The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. FBI: Block Email Forwarding to Stop BEC Attackers (Infosecurity Magazine, Dec 02 2020)
Feds warn of visibility challenge for IT administrators

2. Mac users warned of more Ocean Lotus malware targeted attacks (Graham Cluley, Dec 02 2020)
Security researchers have warned of the latest incarnation of a backdoor trojan horse that has been used in the past to target Mac users. If you’re a Mac user, I really hope you’re running anti-virus software.

3. Unmanaged Devices Heighten Risks for School Networks (Dark Reading, Dec 01 2020)
Gaming consoles, Wi-Fi Pineapples, and building management systems are among many devices Armis says it discovered on K-12 school networks.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

*AI, IoT, & Mobile Security*
4. iPhone zero-click Wi-Fi exploit is one of the most breathtaking hacks ever (Ars, Dec 01 2020)
Before Apple patch, Wi-Fi packets could steal photos. No interaction needed. Over the air.

5. Trump Signs IoT Security Bill into Law (Dark Reading, Dec 07 2020)
The Internet of Things Cybersecurity Improvement Act of 2020 is now official.

6. Many Android Apps Expose Users to Attacks Due to Failure to Patch Google Library (SecurityWeek, Dec 04 2020)
A vulnerability in the Google Play Core Library continues to impact many applications several months after official patches were released.

*Cloud Security, DevOps, AppSec*
7. Open Source Does Not Equal Secure (Schneier on Security, Dec 03 2020)
“Way back in 1999, I wrote about open-source software:

First, simply publishing the code does not automatically mean that people will examine it for security flaws. Security researchers are fickle and busy people. They do not have the time to examine every piece of source code that is published. So while opening up source code is a good thing, it is not a guarantee of security. I could name a dozen open source security libraries that no one has ever heard of, and no one has ever evaluated.”

8. Three common cloud encryption questions and their answers on AWS (AWS Security Blog, Dec 07 2020)
At Amazon Web Services (AWS), we encourage our customers to take advantage of encryption to help secure their data. Encryption is a core component of a good data protection strategy, but people sometimes have questions about how to manage encryption in the cloud to meet the growth pace and complexity of today’s enterprises.

9. Open Source Flaws Take Years to Find But Are Quick to Fix (Dark Reading, Dec 02 2020)
Companies need to embrace automation and dependency tracking to keep software secure, GitHub says in its annual security report.

*Identity Mgt & Web Fraud*
10. Apple to Tighten App Privacy, Remove Apps That Don’t Comply (SecurityWeek, Dec 08 2020)
Apple is stepping up privacy for app users, forcing developers to be more transparent about data collection and warning they could be removed if they don’t comply with a new anti-tracking measure, a company executive and regulators said Tuesday.

11. Food bank loses nearly $1,000,000 in Business Email Compromise scam (Graham Cluley, Dec 05 2020)
A food bank in Philadelphia has ended up out of pocket after scammers successfully tricked it out of almost one million dollars.

12. Feds logged website visitors in 2019, citing Patriot Act authority (Ars Technica, Dec 04 2020)
Privacy-minded lawmakers want feds to have to get warrants for web browsing data.

*CISO View*
13. Nation-State Hackers Breached FireEye, Stole Its Red Team Tools (Dark Reading, Dec 08 2020)
"Novel techniques" used by the attackers cheated security tools and forensics, according to FireEye CEO Kevin Mandia.

14. Industry Reactions to FireEye Breach: Feedback Friday (SecurityWeek, Dec 11 2020)
Cybersecurity firm FireEye this week revealed that a highly sophisticated threat group likely sponsored by a foreign government breached its network and stole some of its Red Team tools.

15. Foxconn hit with record-breaking $34 million ransom demand after cyber attack (Graham Cluley, Dec 08 2020)
The world’s largest electronics manufacturer, Foxconn, has suffered a cyber attack and extortionists are reportedly demanding a $34 million ransom be paid for the recovery of its data.