The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. #RSAC: The Most Dangerous New Attack Techniques (Infosecurity Magazine, May 20 2021)
Annual panel at the RSA Conference identifies a number of areas of concern, including improper session handling and an evolution of ransomware
2. Vulnerabilities in billions of Wi-Fi devices let hackers bypass firewalls (Ars Technica, May 21 2021)
FragAttacks let hackers inject malicious code or commands into encrypted Wi-Fi traffic.
3. #RSAC: The Security Risks of Cryptocurrency (Infosecurity Magazine, May 19 2021)
While it’s not likely that cryptocurrency will replace the US dollar as a reserve currency in the short term, RSA Conference session details cryptocurrency security risks and mitigations
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Hacker’s guide to deep-learning side-channel attacks: the theory (Elie Bursztein, May 21 2021)
Learn the concepts behind deep-learning side-channels attack, a powerful cryptanalysis technique, by using it to recover AES cryptographic keys from a hardware device.
5. Recycle Your Phone, Sure, But Maybe Not Your Number (Krebs on Security, May 19 2021)
Many online services allow users to reset their passwords by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over one thanks to a divorce, job termination or financial crisis can be devastating.
6. Mobile stalkerware is on the rise (Help Net Security, May 21 2021)
Mobile stalkerware, which is software silently installed by stalkers onto victims’ mobile devices without their knowledge, is on the rise, an ESET research finds. In 2019, ESET telemetry recorded almost five times more Android stalkerware detections than in 2018, and in 2020, almost 1.5 times more were recorded than in 2019. In addition, serious vulnerabilities were discovred in Android stalkerware apps and their monitoring servers that could result in serious user impact if exploited.
*Cloud Security, DevOps, AppSec*
7. MacOS Zero-Day Let Attackers Bypass Privacy Preferences (Dark Reading, May 25 2021)
Apple has released security patches for vulnerabilities in macOS and tvOS that reports indicate have been exploited in the wild.
8. Label standard and best practices for Kubernetes security (Help Net Security, May 26 2021)
This article talks about label standard and best practices for Kubernetes security, a common area where I see organizations struggle to define the set of labels required to meet their security requirements. My advice is to always start with a hierarchical security design that can achieve your enterprise security and compliance requirements, then define your label standard in alignment with your design.
9. The state of AppSec and the journey to DevSecOps (Help Net Security, May 23 2021)
While the perceived benefits of DevSecOps to both security and DevOps are high, much progress must be made in defining a repeatable and consistent governance model for true DevSecOps to take hold, a ZeroNorth survey of 250 global security, DevOps and IT professionals reveals.
*Identity Mgt & Web Fraud*
10. Lemonade Bragged It Uses AI to Detect Fraud. It Didn’t Go Well (VICE, May 26 2021)
Lemonade backtracked after suggesting it uses “non-verbal cues” like eye movements to reject claims. Its response raises more questions than answers.
11. USPS Reportedly Uses Clearview AI to Spy on Americans (Infosecurity Magazine, May 20 2021)
US Postal Service reportedly uses facial recognition tech to identify unknown targets in investigations
12. Millions of People’s Location Data Revealed a ‘Universal’ Pattern In Study (VICE, May 26 2021)
A team modeled recurring visits to various city locations using billions of mobile phone datapoints across four continents.
13. The Story of the 2011 RSA Hack (Schneier on Security, May 27 2021)
Really good long article about the Chinese hacking of RSA, Inc. They were able to get copies of the seed values to the SecurID authentication token, a harbinger of supply-chain attacks to come.
14. DHS to issue first cybersecurity regulations for pipelines after Colonial hack (Washington Post, May 26 2021)
Federal officials will replace voluntary cybersecurity guidance for the pipeline industry with mandatory regulations following a devastating cyberattack on the Colonial pipeline earlier this month.
15. Double-Encrypting Ransomware (Schneier on Security, May 21 2021)
This seems to be a new tactic:
Emsisoft has identified two distinct tactics. In the first, hackers encrypt data with ransomware A and then re-encrypt that data with ransomware B. The other path involves what Emsisoft calls a “side-by-side encryption” attack, in which attacks encrypt some of an organization’s systems with ransomware A and others with ransomware B. In that case, data is only encrypted once, but a victim would need both decryption keys to unlock everything.