The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*

1. Cyber-security incident at US power grid entity linked to unpatched firewalls (ZDNet, Sep 09 2019) Hackers used a DoS flaw to reboot firewalls at an electric power grid operator for hours.

2. Cisco Releases Guides for Analyzing Compromised Devices (SecurityWeek, Sep 03 2019) Cisco has released new guides to help first responders collect forensic evidence from potentially compromised or tampered with IOS, IOS XE, ASA, and Firepower Threat Defense (FTD) devices.

3. Chinese Group Built Advanced Trojan by Reverse Engineering NSA Attack Tool (Dark Reading, Sep 06 2019) APT3 quietly monitored an NSA attack on its systems and used the information to build a weapon of its own.

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

*AI, IoT, & Mobile Security*

4. 120 Million Workers Need To Be Retrained Because Of AI (Forbes, Sep 10 2019) In the next three years, as many as 120 million workers in the world’s 12 largest economies may need to be retrained or reskilled as a result of AI and intelligent automation; only 41% of CEOs surveyed say that they have the people, skills and resources required to execute their business strategies; the time it takes to close a skills gap through training has increased from 3 days on average in 2014 to 36 days in 2018 [IBM]

5. Cybercriminals Impersonate Chief Exec’s Voice with AI Software (Dark Reading, Sep 03 2019) Scammers leveraged artificial intelligence software to mimic the voice of a chief executive and successfully request $243,000.

6. Apple Disputes Google’s Claims of a Devastating iPhone Hack (VICE, Sep 06 2019) Apple says that Google oversold the nature of the hack and that it quickly fixed the vulnerability.

*Cloud Security, DevOps, AppSec*

7. Wikipedia fights off huge DDoS attack (Naked Security – Sophos, Sep 11 2019) Wikipedia has suffered what appears to be the most disruptive Distributed Denial of Service (DDoS) attack in recent memory.

8. Court Rules That ‘Scraping’ Public Website Data Isn’t Hacking (VICE, Sep 11 2019) The Ninth Circuit Court of Appeals shot down LinkedIn’s claim that a company that was using its public facing data was violating the Computer Fraud and Abuse Act.

9. Chrome bumps ineffective EV certificates off the omnibar (Naked Security – Sophos, Sep 10 2019) Ever notice a missing company name next to the URL address bar? Ever change behavior because of it? Likely not, so bye-bye, useless badge.

*Identity Mgt & Web Fraud*

10. DMVs Are Selling Your Data to Private Investigators (VICE, Sep 06 2019) You gave them your data in exchange for a driver’s license. DMVs are making tens of millions of dollars selling it, documents obtained by Motherboard show.

11. Google’s differential privacy library can now be used by anyone (Help Net Security, Sep 06 2019) Google has open-sourced a differential privacy library that helps power some of its core products. What is differential privacy? Differential privacy is a method for analyzing data contained in a database and providing helpful insight from it, without disclosing the actual information contained in the data to the analysts. It’s meant to keep sensitive information usable but thoroughly anonymized.

12. NY Payroll Company Vanishes With $35 Million (Krebs on Security, Sep 11 2019) “MyPayrollHR, a now defunct cloud-based payroll processing firm based in upstate New York, abruptly ceased operations this past week after stiffing employees at thousands of companies. The ongoing debacle, which allegedly involves malfeasance on the part of the payroll company’s CEO, resulted in countless people having money drained from their bank accounts and has left nearly $35 million worth of payroll and tax payments in legal limbo.”

*CISO View*

13. New NSA cyber lead says agency must share more info about digital threats (Washington Post, Sep 05 2019) The NSA is the U.S. government’s premier digital spying agency and it has a well-earned reputation for keeping secrets. But the agency needs to stop keeping so many things confidential and classified if it wants to protect the nation from cyberattacks.

14. #GartnerSEC: Maersk CISO Outlines Lessons Learned From NotPetya Attack (Infosecurity Magazine, Sep 10 2019) We were the collateral victim of a state-sponsored attack and look what it did, so if you are trying to build a company to stop 100% of state-sponsored weapons, forget it. If you adopt a strategy around that, you will fail.

15. On Cybersecurity Insurance (Schneier on Security, Sep 10 2019) Good paper on cybersecurity insurance: both the history and the promise for the future. From the conclusion: Policy makers have long held high hopes for cyber insurance as a tool for improving security. Unfortunately, the available evidence so far should give policymakers pause. Cyber insurance appears to be a weak form of governance at present.