The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. FBI, CISA Echo Warnings on ‘Vishing’ Threat (Krebs on Security, Aug 21 2020)
“The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a joint alert to warn about the growing threat from voice phishing or “vishing” attacks targeting companies. The advisory came less than 24 hours after KrebsOnSecurity published an in-depth look at a crime group offering a service that people can hire to steal VPN credentials and other sensitive data from employees working remotely during the Coronavirus pandemic.”
2. Voice Phishers Targeting Corporate VPNs (Krebs on Security, Aug 19 2020)
“The COVID-19 epidemic has brought a wave of email phishing attacks that try to trick work-at-home employees into giving away credentials needed to remotely access their employers’ networks. But one increasingly brazen group of crooks is taking your standard phishing attack to the next level, marketing a voice phishing service that uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from employees.”
3. Akamai: Credential Stuffing Attacks Against Media Services Surging During #COVID19 (Infosecurity Magazine, Aug 21 2020)
The rise in the use of media services during lockdown is leading to more credential stuffing attacks
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. CISA Releases 5G Security Guidelines (Dark Reading, Aug 24 2020)
The new document defines lines of effort for developing security for the growing 5G network.
5. Malicious iOS SDK breaches user privacy for millions (Help Net Security, Aug 24 2020)
Researchers discovered a malicious functionality within the iOS MintegralAdSDK (aka SourMint), distributed by Chinese company Mintegral.
6. How COVID-19 pushed companies towards a mobile security strategy (SC Media, Aug 24 2020)
At the start of 2020, many organizations were already focused on protecting their mobile employees – whether they were business travelers or the occasional employee working from home. COVID-19 changed the game. Entire workforces have been forced to work remotely. Many had already made the transition to only using smartphones and tablets for work. Others…
*Cloud Security, DevOps, AppSec*
7. Let’s Hack a Pipeline: Argument Injection (Azure DevOps Blog, Aug 21 2020)
In this series of posts, we’ll walk through some common security pitfalls when setting up Azure Pipelines. We don’t really want to get hacked, so we’ll also show off the mitigation.
8. Apple OS developer supply chain threatened by ‘clever’ malware attack (SC Media, Aug 20 2020)
In an attack described as a “clever” supply-chain threat, XCSSET malware is being injected undetected into programs created by unwitting Xcode Apple developers who share their projects on the GitHub repository.
9. Using Cloud Logging as your single pane of glass (Cloud Blog, Aug 21 2020)
“Logs are an essential tool for helping to secure your cloud deployments. In the first post in this series, we explored Cloud Identity logs and how you can configure alerts for potentially malicious activity in the Cloud Identity Admin Console to make your cloud deployment more secure. Today, we’ll take it a step further and look at how you can centralize collection of these logs to view activity across your deployment in a single pane of glass.”
*Identity Mgt & Web Fraud*
10. Identifying People by Their Browsing Histories (Schneier on Security, Aug 25 2020)
“Interesting paper: “Replication: Why We Still Can’t Browse in Peace: On the Uniqueness and Reidentifiability of Web Browsing Histories”:
We examine the threat to individuals’ privacy based on the feasibility of reidentifying users through distinctive profiles of their browsing history visible to websites and third parties.”
11. iOS 14 privacy settings will tank ad targeting business, Facebook warns (Ars Technica, Aug 26 2020)
Facebook is worried that users won’t opt in to tracking when given the choice.
12. The Loophole the DMV Uses to Sell Your Data to Private Investigators (VICE, Aug 27 2020)
Some private investigators told Motherboard that the reasons they can give to DMVs to access drivers’ personal data are too broad.
13. Musk: Tesla Was Target of Russian Ransomware Conspiracy (Infosecurity Magazine, Aug 28 2020)
Employee at car giant allegedly offered $1m to help deploy malware
14. Three places for early warning of ransomware and breaches that aren’t the dark web (Help Net Security, Aug 25 2020)
For better or worse, a lot of cybercrime sleuthing and forecasting tends to focus on various underground sites and forums across the deep and dark web corners of the Internet. Whenever a report cites passwords, contraband or fraud kits trafficked in these underground dens, it makes elusive fraudsters and extortion players sound tangible.
15. MITRE Releases ‘Shield’ Active Defense Framework (Dark Reading, Aug 24 2020)
Free knowledge base offers techniques and tactics for engaging with and better defending against network intruders.