The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. How Microsoft found a Huawei driver that opened systems to attack (Ars Technica, Mar 29 2019)
Monitoring systems were looking for attacks using a technique popularized by the NSA.
2. A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach (Krebs on Security, Mar 29 2019)
“On Feb. 21, 2019, KrebsOnSecurity contacted Italian restaurant chain Buca di Beppo after discovering strong evidence that two million credit and debit card numbers belonging to the company’s customers were being sold in the cybercrime underground. Today, Buca’s parent firm announced it had remediated a 10-month breach of its payment systems at dozens of restaurants, including some locations of its other brands such as Earl of Sandwich and Planet Hollywood.”
3. ASUS pushes out urgent security update after attackers hacked its automatic Live Update tool (Tripwire, Mar 29 2019)
Taiwan-based technology giant ASUS is advising concerned customers to run a newly-created diagnostic tool on their Windows computers after hackers pushed out malware to what some security researchers have estimated to be as many as one million PCs using ASUS’s own Live Update software tool.
8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favorite way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Google AI Ethics Council Is Falling Apart After a Week (Bloomberg, Apr 01 2019)
Google recently appointed an external ethics council to deal with tricky issues in artificial intelligence. The group is meant to help the company appease critics while still pursuing lucrative cloud computing deals. In less than a week, the council is already falling apart, a development that may jeopardize Google’s chance of winning more military cloud-computing contracts.
5. Researchers Find Google Play Store Apps Were Actually Government Malware (Motherboard, Mar 29 2019)
Security researchers have found a new kind of government malware that was hiding in plain sight within apps on Android’s Play Store. And they appear to have uncovered a case of lawful intercept gone wrong.
6. NIST’s Ron Ross on the state of cyber: ‘We literally are hemorrhaging critical information’ (Fifth Domain, Apr 02 2019)
“So, if you’ve got a whizzbang application and you tell me it’s a trusted application, but it runs on an untrusted operating system, it’s game over. Any AI program that you’re running at the application level is totally going to be bogus information. You can’t trust it if the adversary’s already taken control of your system with a root kit. Now, if you can build a trusted platform and take advantage of artificial intelligence, machine learning, you’ve got a great brave new world there.”
*Cloud Security, DevOps, AppSec*
7. Exploring container security: the shared responsibility model in GKE (Google, Mar 29 2019)
This post is part of our blog post series on container security at Google. As newer infrastructure models emerge, though, it’s not always easy to figure out what you’re responsible for versus what’s the responsibility of the provider. In this blog post, we aim to clarify for Google Kubernetes Engine (GKE) what we do and don’t do—and where to look for resources to lock down the rest.
8. UK Watchdog Criticizes Huawei for Lax Software Security, Development (Dark Reading, Mar 29 2019)
Calling the company’s software development practices chaotic and unsustainable, a UK government oversight group calls on the company to make measurable progress toward more secure and sustainable code.
9. AWS releases new S3 storage for long-term data retention (Help Net Security, Mar 31 2019)
At just $0.00099 per GB-month (less than one-tenth of one cent, or $1 per TB-month), S3 Glacier Deep Archive offers the lowest cost storage in the cloud, at prices significantly lower than storing and maintaining data in on-premises magnetic tape libraries or archiving data off-site.
*Identity Mgt & Web Fraud*
10. Facebook Demanded User Email Passwords (SecurityWeek, Apr 04 2019)
Facebook has been found asking users for their email passwords. A screen form told users that their email address needed to be confirmed in order to update their contact information, and suggested that it could be done via gmx.net. All the user needed to do was enter their email account password into the Facebook form.
11. Password checkup: from 0 to 650,000 users in 20 days (Elie Bursztein with Kurt Thomas, Mar 31 2019)
On February 5th, for Safer Internet Day, our team launched its first public-facing system, called Password Checkup. Password checkup allows users to check, in a privacy-preserving manner, whether their username and password matches one of the more than 4B+ credentials exposed by third-party data breaches of which Google is aware.
12. Okta unveils $50M in-house venture capital fund (TechCrunch, Apr 03 2019)
Okta Ventures wants to fund the next generation of identity, security and privacy startups.
13. Facebook Boss Calls for Greater Internet Regulation (Infosecurity Magazine, Apr 01 2019)
Zuckerberg pre-empts government intervention with his own suggestions
14. Towards better vendor security assessments (Dropbox Tech Blog, Apr 01 2019)
“[W]e’re sharing the results of an experiment to improve vendor security assessments—directly codifying reasonable security requirements into our vendor contracts. We’re also sharing our model security legal terms and making them freely available for anyone to use and modify. We hope that more companies adopting this approach will help incentivize vendors to prioritize security and lead to broader security improvements among vendors. Would Dropbox sign these security terms when we are the vendor in question? Of course! We can only demand our vendors commit to a top-tier security posture if we have done the same ourselves.”
15. Chinese woman arrested with malware-laced thumb drive after illegally entering Mar-a-Lago (SC Magazine, Apr 03 2019)
A Chinese national was arrested after she illegally entered President Trump’s Mar-a-Lago resort in Florida March 30 and was found to be carrying a thumb drive containing malware as well as a laptop, a “hard drive type” device and four cell phones.