The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. China ‘has taken the gloves off’ in its thefts of U.S. technology secrets (LA Times, Nov 18 2018)
It was the great microchip heist — a stunning Chinese-backed effort that pilfered $8.75 billion in secret American technology. But the real secret is it wasn’t unusual. After a lull under President Obama, Chinese economic espionage is soaring again as U.S. relations with Beijing worsen.

2. Using Airport and Hotel Wi-Fi Is Much Safer Than It Used to Be (Wired, Nov 18 2018)
“What’s in it for the adversary? Why would you choose monkeying with the Wi-Fi at the airport or the hotel over some other attack method? When you look at the profitability and the risk, it just doesn’t make sense other than an amateur to be doing it for giggles.”

3. America’s Election Grid Remains a Patchwork of Vulnerabilities (The New York Times, Nov 17 2018)
The midterms showed that there aren’t enough qualified poll workers and that accusations of political manipulation persist. Still, the situation has improved since Bush v. Gore.


Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.


*AI, IoT, & Mobile Security*
4. BlackBerry Doubles Down in $1.4B Acquisition of Cylance (Dark Reading, Nov 16 2018)
BlackBerry aims to bring Cylance artificial intelligence and security tools into its software portfolio.

5. The rare form of machine learning that can spot hackers who have already broken in (MIT Technology Review, Nov 16 2018)
Darktrace’s unsupervised-learning models sound the alarm before intruders can cause serious damage.

6. iPhone X Exploits Earn Hackers Over $100,000 (SecurityWeek, Nov 14 2018)
The Zero Day Initiative’s Pwn2Own Tokyo hacking competition has come to an end, with participants earning over $300,000 for disclosing vulnerabilities affecting iPhone X, Xiaomi Mi 6 and Samsung Galaxy S9 smartphones.

*Cloud Security, DevOps, AppSec*
7. New feature to prevent Amazon S3 bucket misconfiguration (Help Net Security, Nov 19 2018)
The new S3 Block Public Access feature allows account owners/administrators to centrally block existing public access (whether granted via an ACL or a bucket policy) and to make sure that newly created buckets and objects aren't inadvertently granted public access.
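As an added illustration (written for this page, not code from the article or from AWS), the following Python models how the four Block Public Access settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) interact with a bucket's existing ACL grants and bucket policy: two of the settings reject new public grants at write time, and the other two neutralise public grants that already exist. The ACL grant and policy shapes follow what the S3 API returns, but the evaluation logic is a deliberate simplification (no Condition handling, no IAM identity policies) and is an assumption of this example, not AWS's real access evaluator. The sample grants and policy are constructed inputs.

```python
# Added example, not code from the article or from AWS: a simplified model of how
# the four S3 Block Public Access settings gate ACL- and policy-based public access.
# The evaluation rules below are an assumption of this example (real S3/IAM
# evaluation handles Conditions, identity policies and more).

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEE_URIS = {ALL_USERS, AUTHENTICATED_USERS}

# The weak setting is everything off (the default before the feature existed);
# the hardened setting turns all four controls on.
WEAK_PAB = {
    "BlockPublicAcls": False,
    "IgnorePublicAcls": False,
    "BlockPublicPolicy": False,
    "RestrictPublicBuckets": False,
}
HARDENED_PAB = {name: True for name in WEAK_PAB}


class AccessDenied(Exception):
    """Raised where S3 would reject the write with an AccessDenied error."""


def acl_is_public(grants):
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS for g in grants)


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_is_public(policy):
    """True if any Allow statement has a wildcard principal (simplified check)."""
    if not policy:
        return False
    return any(
        stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal"))
        for stmt in policy.get("Statement", [])
    )


def put_bucket_acl(pab, grants):
    """Model of PutBucketAcl: BlockPublicAcls rejects *new* public grants."""
    if pab["BlockPublicAcls"] and acl_is_public(grants):
        raise AccessDenied("BlockPublicAcls: public ACL grant rejected")
    return grants


def put_bucket_policy(pab, policy):
    """Model of PutBucketPolicy: BlockPublicPolicy rejects *new* public policies."""
    if pab["BlockPublicPolicy"] and policy_is_public(policy):
        raise AccessDenied("BlockPublicPolicy: public bucket policy rejected")
    return policy


def anonymous_can_read(pab, grants, policy):
    """Can an anonymous principal read, given the *existing* ACL and policy?

    IgnorePublicAcls neutralises public ACL grants that are already in place;
    RestrictPublicBuckets neutralises a public bucket policy that is already in place.
    """
    via_acl = acl_is_public(grants) and not pab["IgnorePublicAcls"]
    via_policy = policy_is_public(policy) and not pab["RestrictPublicBuckets"]
    return via_acl or via_policy


# Constructed sample inputs: an owner grant plus a public READ grant, and a
# bucket policy granting s3:GetObject to everyone.
PUBLIC_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "bucket-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
}

if __name__ == "__main__":
    # Existing public ACL and policy: world-readable under the weak setting,
    # not readable anonymously once all four controls are on.
    print("weak:", anonymous_can_read(WEAK_PAB, PUBLIC_GRANTS, PUBLIC_POLICY))
    print("hardened:", anonymous_can_read(HARDENED_PAB, PUBLIC_GRANTS, PUBLIC_POLICY))
    try:
        put_bucket_policy(HARDENED_PAB, PUBLIC_POLICY)
    except AccessDenied as err:
        print("new public policy:", err)
```

The split between the "Block" and "Ignore/Restrict" settings is the practical point: turning on only BlockPublicAcls and BlockPublicPolicy stops new mistakes but leaves every bucket that is already public exactly as it was, which is why the account-level setting with all four enabled is the one to reach for when cleaning up an estate.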

8. Instagram accidentally reveals plaintext passwords in URLs (Naked Security – Sophos, Nov 20 2018)
It’s yet another security stumble following the massive Facebook hack in September, and passwords appearing in URLs at all likely points to them being stored in a recoverable form rather than properly hashed.

9. How to manage security governance using DevOps methodologies (AWS Security Blog, Nov 20 2018)
“The approach I’ll demonstrate in this post isn’t a silver bullet, but it’s a method by which you can control some of that inevitable shift in threat evaluations resulting from changes in business and technical operations, such as vulnerability announcements, feature updates, or new requirements.”

*Identity Mgt & Web Fraud*
10. USPS Site Exposed Data on 60 Million Users (Krebs on Security, Nov 21 2018)
“U.S. Postal Service just fixed a security weakness that allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf.”

11. Creepy or Not, Face Scans Are Speeding up Airport Security (Wired, Nov 21 2018)
Who cares if you hate it? This time- and effort-saving tech is spreading, and fast.

12. LinkedIn cuts off email address exports with new privacy setting (TechCrunch, Nov 21 2018)
A win for privacy on LinkedIn could be a big loss for businesses, recruiters and anyone else expecting to be able to export the email addresses of their connections. LinkedIn just quietly introduced a new privacy setting that defaults to blocking other users from exporting your email address.

*CISO View*
13. 66.1% of vulnerabilities published through Q3 2018 have a documented solution (Help Net Security, Nov 20 2018)
There have been 16,172 vulnerabilities disclosed through October 29th, which is a 7% decrease from the record high reported at this time last year. The 16,172 vulnerabilities cataloged through Q3 2018 by Risk Based Security’s research team eclipsed the total covered by CVE and the National Vulnerability Database (NVD) by over 4,800. It’s also worth noting that NVD is still significantly behind in scoring vulnerabilities and in producing the automation-ready data that scanners and management tools consume.

14. Mixed buyers harvest security targets (Inorganic Growth, Nov 16 2018)
With BlackBerry’s $1.4bn pickup of Cylance, there have now been 15 acquisitions of infosec vendors valued above $250m this year…

15. JPMorgan Invests in Startup Tech That Analyzes Encrypted Data (WSJ, Nov 21 2018)
The bank has invested in Inpher, a startup whose technology can analyze an encrypted dataset without revealing its contents. Samik Chandarana, head of data analytics for the Corporate and Investment Bank division, says the technology could be “materially useful” for the company and its clients.