The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. French Hotel Giant Leaks 1TB+ of Client Data (Infosecurity Magazine, Nov 22 2019)
Unsecured Elasticsearch database once again to blame

2. Web Skimmers Use Phishing Tactics to Steal Data (Infosecurity Magazine, Nov 25 2019)
“This skimmer is interesting because it looks like a phishing page copied from an official template for CommWeb, a payments acceptance service offered by Australia’s Commonwealth Bank,” he explained. “The attackers have crafted it specifically for an Australian store running the PrestaShop Content Management System (CMS), exploiting the fact that it accepts payments via the Commonwealth Bank.” The fake payments page even alerts users if any fields they fill in are invalid.

3. Cloudflare Open-Sources Network Vulnerability Scanner (SecurityWeek, Nov 22 2019)
Security and web performance services provider Cloudflare this week announced the open source availability of Flan Scan, its lightweight network vulnerability scanner.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

*AI, IoT, & Mobile Security*
4. Google Offering Up to $1.5 Million for Pixel Titan M Exploits (SecurityWeek, Nov 21 2019)
Google on Thursday announced that it’s expanding its Android bug bounty program, and certain types of exploits can now earn researchers up to $1.5 million.

5. Data breach compromises T-Mobile prepaid accounts (SC Magazine, Nov 22 2019)
Wireless communications company T-Mobile has disclosed a data breach incident that impacts certain customers with pre-paid service accounts. “Our cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account.

6. The U.S. is racking up tactical victories in Huawei fight (Washington Post, Nov 25 2019)
Only a handful of nations, meanwhile, have followed the U.S. push for a full Huawei ban, including Australia, New Zealand and Japan. Britain previously decided to limit Huawei contracts to the periphery of its 5G networks rather than core systems, but U.S. officials have argued that still gives the company far too much access.

*Cloud Security, DevOps, AppSec*
7. How to get started with security response automation on AWS (AWS Security Blog, Nov 26 2019)
Security response automation is a planned and programmed action taken to achieve a desired state for an application or resource based on a condition or event. When you implement security response automation, you should adopt an approach that draws from existing security frameworks. Frameworks are published materials which consist of standards, guidelines, and best practices in order to help organizations manage cybersecurity-related risk. Using frameworks helps you achieve consistency and scalability and enables you to focus more on the strategic aspects of your security program.

8. The Likely Reason Disney+ Accounts Are Getting ‘Hacked’ (Wired, Nov 20 2019)
Credential stuffing, where names and passwords leaked in previous breaches are reused, strikes again.

9. Developers worry about security, still half of teams lack an expert (Help Net Security, Nov 25 2019)
While nearly 75% of developers worry about the security of their applications and 85% rank security as very important in the coding and development process, nearly half of their teams lack a dedicated cybersecurity expert, according to WhiteHat Security.

*Identity Mgt & Web Fraud*
10. The CA DMV Is Making $50M a Year Selling Drivers’ Personal Info (Vice, Nov 25 2019)
A document obtained by Motherboard shows how DMVs sell people’s names, addresses, and other personal information to generate revenue.

11. NYPD fingerprint database touched by ransomware (SC Magazine, Nov 25 2019)
The New York City Police Department’s fingerprint database was hit with ransomware in October 2018, a local newspaper learned. The attack was brought in by a third-party vendor who was installing video equipment at the NYPD’s police academy when it connected its infected computer to the police network, according to the New York Post.

12. Healthcare Execs Charged in $1Bn Fraud Scheme (Infosecurity Magazine, Nov 27 2019)
According to the Department of Justice, the group sold pharmaceutical clients ad inventory that they didn’t have, and under-delivered on ad campaigns, before falsifying performance data and patient engagement metrics.

*CISO View*
13. Google Shares Data on State-Sponsored Hacking Attempts (SecurityWeek, Nov 27 2019)
Google’s Threat Analysis Group (TAG) this week shared some data on government-backed hacking and disinformation attempts targeting its customers.

14. Champagne, shotguns, and surveillance at spyware’s grand bazaar (MIT Technology Review, Nov 26 2019)
The world’s leading surveillance and spyware companies gathered in Paris to meet growing demand from governments around the world.

15. Five Years Later, Who Really Hacked Sony? (The Hollywood Reporter, Nov 27 2019)
The massive cyberattack just before Thanksgiving 2014 crippled a studio, embarrassed executives and reshaped Hollywood. The FBI blamed a North Korea scheme to retaliate for the comedy ‘The Interview,’ but many whose lives were upended have doubts. Says Seth Rogen: “The fact that [co-director Evan Goldberg and I] were never really specifically targeted always raised suspicions in my head.”