The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. A New Wormable Windows Vulnerability Has No Patch in Sight (Wired, Mar 12 2020)
The flaw has the potential to unleash the kind of attacks that allowed WannaCry and NotPetya to cripple business networks around the world.
2. Google Releases Tool to Block USB Keystroke Injection Attacks (SecurityWeek, Mar 12 2020)
Google has released a new software tool designed to identify potential USB keystroke injection attacks and block devices they originate from.
3. The federal government may be about to engage in the biggest telework experiment yet. But hacking and other cyber dangers pose serious challenges. (Washington Post, Mar 13 2020)
As coronavirus infections mount, the federal government is preparing for an unprecedented experiment in remote working that brings with it a slew of digital dangers.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. 2020 Unit 42 IoT Threat Report (Unit42, Mar 11 2020)
Unit 42’s new report analyzes 1.2 million IoT devices to better understand the current IoT threat landscape and identify the top IoT threats.
5. Our Full Report on the Voatz Mobile Voting Platform (Trail of Bits Blog, Mar 16 2020)
Trail of Bits has performed the first-ever “white-box” security assessment of the platform, with access to the Voatz Core Server and backend software. Our assessment confirmed the issues flagged in previous reports by MIT and others, discovered more, and made recommendations to fix issues and prevent bugs from compromising voting security.
6. iPhone Unlocking Tech GrayKey Went Up in Price Because Hacking iPhones Got Harder (VICE, Mar 17 2020)
The cost of an annual license for the online version of GrayKey increased to $18,000, according to emails obtained by Motherboard.
*Cloud Security, DevOps, AppSec*
7. Intel Security Gap Hard to Exploit Without Physical Data Center Access (IT Pro, Mar 12 2020)
Security researchers say the flaw is “unfixable,” but attackers would need to get inside your data center to use it.
8. The DevOps Sweet Spot: Inserting Security at Pull Requests (Part 2) (DevOps, Mar 17 2020)
In part one of this two-part series, I explored how organizations can more effectively automate security quality decisions and discard doing automation for automation’s sake. I shared why security scans need to be faster, more reliable and comprehensive.
9. Open source bugs have soared in the past year (Naked Security – Sophos, Mar 16 2020)
Open source bugs have skyrocketed, according to a report from WhiteSource, with XSS flaws accounting for a quarter of those bugs.
*Identity Mgt & Web Fraud*
10. The Value and Ethics of Using Phone Data to Monitor Covid-19 (Wired, Mar 18 2020)
Google and Facebook are discussing plans with the White House to share collective data on people’s movements during the coronavirus pandemic.
11. U.S. government, tech industry discussing ways to use smartphone location data to combat coronavirus (Washington Post, Mar 18 2020)
The U.S. government is in active talks with Facebook, Google and a wide array of tech companies and health experts about how they can use data gleaned from Americans’ phones to combat the novel coronavirus, including tracking whether people are keeping one another at safe distances to stem the outbreak.
12. The Internet is drowning in COVID-19-related malware and phishing scams (Ars Technica, Mar 16 2020)
Emails and websites promise info about the pandemic. In reality, they’re shams.
13. Work-from-Home Security Advice (Schneier on Security, Mar 19 2020)
“SANS has made freely available its “Work-from-Home Awareness Kit.” When I think about how COVID-19’s security measures are affecting organizational networks, I see several interrelated problems:…”
14. Barr: FBI Probing If Foreign Gov’t Behind HHS Cyber Incident (SecurityWeek, Mar 18 2020)
Attorney General William Barr vowed in an interview with The Associated Press on Tuesday that there would be swift and severe action if a foreign government is behind disinformation campaigns aimed at spreading fear in the U.S. amid the coronavirus pandemic or a denial of service attack on the networks of the Department of Health and Human Services.
15. Emergency Surveillance During COVID-19 Crisis (Schneier on Security, Mar 20 2020)
“Israel is using emergency surveillance powers to track people who may have COVID-19, joining China and Iran in using mass surveillance in this way. I believe pressure will increase to leverage existing corporate surveillance infrastructure for these purposes in the US and other countries. With that in mind, the EFF has some good thinking on how to balance public safety with civil liberties”