The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. 83% of Businesses Hit With a Firmware Attack in Past Two Years (Dark Reading, Mar 31 2021)
A new Microsoft-commissioned report finds less than 30% of organizations allocate security budget toward preventing firmware attacks.
2. Spotlight: Malware Lead Generation At Scale (Elie on Internet Security and Privacy., Apr 05 2021)
Malware is one of the key threats to online security today, with applications ranging from phishing mailers to ransomware and trojans. We present Spotlight, a large-scale malware lead-generation framework.
3. Wi-Fi Devices as Physical Object Sensors (Schneier on Security, Apr 05 2021)
“The new 802.11bf standard will turn Wi-Fi devices into object sensors:
In three years or so, the Wi-Fi specification is scheduled to get an upgrade that will turn wireless devices into sensors capable of gathering data about the people and objects bathed in their signals.”
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Mobile providers exposing sensitive data to leakage and theft (Help Net Security, Apr 01 2021)
Data exposure is a significant, unaddressed problem for Europe’s top mobile providers and, by extension, more than 253 million customers who sign up for their services and share sensitive personal data, according to research by Tala Security. Mobile providers are exposing sensitive data Sensitive data is at significant risk via form data exposure: Forms used to capture credentials, banking details, passport numbers, etc., are exposed to an average of 19 third-parties.
5. Ubiquiti All But Confirms Breach Response Iniquity (Krebs on Security, Apr 04 2021)
For four days this past week, Internet-of-Things giant Ubiquiti did not respond to requests for comment on a whistleblower’s allegations the company had massively downplayed a “catastrophic” two-month breach ending in January to save its stock price, and that Ubiquiti’s insinuation that a third-party was to blame was a fabrication. I was happy to add their eventual public response to the top of Tuesday’s story on the whistleblower’s claims, but their statement deserves a post of its own because it actually confirms and reinforces those claims.
6. New Play Store rules block most apps from scanning your entire app list (Ars Technica, Apr 02 2021)
Your app list can contain sensitive data, so Google is locking down access.
*Cloud Security, DevOps, AppSec*
7. The Role of Visibility in Securing Cloud Applications (Dark Reading, Apr 01 2021)
Traditional data center approaches aren’t built for securing modern cloud applications.
8. 58% of IT and security pros concerned about security in the cloud (Help Net Security, Apr 06 2021)
The Cloud Security Alliance and AlgoSec published which queried nearly 1,900 IT and security professionals from a variety of organization sizes and locations, sought to gain deeper insight into the complex cloud environment that continues to emerge and that has only grown more complex since the onset of the pandemic.
9. SAP applications are getting compromised by skilled attackers (Help Net Security, Apr 07 2021)
Newly provisioned, unprotected SAP applications in cloud environments are getting discovered and compromised in mere hours, Onapsis researchers have found, and vulnerabilities affecting them are being weaponized in less than 72 hours after SAP releases security patches. Internet-exposed systems are more likely to be exploited and compromised, but there are also threats out there that are equipped to compromise SAP systems from the inside, they noted.
*Identity Mgt & Web Fraud*
10. Are You One of the 533M People Who Got Facebooked? (Krebs on Security, Apr 06 2021)
“Ne’er-do-wells leaked personal data — including phone numbers — for some 553 million Facebook users this week. Facebook says the data was collected before 2020 when it changed things to prevent such information from being scraped from profiles. To my mind, this just reinforces the need to remove mobile phone numbers from all of your online accounts wherever feasible. Meanwhile, if you’re a Facebook product user and want to learn if your data was leaked, there are easy ways to find out.”
11. How Apple’s new App Tracking Transparency policy works (Ars Technica, Apr 07 2021)
Paper covers IDFA alternatives, rules for Apple’s own apps, and more.
12. As online fraud rises, 72% of retail brands expect to grow fraud teams (Help Net Security, Apr 04 2021)
Retailers around the world are increasing their fraud teams and budgets because of a significant rise in all types of online fraud during the pandemic, a research by Ravelin finds. 72% of retail brands around the world expect to grow fraud teams in the next year, while 76% predict their budget to tackle fraud will increase in the next 12 months — with 20% expecting a “significant” increase.
13. Google’s Project Zero Finds a Nation-State Zero-Day Operation (Schneier on Security, Apr 08 2021)
Google’s Project Zero discovered, and caused to be patched, eleven zero-day exploits against Chrome, Safari, Microsoft Windows, and iOS. This seems to have been exploited by “Western government operatives actively conducting a counterterrorism operation”:
The exploits, which went back to early 2020 and used never-before-seen techniques, were “watering hole” attacks that used infected websites to deliver malware to visitors. They caught the attention of cybersecurity experts thanks to their…
14. Booking.com Fined $558,000 for Late Breach Notification (Infosecurity Magazine, Apr 01 2021)
Dutch regulator brands 2018 incident a “serious violation”
15. DHS Secretary Outlines Biden Administration’s Cybersecurity Vision (Infosecurity Magazine, Apr 01 2021)
DHS secretary Alejandro Mayorkas spoke during RSAC webcast