The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Apple’s ‘Find My’ Feature Uses Some Clever Cryptography (Wired, Jun 05 2019)
Apple says an elaborate rotating key scheme will soon let you track down your stolen laptop, but not let anyone track you. Not even Apple.
2. Warnings of world-wide worm attacks are the real deal, new exploit shows (Ars Technica, Jun 05 2019)
Latest Metasploit module is being kept private, but time is running out.
3. PHA Family Highlights: Triada (Google Online Security Blog, Jun 10 2019)
“The main purpose of Triada apps was to install spam apps on a device that displays ads. The creators of Triada collected revenue from the ads displayed by the spam apps. The methods Triada used were complex and unusual for these types of apps. Triada apps started as rooting trojans, but as Google Play Protect strengthened defenses against rooting exploits, Triada apps were forced to adapt, progressing to a system image backdoor. However, thanks to OEM cooperation and our outreach efforts, OEMs prepared system images with security updates that removed the Triada infection.”
One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. China Telecom Routes European Traffic to Its Network for Two Hours (SecurityWeek, Jun 10 2019)
For two hours last week, a BGP route leak resulted in large portions of European Internet traffic being routed through China Telecom’s network.
5. Adware Hidden in Android Apps Downloaded More Than 440 Million Times (Dark Reading, Jun 04 2019)
The heavily obfuscated adware was found in 238 different apps on Google Play.
6. Outsmarting deep fakes: AI-driven imaging system protects authenticity (ScienceDaily, May 29 2019)
To thwart sophisticated deep fake methods of altering photos and video, researchers have devised a technique to authenticate images throughout the entire pipeline, from acquisition to delivery, using artificial intelligence.
*Cloud Security, DevOps, AppSec*
7. FBI: Don’t Trust HTTPS or Padlock on Websites (Infosecurity Magazine, Jun 12 2019)
Feds warn that hackers are increasingly using certs to ‘secure’ their phishing sites
8. Cross-Site Scripting Errors Continue to Be Most Common Web App Flaw (Dark Reading, Jun 11 2019)
In vulnerability disclosure programs, organizations are paying more in total for XSS issues than any other vulnerability type, HackerOne says.
9. Facebook Quietly Changes Search Tool Used by Investigators, Abused By Companies (VICE, Jun 10 2019)
Facebook’s Graph Search allowed anyone to search a wealth of public data on Facebook in very specific ways, such as searching content for keywords in a particular point in time.
*Identity Mgt & Web Fraud*
10. Apple Flexes Its Privacy Muscles (Securosis Blog, Jun 12 2019)
Regardless of motivations – whether it be altruism, the personal principles of Apple executives, or simply shrewd business strategy – Apple’s stance on privacy is historic and unique in the annals of consumer technology. The real question now isn’t whether they can succeed at a technical level, but whether Apple’s privacy push can withstand the upcoming onslaught from governments, regulators, the courts, and competitors.
11. U.S. Customs and Border Protection says photos of travelers were taken in a data breach (Washington Post, Jun 11 2019)
CBP says photos of travelers have been compromised as part of a “malicious cyber-attack,” raising concerns over how expanding surveillance efforts could imperil privacy.
12. The police demanded he unlock his cellphone. He didn’t — and spent 44 days in jail. (NBC, Jun 07 2019)
“The world should know that what they’re doing out here is crazy,” said a man who refused to share his passcode with police.
13. Get ready for the hacking back debate: Round 2 (The Washington Post, Jun 13 2019)
A bipartisan bill being reintroduced this morning would allow hacked companies to turn the tables and hack back into their attackers’ computer networks. The Active Cyber Defense Certainty Act, sponsored by Reps. Tom Graves (R-Ga.) and Josh Gottheimer (D-N.J.), would allow those hacked companies to only ferret out what happened to their stolen data and gather evidence for police, though — not to destroy anything on the attackers’ computer networks.
14. The Future of Have I Been Pwned (Up for Sale) (Troy Hunt, Jun 11 2019)
Back in 2013, I was beginning to get the sense that data breaches were becoming a big thing. The prevalence of them seemed to be really ramping up as was the impact they were having on those of us that found ourselves in them, myself included….
15. Workshop on the Economics of Information Security (Schneier on Security, Jun 11 2019)
“Last week, I hosted the eighteenth Workshop on the Economics of Information Security at Harvard. Ross Anderson liveblogged the talks….”