The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Apple’s Ransomware Mess Is the Future of Online Extortion (Wired, Apr 23 2021)
This week, hackers stole confidential schematics from a third-party supplier and demanded $50 million not to release them.
2. Justice Dept. Creates Task Force to Stop Ransomware Spread (Dark Reading, Apr 21 2021)
One goal of the group is to take down the criminal ecosystem that enables ransomware, officials say.
3. Hackers are exploiting a Pulse Secure 0-day to breach orgs around the world (Ars Technica, Apr 20 2021)
Exploits allow state-backed hackers to bypass 2FA and breach defense contractors.
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Signal CEO Hacks Cellebrite iPhone Hacking Device Used By Cops (VICE, Apr 21 2021)
One of the biggest encrypted chat apps in the world just showed how a device used to decrypt messages can be hacked and tampered with.
5. Massive Android Botnet Hits Smart TV Ad Ecosystem (SecurityWeek, Apr 21 2021)
Security researchers at Human Security (formerly White Ops) have discovered a massive botnet of Android devices being used to conduct fraud in the connected TV advertising ecosystem.
6. When AIs Start Hacking (Schneier on Security, Apr 26 2021)
“If you don’t have enough to worry about already, consider a world where AIs are hackers.
Hacking is as old as humanity. We are creative problem solvers. We exploit loopholes, manipulate systems, and strive for more influence, power, and wealth. To date, hacking has exclusively been a human activity. Not for long.
As I lay out in a report I just published, artificial intelligence will eventually find vulnerabilities in all sorts of social, economic, and political systems, and then exploit them”
*Cloud Security, DevOps, AppSec*
7. Hackers Used ‘Mind-Blowing’ Bug to Dodge macOS Safeguards (Wired, Apr 26 2021)
The vulnerability was patched Monday, but hackers had already used it to spread malware.
8. The next big thing in cloud computing? Shh… It’s confidential (Help Net Security, Apr 28 2021)
Over the last year, there’s been a great deal of talk about confidential computing—including secure enclaves or TEEs (Trusted Execution Environments). These are now available in servers through AWS Nitro Enclaves, Intel SGX (Software Guard Extensions), and AMD SEV (Secure Encrypted Virtualization).
The confidential cloud employs these technologies to establish a cryptographic boundary, anchored in a hardware root of trust, that protects data in use as well as at rest and in motion.
9. Is Low-Code Development a Security Risk? (DevOps, Apr 26 2021)
Compared to traditional development, low-code involves a variety of personas working together to build applications while dealing with automatically generated code, ready-made components and built-in default configurations. This shift in environment revealed some unique challenges that need to be addressed. There are a few common security challenges with remote teams building on low-code.
*Identity Mgt & Web Fraud*
10. The New iOS Update Lets You Stop Ads From Tracking You (Wired, Apr 26 2021)
Facebook and other advertisers fought the move, but App Tracking Transparency is finally here.
11. Experian’s Credit Freeze Security is Still a Joke (Krebs on Security, Apr 26 2021)
In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer’s request to freeze their credit file at Experian, one of the big three consumer credit bureaus in the United States. Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian’s website, and it reminded me of how truly broken authentication and security remains in the credit bureau space.
12. Supreme Court kills FTC’s “strongest tool” for getting refunds to scam victims (Ars Technica, Apr 23 2021)
Unanimous ruling limits FTC power to obtain refunds; it’s up to Congress to fix it.
13. Task Force Seeks to Disrupt Ransomware Payments (Krebs on Security, Apr 29 2021)
Some of the world’s top tech firms are backing a new industry task force focused on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes.
14. CISA, NIST Provide New Resource on Software Supply Chain Attacks (SecurityWeek, Apr 27 2021)
In a joint document published this week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) provide information on software supply chain attacks, the associated risks, and how organizations can mitigate them.
15. Only 8% of businesses that paid a ransom got all of their data back (Help Net Security, Apr 28 2021)
The average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 in 2020 to $1.85 million in 2021, a Sophos survey reveals. The average ransom paid is $170,404. A paid ransom guarantees little: the global findings also show that only 8% of organizations manage to get back all of their data after paying a ransom, with 29% getting back no more than half of their data…