15 Bullet Friday – The Best Security News of the Week – 2019.07.12

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. New MacOS Malware Discovered (Dark Reading, Jul 02 2019)
The newest attack code for the Mac includes three pieces of malware found in June — a zero-day exploit, a package that includes sophisticated anti-detection and obfuscation routines, and a family of malware that uses the Safari browser as an attack surface.

2. US Military Warns Companies to Look Out for Iranian Outlook Exploits (Dark Reading, Jul 03 2019)
Microsoft patched a serious vulnerability in the Microsoft Outlook client in 2017, but an Iranian group continues to exploit the flaw.

3. Magecart Blitz Stuns 962 E-commerce Sites in 24 Hours (Infosecurity Magazine, Jul 08 2019)
New automated campaign is claimed to be largest to date


One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share on Twitter Facebook LinkedIn


*AI, IoT, & Mobile Security*
4. Zoom – any malicious website could enable camera (Jonathan Leitschuh – Medium, Jul 8 2019)
A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.

5. D-Link agrees to new security monitoring to settle FTC charges (Ars Technica, Jul 02 2019)
Agreement settles charges D-Link left users open to critical and widespread threats.

6. Huawei staff CVs reveal alleged links to Chinese intelligence agencies (The Telegraph, Jul 08 2019)
Huawei staff admitted to having worked with Chinese intelligence agencies in a “mass trove” of employment records leaked online, according to an analysis of the files.

*Cloud Security, DevOps, AppSec*
7. Malicious Code Planted in ‘strong_password’ Ruby Gem (SecurityWeek, Jul 08 2019)
A developer discovered that an update released for the ‘strong_password’ Ruby gem contained malicious code that allowed an attacker to remotely execute arbitrary code.

8. Canonical GitHub Account Hijacked (SecurityWeek, Jul 08 2019)
Canonical, the company behind the Ubuntu operating system, confirmed over the weekend that one of its GitHub accounts was hacked.

9. At the AWS Security Conference, Experts Address Cloud Concerns (IT Pro, Jul 05 2019)
The new AWS security conference brought together experts across the industry to reflect on challenges and best practices in securing public and multi-cloud environments. AWS has used canaries for years now, Shinn said. “Once you state the security intent of how something should or shouldn’t exist in production, we have a set of canaries around making sure that state doesn’t change.”

*Identity Mgt & Web Fraud*
10. Your Pa$$word doesn’t matter (Alex Weinert – Microsoft, Jul 10 2019)
“Every week I have at least one conversation with a security decision maker explaining why a lot of the hyperbole about passwords – “never use a password that has ever been seen in a breach,” “use really long passwords”, “passphrases-will-save-us”, and so on – is inconsistent with our research and with the reality our team sees as we defend against 100s of millions of password-based attacks every day. Focusing on password rules, rather than things that can really help – like multi-factor authentication (MFA), or great threat detection – is just a distraction. Because here’s the thing: When it comes to composition and length, your password (mostly) doesn’t matter.”

11. Privacy and security risks as Sign In with Apple tweaks Open ID protocol (Naked Security – Sophos, Jul 08 2019)
An open letter from the OpenID Foundation says that Apple introduced potential risks when it diverged from the OpenID Connect protocol.

12. I’m a Journalist but I Didn’t Fully Realize the Terrible Power of U.S. Border Officials Until They Violated My Rights and Privacy (The Intercept, Jul 05 2019)
I complacently assumed that CBP’s horrendous treatment of migrants wouldn’t affect me directly, least of all in Austin, the city where I was born.

*CISO View*
13. Details of the Cloud Hopper Attacks (Schneier on Security, Jul 10 2019)
“Reuters has a long article on the Chinese government APT attack called Cloud Hopper. It was much bigger than originally reported.’The hacking campaign, known as “Cloud Hopper,” was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud. Prosecutors described an elaborate operation that victimized multiple Western companies but stopped short of naming them. A Reuters report at the time identified two: Hewlett Packard Enterprise and IBM.'”

14. Chinese Antivirus Companies Don’t Flag Chinese Border Malware (VICE, Jul 12 2019)
After a joint investigation found China installing malware on tourists’ phones, several antivirus companies started flagging the app. Several Chinese companies did not, however.

15. FEC: Campaigns Can Use Discounted Cybersecurity Services (Krebs on Security, Jul 11 2019)
“The U.S. Federal Election Commission (FEC) said today political campaigns can accept discounted cybersecurity services from companies without running afoul of existing campaign finance laws, provided those companies already do the same for other non-political entities. The decision comes amid much jostling on Capitol Hill over election security at the state level, and fresh warnings from U.S. intelligence agencies about impending cyber attacks targeting candidates in the lead up to the 2020 election.”

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn