15 Bullet Friday – The Best Security News of the Week – 2019.09.27

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. CookieMiner malware targets Macs, steals passwords and SMS messages, mines for cryptocurrency (Graham Cluley, Sep 18 2019)
The macOS-based malware can steal browser cookies from users’ Google Chrome and Apple Safari browsers. Specifically, cookies associated with the following cryptocurrency exchanges…The cookies are grabbed from the infected user’s browser, zipped up and then uploaded to a remote server under the control of the criminals.

2. Hotel websites infected with skimmer via supply chain attack (SC Magazine, Sep 18 2019)
A Magecart card-skimming campaign this month sabotaged the mobile websites of two hotel chains by executing a supply chain attack on a third-party partner, researchers have reported. The third party in both instances was Roomleader, a Barcelona-based provider of digital marketing and web development services. One of the ways Roomleader helps hospitality companies build out their online booking functionality is through a library module called “viewedHotels,” which saves viewed hotel information in visitors’ browser cookies.

3. WeWork’s Wi-Fi Exposed Files, Credentials, Emails (Dark Reading, Sep 20 2019)
For years, sensitive documents and corporate data have been easily viewable on the coworking space’s open network.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

*AI, IoT, & Mobile Security*
4. What security and privacy enhancements has iOS 13 brought? (Help Net Security, Sep 23 2019)
With the release of iPhone 11 and its two Pro variants, Apple has released iOS 13, a substantial functional update of its popular mobile operating system. But while many users are happy to finally get a complete Dark Mode for the device or a better phone camera, some are more interested in security and privacy enhancements.

5. Verizon Makes SIM Swapping Hard. Why Doesn’t AT&T, Sprint, and T-Mobile? (VICE, Sep 19 2019)
Verizon employs different security procedures when porting a phone number to a different SIM card than the other carriers. This is making SIM swapping attacks harder to perform against Verizon customers.

6. Huawei Suspended From Global Forum Aimed at Combating Cybersecurity Breaches (WSJ, Sep 18 2019)
A group formed to respond quickly to hacks and other cyber threats has temporarily expelled the Chinese company after legal advice

*Cloud Security, DevOps, AppSec*
7. DevSecOps: Recreating Cybersecurity Culture (Dark Reading, Sep 18 2019)
Bringing developers and security teams together guided by a common goal requires some risk-taking. With patience and confidence, it will pay off. Here’s how.

8. How data breaches forced Amazon to update S3 bucket security (Help Net Security, Sep 23 2019)
Amazon launched its Simple Storage Service (better known as S3) back in 2006 as a platform for storing just about any type of data under the sun…Amazon took this issue head on in November 2018, when they added an option to block all public access globally to every S3 bucket in an account.

9. Older vulnerabilities and those with lower severity scores still being exploited by ransomware (Help Net Security, Sep 25 2019)
Almost 65% of top vulnerabilities used in enterprise ransomware attacks targeted high-value assets like servers, close to 55% had CVSS v2 scores lower than 8, nearly 35% were old (from 2015 or earlier), and the vulnerabilities used in WannaCry are still being used today, according to RiskSense.

*Identity Mgt & Web Fraud*
10. Russian national confesses to biggest bank hack in US history (Ars Technica, Sep 23 2019)
In all, defendant stole more than 100 million records, prosecutors say.

11. Google Wins EU Fight Against Worldwide ‘Right to be Forgotten’ (SecurityWeek, Sep 24 2019)
Google is not required to apply an EU “right to be forgotten” to its search engine domains outside Europe, the EU’s top court ruled Tuesday in a landmark decision.

12. Millions of YouTube accounts hijacked through phishing and compromised 2FA (SC Magazine, Sep 24 2019)
Cybersecurity executives blamed YouTube’s continued use of multifactor authentication and relying on user credentials instead of more advanced forms of authentication as the reasons behind why millions of accounts were hijacked over the last few days.

*CISO View*
13. How The U.S. Hacked ISIS (NPR, Sep 26 2019)
In 2016, the U.S. launched a classified military cyberattack against ISIS to bring down its media operation. NPR interviewed nearly a dozen people who lived it.

14. Women in Cybersecurity: Where We Are and Where We’re Going (Scientific American, Sep 23 2019)
Here’s how to bring gender equality to a thoroughly male-dominated field

15. How Google Changed the Secretive Market for the Most Dangerous Hacks in the World (VICE, Sep 23 2019)
For five years, Google has funded Project Zero, a team of hackers with the sole mission of finding bugs in whatever software they wanted to research, be it Google’s or somebody else’s. Are they making the internet safer?
