The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. More Attacks against Computer Automatic Update Systems (Schneier on Security, May 16 2019)
Last month, Kaspersky discovered that Asus’s live update system was infected with malware, an operation it called Operation Shadowhammer. Now we learn that six other companies were targeted in the same operation.
2. Cisco Patches Critical Vulnerabilities in Prime Infrastructure (PI) Software (SecurityWeek, May 16 2019)
Cisco has released patches for numerous vulnerabilities affecting its products, including Critical flaws in the Cisco Prime Infrastructure (PI) Software that could allow remote code execution.
3. On the path to Zero Trust security: Time to get started (Help Net Security, May 20 2019)
This article is more about how to get from where you are today to a Zero Trust security posture. As with most things worthwhile, they don’t happen overnight. Zero Trust is a journey. But if you don’t start, you are never going to finish. In this article, we will share five best practices businesses should think about when moving towards a Zero Trust security model.
8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favority way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Trump’s Sanctions on China Are Making Huawei Phones Less Secure (VICE, May 20 2019)
Google is shutting down its business relationship with Huawei. What does this mean for the security of your Huawei devices?
5. Chinese-made drones could transmit flight data back to makers, gov’t, DHS CISA warns (SC Magazine, May 21 2019)
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warned in a Monday alert that drones made in China might be transmitting flight data back to their makers that the Chinese government can access.
6. How Hackers Broke WhatsApp With Just a Phone Call (Wired, May 14 2019)
All it took to compromise a smartphone was a single phone call over WhatsApp. The user didn’t even have to pick up the phone.
*Cloud Security, DevOps, AppSec*
7. Google Has Stored Some Passwords in Plaintext Since 2005 (Wired, May 21 2019)
On the heels of embarrassing disclosures from Facebook and Twitter, Google reveals its own password bugs—one of which lasted 14 years.
8. Fifth of Docker Containers Have No Root Passwords (Infosecurity Magazine, May 21 2019)
Security oversight could expose them to exploitation
9. Slack Flaw Allows Hackers to Steal, Manipulate Downloads (SecurityWeek, May 17 2019)
A recently patched vulnerability in the Slack desktop application for Windows can be exploited by malicious actors to steal and manipulate a targeted user’s downloaded files.
*Identity Mgt & Web Fraud*
10. Fingerprinting iPhones (Schneier on Security, May 22 2019)
This clever attack allows someone to uniquely identify a phone when you visit a website, based on data from the accelerometer, gyroscope, and magnetometer sensors.
11. Amazon Shareholders Support Selling Face Recognition Tech to Police (SecurityWeek, May 22 2019)
Amazon on Wednesday confirmed that shareholders rejected proposals to prohibit sales of facial recognition technology to governments and study how it might threaten privacy or civil rights.
12. OMB releases replacement to M-04-04 (OMB, May 21 2019)
M-19-17, Enabling Mission Delivery through Improved Identity, Credential, and Access Management
13. Equifax just became the first company to have its outlook downgraded for a cyber attack (CNBC, May 22 2019)
A Moody’s spokesperson said the downgrade is significant because “it is the first time that cyber has been a named factor in an outlook change.” Equifax’s breach in 2017 will have a lasting effect on the company’s security spend and infrastructure costs, Moody’s said.
14. Huawei given 90-day reprieve from Entity List (SC Magazine, May 22 2019)
The U.S. Commerce Department has temporarily relieved Chinese manufacturer Huawei of its inclusion on the federal Entity List, allowing the company to continue to do operate with its business partners for 90 days.
15. Half of companies missed GDPR deadline, 70% admit systems won’t scale (Help Net Security, May 17 2019)
Even if given two years notice to achieve GDPR compliance, only half of companies self-reported as compliant by May 25, 2018, a DataGrail survey reveals.