The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Crypto Mining Service Coinhive to Call it Quits (Krebs on Security, Feb 27 2019)
“Roughly one year ago, KrebsOnSecurity published a lengthy investigation into the individuals behind Coinhive[.]com, a cryptocurrency mining service that has been heavily abused to force hacked Web sites to mine virtual currency. On Tuesday, Coinhive announced plans to pull the plug on the project early next month.”
2. A third of 2018’s vulnerabilities have public exploits, 50% can be exploited remotely (Help Net Security, Mar 04 2019)
Over 22,000 new vulnerabilities were disclosed during 2018, according to Risk Based Security’s 2018 Year End Vulnerability QuickView Report. While approximately 33% of published vulnerabilities received a CVSSv2 score of 7 or above, the number of vulnerabilities scoring 9 or above declined for the third year in a row.
3. Commerce Department’s pitch at RSA: Companies should publish ‘ingredients’ for their technology (Washington Post, Mar 04 2019)
The government wants to sell industry on software transparency.
8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favorite way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. China’s Huawei has big ambitions to weaken the US grip on AI leadership (MIT, Mar 05 2019)
In spite of tensions with the US and its allies, Huawei is rapidly building a suite of AI offerings unmatched by any other company on the planet.
5. 1 Million Apps Patched in Android Security Improvement Program (Infosec Island, Mar 01 2019)
Over its five-year lifetime, the Android Application Security Improvement Program helped over 300,000 developers to fix more than 1,000,000 apps on Google Play, Google says.
6. DOD’s AI Strategy Aims to Preserve America’s Strategic Edge (WashingtonExec, Mar 05 2019)
“Failure to adopt AI will result in legacy systems irrelevant to the defense of our people, eroding cohesion among allies and partners, reduced access to markets that will contribute to a decline in our prosperity and standard of living, and growing challenges to societies that have been built upon individual freedoms,” it says.
*Cloud Security, DevOps, AppSec*
7. The patterns of elite DevSecOps practices (Help Net Security, Mar 05 2019)
– DevOps automation – Elite DevSecOps practices are 350% more likely to have fully integrated and automated security practices across the DevOps pipeline. They also have increased feedback loops that enable security issues to be identified directly from tools.
– Open source controls – 62% of respondents with elite programs have an open source governance policy in place, with automation improving adherence to it, compared to just 25% of those without DevOps practices.
– Container controls – 51% of respondents with elite practices say they leverage automated security products to identify vulnerabilities in containers, while only 16% of those without said the same thing.
– Training – Organizations with elite DevSecOps practices are 3x more likely to provide application security training to developers than those organizations without DevOps practices.
– Preparedness – 81% of those with elite practices have a cybersecurity response plan in place compared to 62% of those without DevOps practices.
8. Two White Hats Earn Over $1 Million via Bug Bounty Programs (SecurityWeek, Mar 01 2019)
Bug bounty platform HackerOne says two of its members have each earned more than $1 million by helping organizations find and fix vulnerabilities in their systems. (Note: Go back to the MIT Review report from Jan 15, which said “The top seven participants in the Facebook program studied made just $34,255 per year from an average of 0.87 bugs per month, while from the HackerOne dataset it was estimated that they made just $16,544 from 1.17 bugs per month.”)
9. Google reveals BuggyCow macOS security flaw (Naked Security – Sophos, Mar 06 2019)
Google’s Project Zero researchers have revealed a “high severity” macOS security flaw nicknamed ‘BuggyCow’ that Apple appears to be in no rush to patch.
*Identity Mgt & Web Fraud*
10. Trust, or Lack of It, Is a Key Theme on RSAC Keynote Stage (Dark Reading, Mar 05 2019)
Neither machines nor humans might be entirely trustworthy, but the cooperation of the two might be the answer to issues of misinformation, deep fake videos, and other issues of trust, say security leaders.
11. Facebook isn’t letting you opt-out of having people search for you by your phone number (Graham Cluley, Mar 04 2019)
If you really must use Facebook, don’t give it your phone number – not even for 2FA.
12. NSA might shut down phone snooping program, whatever that means (Naked Security – Sophos, Mar 07 2019)
We’ve heard this tale before. This time, it was mentioned by a congressional aide. Also, the NSA released Ghidra, a free reverse-engineering tool.
13. Huawei Sues US Government Over Ban (Infosecurity Magazine, Mar 07 2019)
Chinese telecoms kit maker brings out the big guns in escalating battle
14. As Trump and Kim Met, North Korean Hackers Hit Over 100 Targets in U.S. and Ally Nations (The New York Times, Mar 04 2019)
McAfee researchers watched, in real time, as the North Koreans attacked the networks of companies in the United States and around the globe.
15. Alphabet aims for Splunk in security startup’s coming-out party (MarketWatch, Mar 05 2019)
Alphabet Inc. announced its biggest thrust into the cybersecurity space Monday, as the Google parent company’s internal security startup, Chronicle, detailed a new big-data software offering similar to Splunk Inc.