The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. We Talked to Experts About Iran’s Cyberwar Capabilities (VICE, Jan 03 2020)
Iran lacks the overall cyber capabilities of Russia, China, or the U.S., but its hackers can still do damage.

2. Microsoft Shuts Down 50 Domains Used by North Korean Hacking Group (Dark Reading, Dec 31 2019)
The ‘Thallium’ nation-state threat group used the domains to target mostly US victims.

3. Ransomware forces Richmond Community Schools to close (SC Magazine, Jan 03 2020)
The Michigan district was hit on Dec. 27, with district officials informing parents and students on Dec. 31 that the planned Jan. 2 school re-opening would be pushed back.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



*AI, IoT, & Mobile Security*
4. Facebook Says It Will Ban ‘Deepfakes’ (The New York Times, Jan 07 2020)
The company said it would remove videos altered by artificial intelligence in ways meant to mislead viewers.

5. Burner phones are an eavesdropping risk for international travelers (Help Net Security, Jan 07 2020)
Unfortunately, even savvy travelers who do the right things – disabling Bluetooth, not connecting to unknown networks, never leaving their phone out of sight – are still at risk of conversations being eavesdropped on through their burner phones. But instead of choosing a “dumb” phone or asking users to not bring their phones into critical meetings, security teams have the following options at their disposal for mitigating the risk of high-level conversations being captured.

6. Google shutting down Xiaomi access to Assistant following Nest Hub picking up strangers’ camera feeds (Android Police, Jan 03 2020)
So-called “smart” security cameras have had some pretty dumb security problems recently, but a recent report regarding a Xiaomi camera linked to a Google

*Cloud Security, DevOps, AppSec*
7. Red Hat DevSecOps Strategy Centers on Quay (Container Journal, Jan 06 2020)
Red Hat is moving toward putting the open source Quay container registry at the center of its DevSecOps strategy for securing containers. The latest 3.2 version of Quay adds support for Container Security Operator, which integrates Quay’s image vulnerability scanning capabilities with Kubernetes.

8. Breaking Down the OWASP API Security Top 10 (Part 2) (Checkmarx, Jan 06 2020)
… the first five (5) risks and emphasized some of the possible attack scenarios in the context of the risks. In this article, I will attempt to clarify the last five (5) risks to help organizations understand the dangers associated with deficient API implementations.

9. Google Shifts to 90-Day Bug Disclosures by Default (Infosecurity Magazine, Jan 08 2020)
Project Zero team hopes it will improve thoroughness and adoption of patches

*Identity Mgt & Web Fraud*
10. Why a Steak in California Comes With a Privacy Notice (VICE, Jan 07 2020)
Under California’s new privacy law, even brick and mortar companies have to make it clear you can opt out of having your personal data sold.

11. Facebook Revamps Its Privacy Checkup Feature in Time for CES (Wired, Jan 07 2020)
Forget Portal. This year, Facebook is marketing itself as a privacy crusader.

12. China facial-recognition case puts Big Brother on trial (Yahoo News, Jan 08 2020)
Facial-recognition technology has become embedded in China, from airports to hotels, e-commerce sites and even public toilets, but a law professor had enough when asked to scan his face at a safari park. Guo Bing took the wildlife park to court, raising the temperature in a growing debate about privacy

*CISO View*
13. New SHA-1 Attack (Schneier on Security, Jan 08 2020)
“There’s a new, practical, collision attack against SHA-1: In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1”

14. Hackers claiming to be from Iran deface U.S. gov’t website (SC Magazine, Jan 06 2020)
The hackers defaced the Federal Depository Library Program website, fdlp.gov, with a picture of a bleeding Trump as he’s being punched in the face.

15. The Hidden Cost of Ransomware: Wholesale Password Theft (Krebs on Security, Jan 06 2020)
“Organizations in the throes of cleaning up after a ransomware outbreak typically will change passwords for all user accounts that have access to any email systems, servers and desktop workstations within their network. But all too often, ransomware victims fail to grasp that the crooks behind these attacks can and frequently do siphon every single password stored on each infected endpoint. The result of this oversight may offer attackers a way back into the affected organization, access to financial and healthcare accounts, or — worse yet — key tools for attacking the victim’s various business partners and clients.”