The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. The top 10 cyber hygiene issues that lead to a breach: A perimeter in ruins (Darktrace Blog, May 15 2019)
And whereas there is no silver bullet when it comes to securing the enterprise online, patching these holes in the perimeter is nevertheless a critical first step.

2. Another MacOS Bug Lets Hackers Invisibly Click Security Prompts (Wired, Jun 03 2019)
Exploiting a bug in Mojave, Wardle has shown yet again that any piece of automated malware can exploit a feature of MacOS known as “synthetic clicks” to breeze through security prompts, allowing the attacker to gain access to the computer’s camera, microphone, location data, contacts, messages, and even in some cases to alter its kernel, adding malicious code to the deepest part of the operating system.

3. Google Researcher Finds Code Execution Vulnerability in Notepad (SecurityWeek, May 29 2019)
Google Project Zero researcher Tavis Ormandy revealed on Tuesday that he identified a code execution vulnerability in Microsoft’s Notepad text editor.


One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share on Twitter Facebook LinkedIn


*AI, IoT, & Mobile Security*
4. It’s the middle of the night. Do you know who your iPhone is talking to? (WAPO, May 28 2019)
We ran a privacy experiment to see how many hidden trackers are running from the apps on our iPhone. The tally is astounding.

5. Your phone’s sensors could be used as a cookie you can’t delete (Naked Security – Sophos, Jun 03 2019)
Researchers have found that a phone’s gyroscope, accelerometer and other sensors create a unique fingerprint.

6. Facebook Can’t Rely on Artificial Intelligence to Save It From Hate Speech (Barron’s, May 31 2019)
Guy Rosen, vice president of integrity at Facebook, acknowledged during a security update with reporters on Thursday that artificial intelligence is not the best solution to address hate speech, which continues to be the most pervasive content issue at Facebook. The company is leaving that task to more staff in an effort to study the context of posts and the subtlety behind the use of controversial words. What might be a word of endearment or self-deprecation for one person could be interpreted as offensive to another, Rosen said.

*Cloud Security, DevOps, AppSec*
7. Chrome extension devs must drop deceptive install tactics (Help Net Security, May 31 2019)
After announcing its intention to limit third-party developers’ access to Chrome’s webRequest API, which is used by many ad-blocking extensions to filter out content, Google has followed up with announcements for a few more changes meant “to create stronger security, privacy, and performance guarantees”: Chrome extension developers must ditch any deceptive installation tactic they have been using Extensions must only request access to the appropriate data needed to implement their features…

8. LabCorp: 7.7 Million Consumers Hit in Collections Firm Breach (Krebs on Security, Jun 04 2019)
“Medical testing giant LabCorp. said today personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party billing collections firm. That third party — the American Medical Collection Agency (AMCA) — also recently notified competing firm Quest Diagnostics that an intrusion in its payments Web site exposed personal, financial and medical data on nearly 12 million Quest patients.”

9. Growing reliance on open source libraries leaves many companies vulnerable (Help Net Security, Jun 03 2019)
Organizations are becoming increasingly dependent on open source libraries (OSLs) to develop code for software and websites. However, Jing Xie, senior threat intelligence researcher for Venafi, warns that the growing reliance on OSLs for software development leaves many companies vulnerable to trust-based attacks. Cybercriminals use trust attacks to maliciously manipulate and insert code into open source libraries, taking advantage of organizations’ dependence on them.

*Identity Mgt & Web Fraud*
10. Sign In With Apple’ Protects You in Ways Google and Facebook Don’t (Wired, Jun 04 2019)
Apple’s new single-sign-on scheme has benefits that its competitors seem unlikely to match.

11. Watchdog says FBI has access to about 640M photographs (WTOP, Jun 04 2019)
A government watchdog says the FBI has access to about 640 million photographs — including from driver’s licenses, passports and mugshots — that can be searched using facial…

12. Facebook lawyer argues you should have ‘no expectation of privacy’ (Graham Cluley, Jun 03 2019)
Next time someone connected to Facebook tries to convince you that it’s now really serious about privacy you know they’re pulling your leg.

*CISO View*
13. Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware (Krebs on Security, Jun 03 2019)
“For almost the past month, key computer systems serving the government of Baltimore, Md. have been held hostage by a ransomware strain known as “Robbinhood.” Media publications have cited sources saying the Robbinhood version that hit Baltimore city computers was powered by “Eternal Blue,” a hacking tool developed by the U.S. National Security Agency (NSA) and leaked online in 2017. But new analysis suggests that while Eternal Blue could have been used to spread the infection, the Robbinhood malware itself contains no traces of it.”

14. Stanford group calls for major overhaul on election security. Here are their recommendations (The Washington Post, Jun 06 2019)
A plan released this week by a Stanford University group that includes former top government and tech industry officials aims to be the equivalent of the 9/11 Commission report for election security.

15. China ‘behind’ huge ANU hack amid fears government employees could be compromised (The Sydney Morning Herald, Jun 07 2019)
China is the key suspect in the theft of huge volumes of highly sensitive personal data from the Australian National University