The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Attackers exploit an iTunes zeroday to install ransomware (Ars Technica, Oct 10 2019)
Apple patches actively exploited flaw that let ransomware crooks evade AV protection.
2. McAfee, IBM join forces for global open source cybersecurity initiative (Tech Republic, Oct 10 2019)
IBM, McAfee and international consortium OASIS are coming together to offer the world a way to develop open source security technologies.
3. FBI: Phishing Can Defeat Two-Factor Authentication (Dark Reading, Oct 11 2019)
A recent Privacy Industry Notification points to two new hacker tools that can turn a victim’s browser into a credential-stealing zombie.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. A hacker’s paradise? 5G and cyber security (Financial Times, Oct 14 2019)
The problem is unlikely to be the security of 5G technology itself. Despite researchers uncovering apparent flaws in 5G’s security — such as the ability for attackers to use fake mobile base stations to steal information — 5G’s stronger encryption of data and better verification of network users are widely considered to be a significant improvement on 4G. Experts say that the weak link in 5G’s security is likely to be communication between devices connected to the internet…These devices, known as the Internet of Things (IoT)…
5. Activists’ phones targeted by one of the world’s most advanced spyware apps (Ars Technica, Oct 12 2019)
“Pegasus,” developed by Israel-based NSO Group, stalks 2 Moroccan, researchers say.
6. EU warns of cyber‑risks as 5G looms (WeLiveSecurity, Oct 11 2019)
What are the scenarios that may prove to be challenging to manage in the 5G world?
*Cloud Security, DevOps, AppSec*
7. Stolen Cloud API Key to Blame for Imperva Breach (Infosecurity Magazine, Oct 14 2019)
A security breach which led to the compromise of customer data at Imperva was caused by a stolen API key for one of its Amazon Web Services (AWS) accounts, the firm has revealed. The firm was notified of the incident, which affected a subset of its Cloud WAF customers, by a third party at the end August.
8. Stay in control of your security with new product enhancements in Google Cloud (Google Cloud Blog, Oct 16 2019)
“we’re excited to announce the beta of Security Health Analytics, a security product that integrates into Cloud Security Command Center (Cloud SCC). Security Health Analytics helps you identify misconfigurations and compliance violations in your Google Cloud Platform (GCP) resources and take action.”
9. Facebook Sweetens Deal for Hackers to Catch Security Bugs (Wired, Oct 15 2019)
The company is turbocharging its bug bounty to try to stop the next data leak before it happens.
*Identity Mgt & Web Fraud*
10. Wi-Fi Hotspot Tracking – Schneier on Security (Schneier on Security, Oct 15 2019)
Free Wi-Fi hotspots can track your location, even if you don’t connect to them. This is because your phone or computer broadcasts a unique MAC address.
11. Student tracking, secret scores: How college admissions offices rank prospects before they apply (Washington Post, Oct 15 2019)
Before many schools even look at an application, they comb through prospective students’ personal data, such as web-browsing habits and financial history
12. Best practices for password management, 2019 edition (Google Cloud Blog, Oct 10 2019)
Two new whitepapers to help you navigate password security:
– Modern password security for users provides pragmatic and human-centric advice for end users to help improve your authentication security habits.
– Modern password security for system designers is the first paper’s technical counterpart, outlining the latest advice on password interfaces and data handling.
13. U.S. carried out secret cyber strike on Iran in wake of Saudi oil attack: officials (Reuters, Oct 16 2019)
The United States carried out a secret cyber operation against Iran in the wake of the Sept. 14 attacks on Saudi Arabia’s oil facilities, which Washington and Riyadh blame on Tehran, two U.S. officials have told Reuters.
14. Inside Olympic Destroyer, the Most Deceptive Hack in History (Wired, Oct 18 2019)
The untold story of how digital detectives unraveled the mystery of Olympic Destroyer—and why the next big cyberattack will be even harder to crack.
15. Buyout firm Thoma Bravo adds Sophos to cybersecurity chest in $3.8 billion deal (Reuters, Oct 14 2019)
U.S. private equity firm Thoma Bravo is adding Sophos Group (SOPH.L) to its cybersecurity stable, announcing on Monday a buyout deal that values the British maker of antivirus and encryption products at about $3.8 billion.