The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Surge in cyber attacks targeting open source software projects (Help Net Security, Aug 13 2020)
There has been a massive 430% surge in next-generation cyber attacks aimed at actively infiltrating open source software supply chains, Sonatype has found. According to the report, 929 next-generation software supply chain attacks were recorded from July 2019 through May 2020. By comparison, 216 such attacks were recorded in the four years between February 2015 and June 2019.
2. NSA & FBI Disclose New Russian Cyberespionage Malware (Dark Reading, Aug 13 2020)
APT 28, aka Fancy Bear, is deploying the Drovorub malware designed for Linux systems as part of cyber-espionage operations.
3. Malicious Actor Controlled 23% of Tor Exit Nodes (SecurityWeek, Aug 11 2020)
A malicious actor was at one point in control of roughly 23% of the entire Tor network’s exit capacity, a security researcher has discovered.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Secret Service Bought Phone Location Data from Apps, Contract Confirms (VICE, Aug 17 2020)
An internal Secret Service document describes the purchase of Locate X, a product that uses location data harvested from ordinary apps.
5. Should I Segment my IoT Devices Onto Their Own Networks? (Dark Reading, Aug 17 2020)
Understanding the criticality and importance of the device determines the level of segmentation.
6. Hackers can eavesdrop on mobile calls with $7,000 worth of equipment (Ars Technica, Aug 13 2020)
VoLTE calls were supposed to be more secure. A fatal flaw can unravel that promise.
*Cloud Security, DevOps, AppSec*
7. IT Pros Name Misconfiguration #1 Cloud Security Threat (Infosecurity Magazine, Aug 13 2020)
Check Point report reveals skills shortage is biggest barrier to adoption. The top four threats were cited as: misconfiguration (68%), unauthorized cloud access (58%), insecure interfaces (52%), and account hijacking (50%).
8. Chrome 86 will prominently warn about insecure forms on secure pages (Help Net Security, Aug 18 2020)
Entering information into and submitting it through insecure online forms will come with very explicit warnings in the upcoming Chrome 86, Google has announced. The browser will show a warning when a user begins filling out a mixed form (a form on an HTTPS site that does not submit through an HTTPS channel) and again when the user tries to submit a mixed form.
9. How to Stay Secure on GitHub (Dark Reading, Aug 18 2020)
GitHub, used badly, can be a source of more vulnerabilities than successful collaborations. Here are ways to keep your development team from getting burned on GitHub.
*Identity Mgt & Web Fraud*
10. California DMV Is Selling Drivers’ Data to Private Investigators (VICE, Aug 18 2020)
An internal document obtained by Motherboard lists the commercial requesters for California DMV data.
11. Canadian Citizens Lose #COVID19 Funds After Govt Account Hijacking (Infosecurity Magazine, Aug 17 2020)
Thousands of Canada Revenue Agency and GCKey accounts are compromised. A statement from the Treasury Board of Canada Secretariat on Saturday revealed that the attackers had used tried-and-tested credential stuffing techniques to hijack GCKey and Canada Revenue Agency (CRA) accounts.
12. Ritz London clients scammed after apparent data breach (WeLiveSecurity, Aug 19 2020)
Armed with personal data stolen from the hotel’s dining reservation system, fraudsters trick guests into handing over their credit card details.
13. Former Uber CSO Charged in Hack Cover-up (Dark Reading, Aug 20 2020)
Joe Sullivan, Uber’s former CSO, has been charged with obstruction of justice and misprision of a felony following a 2016 hack of the ride-share company. If convicted, Sullivan faces a maximum of five years in prison for the obstruction charge and a maximum of three years in prison for the misprision charge.
14. Black Hat USA 2020 Musings: Weird and Wonderful Virtual Events are Here to Stay (Dark Reading, Aug 20 2020)
Black Hat USA 2020 was nothing like an in-person event, but it was incredibly useful for all involved, providing even the most grizzled industry veterans with fresh perspectives.
15. Microsoft Put Off Fixing Zero Day for 2 Years (Krebs on Security, Aug 17 2020)
A security flaw in the way Microsoft Windows guards users against malicious files was actively exploited in malware attacks for two years before last week, when Microsoft finally issued a software update to correct the problem.