15 Bullet Friday – The Best Security News of the Week – 2020.07.31

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Vulnerability in Cisco Firewalls Exploited Shortly After Disclosure (SecurityWeek, Jul 24 2020)
Cisco this week informed customers that it has patched a high-severity path traversal vulnerability in its firewalls that can be exploited remotely to obtain potentially sensitive files from the targeted system. The first attempts to exploit the flaw were observed shortly after disclosure.

2. Researchers Reveal New Security Flaw Affecting China’s DJI Drones (The Hacker News, Jul 27 2020)
Cybersecurity Researchers Revealed New Security Flaws Affecting China’s DJI Drones

3. FBI Issues Alert on Use of Chinese Tax Software (SecurityWeek, Jul 27 2020)
The Federal Bureau of Investigation has issued an alert to inform organizations in the United States of the risk associated with the use of Chinese tax software.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~15,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share on Twitter Facebook LinkedIn

*AI, IoT, & Mobile Security*
4. Apple Will Start Sending Special Devices to iPhone Hackers (VICE, Jul 22 2020)
Apple officially launched the iPhone Research Device Program, and will send iPhone hackers and security researchers special devices that will make it easier for them to find bugs and vulnerabilities.

5. Is TikTok Spying On You For China? (Forbes, Jul 27 2020)
A new security report has just been published, adding substance to the U.S. threats being made against China’s social media sensation.

6. Adversarial Machine Learning and the CFAA (Schneier on Security, Jul 23 2020)
“In this paper, we ask, “What are the potential legal risks to adversarial ML researchers when they attack ML systems?” Studying or testing the security of any operational system potentially runs afoul the Computer Fraud and Abuse Act (CFAA), the primary United States federal statute that creates liability for hacking.”

*Cloud Security, DevOps, AppSec*
7. Organizations Continue to Struggle With App Vulns (Dark Reading, Jul 24 2020)
A high percentage of discovered bugs remain unremediated for a long time, a new study shows.

8. Attackers exploit Twilio’s misconfigured cloud storage, inject malicious code into SDK (Help Net Security, Jul 23 2020)
Twilio has confirmed that, for 8 or so hours on July 19, a malicious version of their TaskRouter JS SDK was being served from their one of their AWS S3 buckets. “Due to a misconfiguration in the S3 bucket that was hosting the library, a bad actor was able to inject code that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks,” the company shared.

9. How to use AWS Organizations to simplify security at enormous scale (AWS Security Blog, Jul 22 2020)
AWS Organizations provides central governance and management across AWS accounts. In this post, we explain how AWS Organizations can make the lives of your Information Security engineers easier, based on our experience in the Information Security team at Amazon. The service control policies (SCPs) feature in AWS Organizations offers you central control over permissions…

*Identity Mgt & Web Fraud*
10. Business ID Theft Soars Amid COVID Closures (Krebs on Security, Jul 27 2020)
“When a business owner wants to open a new line of credit, creditors typically check with Dun & Bradstreet to gauge the business’s history and trustworthiness.

In 2019, Dun & Bradstreet saw more than a 100 percent increase in business identity theft. For 2020, the company estimates an overall 258 percent spike in the crime. Dun & Bradstreet said that so far this year it has received over 4,700 tips and leads where business identity theft or malfeasance are suspected.”

11. Nation State Attackers Shift to Credential Theft (Infosecurity Magazine, Jul 29 2020)
Nation state attackers shift from financial theft and gain to stealing user credentials

12. Rite Aid Drops Facial Recognition Tech (Infosecurity Magazine, Jul 29 2020)
US drugstore chain removes facial recognition technology from 200 stores

*CISO View*
13. Twitter employees were spear-phished over the phone (Help Net Security, Jul 31 2020)
“The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack,” Twitter explained.

“Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools.”

14. Thinking of a Cybersecurity Career? Read This (Krebs on Security, Jul 24 2020)
“Thousand of people graduate from colleges and universities each year with cybersecurity or computer science degrees only to find employers are less than thrilled about their hands-on, foundational skills. Here’s a look at a recent survey that identified some of the bigger skills gaps, and some thoughts about how those seeking a career in these fields can better stand out from the crowd.”

15. EU Sanctions on Russian, Chinese ‘Cyber Attackers’ (SecurityWeek, Jul 30 2020)
The European Union imposed its first ever sanctions against alleged cyber attackers on Thursday, targeting Russian and Chinese individuals and a specialist unit of Moscow’s GRU military intelligence agency.

Share on facebook
Share on twitter
Share on linkedin