The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. The biggest cyber threats organizations deal with today (Help Net Security, Sep 30 2020)
Microsoft has released a new report outlining enterprise cyberattack trends in the past year (July 2019 – June 2020) and offering advice on how organizations can protect themselves. Based on over 8 trillion daily security signals and observations from the company’s security and threat intelligence experts, the Microsoft Digital Defense Report 2020 draws a distinction between attacks mounted by cybercriminals and those by nation-state attackers.
2. Truncated URLs Look to Make Big Dent in Phishing (Dark Reading, Oct 02 2020)
The approach is a long time in coming and will test the premise that users can more easily detect a suspicious domain from the name alone.
3. Attacks Aimed at Disrupting the Trickbot Botnet (Krebs on Security, Oct 02 2020)
“Over the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot, an enormous collection of more than two million malware-infected Windows PCs that are constantly being harvested for financial data and are often used as the entry point for deploying ransomware within compromised organizations.”
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Detecting Deep Fakes with a Heartbeat (Schneier on Security, Oct 01 2020)
“Researchers can detect deep fakes because they don’t convincingly mimic human blood circulation in the face:
In particular, video of a person’s face contains subtle shifts in color that result from pulses in blood circulation. You might imagine that these changes would be too minute to detect merely from a video, but viewing videos that have been enhanced to exaggerate these color shifts will quickly disabuse you of that notion. This phenomenon forms the basis of a technique called…”
5. UK says Huawei coding quality still falls short, as global businesses look toward 5G (SC Media, Oct 01 2020)
The United Kingdom’s official Huawei auditing board claims the beleaguered Chinese telecommunications supplier continues to show “concerning issues” in its approach to software development and data security.
6. AI email security: Understanding the human behind the keyboard (Darktrace Blog, Oct 01 2020)
Despite organizations adopting ‘secure’ email gateways and extensive employee training, 94% of cyber-attacks still start in the inbox. Cyber AI understands the human beings behind email communications and autonomously responds to anomalous emails it deems malicious, stopping attacks that other tools miss.
*Cloud Security, DevOps, AppSec*
7. GitHub Tool Spots Security Vulnerabilities in Code (Dark Reading, Sep 30 2020)
Scanner, which just became generally available, lets developers spot problems before code gets into production.
8. New Research Finds Bugs in Every Anti-Malware Product Tested (Dark Reading, Oct 06 2020)
Products from every vendor had issues that allowed attackers to elevate privileges on a system — if they already were on it.
9. Microsoft Paid Out Over $374,000 for Azure Sphere Vulnerabilities (SecurityWeek, Oct 06 2020)
Microsoft on Tuesday shared the results of its three-month-long Azure Sphere Security Research Challenge and the company says it has paid out more than $374,000 to participants.
*Identity Mgt & Web Fraud*
10. CBP Bought ‘Global’ Location Data from Weather and Game Apps (VICE, Oct 06 2020)
New documents obtained by Motherboard provide more detail on what exactly location data firms are selling to the U.S. government.
11. Introducing Amazon One—a new innovation to make everyday activities effortless (Amazon Blog, Oct 08 2020)
We’re always looking for ways to make our customers’ lives better, and one area where we’ve spent time innovating is the customer shopping experience in stores. Today, our physical retail team is excited to introduce a new innovation called Amazon One.
12. Verizon Payment Security Report is a Wake-up Call: Time to Refocus on PCI DSS Compliance (Dark Reading, Oct 06 2020)
Too many organizations fail to enact the baseline payment security controls, according to the Verizon 2020 Payment Security Report, and the recent Blackbaud ransomware incident is merely the latest evidence.
13. Cyber Pearl Harbor Is Happening Right Now — It’s Ransomware (Daniel Miessler, Oct 06 2020)
I think the only reason we survived this long without serious disruption to business—like we’re seeing now—is because attackers didn’t have their acts together. Their tooling wasn’t nearly as good as it is now, and they hadn’t linked their tooling with the business models.
Today there are multiple routes to make money from an insecure business. Once they get in—via RDP or phishing or drive-bys—they are not only extorting people who want to get their data back.
14. Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work (Krebs on Security, Oct 08 2020)
“today’s attackers have exactly zero trouble gaining that initial intrusion: The real challenge seems to be hiring enough people to help everyone profit from the access already gained.”
15. How Netflix Makes Security Decisions: A Peek Inside the Process (Dark Reading, Oct 06 2020)
A senior information security risk engineer explains how Netflix’s risk management program helps business leaders make key decisions.