The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. DHS Issues Emergency Directive on DNS Security (Dark Reading, Jan 23 2019)
All government domain owners are instructed to take immediate steps to strengthen the security of their DNS servers following a successful hacking campaign.
2. After Eight Years, Metasploit Gets Its First Major Update (Dark Reading, Jan 24 2019)
Metasploit 5.0 offers a host of service-oriented features, along with a new commitment from Rapid7 for regular releases.
3. Hacking the GCHQ Backdoor (Schneier on Security, Jan 25 2019)
“Last week, I evaluated the security of a recent GCHQ backdoor proposal for communications systems. Furthering the debate, Nate Cardozo and Seth Schoen of EFF explain how this sort of backdoor can be detected:”
8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favorite way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. FaceTime bug allows you to listen remotely – Group Facetime Disabled (The Verge, Jan 29 2019)
If the recipient dismisses, it will also share video without answering
5. Hacker Demos Jailbreak of iOS on iPhone X (Infosecurity Magazine, Jan 23 2019)
A Qihoo360 researcher reveals the PoC of a bug used to jailbreak the latest version of the iOS system.
6. Hacking Construction Cranes – Schneier on Security (Schneier on Security, Jan 25 2019)
The core of the problem lies in how, instead of depending on wireless, standard technologies, these industrial remote controllers rely on proprietary RF protocols, which are decades old and are primarily focused on safety at the expense of security. It wasn’t until the arrival of Industry 4.0, as well as the continuing adoption of the industrial internet of things (IIoT), that industries began to acknowledge the pressing need for security.
*Cloud Security, DevOps, AppSec*
7. Millions of bank loan and mortgage documents have leaked online (TechCrunch, Jan 30 2019)
A trove of more than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the biggest banks in the U.S., has been found online after a server security lapse.
8. Massive mortgage and loan data leak gets worse as original documents also exposed (TechCrunch, Jan 30 2019)
It turns out that data was exposed again — but this time, it was the original documents. Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server to see — and download — the files stored inside.
9. Aligning to the NIST Cybersecurity Framework in the AWS Cloud (AWS Security Blog, Jan 24 2019)
The updated guide, NIST Cybersecurity Framework (CSF): Aligning to the NIST CSF in the AWS Cloud, is designed to help commercial and public sector entities of any size and in any part of the world align with the CSF by leveraging AWS services and resources.
*Identity Mgt & Web Fraud*
10. Facebook pays teens to install VPN that spies on them (TechCrunch, Jan 29 2019)
Desperate for data on its competitors, Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August.
11. Taxpayers Demand HMRC Deletes Voice IDs (Infosecurity Magazine, Jan 28 2019)
Over 160,000 UK taxpayers have demanded that the HMRC delete biometric voice recordings collected without their informed consent.
12. Internet Society Publishes Privacy Code of Conduct (SecurityWeek, Jan 30 2019)
The Internet Society published on Monday (International Privacy Day) its Privacy Code of Conduct (PDF) — nine steps that all companies should take to ensure data privacy.
13. Ex-NSA cyberspies reveal how they helped hack foes of UAE (Reuters, Jan 30 2019)
Reuters reveals how a UAE surveillance operation, staffed by former U.S. cyber-agents, spied on dissidents, rivals and Americans. Inside ‘Project Raven.’
14. Where To Begin With MITRE ATT&CK Matrix (SecurityWeek, Jan 28 2019)
To take advantage of ATT&CK, you must accept and prioritize the importance of visibility within your security operation. Visibility is a word we hear commonly in security, and for good reason. You don’t find what you can’t look for.
15. Google says sorry for pulling a Facebook with monitoring program (Naked Security – Sophos, Feb 01 2019)
It was using the same Apple enterprise back door as Facebook to get its market research done, but it owned up and backed off.