The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Why you can’t bank on backups to fight ransomware anymore (Ars Technica, Feb 07 2020)
Ransomware operators stealing data before they encrypt means backups are not enough.

2. Google Chrome to start blocking downloads served via HTTP (Naked Security – Sophos, Feb 10 2020)
Google has announced a timetable for phasing out insecure file downloads in the Chrome browser starting with desktop version 81 due next month.

3. Flaws in WhatsApp’s desktop app allowed remote access to files (Ars Technica, Feb 05 2020)
WhatsApp’s desktop app was implemented using the Electron software framework, which has had significant security issues of its own in the past. Electron allows developers to create cross-platform applications based on Web and browser technologies, but it is only as secure as the components developers deploy with their Electron apps.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


*AI, IoT, & Mobile Security*
4. Twitter Confirms it Will Only Ban “Harmful” Deepfakes (Infosecurity Magazine, Feb 06 2020)
Social site will otherwise allow manipulated content on its site

5. YouTube Issues Deepfake Ban Reminder (Infosecurity Magazine, Feb 05 2020)
YouTube reiterates its ban on deepfake videos ahead of the 2020 US election

6. Shadow’s Cancelled Nevada Caucus App Had Errors, Too (VICE, Feb 07 2020)
An error wouldn’t let users report results in a test version of the app. Shadow confirmed it was fixing some errors at the time.

*Cloud Security, DevOps, AppSec*
7. Facebook’s Bug Bounty Caught a Data-Stealing Spree (Wired, Feb 07 2020)
A few months ago, the company disclosed that apps were siphoning data from up to 9.5 million of its users. It only found out thanks to a bug bounty submission… In 2019, Facebook awarded about $2.2 million in bounties to researchers from more than 60 countries, double the $1.1 million the company paid out in 2018.

8. Cloud Companies Chase Future in Cybersecurity ‘Wild West’ (Bloomberg, Feb 10 2020)
Software makers say enterprise clients will demand products that protect data.

9. 43% of cloud databases are currently unencrypted (Help Net Security, Feb 07 2020)
The Unit 42 Cloud Threat Report: Spring 2020 investigates why cloud misconfigurations happen so frequently. It finds that as organizations move to automate more of their cloud infrastructure build processes, they are adopting and creating new infrastructure as code (IaC) templates.

*Identity Mgt & Web Fraud*
10. FBI: Business Email Compromise Cost Businesses $1.7B in 2019 (Dark Reading, Feb 12 2020)
BEC attacks comprised nearly half of cybercrime losses last year, which totaled $3.5 billion overall as Internet-enabled crimes ramped up.

11. How Big Companies Spy on Your Emails (VICE, Feb 10 2020)
Multiple confidential documents obtained by Motherboard show the sort of companies that want to buy data derived from scraping the contents of your email inbox.

12. Japan’s Lost-and-Found System Is Insanely Good (CityLab, Feb 11 2020)
If you misplace your phone or wallet in Tokyo, chances are very good that you’ll get it back. Here’s why.

*CISO View*
13. U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack (Krebs on Security, Feb 10 2020)
“The U.S. Justice Department today unsealed indictments against four Chinese officers of the People’s Liberation Army (PLA) accused of perpetrating the 2017 hack against consumer credit bureau Equifax that led to the theft of personal data on nearly 150 million Americans. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.”

14. The CIA secretly bought a company that sold encryption devices across the world. Then its spies sat back and listened. (Washington Post, Feb 11 2020)
U.S. and German intelligence agencies partnered on a scheme to dupe dozens of nations into buying rigged encryption systems — taking their money and stealing their secrets.

15. Half of cybercrime losses in 2019 were the result of BEC scams (Help Net Security, Feb 12 2020)
Business email compromise (BEC) and email account compromise (EAC) scams are still the most lucrative schemes for cybercriminals: the FBI’s Internet Crime Complaint Center (IC3) has calculated that, in 2019, the average monetary loss per BEC/EAC scam complaint reached $75,000.