The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. ‘Brazen’ nation-state actors behind ‘Sea Turtle’ DNS hijacking campaign (SC Magazine, Apr 18 2019)
Primarily targeting the Middle East and North Africa, the attackers are looking to harvest credentials that grant them access to sensitive networks belonging to national institutions such as intelligence agencies, military units and ministries of foreign affairs, as well as energy organizations. But in order to compromise these victims, the perpetrators typically first compromise their third-party internet and DNS service providers, such as telecommunications firms, ISPs, IT firms, registrars and registries.
2. Hacker Group Exposes Iranian APT Operations and Members (BleepingComputer, Apr 22 2019)
Hackers have revealed details about the inner workings of a cyber-espionage group mostly known in the security community as OilRig, APT34, and HelixKitten, linked to the Iranian government.
3. Cyber-security firm Verint hit by ransomware (ZDNet, Apr 17 2019)
The Israel offices of US cyber-security firm Verint have been hit by ransomware, according to a screenshot taken by a Verint employee that started circulating online earlier today.
8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favority way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Thieves Somehow Stole 100 Car2Go Cars in Chicago (Motherboard, Apr 17 2019)
The company says it was not a “hack,” but Chicago police say that some of the carsharing cars may still be unaccounted for.
5. Google will check apps by new developers more thoroughly (Help Net Security, Apr 19 2019)
In an attempt to thwart Android developers who are set to distribute malicious apps through Google Play, Google will be taking more time when reviewing apps by developers with newly minted accounts.
6. Phone fingerprint scanner fooled by chewing gum packet (Naked Security – Sophos, Apr 23 2019)
A video has surfaced claiming to show someone unlocking a Nokia 9 by tapping a gum packet against the fingerprint scanner.
*Cloud Security, DevOps, AppSec*
7. Supply Chain Hackers Snuck Malware Into Videogames (Wired, Apr 23 2019)
…evidence that the same hackers who targeted Asus with that sort of supply chain hack earlier this year have also targeted three different videogame developers—this time aiming even higher upstream, corrupting the programming tools relied on by game developers.
8. Facebook: we logged 100x more Instagram plaintext passwords than we thought (Naked Security – Sophos, Apr 19 2019)
Facebook has updated ‘tens of thousands of plaintext Instagram passwords ended up in logfile’ to say it was more like a million.
9. Hotspot finder app blabs 2 million Wi-Fi network passwords (Naked Security – Sophos, Apr 23 2019)
If you used WiFi Finder, your passwords to both public and private networks have been left online in an unprotected database.
*Identity Mgt & Web Fraud*
10. Facial recognition fail allows laptop access (Graham Cluley, Apr 24 2019)
“So, I was wondering why the battery on my laptop was running down every time I left it at home.Turns out the kids have been using my election leaflets to get through the facial recognition lock…”
11. G7 Comes Out in Favor of Encryption Backdoors (Schneier on Security, Apr 23 2019)
“There is a weird belief amongst policy makers that hacking an encryption system’s key management system is fundamentally different than hacking the system’s encryption algorithm. The difference is only technical; the effect is the same. Both are ways of weakening encryption.”
12. FBI Crime Report Lists Business Email Compromise as Top Scam (eWEEK, Apr 24 2019)
Then, normally when the CEO is on travel, they strike. “There’s usually an urgent email from the CEO or CFO asking for an immediate transfer of funds,”…Because the scammers have been studying the company and its staff for a while, the email will usually contain references that seem to establish legitimacy, such as references to some personal fact or activity. And the tone will resemble language usually used by the senior executive.
13. This is the biggest problem with cybersecurity research (The Washington Post, Apr 18 2019)
Want to know the most effective ways businesses defend themselves against hacking? Good luck.
14. How Not to Acknowledge a Data Breach (Krebs on Security, Apr 17 2019)
“I’m not a huge fan of stories about stories, or those that explore the ins and outs of reporting a breach. But occasionally I feel obligated to publish such accounts when companies respond to a breach report in such a way that it’s crystal clear they wouldn’t know what to do with a data breach if it bit them in the nose, let alone festered unmolested in some dark corner of their operations.”
15. ‘WannaCry Hero’ Marcus Hutchins Pleads Guilty to Making Banking Malware (Motherboard, Apr 19 2019)
The researcher who helped stop the WannaCry ransomware pleaded guilty to two counts of hacking for writing banking malware in 2014.