The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. SQL Injection Errors No Longer the Top Software Security Issue (Dark Reading, Nov 27 2019)
In the newly updated Common Weakness Enumeration (CWE) ranking, SQL injection now places sixth.
[1] CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
[2] CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
[3] CWE-20 Improper Input Validation
[4] CWE-200 Information Exposure
[5] CWE-125 Out-of-bounds Read
[6] CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

2. Exploit kits are slowly migrating toward fileless attacks (ZDNet, Nov 27 2019)
Three out of the nine exploit kits active today are using fileless attacks to infect victims.

3. A decade of hacking: The most notable cyber-security events of the 2010s (ZDNet, Dec 02 2019)
ZDNet takes a look over the most important data breaches, cyber-attacks, and malware strains of the last decade.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



*AI, IoT, & Mobile Security*
4. World-first mobile phone detection cameras rolled out in Australia (the Guardian, Dec 03 2019)
New South Wales hopes to cut fatalities on the state’s roads by a third with devices that operate day and night in all weather.

5. Millions of SMS messages exposed in database security lapse (TechCrunch, Dec 02 2019)
The database is run by TrueDialog, a business SMS provider for businesses and higher education providers, which lets companies, colleges, and universities send bulk text messages to their customers and students. The Austin, Texas-based company says one of the advantages to its service is that recipients can also text back, allowing them to have two-way conversations with brands or businesses.

6. Crooks are exploiting unpatched Android flaw to drain users’ bank accounts (Help Net Security, Dec 03 2019)
Hackers are actively exploiting StrandHogg, a newly revealed Android vulnerability, to steal users’ mobile banking credentials and empty their accounts, a Norwegian app security company has warned. “Promon identified the StrandHogg vulnerability after it was informed by an Eastern European security company for the financial sector (to which Promon supplies app security support) that several banks in the Czech Republic had reported money disappearing from customer accounts.”

*Cloud Security, DevOps, AppSec*
7. HackerOne breach lets outsider read customers’ bug reports (Ars Technica, Dec 04 2019)
Company security analyst sent session cookie allowing account take-over.

8. The Next Evolution in AWS Single Sign-On (AWS News Blog, Nov 27 2019)
“Today we announced the next evolution of AWS Single Sign-On, enabling enterprises that use Azure AD to leverage their existing identity store with AWS Single Sign-On. Additionally, automatic synchronization of user identities, and groups, from Azure AD is also supported. Users can now sign into the multiple accounts and applications that make up their AWS environments using their existing Azure AD identity – no need to remember additional usernames and passwords – and they will use the sign-in experience they are familiar with.”

9. Understanding and Selecting RASP 2019: New Paper (Securosis Blog, Nov 19 2019)
“2019 updated research paper from our recent series, Understanding and Selecting RASP (Runtime Application Self-Protection). RASP was part of the discussion on application security in just about every one of the hundreds of calls we have taken, and it’s clear that there is a lot of interest – and confusion – on the subject, so it was time to publish a new take on this category.”

*Identity Mgt & Web Fraud*
10. China introduces mandatory face scans for phone users (Yahoo News, Dec 01 2019)
China will require telecom operators to collect face scans when registering new phone users at offline outlets starting Sunday, according to the country’s information technology authority, as Beijing continues to tighten cyberspace controls.

11. Pressure mounts for federal privacy law with second bill (Naked Security – Sophos, Nov 29 2019)
Pressure is gathering for a federal privacy law in the US with the introduction of a second bill that would protect consumer data.

12. Twitter Promises Increased Transparency With New Privacy Center (SecurityWeek, Dec 03 2019)
Twitter this week announced the launch of a privacy center whose goal is to provide increased transparency on how the social platform handles user information.

*CISO View*
13. U.S. Targets Russian ‘Evil Corp’ Hacker Group With Sanctions, Indictments (WSJ, Dec 06 2019)
The Trump administration placed a $5 million bounty on the leader of a Russian hacker group called Evil Corp for his alleged work for Moscow’s intelligence agency, part of what U.S. officials say is a broader reprisal for a Kremlin-directed cyber offensive against the U.S.

14. The fall and rise of a spyware empire (MIT Technology Review, Dec 02 2019)
Human rights abuse and a decimated reputation killed Hacking Team. The new owners want to rebuild.

15. 2020 U.S. census plagued by hacking threats, cost overruns (Reuters, Dec 05 2019)
The Pega-built website was hacked from IP addresses in Russia during 2018 testing of census systems, according to two security sources with direct knowledge of the incident. One of the sources said an intruder bypassed a “firewall” and accessed parts of the system that should have been restricted to census developers.