The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Taking Advantage of Network Segmentation in 2019 (Infosec Island, Jan 16 2019)
Here’s how organizations can get started with network segmentation – including some potential issues to plan for and successfully avoid.
2. Windows 10 October 2018 Update is at last being pushed automatically (Ars Technica, Jan 17 2019)
The update is still rolling out at a snail’s pace.
3. 43% of businesses are still running Windows 7, security threats remain (Help Net Security, Jan 15 2019)
With one year to go until Microsoft ends support for its ten-year-old operating system Windows 7, as many as 43% of enterprises are still running the outdated platform. Kollective’s research found that nearly a fifth (17%) of IT departments don’t know when the end of support deadline is, while 6% are aware of the end of support but are yet to start planning for their migration away from Windows 7.
Tell Your Friends
If you’re enjoying Mosaic’s independent news curation, forward it to a friend today. “Hey, instead of sifting through vendor marketing and duplicate news, I found this curated news feed from Mosaic Security Research. Check it out.”
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Google Play malware used phones’ motion sensors to conceal itself (Ars Technica, Jan 17 2019)
To evade analysis in emulators, which report no physical movement, the banking trojan would trigger only when the infected device moved.
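The evasion technique above, as an added example that is not code from the Ars Technica article or from the malware it describes: a motion gate that arms only when accelerometer readings vary, beside the sandbox countermeasure of feeding synthetic jitter into the sensor stream so the sample detonates under analysis. The sensor traces, the variance metric and the 0.01 threshold are constructed assumptions for illustration.

```python
import math
import random
import statistics

# Constructed accelerometer traces (x, y, z in m/s^2).  An idle emulator
# typically reports a constant gravity vector; a phone in a hand or pocket
# shows continuous small variations.  These are illustrative, not captured.
STATIC_EMULATOR_TRACE = [(0.0, 0.0, 9.81)] * 50


def handheld_trace(n=50, seed=1):
    """Constructed trace imitating a phone carried by a person (assumed noise)."""
    rng = random.Random(seed)
    return [
        (rng.gauss(0.0, 0.8), rng.gauss(0.0, 0.8), rng.gauss(9.81, 0.8))
        for _ in range(n)
    ]


def motion_energy(samples):
    """Population variance of acceleration magnitude over the window.

    Using the magnitude rather than the raw axes makes the metric
    orientation-independent: a phone lying still on a tilted desk still
    scores zero, while any real handling scores well above it.
    """
    mags = [math.sqrt(x * x + y * y + z * z) for x, y, z in samples]
    return statistics.pvariance(mags)


def passes_motion_gate(samples, threshold=0.01):
    """The evasion check: report 'real device' only when motion is seen.

    A trojan wired this way stays dormant under a static emulator and
    arms its payload only after the gate returns True.  The threshold is
    an assumed value chosen so sensor quantisation noise alone does not pass.
    """
    return motion_energy(samples) > threshold


def sandbox_with_synthetic_motion(samples, jitter=0.3, seed=7):
    """Analyst countermeasure: overlay plausible jitter on the sensor feed.

    A sandbox that replays a static gravity vector is fingerprinted by the
    gate above; injecting Gaussian noise (assumed sigma in m/s^2) defeats a
    variance-based check so the payload executes during analysis.
    """
    rng = random.Random(seed)
    return [
        (x + rng.gauss(0.0, jitter), y + rng.gauss(0.0, jitter), z + rng.gauss(0.0, jitter))
        for x, y, z in samples
    ]


if __name__ == "__main__":
    for label, trace in (
        ("static emulator", STATIC_EMULATOR_TRACE),
        ("handheld phone", handheld_trace()),
        ("emulator + synthetic motion", sandbox_with_synthetic_motion(STATIC_EMULATOR_TRACE)),
    ):
        print(f"{label:28s} energy={motion_energy(trace):.4f} armed={passes_motion_gate(trace)}")
```

The point for defenders is that any single environmental signal used as a gate is cheap for an analysis platform to fake once it is known; the durable detection is the presence of the gate itself (sensor registration with no UI purpose) rather than the behaviour it hides.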
5. Researcher shows how popular app ES File Explorer exposes Android device data (TechCrunch, Jan 16 2019)
Why is one of the most popular Android apps running a hidden web server in the background? ES File Explorer claims it has more than 500 million downloads under its belt since 2014, making it one of the most used apps to date. Its simplicity makes it what it is: a simple file explorer that lets you browse through your Android phone or tablet’s file system for files, data, documents and more.
6. Researchers discover state actor’s mobile malware efforts because of YOLO OPSEC (Ars Technica, Jan 22 2019)
A nation-state’s hacking operations were exposed by WhatsApp and other communications uploaded from their own phones during malware testing, Lookout researchers revealed on January 19 at the Shmoocon security conference in Washington, DC.
*Cloud Security, DevOps, AppSec*
7. Online casino group leaks information on 108 million bets, user details (ZDNet, Jan 23 2019)
The server is now down, but it is unclear whether the cloud provider took it down or whether the parent company knows it leaked user details in the first place.
8. Protecting privileged access in DevOps and cloud environments (Help Net Security, Jan 18 2019)
While security strategies should address privileged access and the risk of unsecured secrets and credentials, they should also closely align with DevOps culture and methods to avoid negatively impacting developer velocity and slowing the release of new services.
9. Microsoft launches Azure DevOps bug bounty program (Help Net Security, Jan 21 2019)
Microsoft has launched yet another bug bounty program and is urging security researchers to look into the security of Azure DevOps, its cloud service for collaborating on code development.
*Identity Mgt & Web Fraud*
10. Bomb Threat, Spammers Abused Weakness at GoDaddy.com (Krebs on Security, Jan 22 2019)
“Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned.”
11. Facebook Shuts Hundreds of Russia-Linked Pages, Accounts for Disinformation (Dark Reading, Jan 17 2019)
Facebook says the accounts and pages were part of two unrelated disinformation operations aimed at targets outside the US.
12. Google Made a Quiz to See if You Can Identify Phishing Emails (Motherboard, Jan 22 2019)
Google’s Jigsaw has a new quiz to test your ability to distinguish phishing emails from regular, benevolent ones.
13. How the U.S. Govt. Shutdown Harms Security (Krebs on Security, Jan 23 2019)
“The ongoing partial U.S. federal government shutdown is having a tangible, negative impact on cybercrime investigations, according to interviews with federal law enforcement investigators and a report issued this week by a group representing the interests of FBI agents. Even if lawmakers move forward on new proposals to reopen the government, sources say the standoff is likely to have serious repercussions for federal law enforcement agencies for years to come.”
14. Industry reactions to Google’s €50 million GDPR violation fine (Help Net Security, Jan 22 2019)
On 21 January 2019, the French National Data Protection Commission (CNIL) imposed a financial penalty of €50 million against Google, in accordance with the GDPR. This is the first time the CNIL has applied the new sanction limits provided by the GDPR. The amount decided and the publicity of the fine are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent. Here are some reactions …
15. The 5 Stages of CISO Success, Past & Future (Dark Reading, Jan 25 2019)
In cybersecurity, as in history, security leaders who forget the lessons of the past will be doomed to repeat them.