The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. How 2019’s Worst Corporate Hacks Could Have Been Prevented (Infosecurity Magazine, Jan 13 2020)
The majority of breaches can be avoided. User log-in credentials, customer databases, corporate emails, sensitive enterprise documents, medical and tax information are just a few examples of data that fell into the wrong hands and got publicly exposed.
2. Iranian Hackers Have Been ‘Password-Spraying’ the US Grid (Wired, Jan 09 2020)
A state-sponsored group called Magnallium has been probing American electric utilities for the past year.
3. Phishing for Apples, Bobbing for Links (Krebs on Security, Jan 13 2020)
“Anyone searching for a primer on how to spot clever phishing links need look no further than those targeting customers of Apple, whose brand by many measures remains among the most-targeted. Past stories here have examined how scammers working with organized gangs try to phish iCloud credentials from Apple customers who have a mobile device that is lost or stolen. Today’s piece looks at the well-crafted links used in some of these lures.”
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Barr Asks Apple to Unlock Pensacola Killer’s Phones (The New York Times, Jan 14 2020)
The request set up a collision between law enforcement and big technology firms in the latest battle over privacy and security.
5. Hackers Are Breaking Directly Into Telecom Companies to Take Over Customer Phone Numbers (VICE, Jan 10 2020)
SIM swappers have escalated from bribing employees to using remote desktop software to get direct access to internal T-Mobile, AT&T, and Sprint tools.
6. Facebook Says Encrypting Messenger by Default Will Take Years (Wired, Jan 10 2020)
Mark Zuckerberg promised default end-to-end encryption throughout Facebook’s platforms. Nearly a year later, Messenger’s not even close.
*Cloud Security, DevOps, AppSec*
7. In App Development, Does No-Code Mean No Security? (Dark Reading, Jan 08 2020)
No-code and low-code development platforms are part of application development, but there are keys to making sure that they don’t leave security behind with traditional coding.
8. Learning from cryptocurrency mining attack scripts on Linux (Microsoft Azure Blog, Jan 14 2020)
Cryptocurrency mining attacks continue to represent a threat to many of our Azure Linux customers.
9. DevSecOps: 10 Best Practices to Embed Security into DevOps (DevOps, Jan 14 2020)
Steps to a Typical DevSecOps Workflow
– A developer starts by writing code within a version control system.
– Any required change is committed to the version control system.
– Another developer analyzes the code to identify any security defect that may weaken code quality.
– An environment is created to deploy and apply security configurations to the system.
– Next, a test automation suite is executed to evaluate the newly deployed application.
– After it passes the automation test, the application is deployed to a production environment.
– This new production environment is actively monitored for security threats.
*Identity Mgt & Web Fraud*
10. Google: Chrome Will Remove Third-Party Cookies and Tracking (Dark Reading, Jan 14 2020)
It’s “not about blocking” but removing them altogether, the company said.
11. Apple’s new privacy features have further rattled the location-based ad market (Digiday, Jan 15 2020)
People aren’t sharing data with apps thanks to Apple, and that’s left ad tech vendors with less location data to sell. Now, they’re trying to plug the gap with data from IP addresses or a mobile carrier.
12. Google voice Assistant gets new privacy ‘undo’ commands (Naked Security – Sophos, Jan 09 2020)
Google’s controversial voice Assistant is getting a series of new commands designed to work like privacy-centric ‘undo’ buttons.
13. 2017 Data Breach Will Cost Equifax at Least $1.38 Billion (Dark Reading, Jan 15 2020)
Company agrees to set aside a minimum of $380.5 million as breach compensation and spend another $1 billion on transforming its information security over the next five years. The 147 million US consumers affected by the breach have one week from today to file a claim.
14. Fancy Bear’ Targets Ukrainian Oil Firm Burisma in Phishing Attack (Dark Reading, Jan 14 2020)
The oil & gas company is at the heart of the ongoing US presidential impeachment case.
15. A case for establishing a common weakness enumeration for hardware security (Help Net Security, Jan 13 2020)
Due to these missing reference materials for hardware vulnerabilities in the CWE, researchers do not have the same standard taxonomy that would enable them to share information and techniques with one another. If we expect hardware vendors and their partners to collectively deliver more secure solutions, we must have a common language for discussing hardware security vulnerabilities.