The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing (The Intercept, Apr 06 2020)
The video conferencing service can access conversations on its platform.
2. ‘Zoombombing’ Becomes a Dangerous Organized Effort (The New York Times, Apr 06 2020)
Zoom, the videoconferencing app, has become a target for harassment and abuse coordinated in private off-platform chats.
3. Vulnerable VPN appliances at healthcare organizations open doors for ransomware gangs (Help Net Security, Apr 02 2020)
“We’re seeing from signals in Microsoft Threat Protection services (Microsoft Defender ATP, Office 365 ATP, and Azure ATP) that the attackers behind the REvil ransomware are actively scanning the internet for vulnerable systems. Attackers have also been observed using the updater features of VPN clients to deploy malware payloads,” the company shared.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Catching APT41 exploiting a zero-day vulnerability (Darktrace Blog, Apr 02 2020)
This blog looks at how the cyber-criminal group APT41 exploited a zero-day vulnerability, and examines how Darktrace’s AI detected and investigated the threat at machine speed.
5. Google Mobility Reports Show Impact of Lockdown (Infosecurity Magazine, Apr 03 2020)
Google aggregates phone location data to report on how well lockdown rules are being followed
6. States plan to expand mobile voting amid coronavirus pandemic, despite security concerns (Washington Post, Apr 06 2020)
States weigh increasing access to voting during a crisis with cybersecurity risks.
*Cloud Security, DevOps, AppSec*
7. Bug Bounty Programs Are Being Used to Buy Silence (Schneier on Security, Apr 03 2020)
Investigative report on how commercial bug-bounty programs like HackerOne, Bugcrowd, and SynAck are being used to silence researchers
8. Bugs that let sites hijack Mac and iPhone cameras fetch $75k bounty (Ars Technica, Apr 03 2020)
Here’s how one researcher bypassed stringent restrictions Apple puts on webcam access.
9. Tampering with Zoom’s Anti-Tampering Library (Sycall, Apr 06 2020)
This quick blog post highlights some of the flaws found in the Zoom application when attempting to do integrity checking, these checks verify that the DLLs inside the folder are signed by Zoom and also that no 3rd party DLLs are loaded at runtime. We can trivially disable this DLL, by replacing it with our own or simply unloading it from the process.
*Identity Mgt & Web Fraud*
10. Attackers bypass fingerprint auth with an ~80% success (Ars Technica, Apr 08 2020)
Fingerprint-based authentication is fine for most people, but it’s hardly foolproof.
11. Easy-to-pick “smart” locks gush personal data, FTC finds (Ars Technica, Apr 07 2020)
Fancy anti-pry technology? Sure, maybe. Secure in any other way? Not so much.
12. Washington State Legalizes Restricted Use of Facial Recognition Technology (Infosecurity Magazine, Apr 03 2020)
Washington becomes first state to pass law on restricted use of facial recognition technology
13. Cybersecurity During COVID-19 (Schneier on Security, Apr 07 2020)
“Three weeks ago (could it possibly be that long already?), I wrote about the increased risks of working remotely during the COVID-19 pandemic.”…
14. Is NSO Group Using the Pandemic to Expand its Spying Capabilities? (VICE, Apr 10 2020)
In the name of helping governments quell the modern-day plague, the company might just be expanding its questionable business.
15. Citing BGP hijacks and hack attacks, feds want China Telecom out of the US (Ars Technica, Apr 10 2020)
With a history of cyber attacks, Chinese-owned telecom is a threat, officials say.