15 Bullet Friday – The Best Security News of the Week – 2020.06.19

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. UPnP vulnerability lets attackers steal data, scan internal networks (Help Net Security, Jun 09 2020)
A vulnerability (CVE-2020-12695) in Universal Plug and Play (UPnP), which is implemented in billions of networked and IoT devices – personal computers, printers, mobile devices, routers, gaming consoles, Wi-Fi access points, and so on – may allow unauthenticated, remote attackers to exfiltrate data, scan internal networks or make the devices participate in DDoS attacks.

2. Another Intel Speculative Execution Vulnerability (Schneier on Security, Jun 11 2020)
“That has turned out to be true. Here’s a new vulnerability: On Tuesday, two separate academic teams disclosed two new and distinctive exploits that pierce Intel’s Software Guard eXtension, by far the most sensitive region of the company’s processors.”

3. Alarm sounded over security risks in online voting system (WeLiveSecurity, Jun 09 2020)
Bad actors could tamper with ballots cast via OmniBallot without being detected by voters, election officials or the tool’s developer, a study finds


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



*AI, IoT, & Mobile Security*
4. Ripple20 Bugs Put Hundreds of Millions of IoT Devices at Risk (Wired, Jun 16 2020)
The so-called Ripple20 vulnerabilities affect equipment found in data centers, power grids, and more.

5. GTP Vulnerabilities Expose 4G/5G Networks to High-Impact Attacks (SecurityWeek, Jun 12 2020)
Vulnerabilities in the GPRS Tunnelling Protocol (GTP) expose 4G and 5G cellular networks to a variety of attacks, including denial-of-service, user impersonation, and fraud, Positive Technologies security researchers warn.

6. T-Mobile Outage Mistaken for Massive DDoS Attack on U.S. (SecurityWeek, Jun 16 2020)
Wireless carrier T-Mobile on Monday suffered a major outage in the United States that impacted service at other carriers as well, and it ended up being reported as a “massive” distributed denial of service (DDoS) attack.

*Cloud Security, DevOps, AppSec*
7. Data Security in the SaaS Age: Focus on What You Control (Securosis Blog, Jun 15 2020)
“Returning to the Data Breach Triangle, you can stop a breach by either ‘eliminating’ the data to steal, stopping the exploit, or preventing egress/exfiltration. In SaaS you cannot control the exploit, so forget that. You also probably don’t see the traffic going directly to a SaaS provider unless you inefficiently force all traffic through an inspection point. So focusing on egress/exfiltration probably won’t suffice either.

That leaves you to control the data.”

8. Exposed Cloud Databases Attacked 18 Times Per Day (Infosecurity Magazine, Jun 15 2020)
Comparitech’s honeypot research finds first raid just eight hours in

9. Machine-learning clusters in Azure hijacked to mine cryptocurrency (Ars Technica, Jun 11 2020)
Microsoft shuts down hacking spree that preyed on misconfigured machines.

*Identity Mgt & Web Fraud*
10. Massive spying on users of Chrome shows new security weakness (Reuters, Jun 18 2020)
A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser, researchers at Awake Security told Reuters, highlighting the tech industry’s failure to protect browsers as they are used more for email, payroll and other sensitive functions.

11. The Russian Disinfo Operation You Never Heard About (Wired, Jun 16 2020)
The campaign known as Secondary Infektion appears to be a distinct effort from the meddling of the IRA and GRU—and it went undetected for years

12. More ad fraud apps found hiding on Google Play Store (Naked Security – Sophos, Jun 17 2020)
Fraudulent Android app developers have been discovered trying to manipulate Google’s Play Store security by removing suspicious code before adding it back in to see what trips detection systems.

*CISO View*
13. When Security Takes a Backseat to Productivity (Krebs on Security, Jun 17 2020)
“The CIA acknowledged its security processes were so “woefully lax” that the agency probably would never have known about the data theft had Wikileaks not published the stolen documents online. What kind of security failures created an environment that allegedly allowed a former CIA employee to exfiltrate so much sensitive data? Here are a few, in no particular order:

Failing to rapidly detect security incidents.
Failing to act on warning signs about potentially risky employees.
Moving too slowly to enact key security safeguards.
A lack of user activity monitoring or robust server audit capability.
No effective removable media controls.
No single person empowered to ensure IT systems are built and maintained securely throughout their lifecycle.
Historical data available to all users indefinitely.”

14. Three years after WannaCry, what have we learned? (Help Net Security, Jun 15 2020)
Three years ago, the WannaCry ransomware worm wreaked havoc on hundreds of thousands of organizations worldwide, ranging from hospitals that had to pause urgent operations to multinational delivery services that were forced to halt the transportation of goods. In fact, experts claim business interruption costs from the notorious ransomware attack topped off at about $8 billion. As cybersecurity practitioners, we all remember where we were when we first heard about WannaCry. We remember the knot

15. U.S. Officials ‘Alarmed’ by Zoom Cooperation With China (SecurityWeek, Jun 15 2020)
United States House representatives last week sent a letter to Zoom to demand explanation for the communication platform’s decision to close the accounts of U.S.-based Chinese activists.
