The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Marriott Sheds New Light on Massive Breach (Dark Reading, Jan 04 2019)
New information on the Starwood breach shows that the overall breach was somewhat smaller than originally announced, but the news for passport holders is worse.

2. Researchers Fool ReCAPTCHA With Google’s Own Speech-To-Text Service (Motherboard, Jan 04 2019)
The new method has a 90 percent success rate at tricking the robot into thinking it’s human.

3. One of the West’s biggest cybersecurity vulnerabilities is our idiotic habit of sending servers full of sensitive information to foreign countries (Business Insider, Jan 06 2019)
Western companies routinely sell their old tech hardware to private companies in foreign countries, without wiping the sensitive data on them first.

Tell Your Friends
If you’re enjoying Mosaic’s independent news curation, forward it to a friend today. “Hey, instead of sifting through vendor marketing and duplicate news, I found this curated news feed from Mosaic Security Research. Check it out.”
Thanks! – Lucas Samaras

*AI, IoT, & Mobile Security*
4. You Can Now Get $1 Million For Hacking WhatsApp and iMessage (Motherboard, Jan 07 2019)
Companies that buy and sell exploits, or zero-days, are now willing to offer six figures for hacks that allow spies and cops to steal WhatsApp, iMessage and other chat app messages.

5. A photo will unlock many Android phones using facial recognition (Naked Security – Sophos, Jan 08 2019)
How easy is it to bypass the average smartphone’s facial recognition security? In the case of Android, a lot easier than owners may think.

6. Machine Learning to Detect Software Vulnerabilities (Schneier on Security, Jan 08 2019)
“No one doubts that artificial intelligence (AI) and machine learning (ML) will transform cybersecurity. We just don’t know how, or when. While the literature generally focuses on the different uses of AI by attackers and defenders -- and the resultant arms race between the two -- I want to talk about software vulnerabilities.”

*Cloud Security, DevOps, AppSec*
7. The State of Web Application Vulnerabilities in 2018 (Imperva, Jan 09 2019)
“As we did last year, we took a look back at 2018 to understand the changes and trends in web application security over the past year… The dominant category this year was by far injections, with 19% (3,294) out of the total vulnerabilities of 2018, which is also a 588% increase from last year. When talking about injection vulnerabilities, the first thing that jumps to mind is SQL injections. When drilling down the data, however, we saw remote command execution (RCE) emerge as the bigger issue, with 1,980 vulnerabilities (11.5%), compared to 1,354 vulnerabilities (8%) for SQLi.”

8. Rise of DevOps exposes organizations to risk via container vulnerabilities (Help Net Security, Jan 08 2019)
60 percent of respondents to a Tripwire and Dimensional Research study reported their organizations have experienced container security incidents in the past year. Yet, of the 269 respondents who currently have containers in production, 47 percent said they deployed containers known to have vulnerabilities, while 46 percent admitted they deployed containers without knowing whether or not they had vulnerabilities.

9. GitHub Free users now get unlimited private repositories (TechCrunch, Jan 07 2019)
If you’re a GitHub user, but you don’t pay, this is a good week. Historically, GitHub always offered free accounts but the caveat was that your code had to be public. To get private repositories, you had to pay. Starting tomorrow, that limitation is gone. Free GitHub users now get unlimited private projects with up […]

*Identity Mgt & Web Fraud*
10. I Gave a Bounty Hunter $300. Then He Located Our Phone (Motherboard, Jan 08 2019)
T-Mobile, Sprint, and AT&T are selling access to their customers’ location data, and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country.

11. A YubiKey for iOS Will Soon Free Your iPhone From Passwords (Wired, Jan 08 2019)
Yubico has finally gotten the green light from Apple to make a hardware authentication token that works on iPhones and iPads.

12. Managing identity and access management in uncertain times (CSO Online Identity Management, Jan 07 2019)
Emerging standards and frameworks such as Gartner CARTA, Zero Trust, NIST SP 800 and IDSA provide guidelines, but how organizations manage identity and access management in 2019 is what matters most.

*CISO View*
13. Credential stuffing attack prompts Reddit to force password reset (SC Magazine, Jan 10 2019)
Some Reddit users found themselves locked out of their own accounts earlier this week after an apparent credential stuffing attack compelled the popular website to invoke password security measures. An admin post published on Reddit’s Help subreddit this past Wednesday advises users that a “large group of accounts were locked down” due to anomalous activity…

14. Magecart Mayhem Continues in OXO Breach (Dark Reading, Jan 09 2019)
The home goods company confirmed users’ data may have been compromised during multiple time frames over a two-year period.

15. House Democrats’ first bill aims big on election security (Washington Post, Jan 07 2019)
House Democrats came out swinging on election security in their first bill of the new Congress on Friday, promising at least $120 million for new voting machines — so long as they use paper ballots rather than digital ones.