The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Account protections — A Google Perspective (Elie Bursztein, Jan 30 2020)
“This talk provides a data-driven analysis of how accounts get compromised. Then it provides an in-depth overview of the defense we found effective at Google to protect users from account compromise. In particular we will cover how to mitigate password reuse, build a risk aware login system, and how to set up an Advanced Protection Program to protect users at risk of targeted attacks.”
2. UN hacked: Attackers got in via SharePoint vulnerability (Help Net Security, Jan 30 2020)
In summer 2019, hackers broke into over 40 (and possibly more) UN servers in offices in Geneva and Vienna and downloaded “sensitive data that could have far-reaching repercussions for staff, individuals, and organizations communicating with and doing business with the UN”…
3. Iowa Will Be the First Test Case for 2020 Election Security (The New York Times, Feb 03 2020)
The good news is that caucuses are inherently safer than traditional elections. But campaigns remain dangerously exposed to hackers, and election systems in many states are still vulnerable.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. NIST tests methods of recovering data from smashed smartphones (Sophos, Feb 04 2020)
Criminals have found to their cost that reducing a device to a pile of rubble means nothing if the internal chips are still in working order.
5. FCC Confirms ‘One or More’ Carriers Broke the Law Selling Location Data (VICE, Jan 31 2020)
One year later, FCC boss Ajit Pai suggests one or more major carriers could be fined.
6. United States Welcomes the EU’s Acknowledgement of the Unacceptable Risks Posed by Untrusted 5G Suppliers (US State Dept, Feb 01 2020)
On January 29, the European Union (EU) Network Information Security Cooperation Group released a toolbox of recommended measures to mitigate security risks in 5G networks. The United States welcomes this initiative from Member States, the Commission, and the EU Cybersecurity Agency.
*Cloud Security, DevOps, AppSec*
7. How industries are evolving their DevOps & security (Help Net Security, Jan 30 2020)
There’s significant variation in DevOps maturation and security integration across the financial services, government, retail, telecom, and technology industries, according to Puppet’s report based on nearly 3,000 responses.
8. State-sponsored actors may have abused Twitter API to de-anonymize users (Help Net Security, Feb 04 2020)
A Twitter API that’s intended to help new account holders find people they may already know on Twitter has been abused by known and unknown actors to tie usernames to phone numbers and potentially de-anonymize certain users.
9. New Azure blueprint for CIS Benchmark (Microsoft Azure Blog, Jan 15 2020)
We’ve released our newest Azure blueprint that maps to another key industry standard, the Center for Internet Security (CIS) Microsoft Azure Foundations Benchmark. This follows the recent announcement of our Azure blueprint for FedRAMP moderate and adds to the growing list of Azure blueprints for regulatory compliance, which now includes ISO 27001, NIST SP 800-53, PCI-DSS, UK OFFICIAL, UK NHS, and IRS 1075.
*Identity Mgt & Web Fraud*
10. Avast shutters data-selling subsidiary amid user outrage (Ars Technica, Jan 30 2020)
Avast CEO Ondrej Vlcek announced late Thursday the end of the data-selling subsidiary, known as Jumpshot. Writing in an open letter, he said that he and the company’s board “have decided to terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect.” … Jumpshot took in $36 million in revenues last year.
11. Apple proposes simple security upgrade for SMS 2FA codes (Naked Security – Sophos, Feb 03 2020)
agree on a common text format so their use can be automated without the need for risky user interaction.
12. Google Says It Sent Some People’s Private Videos to Strangers (VICE, Feb 04 2020)
A bug in Google’s Takeout tool sent some users’ content to other accounts.
13. Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security (Krebs on Security, Jan 31 2020)
“On Sept. 11, 2019, two security experts at a company that had been hired by the state of Iowa to test the physical and network security of its judicial system were arrested while probing the security of an Iowa county courthouse, jailed in orange jumpsuits, charged with burglary, and held on $100,000 bail. On Thursday Jan. 30, prosecutors in Iowa announced they had dropped the criminal charges. The news came while KrebsOnSecurity was conducting a video interview with the two accused…”
14. The Colorado Mystery Drones Weren’t Real (VICE, Jan 29 2020)
“In all of these cases,” Iovinella wrote in this statement, “it is unknown who owns the drone or what their purpose is.”
That’s because the drones never existed.
15. Maze Ransomware Hits Law Firms and French Giant Bouygues (Infosecurity Magazine, Feb 03 2020)
Stolen data already being leaked online to force payment