A Review of the Best News of the Week on AI, IoT, & Mobile Security
Walgreens Discloses Data Breach Related to Mobile App (SecurityWeek, Mar 02 2020)
Pharmacy store chain Walgreens has started informing some users of its mobile application that their personal and health-related information may have been seen by other customers.
FCC to propose $200 million fines for U.S. cellphone carriers over consumer data disclosures (Reuters, Feb 28 2020)
The U.S. Federal Communications Commission is set to propose fining four major U.S. mobile phone companies at least $200 million in total for improperly disclosing some consumer real-time location data, two people briefed on the matter said on Thursday.
Newly Declassified Study Demonstrates Uselessness of NSA’s Phone Metadata Program (Schneier on Security, Feb 26 2020)
The New York Times is reporting on the NSA’s phone metadata program, which the NSA shut down last year: A National Security Agency system that analyzed logs of Americans’ domestic phone calls and text messages cost $100 million from 2015 to 2019, but yielded only a single significant investigation, according to a newly declassified study.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Gmail Is Catching More Malicious Attachments With Deep Learning (Wired, Feb 25 2020)
Users of Gmail get 300 billion attachments each week. To separate legitimate documents from harmful ones, Google turned to AI—and it’s working.
US DoD Adopts Ethical AI Principles (Infosecurity Magazine, Feb 26 2020)
America’s Department of Defense has adopted a set of ethical principles for the use of artificial intelligence.
Machine learning log analysis platforms – the new wing man to SIEM? (SC Magazine, Feb 27 2020)
SIEM vendors claim to provide machine learning functionalities in their solutions. Gartner recently covered the growing arena of Machine Learning Log Analysis, and how it is being positioned as a complement to SIEM. What do CISOs and security directors need to look for to effectively navigate ML in their security platform?
RSA 2020 – Is your machine learning/quantum computer lying to you? (WeLiveSecurity, Mar 02 2020)
And how would you know if the algorithm was tampered with?
Huge flaw found in how facial features are measured from images (Naked Security – Sophos, Mar 03 2020)
It has to do with optics: faces appear to flatten out as we get further away. Our brains compensate, but AI-run facial recognition doesn’t.
Harman CISO: AI-based ‘cyber analysts’ can fix false alarm problem in EDR solutions (SC Magazine, Mar 02 2020)
Automated and AI-based endpoint detection and response (EDR) solutions are adept at finding anomalies across your network, but not without a major pain point: Too often, they lack the context to understand when an anomaly is a perfectly acceptable sanctioned event.
What is driving the machine identity crisis? (Help Net Security, Feb 26 2020)
Every machine needs a unique identity in order to authenticate itself and communicate securely with other machines. This requirement is radically changing the definition of machines—from traditional physical devices, like laptops and servers, to virtual machines, containers, microservices, IoT devices and AI algorithms.
#RSAC: Methodologies and Methods to Improve IoT Security (Infosecurity Magazine, Feb 26 2020)
Building a model to determine the traits and security of IoT.
Mixed-signal circuits can stop side-channel attacks against IoT devices (Help Net Security, Feb 26 2020)
Purdue University innovators have unveiled technology that is 100 times more resilient to electromagnetic and power attacks, to stop side-channel attacks against IoT devices.
How 5G Mobile Networks Will Change IoT Security (DevOps, Feb 26 2020)
Some cybersecurity experts suggest that new vulnerabilities are versions of problems not entirely flushed out from 4G and even 3G networks. This article will attempt to explore some problems and opportunities that IoT security experts need to be aware of, and how savvy enterprises can be proactive about security in the age of 5G.
Securing the Internet of Things through Class-Action Lawsuits (Schneier on Security, Feb 27 2020)
“Basically, the article postulates that (1) market realities will produce insecure IoT devices, and (2) political failures will leave that industry unregulated. Result: insecure IoT.”
Ultrasonic Waves Can Make Siri Share Your Secrets (VICE, Mar 02 2020)
Voice assistant programs listen to a frequency far wider than the human voice is capable of producing, and thus can be fed ultrasonic waves that will be interpreted as voice commands.
Deep Learning to Find Malicious Email Attachments (Schneier on Security, Feb 28 2020)
Google presented its system of using deep-learning techniques to identify malicious email attachments: At the RSA security conference in San Francisco on Tuesday, Google’s security and anti-abuse research lead Elie Bursztein will present findings on how the new deep-learning scanner for documents is faring against the 300 billion attachments it has to process each week.
Android 11 to clamp down on background location access (Naked Security – Sophos, Feb 25 2020)
Is Android finally about to get on top of the issue of apps that quietly suck up location data?
Stalkerware and Adware Top Smartphone Threat List (Infosecurity Magazine, Feb 26 2020)
Malware study finds smartphone users were most at risk from stalkerware and adware last year.
Apple’s iOS pasteboard leaks location data to spy apps (Naked Security – Sophos, Feb 26 2020)
A developer has discovered that malicious apps could exploit the pasteboard to work out a user’s location.
Orgs that sacrifice mobile security are twice as likely to suffer a compromise (Help Net Security, Mar 02 2020)
The percentage of companies admitting to suffering a mobile-related compromise has grown (39%, when compared to last year’s 33%) despite a higher percentage of organizations deciding not to sacrifice the security of mobile and IoT devices to meet business targets, Verizon has revealed in its third annual Mobile Security Index report.