The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. MITRE Adds MacOS, More Data Types to ATT&CK Framework (Dark Reading, Apr 30 2021)
Version 9 of the popular threat matrix will improve support for a variety of platforms, including cloud infrastructure.
2. Tesla Car Hacked Remotely From Drone via Zero-Click Exploit (SecurityWeek, May 03 2021)
Two researchers have shown how a Tesla — and possibly other cars — can be hacked remotely without any user interaction. They carried out the attack from a drone.
3. Inside One of the Biggest Apple Device Hacks Ever (VICE, Apr 30 2021)
On the latest CYBER we talk about wow hackers exploited a MacOs bug.
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. AI can alter geospatial data to create deepfake geography (Help Net Security, Apr 29 2021)
A fire in Central Park seems to appear as a smoke plume and a line of flames in a satellite image. Colorful lights on Diwali night in India, seen from space, seem to show widespread fireworks activity. Both images exemplify what a University of Washington-led study calls “location spoofing.” The photos – created by different people, for different purposes – are fake but look like genuine images of real places.
5. Microsoft warns of damaging vulnerabilities in dozens of IoT operating systems (SC Media, Apr 30 2021)
The flaws affect at least 25 different products made by more than a dozen organizations, including Amazon, ARM, Google Cloud, Samsung, RedHat, Apache and others.
6. Apple reports 2 iOS 0-days that let hackers compromise fully patched devices (Ars Technica, May 03 2021)
Webkit flaws in just-released iOS 14.5 lets attackers execute malicious code.
*Cloud Security, DevOps, AppSec*
7. Malicious Office 365 Apps Are the Ultimate Insiders (Krebs on Security, May 05 2021)
Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others.
8. Serious MacOS Vulnerability Patched (Schneier on Security, Apr 30 2021)
“Apple just patched a MacOS vulnerability that bypassed malware checks.
The flaw is akin to a front entrance that’s barred and bolted effectively, but with a cat door at the bottom that you can easily toss a bomb through. Apple mistakenly assumed that applications will always have certain specific attributes. Owens discovered that if he made an application that was really just a script—code that tells another program what do rather than doing it itself—and didn’t include a standard application metadata file called “info.plist,” he could silently run the app on any Mac. The operating system wouldn’t even give its most basic prompt: “This is an application downloaded from the Internet. Are you sure you want to open it?””
9. Cybersecurity Community Unhappy With GitHub’s Proposed Policy Updates (SecurityWeek, Apr 30 2021)
GitHub wants to update its policies regarding security research, exploits and malware, but the cybersecurity community is not happy with the proposed changes.
*Identity Mgt & Web Fraud*
10. Your Old Phone Number Can Be Used to Hack You, Study Finds (VICE, May 06 2021)
The majority of old phone numbers are still tied to important online accounts that can be easily taken over by hackers.
11. Google to Automatically Enable Two-Step Verification for Some Accounts (SecurityWeek, May 06 2021)
Google is marking World Password Day with a blog post summarizing the password management features it offers, and the company announced that it will automatically enroll some accounts in two-step verification (2SV).
12. Identifying the Person Behind Bitcoin Fog (Schneier on Security, May 03 2021)
“The person behind the Bitcoin Fog was identified and arrested. Bitcoin Fog was an anonymization service: for a fee, it mixed a bunch of people’s bitcoins up so that it was hard to figure out where any individual coins came from. It ran for ten years.
Identifying the person behind Bitcoin Fog serves as an illustrative example of how hard it is to be anonymous online in the face of a competent police investigation:
Most remarkable, however, is the IRS’s account of tracking down Sterlingov using the very same sort of blockchain analysis that his own service was meant to defeat. “
13. DoD Lets Researchers Target All Publicly Accessible Info Systems (Dark Reading, May 05 2021)
The Department of Defense expands its vulnerability disclosure program to include a broad range of new targets.
14. More US agencies potentially hacked, this time with Pulse Secure exploits (Ars Technica, Apr 30 2021)
Zero-day vulnerability under attack has a severity rating of 10 out of 10.
15. An ambitious plan to tackle ransomware faces long odds (Ars Technica, May 01 2021)
Heavyweight task force proposes framework to tackle a major cybersecurity problem.