The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Iranian Hackers Targeted Presidential Campaign, Microsoft Says (The New York Times, Oct 04 2019)
Microsoft said in a security report Friday that journalists and other government officials were also targeted. It did not name the campaign.

2. Casbaneiro: Dangerous cooking with a secret ingredient (WeLiveSecurity, Oct 03 2019)
Número dois in our series demystifying Latin American banking trojans

3. New Research into Russian Malware (Schneier on Security, Oct 02 2019)
“There’s some interesting new research about Russian APT malware: The Russian government has fostered competition among the three agencies, which operate independently from one another, and compete for funds. This, in turn, has resulted in each group developing and hoarding its tools, rather than sharing toolkits with their counterparts, a common sight among Chinese and North Korean state-sponsored hackers.”


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



*AI, IoT, & Mobile Security*
4. Decades-Old Code Is Putting Millions of Critical Devices at Risk (Wired, Oct 01 2019)
Nearly two decades ago, a company called Interpeak created a network protocol that became an industry standard. It also had severe bugs that are only now coming to light.

5. New Unpatchable iPhone Exploit Allows Jailbreaking (Schneier on Security, Oct 08 2019)
- Checkm8 requires physical access to the phone. It can’t be remotely executed, even if combined with other exploits.
- The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.
- Checkm8 doesn’t bypass the protections offered by the Secure Enclave and Touch ID.
- All of the above means people will be able to use Checkm8 to install malware only under very limited circumstances. The above also means that Checkm8 is unlikely to make it easier for people who find, steal or confiscate a vulnerable iPhone, but don’t have the unlock PIN, to access the data stored on it.
- Checkm8 is going to benefit researchers, hobbyists, and hackers by providing a way not seen in almost a decade to access the lowest levels of iDevices.

6. Inside New York City’s Partnership With Israeli iPhone Hacking Company Cellebrite (Medium, Oct 08 2019)
Documents reveal the Manhattan DA subscribes to a program that lets authorities break into iPhones in-house

*Cloud Security, DevOps, AppSec*
7. macOS Catalina: Security and privacy improvements (Help Net Security, Oct 08 2019)
First things first: starting with Catalina, the system runs on its own dedicated, read-only APFS volume and – Apple claims – “nothing can accidentally overwrite critical operating system files.” Another big change that starts with Catalina is the deprecation of kernel extensions (“kexts”).

8. Global Study Finds Orgs Are Failing to Protect Data in the Cloud (Infosecurity Magazine, Oct 08 2019)
Just 32% of orgs think securing data in the cloud is their own responsibility

9. Google Cloud Worth $225 Billion, Deutsche Bank Says (IT Pro, Oct 03 2019)
The value ascribed by Deutsche Bank to Google Cloud is nearly twice the market value of IBM.

*Identity Mgt & Web Fraud*
10. Twitter Took Phone Numbers for Security and Used Them for Advertising (VICE, Oct 08 2019)
This could make people think twice about using a phone number to secure their account at all.

11. 2019 Global Password Security Report (LastPass, Oct 08 2019)
57% of businesses globally are using multifactor authentication, compared to 45% last year.
13x is how often an employee reuses a password, on average.
23% of employees access their password vault on a smartphone.

12. FBI’s Use of Surveillance Database Violated Americans’ Privacy Rights, Court Found (WSJ, Oct 09 2019)
Some of the FBI’s electronic surveillance activities violated the constitutional privacy rights of Americans swept up in a controversial foreign intelligence program, a surveillance court has ruled.

*CISO View*
13. The Same Old Encryption Debate Has a New Target: Facebook (Wired, Oct 03 2019)
Attorney general William Barr seems eager to reignite the encryption wars, starting with the social media giant.

14. Russian Secret Weapon Against U.S. 2020 Election Revealed In New Cyberwarfare Report (Forbes, Oct 08 2019)
A terrifying new report maps out Russia’s full cyberwarfare ecosystem, an attack structure designed to be “almost impossible” to defend against.

15. Credit Info Exposed in TransUnion Data Security Incident (BleepingComputer, Oct 10 2019)
Using a credential stuffing attack, an unauthorized person was able to gain access to a TransUnion Canada web portal and use it to pull consumer credit files.