The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Zero-Day IE Bug is Being Exploited in the Wild (Infosecurity Magazine, Jan 21 2020)
CISA and Microsoft sound the alarm but no patch as yet
2. DHS Warns of Increasing Emotet Risk (Dark Reading, Jan 23 2020)
Emotet is considered one of the most damaging banking Trojans, primarily through its ability to carry other malware into an organization.
3. Trend Micro anti-virus zero-day exploited in attack on Mitsubishi Electric (Graham Cluley, Jan 26 2020)
There is some egg on the face of Trend Micro after it is revealed their anti-virus software was exploited to steal data from Mitsubishi Electric, but they aren’t the real villains of the story.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Bezos Hack Report Puzzles Cyberexperts (WSJ, Jan 27 2020)
A report concluding Saudi Arabia likely hacked into Jeff Bezos’ phone has spurred questions among cybersecurity experts, who say the audit left several major technical questions unexplained and in need of more examination.
5. Prosecutors Have Evidence Bezos’ Girlfriend Gave Texts to Brother Who Leaked to National Enquirer (WSJ, Jan 27 2020)
Manhattan federal prosecutors have evidence indicating the Amazon CEO’s girlfriend provided text messages to her brother that he then sold to the publisher for its article about Jeff Bezos’ affair.
6. Government Report Reveals Its Favorite Way to Hack iPhones, Without Backdoors (VICE, Jan 28 2020)
Feds are once again demanding encryption backdoors, but its own data shows it can extract data from phones without them.
*Cloud Security, DevOps, AppSec*
7. NSA Offers Guidance on Mitigating Cloud Flaws (Dark Reading, Jan 23 2020)
A new document separates cloud vulnerabilities into four classes and offers mitigations to help businesses protect cloud resources.
8. Mozilla has banned nearly 200 malicious Firefox add-ons over the last two weeks (ZDNet, Jan 27 2020)
Mozilla’s security staff is cracking down on malicious Firefox add-ons.
9. Prevent security misconfigurations in a multi-cloud environment (Cloud Security Alliance, Jan 20 2020)
Here are some of the common ways a cloud can be misconfigured:
– Lack of access restrictions – unsecured AWS S3 storage buckets are perhaps the most frequently breached resources
– Lack of data protection – personal information (PII, PCI, social security numbers) uploaded in plain-text form in the cloud
– Lack of audit and validation – no regular audits of resources and configurations can lead to a security flaw ready to be pounced upon by malicious exploiters
– Lack of logging and monitoring – timely checking of data and access logs is vital to identify and flag security-related events
– Over entitlement of access to users – user access should be restricted to only the applications and data that he is permitted to use
*Identity Mgt & Web Fraud*
10. Modern Mass Surveillance: Identify, Correlate, Discriminate (Schneier, Jan 27 2020)
“These efforts are well-intentioned, but facial recognition bans are the wrong way to fight against modern surveillance. Focusing on one particular identification method misconstrues the nature of the surveillance society we’re in the process of building.”
11. Facial recognition firm sued for scraping 3 billion faceprints (Naked Security – Sophos, Jan 28 2020)
A potential class action says Clearview AI is breaking biometrics privacy law by ransacking social media so police can match photos with IDs.
12. Leaked Documents Expose the Secretive Market for Your Web Browsing Data (VICE, Jan 27 2020)
An Avast antivirus subsidiary sells ‘Every search. Every click. Every buy. On every site.’ Its clients have included Home Depot, Google, Microsoft, Pepsi, and McKinsey.
13. Huawei and Supply Chain Security – The Great Geopolitical Debate (SecurityWeek, Jan 27 2020)
With No Proof That China’s Huawei is Malicious, The Potential for Abuse Remains
14. Vulnerability Reward Program: 2019 Year in Review (Google Online Security Blog, Jan 29 2020)
“2019 has been another record-breaking year for us, thanks to our researchers! We paid out over $6.5 million in rewards, doubling what we’ve ever paid in a single year. At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year.”
15. RSA Conference announces finalists for Innovation Sandbox Contest 2020 (Help Net Security, Jan 29 2020)
RSA Conference announced the 10 finalists for its Innovation Sandbox Contest 2020. The competition calls on the most promising young companies in cybersecurity to showcase their transformative technologies to a panel of judges and live audience at RSA Conference 2020 in San Francisco.