A Review of the Best News of the Week on Cyber Threats & Defense

Microsoft Patches Windows Vuln Discovered by the NSA (Dark Reading, Jan 14 2020)
The National Security Agency is publicly acknowledged for its finding and reporting of CVE-2020-0601, marking the start of what it says is a new approach to security.

52 hackers participate in ninth U.S. Department of Defense and HackerOne bug bounty program (Help Net Security, Jan 16 2020)
Through partnership with the Defense Digital Service, the U.S. Department of Defense (DoD) and HackerOne, the number one hacker-powered pentesting and bug bounty platform, announced the results of the second Army bug bounty program, ‘Hack the Army 2.0’.

FBI to inform election officials about hacking attempts (Naked Security – Sophos, Jan 20 2020)
The FBI has announced that it will tell local election officials when hackers try to infiltrate their systems.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Critical Windows 10 vulnerability used to Rickroll the NSA and Github (Ars Technica, Jan 15 2020)
Attack demoed less than 24 hours after disclosure of bug-breaking certificate validation.

Facebook Introduces New Login Alerts (SecurityWeek, Jan 16 2020)
Facebook this week introduced a new notification to alert users when their accounts interact with a third-party application using Facebook Login.

Massive Oracle Patch Reverses Company’s Trend Toward Fewer Flaws (Dark Reading, Jan 17 2020)
Following a year that saw the fewest number of vulnerabilities reported since 2015, Oracle’s latest quarterly patch fixes nearly 200 new vulnerabilities.

Researchers find serious flaws in WordPress plugins used on 400k sites (Ars Technica, Jan 17 2020)
Attention users of InfiniteWP, WP Time Capsule, and WP Database Reset: it’s time to patch.

Another reason to hurry with Windows server patches: A new RDP vulnerability (Ars Technica, Jan 16 2020)
Crypto library’s certificate bug isn’t the only reason to hustle with latest Windows patch.

ADP Users Hit with Phishing Scam Ahead of Tax Season (Dark Reading, Jan 17 2020)
Fraudulent emails tell recipients their W-2 forms are ready and prompt them to click malicious links.

Cyber attackers turn to business disruption as primary attack objective (Help Net Security, Jan 15 2020)
Over the course of 2019, 36% of the incidents that CrowdStrike investigated were most often caused by ransomware, destructive malware or denial of service attacks, revealing that business disruption was often the main attack objective of cybercriminals.

A look at cybersecurity for rail systems, building automation and the future of critical infrastructure (Help Net Security, Jan 20 2020)
It is hard to give one answer for such a large, global and diverse market. One of the interesting changes we see is the involvement of enterprise IT teams in OT environments. People have been talking the talk of IT/OT integration for 15 years now, but in the last 1-2 years we see enterprise security teams not just kicking tires, but for the first time starting to act in large numbers. The first big investment many such teams make is in security and network monitoring – extending the reach of the enterprise SOC into operations.

New Internet Explorer zero‑day remains unpatched (WeLiveSecurity, Jan 20 2020)
You may want to implement a workaround or stop using the browser altogether, at least until Microsoft issues a a fix