The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. A Flaw in Billions of Wi-Fi Chips Let Attackers Decrypt Data (Wired, Feb 27 2020)
Affected devices include iPhones, iPads, Macs, Amazon Echos and Kindles, Android devices, and various Wi-Fi routers.
2. Malicious Documents Emerging Trends: A Gmail Perspective (Elie Bursztein’s – Google, Feb 25 2020)
Every day, Gmail defenses analyze billions of attachments to prevent malicious documents from reaching the inboxes of its users, whether they are end-users or corporate ones. This talk provides a comprehensive analysis of the malicious documents that target users and corporate inboxes, an in-depth analysis of the latest evasion tactics used by attackers, and what Google is doing about it.
3. Zyxel 0day Affects its Firewall Products, Too (Krebs on Security, Feb 26 2020)
“On Monday, networking hardware maker Zyxel released security updates to plug a critical security hole in its network attached storage (NAS) devices that is being actively exploited by crooks who specialize in deploying ransomware. Today, Zyxel acknowledged the same flaw is present in many of its firewall products.”
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Walgreens Discloses Data Breach Related to Mobile App (SecurityWeek, Mar 02 2020)
Pharmacy store chain Walgreens has started informing some users of its mobile application that their personal and health-related information may have been seen by other customers.
5. FCC to propose $200 million fines for U.S. cellphone carriers over consumer data disclosures (Reuters, Feb 28 2020)
The U.S. Federal Communications Commission is set to propose fining four major U.S. mobile phone companies at least $200 million in total for improperly disclosing some consumer real-time location data, two people briefed on the matter said on Thursday.
6. Newly Declassified Study Demonstrates Uselessness of NSA’s Phone Metadata Program (Schneier on Security, Feb 26 2020)
The New York Times is reporting on the NSA’s phone metadata program, which the NSA shut down last year: A National Security Agency system that analyzed logs of Americans’ domestic phone calls and text messages cost $100 million from 2015 to 2019, but yielded only a single significant investigation, according to a newly declassified study.
*Cloud Security, DevOps, AppSec*
7. Let’s Encrypt will revoke 3m+ TLS/SSL certificates (Help Net Security, Mar 04 2020)
Starting at 20:00 UTC (3:00pm US EST) today (March 4), the non-profit certificate authority Let’s Encrypt will begin its effort to revoke a little over 3 million TLS/SSL certificates that it issued while a bug affected its CA software. Preliminary investigation suggests the bug was introduced on July 25, 2019, but a more detailed investigation is under way – though, for now, it seems that “it’s not likely that there was any significant mis-issuance as a result of this incident.”
8. The Case for Limiting Your Browser Extensions (Krebs on Security, Mar 03 2020)
“Last week, KrebsOnSecurity reported to health insurance provider Blue Shield of California that its Web site was flagged by multiple security products as serving malicious content. Blue Shield quickly removed the unauthorized code. An investigation determined it was injected by a browser extension installed on the computer of a Blue Shield employee who’d edited the Web site in the past month.”
9. Mastering the Journey—Building Network Manageability and Security for your Path (Securosis Blog, Feb 27 2020)
“Learning cloud adoption patterns doesn’t just help us identify key problems and risks – we can use them to guide operational decisions to address the issues they consistently raise. This research focuses on managing networks and network security, but the patterns include broad security and operational implications which cover all facets of your cloud journey.”
*Identity Mgt & Web Fraud*
10. Security of Health Information (Schneier on Security, Mar 05 2020)
“The world is racing to contain the new COVID-19 virus that is spreading around the globe with alarming speed. Right now, pandemic disease experts at the World Health Organization (WHO), the US Centers for Disease Control and Prevention (CDC), and other public-health agencies are gathering information to learn how and where the virus is spreading. To do so, they are using a variety of digital communications and surveillance systems. Like much of the medical infrastructure, these systems are highly vulnerable to hacking and interference.”
11. ICE has run facial-recognition searches on millions of Maryland drivers (Washington Post, Feb 27 2020)
The direct and largely unlimited access granted to immigration-enforcement officials marks an aggressive new step for the federal agency in regard to Americans’ photos and personal data. It also raises the risk that undocumented immigrants who applied for driver’s licenses under the state’s landmark program could have been targeted.
12. ‘Shark Tank’ judge Barbara Corcoran gets her $400,000 back from scammers (CNN, Mar 02 2020)
In a twist of good fortune, she said that the German-based bank the bookkeeper used to wire the money froze the transfer before it was deposited into the scammer’s bank account in China. Corcoran said her bank asked the German bank to freeze the transaction so her team could prove it was a fraud.
13. CrowdStrike Global Threat Report 2020 Reveals Top Adversary Trends (crowdstrike, Mar 03 2020)
The trend toward malware-free tactics accelerated, with malware-free attacks surpassing the volume of malware attacks. In 2019, 51% of attacks used malware-free techniques compared to 40% using malware-free techniques in 2018, underscoring the need to advance beyond traditional antivirus (AV) solutions.
14. French Firms Rocked by Kasbah Hacker? (Krebs on Security, Mar 02 2020)
“A large number of French critical infrastructure firms were hacked as part of an extended malware campaign that appears to have been orchestrated by at least one attacker based in Morocco, KrebsOnSecurity has learned. An individual thought to be involved has earned accolades from the likes of Apple, Dell, and Microsoft for helping to find and fix security vulnerabilities in their products.”
15. Ransomware Attacks Prompt Tough Question for Local Officials: To Pay or Not to Pay? (The Pew Charitable Trusts, Mar 05 2020)
There were at least 113 successful ransomware attacks on state and local governments last year.