A Review of the Best News of the Week on AI, IoT, & Mobile Security
Apple Patches Recent iPhone Jailbreak Zero-Day (SecurityWeek, Jun 02 2020)
Apple on Monday released security patches to address a zero-day vulnerability that had been used to jailbreak iPhones running iOS 13.5.
Walmart employees are out to show its anti-shoplifting AI doesn’t work (Ars Technica, May 31 2020)
The retailer denies there is any widespread issue with the software.
Critical Android flaw lets attackers hijack almost any app, steal data (WeLiveSecurity, May 27 2020)
Left unpatched, the vulnerability could expose almost all Android users to the risk of having their personal data intercepted by attackers.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Microsoft Sponsors 2020 Machine Learning Security Evasion Competition (SecurityWeek, Jun 02 2020)
Microsoft is sponsoring a Machine Learning Security Evasion Competition this year, with partners CUJO AI, VMRay, and MRG Effitas, the company has announced.
How Using AI Vastly Improves Threat Detection (eWEEK, May 26 2020)
The on-premises solution observes network traffic for threats and pinpoints “patient zero” or the original source of an attack with a timestamp. It then detects the lateral spread from patient zero to all subsequent compromised systems and users. This can help deal with what I’ve been calling the “asymmetric security challenge” that occurs when the security team needs to protect an exponentially growing attack surface, but the bad guys only have to find a single way in.
Clearview AI facial recognition sued again – this time by ACLU (Naked Security – Sophos, May 29 2020)
Clearview AI, the company that’s scraped billions of images to build a facial recognition system, is getting sued again.
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap (Dark Reading, Jun 01 2020)
a few ways companies can implement AI and automation to ensure there are no gaps in cybersecurity in the midst of this talent shortage:
UK Government Launches Funding Program to Boost Security of IoT Market (Infosecurity Magazine, May 29 2020)
Innovators are encouraged to bid for funding to develop assurance schemes for IoT products.
Nest users now covered by Google’s ultra-secure Advanced Protection Program (Ars Technica, Jun 01 2020)
APP is the most effective way to prevent hijackings. So what are you waiting for? Google rolled out APP in 2017. It requires users to have at least two physical security keys, such as those available from Yubico, Google’s Titan brand, or other providers.
26 IoT Flaws Enable Denial-of-Service Attacks, Privilege Escalation (Dark Reading, Jun 01 2020)
Research details vulnerabilities in the Zephyr Real Time Operating Systems and MCUboot, both used in IoT devices and sensors.
Security remains a major concern for enterprise IoT integration (Help Net Security, Jun 02 2020)
With 50% of respondents identifying data, network, and device security as the biggest challenge to IoT adoption, the insights reinforce the trend of enterprises moving more away from the public internet, as concerns such as malware and data theft and leakage increase.
New Android vulnerability Strandhogg 2.0 exploits user trust (Ars Technica, May 26 2020)
SuperHappyFunGame, once installed, could steal the focus from unrelated apps.
The Security of Your Android Device May Depend on Where You Live (SecurityWeek, May 27 2020)
One problem is the open and global nature of the Android operating system. Handset manufacturers seek to differentiate themselves and gain a competitive edge over other manufacturers by adding their own proprietary apps to the default Android device — sometimes known as bloatware. “Specifically,” commented F-Secure UK director of research James Loureiro, “we have seen devices that come with over 100 applications added by the vendor, introducing a significant attack surface that changes by region.”
Abandoned Apps May Pose Security Risk to Mobile Devices (Dark Reading, May 29 2020)
Mobile providers don’t often update users when applications are not supported by developers, security firm says.