The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. The phone went dark, then $1m was sucked out in SIM-swap crypto-heist (Naked Security – Sophos, Nov 26 2018)
A Silicon Valley exec lost $1m in cryptocoin savings when a 21-year-old allegedly SIM-swapped his phone.

2. Rowhammer Data Hacks Are More Dangerous Than Anyone Feared (Wired, Nov 21 2018)
Rowhammer attacks are fiendishly technical. They involve strategically executing a program over and over on a “row” of transistors in a computer’s memory chip. The idea is to “hammer” that row, until it leaks some electricity into the adjacent row. That leakage can cause a bit in the target row to “flip” from one position to another, slightly altering the data stored in memory. A skilled Rowhammer attacker can then start to exploit these tiny data changes to gain more system access. See? It’s pretty bonkers.

3. More on Threat Hunting (TaoSecurity, Nov 24 2018)
Earlier this week hellor00t asked via Twitter: Where would you place your security researchers/hunt team? I replied: For me, “hunt” is just a form of detection. I don’t see the need to build a “hunt” team. IR teams detect intruders using two major modes: matching and hunting. Junior people spend more time matching. Senior people spend more time hunting. Both can and should do both functions.

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.

*AI, IoT, & Mobile Security*
4. U.S. Mulls Curbs on Artificial Intelligence Exports (SecurityWeek, Nov 20 2018)
The administration of US President Donald Trump is exploring curbing exports of sensitive technologies including artificial intelligence for national security reasons, according to a proposal this week.

5. Mobile and IoT attacks – SophosLabs 2019 Threat Report (Naked Security – Sophos, Nov 23 2018)
As internet users migrate from desktop and laptop computers to mobile and Internet of Things (IoT) platforms, cybercriminals are too.

6. More details on One Planet York app vulnerability don’t paint council in a good light (Graham Cluley, Nov 27 2018)
the curious story of how a vulnerability was found in the City of York council’s recycling app, and the council’s response to being told about the data-spilling flaw.

*Cloud Security, DevOps, AppSec*
7. Announcing the First AWS Security Conference: re:Inforce 2019 (AWS Blog, Nov 26 2018)
The inaugural AWS re:Inforce, a hands-on gathering of like-minded security professionals, will take place in Boston, MA on June 25th and 26th, 2019 at the Boston Exhibit and Conference Center. The cost for a full conference pass will be $1,099.

8. Amazon Low-Key Reveals Breach of Some Customer Data (Dark Reading, Nov 21 2018)
Some Amazon customers have reported receiving a vague email from the company alerting them that the website had exposed their names and email addresses.

9. Distributing Malware By Becoming an Admin on an Open-Source Project (Schneier on Security, Nov 28 2018)
The module “event-stream” was infected with malware by an anonymous someone who became an admin on the project.

*Identity Mgt & Web Fraud*
10. Black Mirror episode with the social ratings? It’s live in China. (Sophos, Nov 26 2018)
Not picking up after your dog will cost you 10 points, for example, in China’s Black Mirror-esque plan to socially score citizens.

11. Microsoft’s multi-factor authentication service goes down for second week in a row (ZDNet, Nov 28 2018)
Another Microsoft’s Azure Active Directory multi-factor authentication service outage is causing problems for a number of Office 365 users.

12. FBI Takes Down a Massive Advertising Fraud Ring (Schneier on Security, Nov 29 2018)
“The FBI announced that it dismantled a large Internet advertising fraud network, and arrested eight people…It looks like an impressive piece of police work. Details of the forensics that led to the arrests.”

*CISO View*
13. Marriott: Data on 500 Million Guests Stolen in 4-Year Breach (Krebs on Security, Nov 30 2018)
“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences,” Marriott said in a statement released early Friday morning.

14. First Round of MITRE ATT&CK Evaluations Released – MITRE ATT&CK (Medium, Nov 30 2018)
“We have just published the first seven MITRE ATT&CK™ evaluations on our new website. We have created an open and transparent methodology…”

15. Propaganda and the Weakening of Trust in Government (Schneier on Security, Nov 27 2018)
“we need to start thinking more systematically about the relationship between democracy and information. Our paper provides one way to do this, highlighting the vulnerabilities of democracy against certain kinds of information attack. More generally, we need to build levees against flooding while shoring up public confidence in voting and other public information systems that are necessary to democracy.”