15 Bullet Friday – The Best Security News of the Week – 2019.03.01

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Google: Software is never going to be able to fix Spectre-type bugs (Ars Technica, Feb 23 2019)
Researchers also devise a Spectre-like attack with no known mitigation.

2. To Mitigate Advanced Threats, Put People Ahead of Tech (Dark Reading, Feb 22 2019)
Preventative technologies are only part of the picture and often come at the expense of the humans behind them.

3. Critical Drupal Vulnerability Allows Remote Code Execution (SecurityWeek, Feb 21 2019)
Security updates released on Wednesday for the Drupal content management system (CMS) patch a “highly critical” vulnerability that can be exploited for remote code execution.


8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favorite way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras



*AI, IoT, & Mobile Security*
4. Reverse Location Search Warrants (Schneier on Security, Feb 21 2019)
The police are increasingly getting search warrants for information about all cell phones in a certain location at a certain time: Police departments across the country have been knocking at Google’s door for at least the last two years with warrants to tap into the company’s extensive stores of cellphone location data. Known as “reverse location search warrants,” these legal mandates allow law enforcement to sweep up the coordinates and movements of every cellphone in a broad area.

5. Facebook apps secretly sending sensitive data back to the mothership (Naked Security – Sophos, Feb 26 2019)
New York governor Andrew Cuomo has ordered an investigation into how Facebook is still allowing blabby apps to violate its privacy policies.

6. Android Is Helping Make Passwords Obsolete on a Billion Devices (Wired, Feb 25 2019)
By officially embracing the FIDO2 standard, Android will soon let you log into sites and services without having to remember a password.

*Cloud Security, DevOps, AppSec*
7. Hackers Can Slip Invisible Malware into ‘Bare Metal’ Cloud Computers (Wired, Feb 26 2019)
Researchers point to a tough-to-fix problem in some cloud computing setups: hackable firmware.

8. Experts Find Serious Problems With Switzerland’s Online Voting System (Motherboard, Feb 22 2019)
The public penetration test doesn’t begin until next week, but experts who examined leaked code for the Swiss internet voting system say it’s poorly designed and makes it difficult to audit the code for security and configure it to operate securely.

9. Flash “security bypass” list hidden in Microsoft Edge browser (Naked Security – Sophos, Feb 22 2019)
Until this month, the Edge browser could bypass its own warnings about Flash content on 58 websites, thanks to a hidden list.

*Identity Mgt & Web Fraud*
10. As 5G Technology Expands, So Do Concerns Over Privacy (WSJ, Feb 28 2019)
“Because 5G doesn’t penetrate walls very well, you’re going to see a lot more indoor towers,” Steve Bellovin, a professor of computer science at Columbia University who previously worked at Bell Labs and AT&T Labs Research, tells WSJ. Location tracking will be more precise, he said.

11. Researchers Propose New Approach to Address Online Password-Guessing Attacks (Dark Reading, Feb 21 2019)
Both attackers and legitimate users can fail a login attempt. “However, legit users fail maybe 5% or so of the time, while an attacker who is guessing fails [over] 99% of the time,” he says.

12. Attacking Soldiers on Social Media (Schneier on Security, Feb 26 2019)
This is the future of warfare. It’s one of the reasons China stole all of that data from the Office of Personnel Management. If indeed a country’s intelligence service was behind the Equifax attack, this is why they did it.

*CISO View*
13. DNC issues cybersecurity guidance for 2020 election (SC Magazine, Feb 25 2019)
“The checklist is exactly that: a list of steps you can complete and then check off,” DNC CSO Bob Lord said in a blog post. “The goal is to print it out, and run through it line by line.”

14. ICANN calls for wholesale DNSSEC deployment (Help Net Security, Feb 25 2019)
In light of the recent DNS hijacking attacks, the Internet Corporation for Assigned Names and Numbers (ICANN) is urging domain owners and DNS services to implement DNSSEC post-haste.

15. Former Russian Cybersecurity Chief Sentenced to 22 Years in Prison (Krebs on Security, Feb 26 2019)
“A Russian court has handed down lengthy prison terms for two men convicted on treason charges for allegedly sharing information about Russian cybercriminals with U.S. law enforcement officials. The men — a former Russian cyber intelligence official and an executive at Russian security firm Kaspersky Lab — were reportedly prosecuted for their part in an investigation into Pavel Vrublevsky, a convicted cybercriminal who ran one of the world’s biggest spam networks and was a major focus of my 2014 book, Spam Nation.”
