The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. The new ways we could get hacked (and defended) in 2019 (Fast Company, Jan 07 2019)
Experts from the NSA and Darktrace discuss AI, invisible security, and why you really need to change your passwords.
2. US Shutdown Plays into Hackers’ Hands (Infosecurity Magazine, Jan 11 2019)
Expired web certificates expose users to man-in-the-middle attacks
3. Security Vulnerabilities in Cell Phone Systems (Schneier on Security, Jan 10 2019)
“Good essay on the inherent vulnerabilities in the cell phone standards and the market barriers to fixing them. So far, industry and policymakers have largely dragged their feet when it comes to blocking cell-site simulators and SS7 attacks.”
Tell Your Friends
If you’re enjoying Mosaic’s independent news curation, forward it to a friend today. “Hey, instead of sifting through vendor marketing and duplicate news, I found this curated news feed from Mosaic Security Research. Check it out.”
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. 2019 Mobile Threat Predictions – Smishing (Avast Blog, Jan 15 2019)
Smishing is phishing via SMS with the goal of encouraging victims either into giving up personal information or installing spyware. We now expect smishing to become a major new attack vector when it comes to delivering mobile malware on both iOS and Android operating systems.
5. Some Android apps are secretly sharing your data with Facebook (Naked Security – Sophos, Jan 09 2019)
Apps have been secretly sharing usage data with Facebook, even when users are logged out – or don’t have an account at all.
6. Facial and emotional recognition; how one man is advancing artificial intelligence (CBS News, Jan 14 2019)
Scott Pelley reports on the developments in artificial intelligence brought about by venture capitalist Kai-Fu Lee’s investments and China’s effort to dominate the AI field.
*Cloud Security, DevOps, AppSec*
7. MIT Report: Fixing a Hole: The Labor Market for Bugs (Infosecurity Magazine, Jan 15 2019)
The top seven participants in the Facebook program studied made just $34,255 per year from an average of 0.87 bugs per month, while from the HackerOne dataset it was estimated that they made just $16,544 from 1.17 bugs per month.
8. More .gov Domains Hit by Government Shutdown (SecurityWeek, Jan 16 2019)
The number of US government domains for which TLS certificates were left to expire due to the government shutdown has now exceeded 130, UK-based cybersecurity solutions provider Netcraft reported on Wednesday.
9. New AWS services launch with HIPAA, PCI, ISO, and SOC – a company first (AWS Security Blog, Jan 10 2019)
“For the first time, we’ve launched new Generally Available services with PCI DSS, ISO 9001/27001/27017/27018, SOC 2, and HIPAA eligibility. That means customers who rely on or require these compliance programs can select from 10 brand new services right away, without having to wait for one or more trailing audit cycles.”
*Identity Mgt & Web Fraud*
10. The 773 Million Record “Collection #1” Data Breach (Troy Hunt, Jan 16 2019)
Many people will land on this page after learning that their email address has appeared in a data breach I’ve called “Collection #1”. Most of them won’t have a tech background or be familiar with the concept of credential stuffing, so I’m going to write this post for the masses.
11. US Judge: Police Can’t Force Biometric Authentication (Dark Reading, Jan 15 2019)
Law enforcement cannot order individuals to unlock devices using facial or fingerprint scans, a California judge says.
12. AT&T says it’ll stop selling location data amid calls for federal investigation (Philly, Jan 11 2019)
AT&T said Thursday that it will stop selling its customers’ location data to third-party service providers after a report this week said the information was winding up in the wrong hands.
13. 773M Password ‘Megabreach’ is Years Old (Krebs on Security, Jan 17 2019)
“…in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.”
14. The American Military Sucks at Cybersecurity (Motherboard, Jan 15 2019)
A new report from US military watchdogs outlines hundreds of cybersecurity vulnerabilities.
15. Prices for Zero-Day Exploits Are Rising (Schneier on Security, Jan 17 2019)
“There is no doubt that the U.S. Government could openly corner the world vulnerability market,” said Geer, “that is, we buy them all and we make them all public. Simply announce ‘Show us a competing bid, and we’ll give you [10 times more].’”