The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. IBM’s Warshipping Attacks Wi-Fi Networks From Afar (Infosecurity Magazine, Aug 07 2019)
You’ve heard about wardriving, but what about warshipping? Researchers at IBM X-Force Red have detailed a new tactic that they say can break into victims’ Wi-Fi networks from afar.
2. Election systems by leading vendor connected to internet in some states, researchers find (SC Magazine, Aug 09 2019)
Despite claims by voting machine makers and election officials that election systems are immune to hackers because they’re not connected to the internet, the Election Systems & Software voting systems in 10 states, some of them swing states, were found to be just that – connected, a team of security researchers found.
3. Vulnerability Has Been Lurking in Avaya Phones for 10 Years (SecurityWeek, Aug 09 2019)
A security vulnerability discovered and patched 10 years ago has remained unaddressed in various Avaya phones until recently, McAfee security researchers have discovered.
One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Who Owns Your Wireless Service? Crooks Do. (Krebs on Security, Aug 07 2019)
“Incessantly annoying and fraudulent robocalls. Corrupt wireless company employees taking hundreds of thousands of dollars in bribes to unlock and hijack mobile phone service. Wireless providers selling real-time customer location data, despite repeated promises to the contrary. A noticeable uptick in SIM-swapping attacks that lead to multi-million dollar cyberheists.”
5. Google Hackers Found 10 Ways to Hack an iPhone Without Touching It (VICE, Aug 12 2019)
Many of the vulnerabilities relied on using iMessage to own the rest of the phone, Google’s Project Zero said.
6. More than 2m AT&T phones illegally unlocked by bribed insiders (Naked Security – Sophos, Aug 08 2019)
The alleged, now indicted ringleader paid more than $1m in bribes to insiders who planted malware and hardware for remote unlocking.
*Cloud Security, DevOps, AppSec*
7. Apple Offers Up to $1 Million in Public Bug Bounty Program (SecurityWeek, Aug 12 2019)
Apple last week announced that it’s making some significant changes to its bug bounty program, making it public and expanding the list of covered products.
8. The Fundamentals of Developing Effective DevSecOps (SecurityWeek, Aug 07 2019)
The argument for including security within DevOps has largely been won. It is the basis of security by design, and the most effective way of minimizing dormant app vulnerabilities from the huge number of software developments generated in the modern containerized cloud world.
9. How Apple Pay Buttons Can Make Websites Less Safe (Wired, Aug 08 2019)
Apple Pay itself is safe. But the way websites implement it can cause serious problems… the connection between a site and the Apple Pay infrastructure, and the validation mechanism meant to broker this connection, can be established in a number of different ways, all at the host site’s discretion. An attacker could swap the URL a target site uses to talk to Apple Pay, for instance, with a malicious URL that can send queries or commands to the target site’s infrastructure.
*Identity Mgt & Web Fraud*
10. Biometrics Flaws Uncovered To Bypass Apple FaceID (Threatpost, Aug 15 2019)
Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim’s FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair of glasses and placing them on the victim’s face, the researchers demonstrated how they could bypass Apple’s FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up.
11. Huge database found leaking biometric, personal info of millions (Help Net Security, Aug 14 2019)
While working on a web-mapping project, vpnMentor researchers Noam Rotem and Ran Locar discovered a publicly accessible database containing fingerprint records of over 1 million users, facial recognition information, personal information and much more.
12. Kaspersky Makes Changes After Products Raise Privacy Concerns (SecurityWeek, Aug 15 2019)
Kaspersky has made some changes to the way its products check web pages for malicious activity after a researcher discovered an issue that could have been exploited to track users online.
13. #BHUSA: Five Years of Google Project Zero Should Influence Similar Groups (Infosecurity Magazine, Aug 08 2019)
He explained that the research includes: 54% manual review, 37% fuzzing, and 8% other types of testing. He also said that part of performing vulnerability research is what new methodologies you can create that the researchers did not have access to previously, and by “writing an exploit, you’re walking in the shoes of an attacker.” The development of an exploit requires five steps
14. Symantec sells its name and enterprise security business to Broadcom (Help Net Security, Aug 09 2019)
Symantec announced it has entered into a definitive agreement to sell its Enterprise Security assets, which include the Symantec name, to semiconductor giant Broadcom, for $10.7 billion in cash.
15. ‘NULL’ license plate gets security researcher $12K in tickets (Naked Security – Sophos, Aug 15 2019)
The vanity plate sounded good in theory: maybe it would make his plate invisible to ALPR systems?!