The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. German Cops Raid “Cyberbunker 2.0,” Arrest 7 in Child Porn, Dark Web Market Sting (Krebs on Security, Sep 28 2019)
“German authorities said Friday they’d arrested seven people and were investigating six more in connection with the raid of a Dark Web hosting operation that allegedly supported multiple child porn, cybercrime and drug markets with hundreds of servers buried inside a heavily fortified military bunker. Incredibly, for at least two of the men accused in the scheme, this was their second bunker-based hosting business that was raided by cops and shut down for courting and supporting illegal activity online.”
2. On Chinese “Spy Trains” (Schneier on Security, Sep 26 2019)
“Part of the reasoning behind this legislation is economic, and stems from worries about Chinese industries undercutting the competition and dominating key global industries. But another part involves fears about national security. News articles talk about “spy trains,” and the possibility that the train cars might surreptitiously monitor their passengers’ faces, movements, conversations or phone calls.”
3. Cybercriminals plan to make L7 routers serve card stealing code (Help Net Security, Sep 26 2019)
One of the Magecart cybercriminal groups is testing a new method for grabbing users’ credit card info: malicious skimming code that can be loaded into files used by L7 routers. L7 routers are commercial grade routers, typically used by airports, hotels, casinos, malls and similar establishments and organizations, to deliver wireless connectivity to a great number of users.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Why Checkm8 iDevice jailbreak exploit is a game changer (Ars Technica, Sep 28 2019)
Unpatchable vulnerability is a game-changer that even Apple will be unable to stop.
5. Researchers Think They Know How Many Phones Are Vulnerable to ‘SIMjacker’ Attacks (VICE, Sep 27 2019)
They also created a tool to determine whether your phone’s SIM card is vulnerable.
6. Legit-Looking iPhone Lightning Cables That Hack You Will Be Mass Produced and Sold (VICE, Sep 30 2019)
Their creation has been successfully fully outsourced to a factory, the security researcher behind the cables said.
*Cloud Security, DevOps, AppSec*
7. Cisco Webex & Zoom Bug Lets Attackers Spy on Conference Calls (Dark Reading, Oct 01 2019)
The “Prying-Eye” vulnerability could let intruders scan for unprotected meeting IDs and snoop on conference calls.
8. 60% of Major US Firms Have Been Hacked in Cloud: Study (SecurityWeek, Sep 25 2019)
Hackers have penetrated cloud computing networks of some 60 percent of top US companies, with virtually all industry sectors hit, security researchers said Tuesday.
9. Cloud Attacks Prove Effective Across Industries in the First Half of 2019 (Proofpoint, Oct 01 2019)
In a study encompassing the first half of 2019, Proofpoint researchers analyzed data from more than one thousand cloud service tenants with over 20 million user accounts.
*Identity Mgt & Web Fraud*
10. Government to Begin DNA Testing on Detained Immigrants (New York Times, Oct 03 2019)
The Department of Homeland Security said it would begin testing on hundreds of thousands of immigrants in federal detention facilities.
11. Disinformation campaigns cheap and easy to launch: Recorded Future (SC Magazine, Sep 30 2019)
Researchers conducted an experiment to see what it would take for malicious actors to either boost a company’s online stature or tear it down and found both could be accomplished in about 30 days and cost just a few thousand dollars.
12. MyPayrollHR CEO Arrested, Admits to $70M Fraud (Krebs on Security, Sep 27 2019)
“Earlier this month, employees at more than 1,000 companies saw one or two paychecks’ worth of funds deducted from their bank accounts after the CEO of their cloud payroll provider absconded with $35 million in payroll and tax deposits from customers. On Monday, the CEO was arrested and allegedly confessed that the diversion was the last desperate gasp of a financial shell game that earned him $70 million over several years.”
13. NSA on the Future of National Cybersecurity (Schneier on Security, Oct 01 2019)
Glenn Gerstell, the General Counsel of the NSA, wrote a long and interesting op-ed for the New York Times where he outlined a long list of cyber risks facing the US.
14. China’s New Cybersecurity Program: NO Place to Hide (China Law Blog, Sep 30 2019)
This system will apply to foreign-owned companies in China on the same basis as to all Chinese persons, entities or individuals. No information contained on any server located within China will be exempted from this full coverage program. No communication from or to China will be exempted. There will be no secrets. No VPNs. No private or encrypted messages. No anonymous online accounts. No trade secrets. No confidential data. Any and all data will be available and open to the Chinese government.
15. 38% of the Fortune 500 do not have a CISO (Help Net Security, Oct 01 2019)
38% of the 2019 Fortune 500 do not have a chief information security officer (CISO).
Of this 38%, only 16% have another executive that is listed as responsible for cybersecurity strategy, such as a vice president of security.
Of the 62% that do have a CISO, only 4% have them listed on their company leadership pages.