The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. No Two REvil Attacks Are the Same, Experts Warn (Infosecurity Magazine, Jun 15 2021)
The ransomware affiliate model drives a challenging variety of threats for defenders to tackle
2. NSA Releases Guidance for Securing Enterprise Communication Systems (SecurityWeek, Jun 18 2021)
The NSA on Thursday released guidance to help organizations secure their communication systems, specifically Unified Communications (UC) and Voice and Video over IP (VVoIP).
UC and VVoIP are call-processing systems that are used for communications and collaboration by many enterprises, including government agencies and their contractors.
3. Google Confirms Sixth Zero-Day Chrome Attack in 2021 (SecurityWeek, Jun 17 2021)
Google’s ongoing struggles with in-the-wild zero-day attacks against its flagship Chrome browser aren’t going away anytime soon.
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Bombshell Report Finds Phone Network Encryption Was Deliberately Weakened (VICE, Jun 17 2021)
A new paper shows that two old encryption algorithms still used in mobile networks can be exploited to spy on phones’ internet traffic.
5. The Future of Machine Learning and Cybersecurity (Schneier on Security, Jun 21 2021)
“The Center for Security and Emerging Technology has a new report: “Machine Learning and Cybersecurity: Hype and Reality.” Here’s the bottom line:
The report offers four conclusions:
Machine learning can help defenders more accurately detect and triage potential attacks. However, in many cases these technologies are elaborations on long-standing methods — not fundamentally new approaches — that bring new attack surfaces of their own.”…
6. Instructions Show How Cops Use GrayKey to Brute Force iPhones (VICE, Jun 22 2021)
Newly released documents provide new insight into the capabilities of the iPhone unlocking tech.
*Cloud Security, DevOps, AppSec*
7. AWS Acquires Encrypted Communications Service Wickr (SecurityWeek, Jun 25 2021)
Amazon’s AWS subsidiary on Friday announced the acquisition of Wickr, a late-stage startup that sells end-to-end encrypted communications tools.
8. Security Flaw Discovered In Peloton Equipment (Dark Reading, Jun 16 2021)
The vulnerability could give attackers remote root access to the bike’s tablet, researchers report.
9. Cloud Database Exposes 800M+ WordPress Users’ Records (, Jun 25 2021)
Misconfiguration at hosting provider DreamHost led to the privacy breach
*Identity Mgt & Web Fraud*
10. Colorado Passes New Privacy Act (Infosecurity Magazine, Jun 18 2021)
Comprehensive data privacy law awaits signature of state governor
11. Identity Eclipses Malware Detection at RSAC Startup Competition (Dark Reading, Jun 22 2021)
All 10 finalists in the Innovation Sandbox were focused on identity, rather than security’s mainstay for the last 20 years: Malware detection.
12. A Billion CVS Records Exposed (Infosecurity Magazine, Jun 17 2021)
Misconfiguration error leaves CVS database without password protection
13. Hit by a Ransomware Attack? Your Payment May be Deductible (SecurityWeek, Jun 19 2021)
As ransomware attacks surge, the FBI is doubling down on its guidance to affected businesses: Don’t pay the cybercriminals. But the U.S. government also offers a little-noticed incentive for those who do pay: The ransoms may be tax deductible.
14. Google Launches SLSA, a New Framework for Supply Chain Integrity (Dark Reading, Jun 17 2021)
The “Supply chain Levels for Software Artifacts” aims to ensure the integrity of components throughout the software supply chain.
15. NIST Publishes Ransomware Guidance (Infosecurity Magazine, Jun 22 2021)
Draft Cybersecurity Framework Profile for Ransomware Risk Management released