15 Bullet Friday – The Best Security News of the Week – 2020.05.15

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. US government plans to urge states to resist ‘high-risk’ internet voting (the Guardian, May 11 2020)
Department of Homeland Security draft guidelines say practice allows attackers to alter votes and imperil integrity of elections

2. U.S. to Accuse China of Trying to Hack Vaccine Data, as Virus Remakes Cyberattacks (The New York Times, May 10 2020)
Iran and other nations are also looking to steal data and exploit the pandemic with attacks on infrastructure, officials say.

3. Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking (Wired, May 10 2020)
The so-called Thunderspy attack takes less than five minutes to pull off with physical access to a device, and it affects any PC manufactured before 2019.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share on Twitter Facebook LinkedIn


*AI, IoT, & Mobile Security*
4. Google Authenticator Can Now Transfer 2SV Secrets Between Devices (SecurityWeek, May 08 2020)
The new feature is meant to make it easier for users to manage their Google Authenticator 2SV codes across multiple devices.

5. iOS XML Bug (Schneier on Security, May 07 2020)
“This is a good explanation of an iOS bug that allowed someone to break out of the application sandbox. A summary: What a crazy bug, and Siguza’s explanation is very cogent. Basically, it comes down to this: XML is terrible. iOS uses XML for Plists, and Plists are used everywhere in iOS (and MacOS).”

6. NSO Group Pitched Phone Hacking Tech to American Police (VICE, May 12 2020)
A brochure and emails obtained by Motherboard show how Westbridge, the U.S. arm of NSO, wanted U.S. cops to buy a tool called Phantom.

*Cloud Security, DevOps, AppSec*
7. GitHub Takes Aim at Open Source Software Vulnerabilities (Wired, May 06 2020)
GitHub Advanced Security will help automatically spot potential security problems in the world’s biggest open source platform.

8. AWS Foundational Security Best Practices standard now available in Security Hub (AWS Security Blog, May 07 2020)
“In this post, we will cover:
How to enable the new AWS Foundational Security Best Practices standard.
– An overview of the security controls.
– An explanation of the security control details.
– How to disable and enable specific security controls.
– How to navigate to the remediation instructions for a failed security control.”

9. Admin Essentials: Protecting enterprise credentials with Password Alert (Google Cloud Blog, May 07 2020)
There’s another free feature in Chrome Browser that can help enterprises: Password Alert.
Password Alert helps enterprises:
– Avoid phishing attacks by detecting when an employee enters their corporate credentials into a known phishing or suspicious site
– Prevent reuse of corporate passwords on non-corporate sites

*Identity Mgt & Web Fraud*
10. Am I a Jerk for Refusing to Use a Coronavirus Contact Tracing App? (VICE, May 13 2020)
Is privacy more important the hypothetical chance to save lives or protect yourself from contagion? We asked an expert.

11. Meant to Combat ID Theft, Unemployment Benefits Letter Prompts ID Theft Worries (Krebs on Security, May 08 2020)
Millions of Americans now filing for unemployment will receive benefits via a prepaid card issued by U.S. Bank, a Minnesota-based financial institution that handles unemployment payments for more than a dozen U.S. states. Some of these unemployment applications will trigger an automatic letter from U.S. Bank to the applicant. The letters are intended to prevent identity theft, but many people are mistaking these vague missives for a notification that someone has hijacked their identity.

12. Easily control the naming of individual IAM role sessions (AWS Security Blog, May 12 2020)
AWS Identity and Access Management (IAM) now has a new sts:RoleSessionName condition element for the AWS Security Token Service (AWS STS), that makes it easy for AWS account administrators to control the naming of individual IAM role sessions.

*CISO View*
13. Celeb hackers demanding $42M ransom promise to ‘reveal Trump’s dirty laundry’ (The US Sun, May 15 2020)
Hacker group REvil doubled their original demand for $21million after stealing confidential files on the firm’s A-list clients including Madonna and Mariah Carey.

14. Black Hat USA and DEF CON Cancelled Due to #COVID19 (Infosecurity Magazine, May 11 2020)
Popular cybersecurity conferences will go virtual this year

15. The US Says Chinese Hackers Went Too Far During the Covid-19 Crisis (Wired, May 14 2020)
The FBI and DHS say that Beijing’s hacking “jeopardizes” the delivery of much-needed Covid-19 treatment options.

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn