The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. What can merchants do to avoid falling victim to large-scale ATO attacks? (Help Net Security, May 21 2020)
The most common approach to prevent ATOs is two-factor authentication for login attempts (62%), which can frustrate legitimate customers and increase cart abandonment.
Many merchants also require complex passwords to increase security, with 73% reporting that account passwords must contain a mix of characters, numbers, symbols and uppercase and lowercase letters.
This can help security, but it also increases friction and does little for customers who reuse passwords, meaning that store accounts are at risk through data breaches on other sites. That’s a real concern, as 47% of customers admit to using the same password for two or more online stores.
2. The ransomware that attacks you from inside a virtual machine (Naked Security – Sophos, May 22 2020)
In a recent attack, Ragnar Locker ransomware was seen encrypting victim’s files while shielded from security software inside a virtual machine.
3. Netwalker ransomware actors go fileless to make attacks untraceable (SC Media, May 18 2020)
Malicious actors have been spotted using an especially sneaky fileless malware technique — reflective dynamic-link library (DLL) injection — to infect victims with Netwalker ransomware in hopes of making the attacks untraceable while frustrating security analysts.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Hackers Just Dropped a Jailbreak They Say Works for All iPhones (VICE, May 23 2020)
The new unc0ver jailbreak relies on a vulnerability that the researcher who found it says Apple is unaware of.
5. Samsung Unveils New Security Chip for Mobile Devices (SecurityWeek, May 26 2020)
Samsung on Tuesday unveiled a new security solution — composed of a secure element (SE) chip and security software — designed to enhance data protection on mobile devices.
6. How iPhone Hackers Got Their Hands on the New iOS Months Before Its Release (VICE, May 22 2020)
Several people, including security researchers, hackers, and bloggers, have had access to an early version of the new iOS 14 for months.
*Cloud Security, DevOps, AppSec*
7. How secure are open source libraries? (Help Net Security, May 21 2020)
Seven in 10 applications have a security flaw in an open source library, highlighting how use of open source can introduce flaws, increase risk, and add to security debt, a Veracode research reveals. Nearly all modern applications, including those sold commercially, are built using some open source components. A single flaw in one library can cascade to all applications that leverage that code.
8. Application threats and security trends you need to know about (Help Net Security, May 27 2020)
Applications are a gateway to valuable data, so it’s no wonder they are one of attackers’ preferred targets. And since modern applications aren’t a monolithic whole but consist of many separate components “glued together” over networks, attackers have at their disposal many “doors” through which they can attempt access to the data.
9. Cloud WAF Comparison, Part 2 (Medium, May 20 2020)
In this follow-up article we’ll have a look at how three additional cloud WAFs perform against the services tested in our first comparison.
*Identity Mgt & Web Fraud*
10. Riding the State Unemployment Fraud ‘Wave’ (Krebs on Security, May 23 2020)
“When a reliable method of scamming money out of people, companies or governments becomes widely known, underground forums and chat networks tend to light up with activity as more fraudsters pile on to claim their share. And that’s exactly what appears to be going on right now as multiple U.S. states struggle to combat a tsunami of phony Pandemic Unemployment Assistance (PUA) claims. Meanwhile, a number of U.S. states are possibly making it easier for crooks by leaking their citizens’ personal data from the very websites the unemployment scammers are using to file bogus claims.”
11. COVID-19 Tracing Apps & Measuring the Impact of Government Overreach (Wickr, May 21 2020)
As the COVID-19 crisis continues, government oversight and information gathering is at an all-time high.
12. GDPR enforcement over the past two years (Help Net Security, May 27 2020)
Two years after the GDPR went into effect, official data show that Data Protection Authorities (DPAs), crippled by a lack of resources, tight budgets, and administrative hurdles, have not yet been able to create adequate GDPR enforcement. Worse, some public authorities have grossly misused the GDPR to undermine other fundamental rights such as the right to free expression and freedom of the press, Access Now reveals.
13. Maintaining the SOC in the age of limited resources (Help Net Security, May 27 2020)
With COVID-19, a variety of new cyber risks have made their way into organizations as a result of remote working and increasingly sophisticated, opportunistic threats. As such, efficiency in the security operations center (SOC) is more critical than ever, as organizations have to deal with limited SOC resources.
14. Cisco takes aim at supporting SASE (Network World Security, May 28 2020)
Cisco will upgrade and integrate access-control, networking and security products to address the goals of secure access service edge
15. Virtual Black Hat USA Offers Unparalleled Access to Expert Security Insights (Dark Reading, May 27 2020)
Attendees can look forward to the same high-quality Briefings and Trainings from the comfort of their own desk.