The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Malware may have thwarted printing of Southern California newspapers (NBC News, Dec 30 2018)
“Some customers may not have received their paper,” the Los Angeles Times said in a statement.
2. Siren bot uses 10 methods to send DoS attacks (SC Media, Dec 28 2018)
Zscaler ThreatLabZ researchers identified a new DoS bot family named Siren that uses 10 different DoS methods to carry out attacks. The bot is capable of carrying out HTTP, HTTPS, and UDP flooding on any web server location as instructed by the command-and-control (C&C) server, according to a Dec. 21 blog post.
3. Leaked Documents Show How Instagram Polices Stories (Motherboard, Dec 31 2018)
Motherboard has obtained internal documents that show how Instagram moderators grapple to police the service’s popular Stories feature.
Tell Your Friends
If you’re enjoying Mosaic’s independent news curation, forward it to a friend today. “Hey, instead of sifting through vendor marketing and duplicate news, I found this curated news feed from Mosaic Security Research. Check it out.”
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Amazon Sent 1,700 Alexa Recordings to the Wrong Person (Motherboard, Dec 20 2018)
Home assistants are continuously recording and constantly uploading details of your everyday life, and sometimes, these recordings can end up in the wrong hands.
5. Toxic Data: How ‘Deepfakes’ Threaten Cybersecurity (Dark Reading, Dec 27 2018)
The joining of ‘deep learning’ and ‘fake news’ makes it possible to create audio and video of real people saying words they never spoke or things they never did.
6. We Asked a Hacker Who Spoke to a Guy Through His Nest Cam Why He Did It (Motherboard, Dec 21 2018)
The Anonymous Calgary Hivemind has been systematically hacking into smart home security cameras to warn their owners.
*Cloud Security, DevOps, AppSec*
7. EU to Run Bug Bounty Programs for 14 Free Software Projects (SecurityWeek, Jan 02 2019)
The European Union is offering a total of more than €850,000 – nearly $1 million – for vulnerabilities found in 14 widely used free and open source software projects.
8. Distinguishing Between Cloud Washed and Cloud Native (DevOps, Jan 02 2019)
Cloudwashed solutions are legacy, on-premises software held in a virtualized data center and rebranded as cloud software. Such tools originally were not built for the cloud and do not satisfy the NIST definition of true cloud computing. While non-local hosting can reduce maintenance and server costs, by adopting cloudwashed services you sacrifice the benefits of cloud native.
9. Fuzzing Like It’s 1989 (Trail of Bits Blog, Dec 31 2018)
In this blog post, we are going to find bugs in modern versions of Ubuntu Linux using the exact same tools as described in the original fuzzing papers.
*Identity Mgt & Web Fraud*
10. Massive Ad Fraud Scheme Relied on BGP Hijacking (Schneier on Security, Dec 28 2018)
This is a really interesting story of an ad fraud scheme that relied on hijacking the Border Gateway Protocol: Members of 3ve (pronounced “eve”) used their large reservoir of trusted IP addresses to conceal a fraud that otherwise would have been easy for advertisers to detect. The scheme employed a thousand servers hosted inside data centers to impersonate real human beings who purportedly “viewed” ads that were hosted on bogus pages run by the scammers themselves — who then received a check from ad networks for these billions of fake ad impressions.
11. Credential Stuffing: Big Breaches Have Bot Attacks Ramping Up Fast (ThreatMetrix, Dec 20 2018)
These login credentials are dishearteningly easy to acquire, too. Leading up to the 2018 holiday season, for instance, stolen customer login credentials for major retailers were for sale on the dark web for between $1.20 to $6.00 each, accounting for 51% of all black market credentials. Social media logins, including instant messaging and dating sites, ranged between $1 to $10. Bank accounts and credit cards were going for $0.50 to $15.50. Once these credentials are harvested, they can be monetized.
12. The Future of Crime-Fighting Is Family Tree Forensics (WIRED, Jan 03 2019)
Genealogy is about to send a lot more people to jail.
13. Hackers Dump Personal Data of Hundreds of German Politicians (Bloomberg, Jan 04 2019)
Data was leaked over the past weeks via a Twitter account calling itself “G0d”.
14. The Dark Overlord Decrypts More 9/11 Insurance Files (Motherboard, Jan 04 2019)
After apparently raising thousands of dollars through a crowdfunding effort, The Dark Overlord have decrypted a set of the 9/11 attack connected litigation documents.
15. The Elite Intel Team Still Fighting Meltdown and Spectre (Wired, Jan 03 2019)
One year after a pair of devastating processor vulnerabilities were first disclosed, Intel’s still dealing with the fallout.