The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Another Attack Against Driverless Cars (Schneier on Security, Jul 31 2019)
“In this piece of research, attackers successfully attack a driverless car system — Renault Captur’s “Level 0” autopilot (Level 0 systems advise human drivers but do not directly operate cars) — by following them with drones that project images of fake road signs in 100ms bursts. The time is too short for human perception, but long enough to fool the autopilot’s sensors.”
2. DHS Warns About Security Flaws in Small Airplanes (Dark Reading, Jul 30 2019)
Rapid7 researchers found flaws in the CAN bus networks of small aircraft that an attacker could exploit to sabotage an aircraft’s operation.
3. 94% of attacks hitting financial services use one of four methods (Help Net Security, Aug 01 2019)
Akamai’s findings revealed that 94% of observed attacks against the financial services sector came from one of four methods: SQL Injection (SQLi), Local File Inclusion (LFI), Cross-Site Scripting (XSS), and OGNL Java Injection (which accounted for more than 8 million attempts during this reporting period).
One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Facebook Plans on Backdooring WhatsApp (Schneier on Security, Aug 01 2019)
“This article points out that Facebook’s planned content moderation scheme will result in an encryption backdoor into WhatsApp.”
5. Google and Apple suspend contractor access to voice recordings (Naked Security – Sophos, Aug 05 2019)
Apple and Google have announced that they will limit the way audio recorded by their voice assistants, Siri and Google Assistant, is accessed internally by contractors.
6. Why the Network Is Central to IoT Security (Dark Reading, Jul 31 2019)
In a large school district, there was a digital sign for a snack area that no one had thought about for months. Eventually, the snack area was removed, yet the sign was still plugged into the district’s network. For months, it turns out, the sign had been compromised by attackers and was communicating with 100 different countries.
*Cloud Security, DevOps, AppSec*
7. Bug Bounties - Deep Testing & Less for Traditional Flaws (Infosecurity Magazine, Aug 01 2019)
Bugcrowd also said that the average payout for critical vulnerabilities reached $2,669.92, a 27% increase over the last year. However, it claims that “researchers are no longer going after things like XSS, CSRF, and SSI as those are fairly easy to find by many scanners out there today” and are now doing deep testing, leading to the top five vulnerabilities.
8. Three Weeks After Closing the Red Hat Deal, IBM Rolls Out New Cloud Offerings (IT Pro, Aug 02 2019)
Managed services and software optimized for Red Hat OpenShift and Linux aimed at helping enterprises move to the cloud.
9. Back to square one: The Capital One breach proved we must rethink cloud security (Darktrace Blog, Aug 05 2019)
The path forward is to use artificial intelligence to understand how users behave within a company’s perimeter walls.
*Identity Mgt & Web Fraud*
10. The Risk of Weak Online Banking Passwords (Krebs on Security, Aug 05 2019)
“If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. This story is about how crooks increasingly are abusing third-party financial aggregation services like Mint, Plaid, Yodlee, YNAB and others to surveil and drain consumer accounts online.”
11. Demystifying New FIDO Standards & Innovations (Dark Reading, Aug 01 2019)
Staying on top of the latest cybersecurity risks and preferred attack methods can feel impossible, but standards like FIDO2 are designed to help relieve the burden.
12. How Privacy Laws Hurt Defendants (Schneier on Security, Aug 02 2019)
“Rebecca Wexler has an interesting op-ed about an inadvertent harm that privacy laws can cause: while law enforcement can often access third-party data to aid in prosecution, the accused don’t have the same level of access to aid in their defense.”
13. DARPA to Bring its Smart Ballot Boxes to DEF CON for Hacking (Dark Reading, Aug 01 2019)
The agency this week will share the source code and hardware specifications for the secure voting system prototypes.
14. What We Can Learn from the Capital One Hack (Krebs on Security, Aug 02 2019)
“A former Amazon employee was arrested and charged with stealing more than 100 million consumer applications for credit from Capital One. Since then, many have speculated the breach was perhaps the result of a previously unknown “zero-day” flaw, or an “insider” attack in which the accused took advantage of access surreptitiously obtained from her former employer. But new information indicates the methods she deployed have been well understood for years.”
15. Cloudflare Boots 8chan as a Customer (VICE, Aug 04 2019)
Cloudflare’s move comes after multiple mass shooters have posted so-called manifestos to the anonymous message board.