The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. ‘GoldenSpy’ Malware Hidden in Tax Software Spies on Companies Doing Business in China (Dark Reading, Jun 25 2020)
Advanced persistent threat (APT) campaign aims to steal intelligence secrets from foreign companies operating in China.
2. Majority of new remote employees use their personal laptops for work (WeLiveSecurity, Jun 23 2020)
And many of them didn’t receive any new security training or tools from their employer to properly secure the devices, a study finds.
3. Variant of Mac malware ‘Shlayer’ spreads via poisoned web searches (SC Media, Jun 22 2020)
Researchers have discovered a new variant of Shlayer Mac malware that bypasses Apple’s built-in security protections and is being spread via malicious results from Google web searches. Shlayer is generally used to distribute bundled adware or unwanted programs.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. iPhone Apps Stealing Clipboard Data (Schneier on Security, Jun 29 2020)
iOS apps are repeatedly reading clipboard data, which can include all sorts of sensitive information. While Haj Bakry and Mysk published their research in March, the invasive apps made headlines again this week with the developer beta release of iOS 14. A novel feature Apple added provides a banner warning every time an app reads clipboard contents. As large numbers of people began testing the beta release, they quickly came to appreciate just how many apps engage in the practice and just how often they do it.
5. Is It Legal for Cops to Force You to Unlock Your Phone? (Wired, Jun 27 2020)
Because the relevant Supreme Court precedents predate the smartphone era, the courts are divided on how to apply the Fifth Amendment.
6. Analyzing IoT Security Best Practices (Schneier on Security, Jun 25 2020)
“Best practices for Internet of Things (IoT) security have recently attracted considerable attention worldwide from industry and governments, while academic research has highlighted the failure of many IoT product manufacturers to follow accepted practices. We explore not the failure to follow best practices, but rather a surprising lack of understanding, and void in the literature, on what (generically) “best practice” means, independent of meaningfully identifying specific individual practices.”
*Cloud Security, DevOps, AppSec*
7. HackerOne Reveals Top 10 Bug-Bounty Programs (Dark Reading, Jun 29 2020)
Rankings based on total bounties paid, top single bounty paid, time to respond, and more.
8. Chinese bank requires foreign firm to install app with covert backdoor (Ars Technica, Jun 26 2020)
A multinational tech company gets schooled in the risks of doing business in China.
9. What is a cyber range and how do you build one on AWS? (AWS Security Blog, Jun 24 2020)
“In this post, we provide advice on how you can build a current cyber range using AWS services.
Conducting security incident simulations is a valuable exercise for organizations. As described in the AWS Security Incident Response Guide, security incident response simulations (SIRS) are useful tools to improve how an organization handles security events. These simulations can be tabletop sessions, individualized labs, or full team exercises conducted using a cyber range.
A cyber range is an isolated virtual environment used by security engineers, researchers, and enthusiasts to practice their craft and experiment with new techniques. Traditionally, these ranges were developed on premises, but on-prem ranges can be expensive to build and maintain (and do not reflect the new realities of cloud architectures).”
*Identity Mgt & Web Fraud*
10. California’s CCPA Gets Teeth Today (Infosecurity Magazine, Jul 01 2020)
California is enforcing its consumer privacy protection law after a six-month grace period.
11. Man Convicted of Stealing High Tech Trade Secrets for China (SecurityWeek, Jun 28 2020)
A federal judge has convicted a Chinese national of economic espionage, stealing trade secrets and engaging in a conspiracy for the benefit of his country’s government.
12. Unemployment Insurance Fraud and Identity Theft: Up Close and Personal (Lenny Zeltser, Jul 01 2020)
How the Scam Works. “In the scheme that I encountered, the scammer impersonates the victim to file an unemployment claim with the state to receive money as the unemployment benefit. To achieve this, the scammer:”
13. COVID-19 ‘Breach Bubble’ Waiting to Pop? (Krebs on Security, Jun 30 2020)
The COVID-19 pandemic has made it harder for banks to trace the source of payment card data stolen from smaller, hacked online merchants. On the plus side, months of quarantine have massively decreased demand for account information that thieves buy and use to create physical counterfeit credit cards. But fraud experts say recent developments suggest both trends are about to change — and likely for the worse.
14. UCSF paid $1.4 million ransom in NetWalker attack (SC Media, Jun 29 2020)
The University of California, San Francisco (UCSF) ponied up $1.4 million to hackers to retrieve data encrypted during a NetWalker ransomware attack disclosed in early June. “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good,”…
15. The Security Value of Inefficiency (Schneier on Security, Jul 02 2020)
“For decades, we have prized efficiency in our economy. We strive for it. We reward it. In normal times, that’s a good thing. Running just at the margins is efficient. A single just-in-time global supply chain is efficient. Consolidation is efficient. And that’s all profitable. Inefficiency, on the other hand, is waste. Extra inventory is inefficient. Overcapacity is inefficient.”