15 Bullet Friday – The Best Security News of the Week – 2020.11.06

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals (Krebs on Security, Oct 28 2020)
“On Monday, Oct. 27, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive Russian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology systems at hundreds of hospitals, clinics and medical care facilities across the United States. Today, officials from the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives…”

2. Iranian hackers probed election-related websites in 10 states, US officials say (CyberScoop, Nov 02 2020)
Suspected Iranian hackers have probed the election-related websites of 10 states and, in one case, accessed voter registration data, federal personnel told election security officials on Friday. The hackers were conducting broad scanning of certain state and local websites at the end of September, then attempted to exploit some of those websites to nab voter data, officials from the Department of Homeland Security said during a phone briefing.

3. Google’s Project Zero discloses Windows 0-day that’s been under active exploit (Ars Technica, Oct 30 2020)
Security flaw lets attackers escape sandboxes designed to contain malicious code.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share on Twitter Facebook LinkedIn


*AI, IoT, & Mobile Security*
4. Tracking Users on Waze (Schneier on Security, Oct 29 2020)
“A security researcher discovered a wulnerability in Waze that breaks the anonymity of users:

I found out that I can visit Waze from any web browser at waze.com/livemap so I decided to check how are those driver icons implemented. What I found is that I can ask Waze API for data on a location by sending my latitude and longitude coordinates. Except the essential traffic information, Waze also sends me coordinates of other drivers who are nearby. What caught my eyes was that identification number…”

5. New Wroba Campaign Is Latest Sign of Growing Mobile Threats (Dark Reading:, Oct 30 2020)
After years of mostly targeting users in Japan, Korea, and other countries in the region, operators of the Trojan expanded their campaign to the US this week.

6. How TinyML Makes Artificial Intelligence Ubiquitous (“artificial intelligence” – Google News, Nov 03 2020)
TinyML is the latest from the world of deep learning and artificial intelligence. It brings the capability to run machine learning models in a ubiquitous microcontroller – the smallest electronic chip present almost everywhere.

*Cloud Security, DevOps, AppSec*
7. The 10 Best Practices in Cloud Data Security (Cloud Security Alliance, Nov 03 2020)
Cloud security varies, and the best way to ensure everything is protected usually begins by understanding the combination of cloud location and cloud service your organization has.

8. Cybersecurity Awareness Month—New security announcements for Google Cloud (Google Cloud Blog, Oct 29 2020)
“The Google Cloud Security Showcase is a video resource that’s focused on solving security problems and helping you create a safer cloud deployment. With more than 50 step-by-step videos on specific security challenges or use cases, complete with actionable information to help you solve that specific issue, there’s something for every security professional. We’ve added 2 new use-case based videos this month”

9. Who’s selling SASE and what do you get? (Network World Security, Oct 30 2020)
Secure access service edge (SASE) architecture rolls networking and security into a cloud service, making it easier for enterprises to provide simple, secure access to corporate resources, but it’s still in its infancy. Vendors and service providers sell offerings that they call SASE, but what they actually provide and how they provide it varies widely.
SASE—pronounced “sassy”- is a term coined last year by Gartner, and it combines software-defined WAN (SD-WAN) with access control and security…

*Identity Mgt & Web Fraud*
10. California Proposition 24 Passes (Schneier on Security, Nov 05 2020)
“California’s Proposition 24, aimed at improving the California Consumer Privacy Act, passed this week. Analyses are very mixed. I was very mixed on the proposition, but on the whole I supported it. The proposition has some serious flaws, and was watered down by industry, but voting for privacy feels like it’s generally a good thing.”

11. LexisNexis to Pay $5 Million Class Action Settlement for Selling DMV Data (VICE, Nov 05 2020)
LexisNexis had taken data from DMVs and then resold it to other organizations that did not have a legally permissible use for the information, the complaint said.

12. Attackers want Active Directory privileges. Here’s how to stop them. (SC Media, Nov 02 2020)
A growing number of threat actors use advanced persistent threat (APT)  tactics to progress their attacks. More and more target Active Directory (AD), domain controllers, and flaws in Kerberos tickets to find weaknesses, steal credentials, and escalate privileges.

*CISO View*
13. Why Paying to Delete Stolen Data is Bonkers (Krebs on Security, Nov 04 2020)
“Companies hit by ransomware often face a dual threat: Even if they avoid paying the ransom and can restore things from scratch, about half the time the attackers also threaten to release sensitive stolen data unless the victim pays for a promise to have the data deleted. Leaving aside the notion that victims might have any real expectation the attackers will actually destroy the stolen data, new research suggests a fair number of victims who do pay up may see some or all of the stolen data…”

14. CERT/CC Seeks to Remove Fear Element From Named Vulnerabilities (SecurityWeek, Nov 03 2020)
Most people will immediately recognize CVE-2014-0160 as a vulnerability, but few will know which vulnerability it refers to. Call it Heartbleed, however, and more people will know more about it. That’s the strength of natural language over numbers — humans remember words more easily than numbers.

15. Security and the One Percent: A Thought Exercise in Estimation and Consequences (TaoSecurity, Oct 31 2020)
There’s a good chance that if you’re reading this post, you’re the member of an exclusive club. I call it the security one percent, or the security 1%. This is shorthand for the assortment of people and organizations who have the personnel, processes, technology, and support to implement somewhat robust digital security programs, especially those with the detection and response capabilities and not just planning and resistance/”prevention” functions.

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn