The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. New election systems use vulnerable software (AP NEWS, Jul 15 2019)
An Associated Press analysis has found that like many counties in Pennsylvania, the vast majority of 10,000 election jurisdictions nationwide use Windows 7 or an older operating system to create ballots, program voting machines, tally votes and report counts.

2. Apple quietly removes Zoom’s hidden web server from Macs (Naked Security – Sophos, Jul 15 2019)
In the latest twist in the saga of the web-conferencing app, Apple has issued a ‘silent’ update removing Zoom’s hidden web server from Macs.

3. Buhtrap group uses zero‑day in latest espionage campaigns (WeLiveSecurity, Jul 11 2019)
ESET research reveals notorious crime group also conducting espionage campaigns for the past five years. The Buhtrap group is well known for its targeting of financial institutions and businesses in Russia. However, since late 2015, we have witnessed an interesting change in its traditional targets. From a pure criminal group perpetrating cybercrime for financial gain, its toolset has been expanded with malware used to conduct espionage in Eastern Europe and Central Asia.


One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


*AI, IoT, & Mobile Security*
4. Cell Networks Hacked by (Probable) Nation-State Attackers (Schneier on Security, Jul 09 2019)
A sophisticated attacker has successfully infiltrated cell providers to collect information on specific users: “The hackers have systematically broken in to more than 10 cell networks around the world to date over the past seven years to obtain massive amounts of call records — including times and dates of calls, and their cell-based locations — on at least 20 individuals.”

5. Hey, Google, why are your contractors listening to me? (Naked Security – Sophos, Jul 12 2019)
Humans are listening to our recordings – some made by mistake – to improve speech recognition. But they’re not as anonymous as Google says.

6. German banks to stop using SMS to deliver second authentication/verification factor (Help Net Security, Jul 12 2019)
German banks are moving away from SMS-based customer authentication and transaction verification (called mTAN or SMS-TAN), as the method is deemed to be too insecure.

*Cloud Security, DevOps, AppSec*
7. Magecart compromised 17,000+ sites via unsecured S3 buckets (Help Net Security, Jul 11 2019)
When they find one that is misconfigured to allow anyone to view and edit the files it contains, they search for JavaScript files, download them, add their skimming code to the bottom, and overwrite the script on the bucket.
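The misconfiguration the article describes is a bucket that lets an anonymous principal both read and write objects, which on S3 usually means a bucket policy (or ACL) granting s3:PutObject to "*". The script below is an added example, not code from the Help Net Security article or from the Magecart researchers: it parses an S3 bucket-policy document offline and flags any Allow statement that gives an anonymous principal a write action, then runs the check against a weak policy and a corrected one. The bucket name, the deploy-role ARN and both policy documents are constructed for illustration.

```python
"""Flag S3 bucket-policy statements that let anyone overwrite objects.

Added example (not from the article or the Magecart research). Works on the
JSON policy format S3 uses; all sample data below is constructed.
"""
import json

# Actions that let a caller create or replace objects, i.e. exactly what an
# attacker needs to overwrite a JavaScript file with a skimmer.
WRITE_ACTIONS = {"s3:putobject", "s3:put*", "s3:*", "*"}


def _as_list(value):
    """Action, Principal.AWS and Statement may be a string/dict or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(who == "*" for who in _as_list(principal.get("AWS")))
    return False


def _grants_write(actions):
    """True when any listed action (case-insensitive) allows object writes."""
    return any(a.lower() in WRITE_ACTIONS for a in actions)


def find_public_write(policy_json):
    """Return the Sids (or statement[<index>]) that grant anonymous writes.

    Only unconditional Allow statements are flagged. Deny statements are
    skipped, and statements with a Condition are skipped as well because
    evaluating IAM conditions offline is out of scope; review those by hand.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if _grants_write(_as_list(stmt.get("Action"))):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


# Constructed weak policy: world-readable AND world-writable (hypothetical bucket).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadWrite",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-static-assets/*",
    }],
})

# Constructed corrected policy: anyone may read the static assets, but only a
# named deploy role (hypothetical ARN) may write or delete them.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-static-assets/*"},
        {"Sid": "DeployWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-static-assets/*"},
    ],
})

if __name__ == "__main__":
    print("weak :", find_public_write(WEAK_POLICY))   # ['PublicReadWrite']
    print("fixed:", find_public_write(FIXED_POLICY))  # []
```

The check covers bucket policies only; a bucket can also become writable through a public-read-write canned ACL, so an audit should inspect ACLs and the account's Block Public Access settings as well, and a site that serves JavaScript from a bucket should additionally pin the scripts with Subresource Integrity or compare served file hashes against the deployed build so a silently appended skimmer is caught even if the bucket is later misconfigured.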

8. Tesla Awards Researcher $10,000 After Finding XSS Vulnerability (SecurityWeek, Jul 15 2019)
A researcher has earned $10,000 from Tesla after discovering a stored cross-site scripting (XSS) vulnerability that could have been exploited to obtain — and possibly modify — vehicle information.

9. New Analysis by Alcide Finds 89% of Kubernetes Deployments Not Leveraging Secrets Resources (Container Journal, Jul 15 2019)
To keep multi-cluster Kubernetes safe, Alcide has announced an Alcide Advisor integration with Azure DevOps, automating Kubernetes hygiene drift detection and prevention for Azure customers.

*Identity Mgt & Web Fraud*
10. The Window to Rein In Facial Recognition Is Closing (Wired, Jul 10 2019)
As Congress continues to punt on facial recognition, advocacy groups have redoubled their efforts.

11. Dust Identity secures $10M Series A to identify objects with diamond dust (TechCrunch, Jul 17 2019)
The idea behind Dust Identity was originally born in an MIT lab where the founders developed the base technology for uniquely identifying objects using diamond dust. Since then, the startup has been working to create a commercial application for the advanced technology, and today it announced a $10 million Series A round led by Kleiner Perkins, which also led its $2.3 million seed round last year.

The company has an unusual idea of applying a thin layer of diamond dust to an object with the goal of proving that that object has not been tampered with. “Once the diamonds fall on the surface of a polymer epoxy, and that polymer cures, the diamonds are fixed in their position, fixed in their orientation, and it’s actually the orientation of those diamonds that we developed a technology that allows us to read those angles very quickly.”

12. FaceApp Isn’t Creepy Because It’s Russian, It’s Creepy Because It’s Capitalist (VICE, Jul 17 2019)
FaceApp’s privacy policy is bad. Its policy isn’t uniquely bad because it’s a Russian company.

*CISO View*
13. Perspective | I found your data. It’s for sale. (Washington Post, Jul 18 2019)
As many as 4 million people have Web browser extensions that sell their every click. And that’s just the tip of the iceberg.

14. FBI Publishes GandCrab Decryption Keys (Dark Reading, Jul 16 2019)
Publishing the keys should render existing versions of the ransomware far less dangerous for victims.

15. Facebook Set For Record $5bn FTC Fine (Infosecurity Magazine, Jul 15 2019)
Social network penalized after Cambridge Analytica scandal