The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. That Bloomberg Supply-Chain-Hack Story (Schneier on Security, Nov 30 2018)
“Bloomberg has stood by its story — and is still standing by it. I don’t think it’s real. Yes, it’s plausible. But first of all, if someone actually surreptitiously put malicious chips onto motherboards en masse, we would have seen a photo of the alleged chip already. And second, there are easier, more effective, and less obvious ways of adding backdoors to networking equipment.”

2. Elasticsearch Snafu Exposes Data on 82 Million Americans (Infosecurity Magazine, Nov 29 2018)
Personal info was left publicly accessible for at least two weeks.

3. Best practice methodology for industrial network security: SEC-OT (Help Net Security, Dec 03 2018)
Secure Operations Technology (SEC-OT) is a methodology and collection of best practices inspired by a decade of experience working with secure industrial sites. The SEC-OT approach is counter-intuitive to many IT and even industrial control system (ICS) security practitioners. It turns out that secure industrial sites ask different questions and get different answers.
Tell Your Friends
If you’re enjoying Mosaic’s independent news curation, forward it to a friend today. “Hey, instead of sifting through vendor marketing and duplicate news, I found this curated news feed from Mosaic Security Research. Check it out.”
Thanks! -Lucas Samaras
*AI, IoT, & Mobile Security*
4. Someone Is Claiming to Sell a Mass Printer Hijacking Service (Motherboard, Dec 03 2018)
After one hacker bombarded printers with a message urging people to subscribe to PewDiePie, someone is now claiming to offer a mass-printing service across the internet.

5. Someone hacked printers worldwide, urging people to subscribe to PewDiePie (The Verge, Dec 04 2018)
Is your printer secure? The fight over who gets to have the most-subscribed channel on YouTube spilled into the real world months ago when Felix “PewDiePie” Kjellberg fans started campaigning to raise awareness of the Swedish star.

6. How Would NYC’s Anti-AirDrop Dick Pic Law Even Work? (Wired, Dec 03 2018)
The bill’s sponsors want cyber flashers to face the same consequences as their offline counterparts, but there are technical and legal hurdles.

*Cloud Security, DevOps, AppSec*
7. Kubernetes’ first major security hole discovered (ZDNet, Dec 05 2018)
There’s now an invisible way to hack into the popular cloud container orchestration system Kubernetes.

8. Quora data breach: 100 million users affected (Help Net Security, Dec 04 2018)
Question-and-answer website Quora has suffered a data breach that may have affected approximately 100 million of its users.

9. AWS is bringing the cloud on prem with Outposts (TechCrunch, Nov 28 2018)
You can now put AWS into your data center with AWS hardware, the same design they use in their own data centers. The two new products are part of AWS Outposts.

*Identity Mgt & Web Fraud*
10. Takedown of the “3ve” ad fraud operation (Google Online Security Blog, Nov 27 2018)
“The U.S. Attorney’s Office for the Eastern District of New York announced criminal charges associated with this fraud operation. This takedown marks a major milestone in the industry’s fight against ad fraud, and we’re proud to have been a key contributor.
In partnership with White Ops, we have published a white paper about how we identified this ad fraud operation, the steps we took to protect our clients from being impacted, and the technical work we did to detect patterns across systems in the industry.”

11. Data Breaches: User Comprehension, Expectations, and Concerns with Handling Exposed Data (Elie Bursztein – Google, Dec 03 2018)
“Our findings indicate that users readily understand the risk of data breaches and have consistent expectations for technical and non-technical remediation steps. We also find that participants are comfortable with applications that examine leaked data—such as threat sharing or a “hacked or not” service when the application has a direct, tangible security benefit.”

12. Microsoft, Mastercard Aim to Change Identity Management (Dark Reading, Dec 03 2018)
This project, which brings together Microsoft’s identity technology and Mastercard’s digital transaction capabilities, will serve as the foundation for new Mastercard services run on Microsoft Azure, officials explain in a blog post on the news. The two are teaming up with banks, mobile network operators, and government organizations to make the idea reality.

*CISO View*
13. Gartner Identifies Top 10 Trends for Infrastructure, Operations in 2019 (eWEEK, Dec 04 2018)
Gartner analysts on Dec. 4 presented these findings during the Gartner IT Infrastructure, Operations and Cloud Strategies Conference.

14. What the Marriott Breach Says About Security (Krebs on Security, Dec 01 2018)
“We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.”

15. Magecart Delivers Malware to 1-800-FLOWERS (Infosecurity Magazine, Dec 05 2018)
1-800-Flowers’ Canadian website is the latest victim in card-skimming malware attacks.