15 Bullet Friday – The Best Security News of the Week – 2019.12.13

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Vulnerabilities Discovered in VPN Used by NASA, Shell, and BT (Infosecurity Magazine, Dec 06 2019)
Weaknesses in the Aviatrix VPN were detected by Immersive Labs researcher and content engineer Alex Seymour on October 7, 2019. The multiple local privilege escalation vulnerabilities Seymour discovered would have allowed an attacker who already had access to a machine to escalate privileges and achieve anything they wanted. With the extra level of privileges, the attacker would have been able to dive into files, folders, and network services that the user would not previously have been able to access.

2. Prevent credential stuffing and account takeover attacks with these expert tips (Help Net Security, Dec 03 2019)
Use multi-factor authentication
Rate limit authentication requests
Flag unrecognized devices
Alert customers about new logins

3. Ransomware at Colorado IT Provider Affects 100+ Dental Offices (Krebs on Security, Dec 07 2019)
“A Colorado company that specializes in providing IT services to dental offices suffered a ransomware attack that is disrupting operations for more than 100 dentistry practices, KrebsOnSecurity has learned.”


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share on Twitter Facebook LinkedIn


*AI, IoT, & Mobile Security*
4. The iPhone 11 Pro’s Location Data Puzzler (Krebs on Security, Dec 03 2019)
“One of the more curious behaviors of Apple’s new iPhone 11 Pro is that it intermittently seeks the user’s location information even when all applications and system services on the phone are individually set to never request this data. Apple says this is by design, but that response seems at odds with the company’s own privacy policy.”

5. Apple Explains Mysterious iPhone 11 Location Requests (Krebs on Security, Dec 05 2019)
“KrebsOnSecurity ran a story this week that puzzled over Apple‘s response to inquiries about a potential privacy leak in its new iPhone 11 line, in which the devices appear to intermittently seek the user’s location even when all applications and system services are individually set never to request this data. Today, Apple disclosed that this behavior is tied to the inclusion of a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature, and that a future version of its mobile operating system will allow users to disable it.”

6. The RCS Texting Protocol Is Way Too Easy to Hack (Wired, Dec 04 2019)
Rich Communication Services promises to be the new standard for texting. Thanks to sloppy implementation, it’s also a security mess.

*Cloud Security, DevOps, AppSec*
7. Google Releases Open Source Tool for Finding File Access Vulns (SecurityWeek, Dec 09 2019)
Google on Monday announced that it has released the source code of a tool designed to help developers identify vulnerabilities related to file access.

8. Top 11 posts during 2019 (AWS Security Blog, Dec 09 2019)
The top 11 posts during 2019 based on page views
– How to automate SAML federation to multiple AWS accounts from Microsoft Azure Active Directory
– How to securely provide database credentials to Lambda functions by using AWS Secrets Manager
– How to set up an outbound VPC proxy with domain whitelisting and content filtering
– How to centralize and automate IAM policy creation in sandbox, development, and test environments
– Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service
– Simplify DNS management in a multi-account environment with Route 53 Resolver
– How to use service control policies to set permission guardrails across accounts in your AWS Organization
– How to share encrypted AMIs across accounts to launch encrypted EC2 instances
– AWS and the CLOUD Act
– Guidelines for protecting your AWS account while using programmatic access
– How to use AWS Secrets Manager to securely store and rotate SSH key pairs

9. Google Cloud Platform is now FedRAMP High authorized (Google Cloud Blog, Dec 04 2019)
Google Cloud Platform (GCP) has received FedRAMP High authorization to operate (ATO) for 17 products in five cloud regions, and we’ve expanded our existing FedRAMP Moderate authorization to 64 products in 17 cloud regions. This means that public sector agencies now have the ability to run compliant workloads at the highest level of civilian classification.

*Identity Mgt & Web Fraud*
10. Silicon Valley Is Listening to Your Most Intimate Moments (Bloomberg, Dec 11 2019)
How the world’s biggest companies got millions of people to let temps analyse some very sensitive recordings.  

11. Ring’s Hidden Data Let Us Map Amazon’s Sprawling Home Surveillance Network (Gizmodo, Dec 09 2019)
As reporters raced this summer to bring new details of Ring’s law enforcement contracts to light, the home security company, acquired last year by Amazon for a whopping $1 billion, strove to underscore the privacy it had pledged to provide users.

12. Are You One Of Avast’s 400 Million Users? This Is Why It Collects And Sells Your Web Habits. (Forbes, Dec 09 2019)
Avast sells user data but says there’s no privacy risk, according to the newly appointed CEO.

*CISO View*
13. Scaring People into Supporting Backdoors (Schneier on Security, Dec 12 2019)
“We are saying three things. One, that strong encryption is necessary for personal and national security. Two, that weakening encryption does more harm than good. And three, law enforcement has other avenues for criminal investigation than eavesdropping on communications and stored devices…”

14. The Defense Department Says It Needs the Encryption the FBI Wants to Break (VICE, Dec 12 2019)
A bipartisan coalition of lawmakers this week worked overtime to vilify encryption, oblivious to the fact that weakening encryption standards will put the public, and the internet, at risk.

15. Facebook refuses to break end-to-end encryption (Naked Security – Sophos, Dec 12 2019)
Congress on Tuesday told Facebook it must put backdoors into its end-to-end encryption, or it’ll be forced to.

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn