The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Thangrycat: A Serious Cisco Vulnerability (Schneier on Security, May 23 2019)
Thrangrycat only works once you have administrative access to the device. You need a two-step attack in order to get Thrangrycat working. Attack #1 gets you remote administrative access, Attack #2 is Thrangrycat. Attack #2 can’t happen without Attack #1. Cisco can protect you from Attack #1 by sending out a software update. If your I.T. people have your systems well secured and are applying updates and patches consistently and you’re not a regular target of nation-state actors, you’re relatively safe from Attack #1, and therefore, pretty safe from Thrangrycat.

2. In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc (The New York Times, May 25 2019)
American cities are being hijacked with an N.S.A. cyberweapon that has already done billions of dollars in damage overseas. The N.S.A. will say nothing.

3. Magecart POS skimmer adds iframe injection technique (SC Magazine, May 21 2019)
A new online POS skimmer used by one of the Magecart groups has been spotted injecting an iframe into retailer websites that asks for payment card information. Malwarebytes came across the new technique being used on a Magento-powered e-commerce platform.
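As an added example (not code from the SC Magazine article or from Malwarebytes), here is a small audit a retailer could run over its own checkout HTML: every iframe whose origin is neither the page itself nor an allowlisted payment provider is flagged, as are inline srcdoc frames and frames with non-HTTP schemes, and a matching Content-Security-Policy frame-src value is produced so the browser enforces the same allowlist. The shop host www.example-shop.test, the provider host pay.example-psp.test, the skimmer host cdn.example-skimmer.test and the HTML snippet are all constructed for this example.

```python
"""Audit the iframes on a checkout page against a frame-origin allowlist.

Added example, not code from the article or from Malwarebytes. All hosts and
the sample HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only third party allowed to frame content on checkout is the PSP.
ALLOWED_FRAME_HOSTS = {"pay.example-psp.test"}


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: attribute values are unescaped
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag names
            self.iframes.append(dict(attrs))


def frame_origin(src, page_host):
    """Return the host an iframe src resolves to.

    Relative URLs resolve to the page host; protocol-relative ("//evil.test/x")
    resolve to the foreign host; javascript:/data:/about: return "scheme:" so
    the caller can treat them separately.
    """
    if not src:
        return ""
    u = urlparse(src)
    if u.scheme in ("javascript", "data", "about"):
        return u.scheme + ":"
    return (u.hostname or page_host).lower()


def audit_iframes(html, page_host, allowed=ALLOWED_FRAME_HOSTS):
    """Return a list of (reason, src) findings for suspicious iframes."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src") or ""
        host = frame_origin(src, page_host)
        if "srcdoc" in frame:
            # Inline document: a skimmer can carry a whole fake card form here.
            findings.append(("inline srcdoc iframe", src or "<srcdoc>"))
        elif host.endswith(":"):
            findings.append(("non-http iframe scheme", src))
        elif host != page_host.lower() and host not in allowed:
            findings.append(("unexpected third-party iframe", src))
    return findings


def csp_frame_src(allowed=ALLOWED_FRAME_HOSTS):
    """Build the CSP directive that makes the browser enforce the allowlist."""
    return "frame-src 'self' " + " ".join("https://" + h for h in sorted(allowed))


# Constructed checkout page: one legitimate PSP frame, one same-origin frame,
# one injected frame from a skimmer host, one inline srcdoc frame.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form id="checkout">
  <iframe src="https://pay.example-psp.test/hosted-fields?merchant=123"></iframe>
  <iframe src="/help/faq"></iframe>
  <iframe src="https://cdn.example-skimmer.test/payment.html" style="border:0"></iframe>
  <iframe srcdoc="&lt;input name=cc_number&gt;"></iframe>
</form>
</body></html>
"""

if __name__ == "__main__":
    for reason, src in audit_iframes(SAMPLE_CHECKOUT_HTML, "www.example-shop.test"):
        print(f"{reason}: {src}")
    print("Content-Security-Policy:", csp_frame_src())
```

The audit only sees the HTML as served; a skimmer that injects the iframe from JavaScript at runtime is caught by the CSP header, not by the static scan, so deploy both.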

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


*AI, IoT, & Mobile Security*
4. To Fight Deepfakes, Researchers Built a Smarter Camera (Wired, May 28 2019)
One way to tell if an image has been faked? Bake the tamper-proofing into the camera itself.

5. Google-protected mobile browsers were open to phishing for over a year (Naked Security – Sophos, May 28 2019)
Researchers revealed a massive hole in Google Safe Browsing’s mobile browser protection that existed for over a year.

6. US May Ban Chinese Surveillance Camera Companies (Infosecurity Magazine, May 22 2019)
Several of China’s surveillance camera companies may be added to the US Entity List.

*Cloud Security, DevOps, AppSec*
7. First American Financial Leaked Hundreds of Millions Records (KrebsonSecurity, May 24 2019)
“The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. [NYSE:FAF] leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.”

8. GitHub introduces Dependabot-powered automated security fixes (Help Net Security, May 28 2019)
“With the help of Dependabot, GitHub will monitor your dependencies for known security vulnerabilities and automatically open pull requests to update them to the minimum required version,” Justin Hutchings, Senior Product Manager at GitHub, explained…

9. Millions of Canva users’ data stolen as GnosticPlayers strikes again (Naked Security – Sophos, May 28 2019)
The initial breach notification was topped with marketing fluff: an unfortunate choice, given what could be the resulting glazed eyeballs.

*Identity Mgt & Web Fraud*
10. Should Failing Phish Tests Be a Fireable Offense? (Krebs on Security, May 29 2019)
“Would your average Internet user be any more vigilant against phishing scams if he or she faced the real possibility of losing their job after falling for one too many of these emails? Recently, I met someone at a conference who said his employer had in fact terminated employees for such repeated infractions. As this was the first time I’d ever heard of an organization actually doing this, I asked some phishing experts what they thought (spoiler alert: they’re not fans of this particular teaching approach).”

11. Facial Recognition Technology Is Facing A Huge Backlash In The US. But Some Of The World’s Biggest Tech Companies Are Trying To Sell It In The Gulf. (BuzzFeed News, May 30 2019)
Face recognition has been banned in San Francisco and linked by Alexandria Ocasio-Cortez to a rise in global fascism. But it’s being marketed in Dubai, which has spied on hundreds of dissidents, by American and Chinese tech giants.

12. Facebook took action against 2.19B fake accounts in first three months of 2019 (SC Magazine, May 24 2019)
The newly released third edition of Facebook’s Community Standards Enforcement report found that five percent of monthly active accounts registered on the social media website between October 2017 and March 2019 were fake. This represents a one-to-two percentage point increase in fake account “prevalence” since the second edition of the transparency report was published last…

*CISO View*
13. NY Investigates Exposure of 885 Million Mortgage Documents (Krebs on Security, May 31 2019)
“New York regulators are investigating a weakness that exposed 885 million mortgage records at First American Financial Corp. [NYSE:FAF] as the first test of the state’s strict new cybersecurity regulation. That measure, which went into effect in March 2019 and is considered among the toughest in the nation, requires financial companies to regularly audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful.”

14. Alex Stamos on Content Moderation and Security (Schneier on Security, May 29 2019)
Really interesting talk by former Facebook CISO Alex Stamos about the problems inherent in content moderation by social media platforms. Well worth watching….

15. Security pros divided over NSA’s responsibility for Baltimore hack (The Washington Post, May 28 2019)
Many security researchers, however, say the real problem isn’t with the NSA. They say that hacking victims like Baltimore still haven’t taken sufficient measures against EternalBlue two years after it first leaked, and aren’t using a software patch released by Microsoft to protect themselves.