The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Chinese Supply-Chain Attack on Computer Systems (Schneier on Security, Feb 13 2021)
“Bloomberg News has a major story about the Chinese hacking computer motherboards made by Supermicro, Lenovo, and others. It’s been going on since at least 2008. The US government has known about it for almost as long, and has tried to keep the attack secret:
China’s exploitation of products made by Supermicro, as the U.S. company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter. That included an FBI counterintelligence investigation that began around 2012, when agents started monitoring the communications of a small group of Supermicro workers, using warrants obtained under the Foreign Intelligence Surveillance Act, or FISA, according to five of the officials.
There’s lots of detail in the article, and I recommend that you read it through.
This is a follow-on, with a lot more detail, to a story Bloomberg reported on in fall 2018. I didn’t believe the story back then, writing:
I don’t think it’s real. Yes, it’s plausible. But first of all, if someone actually surreptitiously put malicious chips onto motherboards en masse, we would have seen a photo of the alleged chip already. And second, there are easier, more effective, and less obvious ways of adding backdoors to networking equipment.
I seem to have been wrong. From the current Bloomberg story:
Mike Quinn, a cybersecurity executive who served in senior roles at Cisco Systems Inc. and Microsoft Corp., said he was briefed about added chips on Supermicro motherboards by officials from the U.S. Air Force….”
2. Microsoft: web shell attacks have doubled over the past year (SC Media, Feb 12 2021)
While they’re easy for attackers to set up, web shells can be difficult for defenders to detect, since they’re often targeted to specific servers and can hide in the noise of internet traffic, scanning, probing and unsuccessful attacks that most organizations see on a daily basis.
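Because web shells are usually a single dropped file rather than a network signature, one practical check is to walk the web root and score files on the traits shells share: code-execution functions fed straight from request input, layered decoding, PHP code hiding under an image extension, or executable files sitting in upload directories. The following is an added illustration written for this digest, not code from Microsoft or SC Media; the sample files, the indicator list and its weights, and the threshold are all constructed here and should be tuned to the application being protected.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample web files (not taken from the Microsoft report): an
# ordinary PHP page, a PHP web shell dropped in an upload directory, and an
# image. In practice these would be read from the web root on disk.
SAMPLE_FILES: Dict[str, str] = {
    "index.php": (
        "<?php\n"
        "require 'config.php';\n"
        "echo render_page($_GET['page'] ?? 'home');\n"
    ),
    "uploads/img.php": (
        "<?php\n"
        "@eval(base64_decode($_POST['c']));\n"
    ),
    "uploads/logo.png": "\x89PNG\r\n\x1a\n" + "\x00" * 16,
}

# Indicator table (assumed weights): compiled regex, weight, readable name.
INDICATORS: List[Tuple[re.Pattern, int, str]] = [
    (re.compile(r"\beval\s*\(\s*base64_decode\s*\("), 5,
     "eval(base64_decode(...))"),
    (re.compile(r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)"
                r"\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"), 5,
     "OS command built from request input"),
    (re.compile(r"\beval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"), 5,
     "eval of raw request input"),
    (re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]*\]\s*\("), 4,
     "request value invoked as a function"),
    (re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*base64_decode\s*\("), 3,
     "layered decoding"),
    (re.compile(r"^\s*@", re.MULTILINE), 1,
     "error suppression"),
]

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")
# Directories the web server can normally write to (assumed for this example).
WRITABLE_DIRS = ("uploads/", "tmp/", "cache/", "images/")


def score_source(path: str, text: str) -> Tuple[int, List[str]]:
    """Score one file; returns (score, list of indicator names that fired)."""
    is_php_ext = path.lower().endswith(PHP_EXTENSIONS)
    has_php_tag = "<?php" in text or "<?=" in text
    if not has_php_tag and not is_php_ext:
        return 0, []                       # plain asset, nothing to execute
    score, hits = 0, []
    if has_php_tag and not is_php_ext:
        score += 4                         # PHP hidden behind .png/.jpg/.txt
        hits.append("PHP code under a non-PHP extension")
    if is_php_ext and path.startswith(WRITABLE_DIRS):
        score += 2                         # executable dropped where uploads land
        hits.append("PHP file in a web-writable directory")
    for pattern, weight, name in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(name)
    return score, hits


def scan(files: Dict[str, str], threshold: int = 5) -> Dict[str, Tuple[int, List[str]]]:
    """Return {path: (score, hits)} for every file at or above the threshold."""
    flagged = {}
    for path, text in files.items():
        score, hits = score_source(path, text)
        if score >= threshold:
            flagged[path] = (score, hits)
    return flagged


if __name__ == "__main__":
    for path, (score, hits) in scan(SAMPLE_FILES).items():
        print(f"{path}: score {score}: {', '.join(hits)}")
```

Signature scanning like this catches the common off-the-shelf shells; a shell tailored to one server, as the article describes, will often pass it, so the file scan is best paired with a baseline of known-good file hashes and alerts on new executable files appearing under the web root or in upload paths.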
3. New research reveals who’s targeted by email attacks (Google Cloud Blog, Feb 09 2021)
Every day, we stop more than 100 million harmful emails from reaching Gmail users. Last year, during the peak of the pandemic crisis we saw 18 million daily malware and phishing emails related to COVID-19. This is in addition to more than 240 million COVID-related daily spam messages. Our ML models evolve to understand and filter new threats, and we continue to block more than 99.9% of spam, phishing, and malware from reaching our users.
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Mobile Health Apps Found to Expose Records of Millions of Users (SecurityWeek, Feb 11 2021)
An analysis of 30 popular mobile health (mHealth) applications has revealed that all of them expose the full patient records of millions of people.
5. With Trump gone, Huawei tells Biden it’s not a security threat (Ars Technica, Feb 10 2021)
With a new president in town, Huawei CEO says he would welcome friendlier relations.
6. Prosecutors Suspend Government Spyware Used in WhatsApp Phishing Attacks (VICE, Feb 10 2021)
Because of a serious malfunction, prosecutors in Italy suspend the use of spyware used to go after organized crime, according to two sources with knowledge of the case.
*Cloud Security, DevOps, AppSec*
7. Helping users keep their org secure w/ phone’s built-in security key (Google, Feb 16 2021)
“We want as many of our customers as possible to adopt this essential protection and to make them aware of potential risks they are exposed to if they don’t. That’s why today we’re launching a new Recommender into Active Assist, our portfolio of services that help teams operate and optimize their cloud deployments with proactive intelligence instead of unnecessary manual effort. This new “Account security” recommender will automatically detect when a user with elevated permissions, such as a Project Owner, is eligible to use their phone’s built-in security key to better protect their account, but has not yet turned on this important safeguard. “
8. Facebook Announces Payout Guidelines for Bug Bounty Program (SecurityWeek, Feb 16 2021)
Facebook on Tuesday announced several new features for its bug bounty program, including an educational resource and payout guidelines.
9. Tips for boosting the “Sec” part of DevSecOps (Help Net Security, Feb 17 2021)
The most significant barrier to achieving DevSecOps is the continued perception that “Sec” is not already a part of “Dev” and “Ops”, says James Arlen, CISO at cloud data platform provider Aiven. Also, the fact this needs to be explicitly called out is actually a barrier in itself.
*Identity Mgt & Web Fraud*
10. Virginia is about to get a major CA-style data privacy law (Ars Technica, Feb 11 2021)
Virginia’s the first on deck since California’s CCPA in 2018, but more are coming.
11. U.S. Indicts North Korean Hackers in Theft of $200 Million (Krebs on Security, Feb 17 2021)
“The U.S. Justice Department today unsealed indictments against three men accused of working with the North Korean regime to carry out some of the most damaging cybercrime attacks over the past decade, including the 2014 hack of Sony Pictures, the global WannaCry ransomware contagion of 2017, and the theft of roughly $200 million and attempted theft of more than $1.2 billion from banks and other victims worldwide.”
12. How to Solve Security Problems of Identity Verification Systems (eWEEK, Feb 12 2021)
There are many different perspectives on how identity verification systems should work to provide confidence, trust and interoperability between different sectors, both local and international. At the same time, these solutions should ensure a decent level of privacy. Comprehensive security instruments are required to address threats such as the abuse of power by some privileged players in the ID verification ecosystem.
13. Microsoft: 1000+ Hackers Worked on SolarWinds Campaign (Infosecurity Magazine, Feb 16 2021)
Russian-backed cyber-espionage operation is “largest” world has seen
14. U.S. Charges North Korean Hackers Over $1.3 Billion Bank Heists (SecurityWeek, Feb 17 2021)
Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe
15. SolarWinds Attackers Breached 100+ Private Firms (Infosecurity Magazine, Feb 19 2021)
White House briefing reveals extent of attack on tech industry