The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Trump approved cyber-strikes against Iran’s missile systems (The Washington Post, Jun 24 2019)
Operation comes as the administration tells industry to be on alert for Iranian cyberattacks.
2. Google launches new Chrome protection from bad URLs (Naked Security – Sophos, Jun 20 2019)
Google on Tuesday launched two new security features to protect Chrome users from deceptive sites: an extension that offers an easy way to report suspicious sites, and a new warning to flag sites with deceptive URLs.
3. Millions of Devices Exposed to Attacks Due to Flaw in PC-Doctor Software (SecurityWeek, Jun 21 2019)
More than 100 million computers from Dell and other vendors may have been exposed to hacker attacks due to a serious vulnerability in software made by hardware diagnostic tools provider PC-Doctor.
One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Backdoor Built into Android Firmware (Schneier on Security, Jun 21 2019)
In 2017, some Android phones came with a backdoor pre-installed: Criminals in 2017 managed to get an advanced backdoor preinstalled on Android devices before they left the factories of manufacturers, Google researchers confirmed on Thursday.
5. A Likely Chinese Hacker Crew Targeted 10 Phone Carriers to Steal Metadata (Wired, Jun 24 2019)
In one case, they stole the location and call record data of 20 specific individuals.
6. 3 steps to gain business value from AI (Google Cloud Blog, Jun 14 2019)
Step 1: Align AI projects with business priorities and find a good sponsor.
Step 2: Plan for explainable ML in models, dashboards and displays.
Step 3: Broaden expertise within the organization on data analytics and data engineering.
*Cloud Security, DevOps, AppSec*
7. AWS CISO Talks Risk Reduction, Development, Recruitment (Dark Reading, Jun 25 2019)
Steve Schmidt says limiting access to data has dramatically changed the security posture across Amazon Web Services.
8. 1 in 10 open source components downloaded in 2018 had a known security vulnerability (Help Net Security, Jun 26 2019)
Adversaries are increasingly targeting open source components
71% increase in open source related breaches over the past five years
24% of organisations confirmed or suspected an OSS related breach
15 events highlighting a new attack pattern for malicious code injection within open source software supply chains
9. AWS Security Hub Now Generally Available (AWS News Blog, Jun 24 2019)
“When systems enable frequent deploys and remove gatekeepers for experimentation, sometimes a non-compliant resource is going to sneak by. That’s why I love tools like AWS Security Hub, a service that enables automated compliance checks and aggregated insights from a variety of services. With guardrails like these in place to make sure things stay on track, I can experiment more confidently. And with a single place to view compliance findings from multiple systems, infosec feels better about letting me self-serve.”
*Identity Mgt & Web Fraud*
10. NSA Improperly Collected U.S. Phone Records a Second Time (WSJ, Jun 26 2019)
The National Security Agency collected data about calls and texts it wasn’t authorized to obtain last year in a second such incident, renewing concerns about its phone surveillance.
11. US CERT Warns of DHS Phishing Scam (Infosecurity Magazine, Jun 20 2019)
Victims are lured into downloading malware via an email pretending to be from the US’s DHS.
12. FIDO Alliance to Tackle Identity Verification and IoT Authentication (Dark Reading, Jun 26 2019)
Standards group forms two new working groups to develop new open specifications.
13. Western intelligence hacked ‘Russia’s Google’ Yandex to spy on accounts (Reuters, Jun 28 2019)
Hackers working for Western intelligence agencies broke into Russian internet search company Yandex in late 2018, deploying a rare type of malware in an attempt to spy on user accounts, four people with knowledge of the matter told Reuters.
14. U.S. Struck Iranian Military Computers This Week (SecurityWeek, Jun 23 2019)
U.S. military cyber forces launched a strike against Iranian military computer systems on Thursday as President Donald Trump backed away from plans for a more conventional military strike in response to Iran’s downing of a U.S. surveillance drone, U.S. officials said Saturday.
15. GOP senators nix vote on Election Security Act, similar bills wend their way through Congress (SC Magazine, Jun 26 2019)
Republicans in the Senate rebuffed an attempt by presidential candidate Sen. Amy Klobuchar, D-Minn., ranking member of the Senate Rules Committee, to bring the Election Security Act to a vote Tuesday.