The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Five Eyes Cybersecurity Agencies Release Incident Response Guidance (SecurityWeek, Sep 07 2020)
Cybersecurity agencies in Australia, Canada, New Zealand, the United Kingdom, and the United States have published a joint advisory focusing on detecting malicious activity and incident response.

read more

2. Apple notarization process, meant to protect, approved Shlayer malware (SC Media, Sep 01 2020)
Apple appears to have inadvertently approved OSX.Shlayer malware as part of the security notarization process it has touted would boost user confidence that the Developer ID-signed software they distribute has the innovative tech giant’s seal of approval. “While it is unclear “what the Shlayer folks did to get their malware notarized,” essentially Apple’s process “allowed…

3. Visa Issues Alert for ‘Baka’ JavaScript Skimmer (SecurityWeek, Sep 07 2020)
A JavaScript skimmer identified earlier this year uses dynamic loading to avoid detection by static malware scanners, Visa warns. Referred to as Baka, the e-commerce skimmer was first discovered in February 2020, but has already impacted several merchant websites across numerous global regions.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share on Twitter Facebook LinkedIn

*AI, IoT, & Mobile Security*
4. How Government AI Stole Hundreds of Millions of Dollars From Citizens (VICE, Sep 03 2020)
The Australian government really screwed people on this one. A major world government relies on a defective and cruel algorithm for debt collection, to extort money out of its most vulnerable citizens who were already on social assistance. Or to put it more succinctly: state-sponsored shakedowns via Artificial Intelligence, that ends up being so flawed it results in the country taking hundreds of millions of dollars from its own people.

5. Microsoft builds deepfakes detection tool to combat election disinformation (Help Net Security, Sep 02 2020)
Microsoft has developed a deepfakes detection tool to help news publishers and political campaigns, as well as technology to help content creators “mark” their images and videos in a way that will show if the content has been manipulated post-creation.

6. CEOs Could Face Jail Time for IoT Attacks by 2024 (Infosecurity Magazine, Sep 02 2020)
Gartner warns of personal liability for cyber-physical systems

*Cloud Security, DevOps, AppSec*
7. Defense in depth using AWS Managed Rules for AWS WAF (part 1) (AWS Blog, Sep 02 2020)
The post is in two parts. This first part describes AWS Managed Rules for AWS WAF and how it can be used to provide defense in depth. The second part shows how to apply AWS Managed Rules for WAF.

8. Deploying defense in depth using AWS Managed Rules for AWS WAF (part 2) (AWS Blog, Sep 02 2020)
“In this post, I show you how to use recent enhancements in AWS WAF to manage a multi-layer web application security enforcement policy. These enhancements will help you to maintain and deploy web application firewall configurations across deployment stages and across different types of applications.”

9. Oracle loses $10B JEDI cloud contract appeal yet again (TechCrunch, Sep 03 2020)
It’s worth noting that for all its complaints that the deal favored Amazon, Microsoft actually won the bid. Even with that determination, the deal remains tied up in litigation as Amazon has filed multiple complaints, alleging that the president interfered with the deal and that they should have won on merit.

*Identity Mgt & Web Fraud*
10. Insider Attack on the Carnegie Library (Schneier on Security, Sep 08 2020)
“Greg Priore, the person in charge of the rare book room at the Carnegie Library, stole from it for almost two decades before getting caught.
It’s a perennial problem: trusted insiders have to be trusted.”

11. What happens to funds once they have been stolen in a cyberattack? (Help Net Security, Sep 08 2020)
SWIFT and BAE Systems published a report that describes the complex web of money mules, front companies and cryptocurrencies that criminals use to siphon funds from the financial system after a cyber attack. The report highlights the ingenuity of money laundering tactics to obtain liquid financial assets and avoid any subsequent tracing of the funds.

12. Here’s How Police Request Data From WhatsApp and Facebook (VICE, Sep 10 2020)
Facebook has chosen to review user data requests manually, without screening the email address of people who request access to the portals, which are made for law enforcement agents only.

*CISO View*
13. What is Threat Modeling and GitHub’s Process (The GitHub Blog, Sep 10 2020)
Using Microsoft’s Threat Modeling Tool or OWASP’s Threat Dragon to bring security and engineering teams together to discuss systems. Generating action items that improve security.

14. China Launches Initiative for Global Data Security Issues (SecurityWeek, Sep 08 2020)
China has launched an initiative to address global data security issues, a countermove to the U.S. “clean network” program that is aimed at discouraging other countries from using Chinese technology.

15. Hacker-for-hire groups profit by commoditizing APT tactics (SC Media, Sep 09 2020)
In the span of just over three months, researchers have exposed three mercenary, “hacker-for-hire” groups engaging in industrial espionage and stealing corporate secrets for profit.