The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Avast breached by hackers who wanted to compromise CCleaner again (Help Net Security, Oct 21 2019)
Czech security software maker Avast has suffered another malicious intrusion into their networks, but the attackers didn’t accomplish what they apparently wanted: compromise releases of the popular CCleaner utility.
2. NordVPN confirms it was hacked (TechCrunch, Oct 21 2019)
NordVPN told TechCrunch that one of its data centers was accessed in March 2018. “One of the data centers in Finland we are renting our servers from was accessed with no authorization,” said NordVPN spokesperson Laura Tyrell. The attacker gained access to the server, which had been active for about a month, by exploiting an insecure remote management system left in place by the data center provider; NordVPN said it had been unaware that such a system existed.
3. Connecting the dots: Exposing the arsenal and methods of the Winnti Group (WeLiveSecurity, Oct 21 2019)
ESET researchers describe updates to the malware arsenal and campaigns of the Winnti Group known for its supply-chain attacks.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. About that “Any fingerprint can unlock your Galaxy S10” report (Graham Cluley, Oct 17 2019)
Ultrasonic fingerprint sensors send an ultrasonic pulse against the finger pressed on the phone and read the “sound print” formed by how that pulse bounces back from the ridges of your finger. Such sensors can have problems with some screen protectors: they may register the sound bounced back off the screen protector rather than off the ridges of the actual fingerprint. Enrolling your fingerprint through the wrong type of screen protector can, in the worst cases, be little better than trying to read a fingerprint through rubber gloves, and it is this mis-enrolment that the “any fingerprint can unlock the phone” report is about.
5. Alexa and Google Home abused to eavesdrop and phish passwords (Ars Technica, Oct 20 2019)
Amazon- and Google-approved apps turned both voice-controlled devices into “smart spies.”
6. Using Machine Learning to Detect IP Hijacking (Schneier on Security, Oct 17 2019)
To better pinpoint serial attacks, the group first pulled data from several years’ worth of network operator mailing lists, as well as historical BGP data taken every five minutes from the global routing table. From that, they observed particular qualities of malicious actors and then trained a machine-learning model to automatically identify such behaviors.
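The excerpt above gives only the outline of the method (compare announcements against what operators say the legitimate origin is, then look for origins that do this repeatedly). The block below is an added example, not code from the MIT group, Schneier, or any project named here: it detects exact-prefix and more-specific origin hijacks in constructed BGP snapshots against a constructed expected-origin table, extracts per-origin features (event count, distinct victims, distinct snapshots), and replaces the trained classifier with two fixed thresholds, which is an assumption made here for illustration.

```python
"""Flag BGP origin hijacks and profile which origins hijack repeatedly.

Simplified stand-in for the approach described above: the feature
extraction is real, the trained model is replaced by fixed thresholds
(an assumption for this example). All data below is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed expected-origin table (stands in for IRR/RPKI-derived data).
EXPECTED_ORIGIN = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
    "192.0.2.0/24": 64502,
}

# Constructed routing-table snapshots: (snapshot time, prefix, origin AS).
SNAPSHOTS = [
    ("2019-10-01T00:00", "203.0.113.0/24", 64500),   # legitimate
    ("2019-10-01T00:00", "198.51.100.0/24", 64501),  # legitimate
    ("2019-10-01T00:00", "203.0.113.0/25", 64666),   # more-specific hijack
    ("2019-10-02T00:00", "198.51.100.0/24", 64666),  # exact-prefix hijack
    ("2019-10-02T00:00", "192.0.2.0/24", 64502),     # legitimate
    ("2019-10-03T00:00", "192.0.2.0/24", 64777),     # one-off hijack
    ("2019-10-03T00:00", "203.0.113.0/24", 64500),   # legitimate
    ("2019-10-03T00:00", "10.0.0.0/8", 64888),       # no expectation: ignored
]


def covering_prefix(prefix, expected):
    """Return the most specific expected prefix containing `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for cand in expected:
        cnet = ipaddress.ip_network(cand)
        if net.version == cnet.version and net.subnet_of(cnet):
            if best is None or cnet.prefixlen > best.prefixlen:
                best = cnet
    return str(best) if best is not None else None


def find_hijacks(snapshots, expected):
    """Announcements whose origin differs from the expected origin of the
    covering prefix. Catches exact-prefix and more-specific hijacks."""
    hijacks = []
    for ts, prefix, origin in snapshots:
        victim_prefix = covering_prefix(prefix, expected)
        if victim_prefix is None:
            continue  # nothing to compare against
        victim_as = expected[victim_prefix]
        if origin != victim_as:
            hijacks.append({"ts": ts, "prefix": prefix, "origin": origin,
                            "victim_prefix": victim_prefix,
                            "victim_as": victim_as})
    return hijacks


def profile_origins(hijacks):
    """Per-origin features: event count, distinct victims, distinct snapshots."""
    prof = defaultdict(lambda: {"events": 0, "victims": set(), "snapshots": set()})
    for h in hijacks:
        p = prof[h["origin"]]
        p["events"] += 1
        p["victims"].add(h["victim_as"])
        p["snapshots"].add(h["ts"])
    return dict(prof)


def serial_suspects(profile, min_victims=2, min_snapshots=2):
    """Fixed thresholds stand in for the trained model (assumption): an origin
    that hit several victims across several snapshots is 'serial'."""
    return sorted(asn for asn, p in profile.items()
                  if len(p["victims"]) >= min_victims
                  and len(p["snapshots"]) >= min_snapshots)


if __name__ == "__main__":
    found = find_hijacks(SNAPSHOTS, EXPECTED_ORIGIN)
    for h in found:
        print(f"{h['ts']} AS{h['origin']} announced {h['prefix']} "
              f"(expected AS{h['victim_as']} for {h['victim_prefix']})")
    print("serial suspects:", serial_suspects(profile_origins(found)))
```

The one-off hijacker (AS64777) is reported as an event but not as a serial suspect; the point of the profiling step is exactly that separation, since a single origin mismatch is often a typo or a legitimate ownership change rather than an attack.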
*Cloud Security, DevOps, AppSec*
7. Microsoft Launches ElectionGuard Bug Bounty Program (SecurityWeek, Oct 22 2019)
Microsoft last week announced the launch of a new bug bounty program covering the ElectionGuard open source software development kit (SDK).
8. Autoclerk Database Spills 179GB of Customer, US Government Data (Dark Reading, Oct 22 2019)
An open Elasticsearch database exposed hundreds of thousands of hotel booking reservations, compromising data from full names to room numbers.
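The blurb names the failure mode (an Elasticsearch instance reachable without authentication) but not what the misconfiguration looks like. The block below is an added example, not code from Autoclerk, Dark Reading, or Elastic: it audits two constructed elasticsearch.yml fragments, the exposed shape beside the corrected one, using a deliberately minimal flat key/value parser (an assumption: no nested YAML in the file). It treats security as off unless explicitly enabled, matching the 7.x default in effect in 2019.

```python
"""Audit an elasticsearch.yml for the 'open database' pattern: HTTP API bound
to a non-loopback interface with authentication off.

Both configs are constructed. The parser handles flat 'key: value' lines
only (assumption), which is how these settings are usually written.
"""

CONSTRUCTED_OPEN = """\
# constructed: the exposed shape
cluster.name: bookings
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

CONSTRUCTED_HARDENED = """\
# constructed: the corrected shape
cluster.name: bookings
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that keep the node on the local host only.
LOOPBACK = {"_local_", "127.0.0.1", "::1", "localhost"}


def parse_flat_config(text):
    """Parse flat 'key: value' lines; comments and blank lines are ignored.
    Not a YAML parser (assumption: no nesting or lists in the file)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip().strip('"').strip("'")
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means no exposure detected."""
    findings = []
    # Elasticsearch binds to loopback when network.host is unset.
    host = cfg.get("network.host", "_local_")
    exposed = host not in LOOPBACK
    # Security is off unless explicitly enabled (7.x default; 8.x flipped it).
    security_on = cfg.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = cfg.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    port = cfg.get("http.port", "9200")
    if exposed and not security_on:
        findings.append(f"HTTP API on {host}:{port} reachable without authentication")
    if exposed and security_on and not tls_on:
        findings.append("authentication enabled but HTTP API served without TLS: "
                        "credentials sent in clear")
    return findings


if __name__ == "__main__":
    for label, text in (("open", CONSTRUCTED_OPEN), ("hardened", CONSTRUCTED_HARDENED)):
        print(label, audit(parse_flat_config(text)) or "no findings")
```

The check only reads the node's own configuration; a node that is correctly bound to loopback can still be exposed by a reverse proxy or a cloud security group in front of it, so this belongs alongside, not instead of, an external port scan.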
9. Top cloud security controls you should be using (CSO Online Cloud Security, Oct 21 2019)
Here’s a look at why misconfiguration continues to be a common challenge with cloud services, followed by seven cloud security controls you should be using to minimize the risks.
*Identity Mgt & Web Fraud*
10. Best Phishing Tactic Is to Make You Think You’ve Been Hacked (Infosec. Mag., Oct 21 2019)
Study finds email subject lines referencing online security are the most clicked on
11. In a First, FTC Bans Company From Selling ‘Stalkerware’ (VICE, Oct 22 2019)
The FTC’s move comes after Motherboard revealed a hacker had repeatedly breached Retina-X and gained access to sensitive user data.
12. Under digital surveillance: how American schools spy on millions of kids (the Guardian, Oct 22 2019)
Fueled by fears of school shootings, the market has grown rapidly for technologies that monitor students through official school emails and chats
13. Court doc: Equifax allegedly used insecure password ‘admin’ to protect portal (SC Magazine, Oct 21 2019)
Failing to patch a critical vulnerability in its Apache Struts software was not the only major security oversight Equifax committed in the lead-up to its highly damaging 2017 data breach, according to a document filed as part of a securities fraud class-action lawsuit brought earlier this year.
14. AWS Left Reeling After Eight-Hour DDoS (Infosecurity Magazine, Oct 24 2019)
US East Coast region particularly badly affected
15. Girl Scouts of USA Launch First National Cybersecurity Challenge (Infosecurity Magazine, Oct 18 2019)
Over 3,000 girls will take on America’s first Girl Scouts National Cyber Challenge