The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Five strategies to stop Magecart (SC Magazine, Aug 26 2019)
The success of these Magecart campaigns comes from attackers picking the weakest link of a web supply chain: infecting third-party code suppliers rather than infecting target companies’ own code. With this methodology, attackers breach a small company with lesser security and inject their malicious code into a script that is sourced to multiple other companies.
3. Attackers are targeting vulnerable Fortigate and Pulse Secure SSL VPNs (Help Net Security, Aug 26 2019)
Attackers are taking advantage of recently released vulnerability details and PoC exploit code to extract private keys and user passwords from vulnerable Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations.
3. NotPetya Ushered In a New Era of Malware (VICE, Aug 26 2019)
EternalBlue and NotPetya through the eyes of influence. In the summer of 2017, a software update for a popular Ukrainian accounting software pushed malware onto systems of companies doing business in Ukraine. The attack stopped life in Ukraine and crippled the Western logistics supply chain, hitting shipping giant Maersk, postal company FedEx, and the Port of Rotterdam. That was just the beginning effect of a chain reaction, masterminded by the Kremlin.
One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. First‑of‑its‑kind spyware sneaks into Google Play (WeLiveSecurity, Aug 22 2019)
ESET analysis breaks down the first known spyware that is built on the AhMyth open-source espionage tool and has appeared on Google Play – twice
5. Security Researchers Find Several Bugs in Nest Security Cameras (VICE, Aug 21 2019)
Cisco Talos researchers report finding eight security vulnerabilities in the Nest Cam IQ that can allow attackers to take over the camera, prevent its use or allow code execution.
6. Tesla gets stolen with keyfob hack on camera in seconds — here’s how to prevent it (Electrek, Aug 26 2019)
In response to those attacks, Tesla started rolling out extra layers of security with “improved cryptography” key fob and optional “PIN to Drive” feature. If an owner activates the “PIN to Drive” function (go to Controls > Safety and Security > PIN to Drive), anyone entering the car will have to know your PIN in order to be able to drive away.
*Cloud Security, DevOps, AppSec*
7. Cybersecurity Firm Imperva Discloses Breach (Krebs on Security, Aug 27 2019)
“Imperva, a leading provider of Internet firewall services that help Web sites block malicious cyberattacks, alerted customers on Tuesday that a recent data breach exposed email addresses, scrambled passwords, API keys and SSL certificates for a subset of its firewall users.”
8. Nine AWS Security Hub best practices (AWS Security Blog, Aug 23 2019)
AWS Security Hub is a security and compliance service that became generally available on June 25, 2019. It provides you with extensive visibility into your security and compliance status across multiple AWS accounts, in a single dashboard per region. The service helps you monitor critical settings to ensure that your AWS accounts remain secure, allowing you to notice and react quickly to any changes in your environment.
9. Kubernetes Patches Recent HTTP/2 Vulnerabilities (SecurityWeek, Aug 23 2019)
Software updates released by Kubernetes this week address HTTP/2 implementation vulnerabilities that were disclosed earlier this month.
*Identity Mgt & Web Fraud*
10. The spy in your wallet: Credit cards have a privacy problem (WAPO, Aug 27 2019)
In our latest privacy experiment, we bought one banana with the new Apple Card — and another with the Amazon Prime Rewards Visa from Chase. Here’s who tracked, mined and shared our data.
11. Inside the Black Market for Bots That Buy Designer Clothes Before They Sell Out (VICE, Aug 26 2019)
Hacker finalphoenix kept getting beaten by bots buying designer clothes. So she built her own, but stumbled into a massive ecosystem of shady resellers.
12. Instagram phishing scam uses fake 2FA code to appear trustworthy (SC Magazine, Aug 27 2019)
Researchers recently spotted a sneaky phishing scam that uses a phony two-factor authentication request to trick email recipients into entering their Instagram login credentials. “Someone tried to log in to your Instagram account. If this wasn’t you, please use the following code to confirm your identity,” according to the fraudulent email.
13. The Extortion Economy: How Insurance Companies Are Fueling a Rise in Ransomware Attacks (ProPublica, Aug 28 2019)
Even when public agencies and companies hit by ransomware could recover their files on their own, insurers prefer to pay the ransom. Why? The attacks are good for business.
14. U.S. Cyberattack Hurt Iran’s Ability to Target Oil Tankers, Officials Say (The New York Times, Aug 29 2019)
The strike came on the same day that President Trump called off a retaliatory airstrike against Iran after it shot down an American drone.
15. Low Budgets, Limited Expertise Plague SMB Cybersecurity (SecurityWeek, Aug 27 2019)
Untangle queried 300 SMBs, with the most common staff level between 25 and 300 personnel, for its 2019 SMB IT security report. It found that 29% of these companies have an annual security budget of less than $1,000 per year. Fifty-two percent have no dedicated security professional on staff, and instead distribute the responsibility across multiple other roles.