The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Attackers tried to insert backdoor into PHP source code (Help Net Security, Mar 29 2021)
The PHP development team has averted an attempted supply chain compromise that could have opened a backdoor into many web servers. What happened? “[On Sunday, March 28] two malicious commits were pushed to the php-src repo from the names of Rasmus Lerdorf and myself. We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” developer Nikita Popov explained…
2. CISA Adds Two Web Shells to Exchange Server Guidance (Dark Reading, Mar 25 2021)
Officials update mitigation steps to include two new Malware Analysis Reports identifying Web shells seen in Exchange Server attacks.
3. Securing APIs: Modern API Security (Securosis Blog, Mar 29 2021)
“As we started the API Security series, we went through how application architecture evolves and how that’s changing the application attack surface. API Security requires more than traditional application security. Traditional application security tactics like SAST/DAST, WAF, API Gateway, and others are necessary but not sufficient. We need to build on top of the existing structures of application security to protect modern applications.”
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. T-Mobile, Verizon, AT&T Stop SMS Hijacks After Motherboard Investigation (VICE, Mar 25 2021)
All the mobile carriers have mitigated a major SMS security loophole that allowed a hacker to hijack text messages for just $16.
5. 5G network slicing vulnerability leaves enterprises exposed to cyberattacks (Help Net Security, Mar 24 2021)
AdaptiveMobile Security today publicly disclosed details of a major security flaw in the architecture of 5G network slicing and virtualized network functions. The fundamental vulnerability has the potential to allow data access and denial of service attacks between different network slices on a mobile operator’s 5G network, leaving enterprise customers exposed to malicious cyberattack.
6. System Update: New Android Malware (Schneier on Security, Mar 30 2021)
“Researchers have discovered a new Android app called “System Update” that is a sophisticated Remote-Access Trojan (RAT). From a news article:
The broad range of data that this sneaky little bastard is capable of stealing is pretty horrifying. It includes: instant messenger messages and database files; call logs and phone contacts; Whatsapp messages and databases; pictures and videos; all of your text messages; and information on pretty much everything else that is on your phone…”
*Cloud Security, DevOps, AppSec*
7. Severe Flaws in Official ‘Facebook for WordPress’ Plugin (SecurityWeek, Mar 26 2021)
A critical vulnerability in the official Facebook for WordPress plugin could be abused to upload arbitrary files, essentially leading to remote code execution, according to a warning from security researchers at Wordfence.
8. #IMOS21: Six Components of a Bug Bounty Program (Infosecurity Magazine, Mar 25 2021)
Verizon Media’s Sean Poris outlines how to run a successful bug bounty scheme.
9. 40% of Apps Leaking Information (Dark Reading, Mar 26 2021)
Apps in manufacturing most at risk, according to WhiteHat Security.
*Identity Mgt & Web Fraud*
10. The war against the virus also fueling a war against fraud (Help Net, Mar 26 2021)
TransUnion’s latest analysis of global online fraud trends found that since the COVID-19 pandemic began, fraudsters are increasing their rate of digital schemes against businesses. In addition, a recent study found that more than one in three global consumers have recently been targeted by digital fraud related to COVID-19. Billions of transactions illustrate a war against digital fraud…
11. Android sends 20x more data to Google than iOS sends to Apple, study says (Ars Technica, Mar 30 2021)
Google contests the estimate, saying it’s based on flawed methodology.
12. U.S. Special Operations Command Paid $500,000 to Secretive Location Data Firm (VICE, Mar 30 2021)
Anomaly 6 is run by ex-military and location industry veterans.
13. Double-Extortion Ransomware Attacks Surged in 2020 (Infosecurity Magazine, Mar 30 2021)
15 ransomware families were observed using double-extortion tactics last year, compared to just one in 2019.
14. Tim Callahan: ‘CISOs must voluntarily be part of the solution’ (SC Media, Mar 30 2021)
Tim Callahan, chief information security officer at Aflac, says security leaders must focus on age-old fundamentals while working to educate employees about the latest threats.
15. Whistleblower: Ubiquiti Breach “Catastrophic” (Krebs on Security, Mar 30 2021)
“On Jan. 11, Ubiquiti Inc. [NYSE:UI] — a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras — disclosed that a breach involving a third-party cloud provider had exposed customer account credentials. Now a source who participated in the response to that breach alleges Ubiquiti massively downplayed a “catastrophic” incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication.”