The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Facebook Mistakenly Stored ‘Hundreds of Millions’ of User Passwords as Plaintext (Motherboard, Mar 21 2019)
The social network confirmed a massive mistake that exposed millions of passwords. But, the company said, no passwords were exposed to people outside of Facebook.
2. Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers (Motherboard, Mar 25 2019)
The Taiwan-based tech giant ASUS is believed to have pushed malware to hundreds of thousands of customers through its trusted automatic software update tool, after attackers compromised the company’s update server and used it to distribute the malicious update.
3. Thousands of API and cryptographic keys leaking on GitHub every day (Naked Security – Sophos, Mar 25 2019)
Researchers have found that one of the most popular source code repositories in the world is still housing thousands of publicly accessible user credentials.
8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favorite way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. An Android Vulnerability Went Unfixed for Over Five Years (Wired, Mar 20 2019)
Older Android devices—of which there are over 100 million still in use—will remain exposed.
5. Triton and the new wave of IIoT security threats (Network World Security, Mar 22 2019)
Triton malware, which can shut down industrial safety systems, causing damage to facilities and threatening human life, targets the industrial internet of things.
6. The privacy risks of pre-installed software on Android devices (Help Net Security, Mar 22 2019)
The study encompasses 82,000 pre-installed apps in more than 1,700 devices manufactured by 214 brands, revealing the existence of a complex ecosystem of manufacturers, mobile operators, app developers and providers, with a wide network of relationships between them. This includes specialized organizations in user monitoring and tracking and in providing Internet advertising.
*Cloud Security, DevOps, AppSec*
7. A cybersecurity strategy to thwart advanced attackers (AWS Security Blog, Mar 21 2019)
AWS has released two new whitepapers to help customers plan and implement a strategy that has helped many organizations protect, detect, and respond to modern-day attacks.
8. Casino Screwup Royale: A tale of “ethical hacking” gone awry (Ars Technica, Mar 26 2019)
“Ethical hackers” tried to disclose problems to a casino software company—it got messy.
9. Best Practices for Implementing a Secure Application Container Architecture (Cloud Security Alliance, Mar 26 2019)
This document serves to identify recommendations and best practices to address the challenges in securing application containers in the engineering of trustworthy secure systems through the lens of the Developer, Operator and Architect.
*Identity Mgt & Web Fraud*
10. Workers Push Back as Companies Gather Fingerprints and Retina Scans (WSJ, Mar 28 2019)
Employees are challenging the increased use of fingerprint and facial scans by companies for security purposes and personnel management.
11. Is your e-commerce site being used to test stolen card data? (Naked Security – Sophos, Mar 28 2019)
If you’re running Magento you should be on the lookout for hackers testing stolen card data – it could get your PayPal account suspended.
12. On the Trail of the Robocall King (Wired, Mar 25 2019)
An investigator set out to discover the source of one scammy robocall. Turns out, his target made them by the millions.
13. DLA Piper and its insurers clash over multi-million NotPetya payout (Graham Cluley, Mar 25 2019)
The multinational law firm was hit in the crossfire as Russia-backed ransomware spread, and insurer Hiscox is reportedly declining to pay up, citing an “act of war”.
14. Attack Surface Reduction By Dynamic Compilation (Nick Hutton’s Blog, Mar 21 2019)
Lines of code you’ll never use in your environment have no value. Worse than that, they’re just a source of vulnerability. Isn’t it time you evolved?
15. Norsk Hydro May Have Lost $40M in First Week After Cyberattack (SecurityWeek, Mar 26 2019)
Norwegian aluminum giant Norsk Hydro estimates that it may have lost more than $40 million in the first week following the ransomware attack that disrupted its operations.