The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Emotat Malware Causes Physical Damage (Schneier on Security, Apr 06 2020)
“Microsoft is reporting that an Emotet malware infection shut down a network by causing computers to overheat and then crash. The Emotet payload was delivered and executed on the systems of Fabrikam — a fake name Microsoft gave the victim in their case study — five days after the employee’s user credentials were exfiltrated to the attacker’s command and control (C&C) server.”
2. When All Behavior Is Abnormal, How Do We Detect Anomalies? (Dark Reading, Apr 10 2020)
Identifying normal behavior baselines is essential to behavior-based authentication. However, with COVID-19 upending all aspects of life, is it possible to build baselines and measure normal patterns when nothing at all seems normal?
3. Magecart Hackers Continue Improving Skimmers (SecurityWeek, Apr 06 2020)
A Magecart threat actor tracked as “Group 7” has been using a skimmer that creates iframes to steal payment card data, RiskIQ reveals.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Contact Tracing COVID-19 Infections via Smartphone Apps (Schneier on Security, Apr 13 2020)
“Google and Apple have announced a joint project to create a privacy-preserving COVID-19 contact tracing app. (Details, such as we have them, are here.) It’s similar to the app being developed at MIT, and similar to others being described and developed elsewhere. It’s nice seeing the privacy protections; they’re well thought out. I was going to write a long essay…”
5. How Google Plans to Push Its Coronavirus Tracing Feature to Android Phones (VICE, Apr 14 2020)
Android has a notoriously patchy update cycle, so Google is using another method to push a new coronavirus tracing feature to phones without user interaction.
6. 12k+ Android apps contain master passwords, secret access keys, secret commands (ZDNet, Apr 07 2020)
Comprehensive academic study finds hidden backdoor-like behavior in 6,800 Play Store apps, 1,000 apps from third-party app stores, and almost 4,800 apps pre-installed on user devices.
*Cloud Security, DevOps, AppSec*
7. Hackers Are Selling a Critical Zoom Zero-Day Exploit for $500,000 (VICE, Apr 15 2020)
People who trade in zero-day exploits say there are two Zoom zero-days, one for Windows and one for MacOS, on the market.
8. DoD Inspector General report finds everything was basically hunky-dory with JEDI cloud contract bid (TechCrunch, Apr 15 2020)
While controversy has dogged the $10 billion, decade-long JEDI contract since its earliest days, a report by the DoD’s Inspector General’s Office concluded today that, while there were some funky bits and potential conflicts, overall the contract procurement process was fair and legal…
9. GitHub sharply slashes plan pricing, offers core features for free to all (Ars Technica, Apr 14 2020)
The lowest-tier paid plan is dropping to $4 per seat per month from $9.
*Identity Mgt & Web Fraud*
10. How a 5G coronavirus conspiracy spread across Europe (Ars Technica, Apr 16 2020)
Spate of arson attacks on cell towers fueled by disinformation over pandemic origins.
11. California Needlessly Reduces Privacy During COVID-19 Pandemic (Schneier on Security, Apr 16 2020)
“This one isn’t even related to contact tracing: On March 17, 2020, the federal government relaxed a number of telehealth-related regulatory requirements due to COVID-19. On April 3, 2020, California Governor Gavin Newsom issued Executive Order N-43-20 (the Order), which relaxes various telehealth reporting requirements, penalties, and enforcements otherwise imposed under state laws, including those associated with unauthorized access and disclosure of personal information through telehealth mediums.”
12. New IRS Site Could Make it Easy for Thieves to Intercept Some Stimulus Payments (Krebs on Security, Apr 10 2020)
“The U.S. federal government is now in the process of sending Economic Impact Payments by direct deposit to millions of Americans. Most who are eligible for payments can expect to have funds direct-deposited into the same bank accounts listed on previous years’ tax filings sometime next week. Today, the Internal Revenue Service (IRS) stood up a site to collect bank account information from the many Americans who don’t usually file a tax return. The question is, will those non-filers have a chance to claim their payments before fraudsters do?”
13. Ransomware Now Leaking Stolen Documents (Schneier on Security, Apr 14 2020)
“Originally, ransomware didn’t involve any data theft. Malware would encrypt the data on your computer, and demand a ransom for the encryption key. Now ransomware is increasingly involving both encryption and exfiltration. Brian Krebs wrote about this in December. It’s a further incentive for the victims to pay.”
14. GAO Criticizes Pentagon Over Cyber Hygiene Efforts (SecurityWeek, Apr 15 2020)
A report published this week by the U.S. Government Accountability Office (GAO) shows that the Pentagon’s cyber hygiene initiatives have not been completed and in some cases no one is keeping track of their progress.
15. COVID-19 Has United Cybersecurity Experts, But Will That Unity Survive the Pandemic? (Krebs on Security, Apr 15 2020)
“The Coronavirus has prompted thousands of information security professionals to volunteer their skills in upstart collaborative efforts aimed at frustrating cybercriminals who are seeking to exploit the crisis for financial gain. Whether it’s helping hospitals avoid becoming the next ransomware victim or kneecapping new COVID-19-themed scam websites, these nascent partnerships may well end up saving lives. But can this unprecedented level of collaboration survive the pandemic?”