The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. APT10 Indictments Show Expansion of MSP Targeting, Cloud Hopper Campaign (Dark Reading, Dec 21 2018)
US brings more indictments against the APT10 cyber espionage group operating in China for its Operation Cloud Hopper campaign against managed service providers, but what will those indictments accomplish?
2. Certifiably Gone Phishing (rud.is, Dec 23 2018)
One popular community tool/resource in this pursuit is PhishTank which is a collaborative clearing house for data and information about phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge. While the PhishTank API is useful for real-time anti-phishing operations the data is also useful for security researchers as we work to understand the ebb, flow and evolution of these attacks.
3. Someone is trying to take entire countries offline and cybersecurity experts say ‘it’s a matter of time because it’s really easy’ (Business Insider, Dec 23 2018)
The West’s biggest security weakness is in the old electronics and sensors that control processes in infrastructure and industry.
Tell Your Friends
If you’re enjoying Mosaic’s independent news curation, forward it to a friend today. “Hey, instead of sifting through vendor marketing and duplicate news, I found this curated news feed from Mosaic Security Research. Check it out.”
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Drones shut down major international airport (Naked Security – Sophos, Dec 20 2018)
A drone operator has repeatedly flown two (UAVs close to the runway, grounding flights at the airport since last night.
5. In Project Maven’s Wake, the Pentagon Seeks AI Tech Talent (Wired, Dec 21 2018)
The Defense Department wants to use AI in warfare. In the aftermath of Project Maven, it still needs Big Tech’s help.
6. Amazon Slip-Up Shows How Much Alexa Really Knows (Dark Reading, Dec 21 2018)
Amazon mistakenly sent one user’s Alexa recordings to a stranger but neglected to disclose the error.
*Cloud Security, DevOps, AppSec*
7. MD5 and SHA-1 Still Used in 2018 (Schneier on Security, Dec 24 2018)
Last week, the Scientific Working Group on Digital Evidence published a draft document — “SWGDE Position on the Use of MD5 and SHA1 Hash Algorithms in Digital and Multimedia Forensics” — where it accepts the use of MD5 and SHA-1 in digital forensics applications
8. Automating a DevOps-Friendly Security Policy (Dark Reading, Dec 20 2018)
There can be a clash of missions between security and IT Ops teams, but automation can help.
9. Cybercriminals Host Malicious Payloads on Google Cloud Storage (SecurityWeek, Dec 19 2018)
A malicious email campaign targeting employees of banks and financial services companies in the United States and the United Kingdom has been abusing Google Cloud Storage for payload delivery, Menlo Labs security researchers say.
*Identity Mgt & Web Fraud*
10. The bleak picture of 2FA adoption in the wild (Elie Bursztein, Dec 21 2018)
This post looks at two-factor authentication adoption in the wild, highlights the disparity of support between the various categories of websites, and illuminates how fragmented the two factor ecosystem is in terms of standard adoption.
11. Privacy Law Showdown Between Congress and Tech Looms in 2019 (Wired, Dec 27 2018)
Lawmakers spend the better part of 2018 talking tough to tech companies. Now the pressure is on for Congress to act.
12. Dirty dealing in the $175 billion Amazon Marketplace (The Verge, Dec 27 2018)
A rival had framed Plansky for buying five-star reviews, a high crime in the world of Amazon. The funds in his account were immediately frozen, and his listings were shut down. Getting his store back would take him on a surreal weeks-long journey through Amazon’s bureaucracy, one that began with the click of a button at the bottom of his suspension message that read “appeal decision.”
13. US Indicts 2 APT 10 Members for Years-Long Hacking Campaign (Dark Reading, Dec 21 2018)
In an indictment unsealed this morning, the US ties China’s state security agency to a widespread campaign of personal and corporate information theft.
14. The Most-Read Security Stories of 2018 (Wired, Dec 27 2018)
This year saw the most devastating cyberattack in history, a gang of teen hackers, and so much Mueller news.
15. NIST Risk Management Framework 2.0 Updates Cyber-Security Policy (eWEEK, Dec 21 2018)
The final version of the NIST Risk Management Framework 2.0 is now available, providing government agencies and commercial enterprises alike with new guidance that aligns risk, privacy and cyber-security controls.