The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. US Military Cyber Chief Defends More Aggressive Strategy (Infosecurity Magazine, Aug 27 2020)
Head of US Cyber Command says America was right to become more proactive over cybersecurity

2. TLS and VPN Flaws Offer Most Pen Tester Access (Infosecurity Magazine, Aug 26 2020)
Vulnerabilities in TLS and a 10-year-old botnet are the most common findings from penetration tests

3. Sendgrid Under Siege from Hacked Accounts (Krebs on Security, Aug 28 2020)
“Email service provider Sendgrid is grappling with an unusually large number of customer accounts whose passwords have been cracked, sold to spammers, and abused for sending phishing and email malware attacks. Sendgrid’s parent company Twilio says it is working on a plan to require multi-factor authentication for all of its customers, but that solution may not come fast enough for organizations having trouble dealing with the fallout in the meantime.”


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

*AI, IoT, & Mobile Security*
4. The Coming Revolution in Intelligence Affairs (Foreign Affairs, Aug 31 2020)
How Artificial Intelligence and Autonomous Systems Will Transform Espionage

5. Researchers develop AI technique to protect medical devices from anomalous instructions (Help Net Security, Aug 26 2020)
Researchers at Ben-Gurion University of the Negev have developed a new AI technique that will protect medical devices from malicious operating instructions in a cyberattack as well as other human and system errors. Complex medical devices such as CT (computed tomography), MRI (magnetic resonance imaging) and ultrasound machines are controlled by instructions sent from a host PC. Abnormal or anomalous instructions introduce many potentially harmful threats to patients, such as…

6. 1,200 iOS apps unknowingly handing over dollars to Chinese ad platform (SC Media, Aug 25 2020)
Malicious code embedded in the Chinese mobile ad platform Mintegral SDK, used by 1,200-plus iOS apps downloaded more than 300 million times monthly, is siphoning off advertising dollars. Mintegral SDK positions its platform as presenting app developers and advertisers with an opportunity to monetize their ad-based marketing. But Snyk researchers found evidence that SDK users…

*Cloud Security, DevOps, AppSec*
7. Fastly Sets DevSecOps Strategy After Signal Sciences Buy (DevOps, Sep 02 2020)
In the wake of acquiring Signal Sciences for $770 million, Fastly is gearing up to expand the range of security services it offers as part of an effort to advance adoption of DevSecOps best practices. Artur Bergman, chief architect for Fastly, said a forthcoming wave of edge computing applications will require web application firewalls (WAFs) that can be deployed and managed remotely to protect them. As a provider of a content delivery network (CDN), Fastly will leverage the WAF platform developed by Signal Sciences to secure edge computing platforms within a forthcoming Secure@Edge service that promises to unify web application and application programming interface (API) security.

8. Five critical cloud security challenges and how to overcome them (Help Net Security, Aug 31 2020)
Fortunately, there’s no reason why cloud computing can’t be done securely. You need to recognize the most critical cloud security challenges and develop a strategy for minimizing these risks. By doing so, you can get ahead of problems before they start, and help ensure that your security posture is strong enough to keep your core assets safe in any environment.

9. Why Kubernetes Clusters Are Intrinsically Insecure (& What to Do About Them) (Dark Reading, Sep 02 2020)
By following best practices and prioritizing critical issues, you can reduce the chances of a security breach and constrain the blast radius of an attempted attack. Here’s how.

*Identity Mgt & Web Fraud*
10. DNC Warns Campaign Staffers of Dating App Dangers (Dark Reading, Aug 28 2020)
The Democratic National Committee advises against sharing too much work and personal information on popular dating apps.

11. Confessions of an ID Theft Kingpin, Part II (Krebs on Security, Aug 27 2020)
“Yesterday’s piece told the tale of Hieu Minh Ngo, a hacker the U.S. Secret Service described as someone who caused more material financial harm to more Americans than any other convicted cybercriminal. Ngo was recently deported back to his home country after serving more than seven years in prison for running multiple identity theft services. He now says he wants to use his experience to convince other cybercriminals to use their skills for good.”

12. UVA Researcher Charged with Computer Intrusion & Trade Secret Theft (Dark Reading, Aug 31 2020)
Chinese national Haizhou Hu was researching bio-mimics and fluid dynamics at the University of Virginia.

*CISO View*
13. The FBI Intrusion Notification Program (TaoSecurity, Sep 03 2020)
The FBI intrusion notification program is one of the most important developments in cyber security during the last 15 years. This program achieved mainstream recognition on 24 March 2014 when Ellen Nakashima reported on it for the Washington Post in her story U.S. notified 3,000 companies in 2013 about cyberattacks.

14. Gartner Predicts 75% of CEOs Will be Personally Liable for Cyber-Physical Security Incidents by 2024 (Gartner, Sep 01 2020)
Liability for cyber-physical security incidents will pierce the corporate veil to personal liability for 75% of CEOs by 2024…

15. Facebook Announces Formal Vulnerability Disclosure Policy for Third-Party Bugs (Dark Reading, Sep 03 2020)
The social media giant has also launched a new website for sharing information on WhatsApp security.