 08 2018)
The U.S. Cyber Command (USCYBERCOM) this week started sharing malware samples with the cybersecurity industry via Chronicle’s VirusTotal intelligence service.

15. Sue Gordon: Silicon Valley Should Work With the Government (Wired, Nov 09 2018)
“One of the key things about Google is I think it’s adorable that they have morals now when they’re using technology that the department built for them. That’s cute,” she says, “But we’ve always done this together.”