The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Patch by Tonight: CISA Issues Emergency Directive for Critical Netlogon Flaw (Dark Reading, Sep 21 2020)
The directive requires all federal agencies to apply a patch for Windows Netlogon vulnerability CVE-2020-1472 by midnight on Sept. 21.
2. Chinese Antivirus Firm Was Part of APT41 ‘Supply Chain’ Attack (Krebs on Security, Sep 17 2020)
The U.S. Justice Department this week indicted seven Chinese nationals for a decade-long hacking spree that targeted more than 100 high-tech and online gaming companies. The government alleges the men used malware-laced phishing emails and “supply chain” attacks to steal data from companies and their customers. One of the alleged hackers was first profiled here in 2012 as the owner of a Chinese antivirus firm.
3. Google offers high-risk Chrome users additional scanning of risky files (Help Net Security, Sep 18 2020)
Google is providing a new “risky files” scanning feature to Chrome users enrolled in its Advanced Protection Program (APP). Google introduced the Advanced Protection Program in 2017. It’s primarily aimed at users whose accounts are at high risk of compromise through targeted attacks – journalists, human rights and civil society activists, campaign staffers and people in abusive relationships, executives and specific employees – but anyone can sign up for it.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. How to Keep Facebook From Detecting Fake Accounts in Leaked Manual (VICE, Sep 22 2020)
A leaked manual from Blackdot Solutions, a British company that offers social media monitoring services, included a step-by-step guide on how to create fake profiles on Facebook and LinkedIn.
5. Oracle will inherit TikTok security, privacy headaches (SC Media, Sep 17 2020)
By partnering with the popular Chinese video-sharing platform TikTok, Oracle will inherit a laundry list of security and privacy issues once the deal is approved by TikTok parent company ByteDance, which could happen as soon as Sept. 20. TikTok boasts 100 million users in the U.S. and 689 million globally.
6. It’s Impossible for You to Know Which Apps Sell Your Location Data to Trump (VICE, Sep 18 2020)
The Trump campaign paid $4 million to a data broker called Phunware, which collects your sensitive data from dozens of apps.
*Cloud Security, DevOps, AppSec*
7. Get ready for upcoming changes in the AWS SSO user sign-in process (AWS Blog, Sep 18 2020)
To improve security, enhance user experience, and address compatibility with future AWS Identity changes, AWS Single Sign-On (SSO) is making changes to the sign-in process that will affect some AWS SSO customers. The changes will go into effect globally in early October 2020.
8. 12 Bare-Minimum Benchmarks for AppSec Initiatives (Dark Reading, Sep 23 2020)
The newly published Building Security in Maturity Model provides the software security basics organizations should cover to keep up with their peers.
9. HackerOne Paid Out Over $107 Million in Bug Bounties (SecurityWeek, Sep 22 2020)
Hacker-powered bug hunting platform HackerOne on Tuesday announced that it paid more than $44.75 million in bounty rewards over the past 12 months, with the total payouts to date surpassing $107 million.
*Identity Mgt & Web Fraud*
10. Facebook warns privacy rules could force exit European market (Ars Technica, Sep 22 2020)
Facebook official charges Irish regulators haven’t treated Facebook fairly.
11. Companies Can Track Your Phone’s Movements to Target Ads (Wired, Sep 18 2020)
Brands are seeking new ways to customize messages. A startup that gathers data on when you pick up your phone, or when you go out on a run, can help.
12. $100,000 in bribes helped fraudulent Amazon sellers earn $100 million, DOJ says (Ars Technica, Sep 18 2020)
DOJ: Bribes to Amazon workers also helped sellers get rivals’ accounts suspended.
13. What are the traits of an effective CISO? (Help Net Security, Sep 21 2020)
Only 12% of CISOs excel in all four categories of the Gartner CISO Effectiveness Index. “Today’s CISOs must demonstrate a higher level of effectiveness than ever before,” said Sam Olyaei, research director at Gartner.
14. FBI, DHS Warn of ‘Likely’ Disinformation Campaigns About Election Results (Dark Reading, Sep 23 2020)
Nation-state actors and cybercriminals could wage cyberattacks and spread false information about the integrity of the election results while officials certify the final vote counts.
15. Govt. Services Firm Tyler Technologies Hit in Apparent Ransomware Attack (Krebs on Security, Sep 23 2020)
“Tyler Technologies, a Texas-based company that bills itself as the largest provider of software and technology services to the United States public sector, is battling a network intrusion that has disrupted its operations. The company declined to discuss the exact cause of the disruption, but their response so far is straight out of the playbook for responding to ransomware incidents.”