The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. As Phishing Kits Evolve, Their Lifespans Shorten (Dark Reading, Oct 30 2019)
Most phishing kits last less than 20 days, a sign defenders are keeping up in the race against cybercrime.
2. The First BlueKeep Mass Hacking Is Finally Here—but Don’t Panic (Wired, Nov 02 2019)
After months of warnings, the first successful attack using Microsoft’s BlueKeep vulnerability has arrived—but isn’t nearly as bad as it could have been.
3. US grounds Chinese-made drones as part of security review (Naked Security – Sophos, Nov 04 2019)
The exception: drones being used in emergencies, such as fighting wildfires, search and rescue, and dealing with natural disasters.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Pentagon publishes AI guidelines (Naked Security – Sophos, Nov 04 2019)
Called AI Principles: Recommendations on the Ethical Use of Artificial Intelligence by the Department of Defense, the missive is an attempt to lay out ground rules for the use of AI early on, giving the military a framework on which to build its AI systems. Frameworks like these are important for the safe rollout of new technologies, it points out, citing civil engineering and nuclear-powered vessels as examples.
5. Hackers Can Use Lasers to ‘Speak’ to Your Amazon Echo or Google Home (Wired, Nov 04 2019)
By sending laser-powered “light commands” to a smart assistant, researchers could force it to unlock cars, open garage doors, and more.
6. MESSAGETAP: Who’s Reading Your Text Messages? (Fire Eye, Oct 31 2019)
Named MESSAGETAP, the tool was deployed by APT41 in a telecommunications network provider in support of Chinese espionage efforts. APT41’s operations have included state-sponsored cyber espionage missions as well as financially-motivated intrusions.
*Cloud Security, DevOps, AppSec*
7. Google Launches OpenTitan Project to Open Source Chip Security (Dark Reading, Nov 05 2019)
OpenTitan is an open source collaboration among Google and technology companies to strengthen root-of-trust chip design.
8. Microsoft Unveils New Security Tools for Azure (SecurityWeek, Nov 04 2019)
…at its Ignite 2019 conference, Microsoft announced a series of tools to expand the security capabilities of its Azure and Microsoft 365 platforms.
9. AWS re:Invent 2019 security guide: sessions, workshops, and chalk talks (AWS Security Blog, Nov 01 2019)
With re:Invent 2019 just weeks away, the excitement is building and we’re looking forward to seeing you all soon! If you’re attending re:Invent with the goal of improving your organization’s cloud security operations, here are some highlights from the re:Invent 2019 session catalog. Reserved seating is now open, so get your seats in advance for your favorite sessions.
*Identity Mgt & Web Fraud*
10. California DMV Leak Spills Data from Thousands of Drivers (Dark Reading, Nov 06 2019)
Federal agencies reportedly had improper access to Social Security data belonging to 3,200 license holders.
11. Accounting Scams Continue to Bilk Businesses (Dark Reading, Nov 06 2019)
Yes, ransomware is plaguing businesses and government organizations, but impersonators inserting themselves into financial workflows – most often via e-mail – continue to enable big paydays.
12. Details of an Airbnb Fraud (Schneier on Security, Nov 06 2019)
“This is a fascinating article about a bait-and-switch Airbnb fraud. The article focuses on one particular group of scammers and how they operate, using the fact that Airbnb as a company doesn’t do much to combat fraud on its platform. But I am more interested in how the fraudsters essentially hacked the complex sociotechnical system that is Airbnb. The whole article is worth reading.”
13. A Military Camera Said ‘Made in U.S.A.’ The Screen Was in Chinese. (The New York Times, Nov 07 2019)
The surveillance equipment was actually manufactured in China, raising concerns that Beijing could have used it for spying, prosecutors said.
14. Tipped off by an NSA breach, researchers discover new APT hacking group (Ars Technica, Nov 05 2019)
With a tip that came from one of the biggest breaches in US National Security Agency history, researchers have discovered a new hacking group that infected targets with a previously unknown piece of advanced malware. Dubbed DarkUniverse, the group is probably tied to ItaDuke, a group that has actively targeted Uyghur and Tibetans since 2013.
15. A Cybersecurity Firm’s Sharp Rise and Stunning Collapse (The New Yorker, Nov 05 2019)
Tiversa dominated an emerging online market—before it was accused of fraud, extortion, and manipulating the federal government.