The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Malware Is Now Targeting Apple’s New M1 Processor (Wired, Feb 17 2021)
Two distinct strains of malware have already adjusted to the new silicon just months after its debut.
2. Microsoft says SolarWinds hackers stole source code for 3 products (Ars Technica, Feb 18 2021)
The company said it found no indication the breach allowed customers to be hacked.
3. China Hijacked an NSA Hacking Tool—and Used It for Years (Wired, Feb 22 2021)
The hackers used the agency’s EpMe exploit to attack Windows devices years before the Shadow Brokers leaked the agency’s zero-day arsenal online.
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Apple Offers Its Closest Look Yet at iOS and MacOS Security (Wired, Feb 18 2021)
In its latest Platform Security Guide, Cupertino raised the curtain on the critical features that protect against hackers.
5. Apple Is Going to Make It Harder to Hack iPhones With Zero-Click Attacks (VICE, Feb 22 2021)
Multiple exploit developers tell Motherboard an upcoming change in iOS could make zero-click exploits harder to pull off.
6. “ShareIt” Android app with over a billion downloads is a security nightmare (Ars Technica, Feb 16 2021)
Trend Micro audited one of Android’s most popular file-sharing apps. It’s not good.
*Cloud Security, DevOps, AppSec*
7. Defending software build pipelines from malicious attack (UK Gov NCSC, Feb 18 2021)
Compromise of your software build pipeline can have wide-reaching impact; here’s how to tackle the problem.
8. Half of Apps Contain at Least One Serious Exploitable Vulnerability (Infosecurity Magazine, Feb 18 2021)
Nearly 70% of apps in manufacturing have at least one serious vulnerability.
9. The state of multicloud adoption, its drivers, and the technologies enabling it (Help Net Security, Feb 21 2021)
Turbonomic announced findings from the survey of over 800 global IT professionals that examines the current state of multicloud adoption, its drivers, and the technologies enabling it, including containers, public cloud, and edge computing.
*Identity Mgt & Web Fraud*
10. Brussels Okays EU-UK Personal Data Flows (SecurityWeek, Feb 19 2021)
The European Commission lifted the threat of crucial data flows between Europe and Britain being blocked in a move that would have crippled business activity as it said Friday that privacy safeguards in the UK met European standards.
11. Apple details major security, privacy enhancements in its devices (Help Net Security, Feb 19 2021)
Security and privacy are a big selling point for Apple. The company has released on Thursday a newer version of its Platform Security Guide, outlining the security and privacy innovations and improvements its users will be able to take advantage of.
12. Think Tank Warns of “Silent Stealing” Fraud (Infosecurity Magazine, Feb 23 2021)
Scammers may be going downmarket to target consumers.
13. Accellion FTA attacks, extortion attempts might be the work of FIN11 (Help Net Security, Feb 23 2021)
Mandiant/FireEye researchers have tentatively linked the Accellion FTA zero-day attacks to FIN11, a cybercrime group leveraging CLOP ransomware to extort targeted organizations. Accellion has also confirmed on Monday that “out of approximately 300 total FTA clients, fewer than 100 were victims of the attack.”
14. On Chinese-Owned Technology Platforms (Schneier on Security, Feb 25 2021)
“I am a co-author on a report published by the Hoover Institution: ‘Chinese Technology Platforms Operating in the United States.’ From a blog post:
The report suggests a comprehensive framework for understanding and assessing the risks posed by Chinese technology platforms in the United States and developing tailored responses. It starts from the common view of the signatories — one reflected in numerous publicly available threat assessments — that China’s power is growing, that a large part of…”
15. Sequoia Capital Suffers Data Breach (Dark Reading, Feb 22 2021)
The attack began with a successful phishing email.