The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. A Deep Dive on the Recent Widespread DNS Hijacking Attacks (Krebs on Security, Feb 18 2019)
“The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy. This post seeks to document the extent of those attacks, and traces the origins of this overwhelmingly successful cyber espionage campaign back to a cascading series of breaches at key Internet infrastructure providers.”

2. Forcing the Adversary to Pursue Insider Theft (TaoSecurity, Feb 09 2019)
We sought to make digital intrusions more expensive than physical intrusions. In other words, we wanted to make it easier for the adversary to accomplish his mission using insiders. We wanted to make it more difficult for the adversary to accomplish his mission using our network. In a cynical sense, this makes security someone else’s problem. Suddenly the physical security team is dealing with the worst of the worst! This is a win for everyone, however.

3. Winning Systems & Security Practitioners 7. Attack Surface Reduction (Nick Hutton’s Blog, Feb 17 2019)
“This post is about is about minimising your attack surface. In it I explain what this means and why it may be our best hope for reducing vulnerability in practice. Finally I’ll tell you what the world might look like if we took this winning system to its ultimate logical conclusion. “

8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favority way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras

Share on Twitter Facebook LinkedIn

*AI, IoT, & Mobile Security*
4. China Facial Recognition Database Leak Sparks Fears (Forbes, Feb 19 2019)
The news is a concern – and not just for the millions affected in China. Chinese surveillance isn’t like anything we have seen in the Western World: the country has a social credit score system and it’s using facial recognition for everything from policing to tracking people’s movements to predict crime, as seen in the film Minority Report.

5. Apple App Store stuffed with hardcore porn and gambling apps (Naked Security – Sophos, Feb 14 2019)
The apps, which violate content policies, got in there via the same Enterprise Certificate program that Facebook and Google exploited.

6. How we fought bad apps and malicious developers in 2018 (Android Developers Blog, Feb 19 2019)
“In 2018, we introduced a series of new policies to protect users from new abuse trends, detected and removed malicious developers faster, and stopped more malicious apps from entering the Google Play Store than ever before. The number of rejected app submissions increased by more than 55 percent, and we increased app suspensions by more than 66 percent.”

*Cloud Security, DevOps, AppSec*
7. Apple fighting pirate app developers, will insist on 2FA for coders (Sophos, Feb 15 2019)
Are you an Apple developer? Care about security? Using 2FA? You will be soon…

8. Switzerland offers cash for finding security holes in its e-voting system (WeLiveSecurity, Feb 19 2019)
The ‘public intrusion test’ is starting on February 25 and will run until March 24, when the would-be ballot box will be decrypted and opened, according to this announcement on the blog of Swiss Post, which operates the system.

9. Chef Habitat and the runC vulnerability (CVE-2019-5736) (Chef Blog, Feb 13 2019)
“An article was shared yesterday detailing a runC vulnerability that affects Docker and Kubernetes where a malicious container can overwrite a host system’s runC binary, thus allowing root-level code execution on the host. This is an operations nightmare and it made me think of how Chef Habitat can help in these situations. I’d like to give a high-level overview of how to apply defense-in-depth philosophy with Habitat and help you prevent or address these kinds of vulnerabilities in the future.”

*Identity Mgt & Web Fraud*
10. Account security – a divided user perception (Elie Bursztein, Feb 18 2019)
This post considers the perception clash that exists between what users perceive to be their most valuable accounts (email and social networks) and those they think they should protect the most (online banking).

11. Mega-crackers back with nearly 100 million new stolen data records (Naked Security – Sophos, Feb 18 2019)
Sounds like the crooks who tried to sell more than 600 million records last week are back with nearly 100 million more…

12. US Facebook Fine Over Privacy Could Be in Billions: Reports (SecurityWeek, Feb 18 2019)
A US investigation into privacy violations by Facebook could result in a record fine running to billions of dollars, media reports said Friday.

*CISO View*
13. Russian Hackers Go From Foothold to Full-On Breach in 19 Minutes (Wired, Feb 19 2019)
A new ranking of nation-state hacker speed puts Russia on top by a span of hours.

14. Australia’s major political parties hacked in ‘sophisticated’ attack ahead of election (The Sydney Morning Herald, Feb 19 2019)
Prime Minister Scott Morrison has revealed that major political parties were hacked alongside the parliamentary computer network several weeks ago by a “sophisticated state actor”.

15. New Breed of Fuel Pump Skimmer Uses SMS and Bluetooth (Krebs on Security, Feb 21 2019)
“Fraud investigators say they’ve uncovered a sophisticated new breed of credit card skimmers being installed at gas pumps that is capable of relaying stolen card data via mobile text message. KrebsOnSecurity has since learned those claims simply don’t hold water.”