The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Kaseya Releases Security Patch as Companies Continue to Recover (Dark Reading, Jul 12 2021)
Estimates indicate the number of affected companies could grow, while Kaseya faces renewed scrutiny as former employees reportedly criticize its lack of focus on security.
2. New Age Network Detection: Collection and Analysis (Securosis Blog, Jul 06 2021)
“As we get back into the New Age Network Detection series, let’s revisit the first post. We made the case that we’re undergoing technology disruption on a scale and at a velocity that we haven’t seen. Unfortunately, security has failed to keep pace with the attackers. The industry’s response has been to move the goalposts focusing on new shiny tech widgets every couple of years. We summed it up pretty well in the first post.”
3. CISA Analysis Reveals Successful Attack Techniques of FY 2020 (Dark Reading, Jul 09 2021)
The analysis shows potential attack paths and the most effective techniques for each tactic documented in CISA’s Risk and Vulnerability Assessments.
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~20,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. We Got the Phone the FBI Secretly Sold to Criminals (VICE, Jul 08 2021)
‘Anom’ phones used in an FBI honeypot are mysteriously showing up on the secondary market. We bought one.
5. Voice cloning of growing interest to actors and cybercriminals (BBC, Jul 11 2021)
As voice cloning technology has become ever more effective, it is of increasing interest to actors… and cybercriminals.
6. Android Updates for July 2021 Patch Tens of High-Severity Vulnerabilities (SecurityWeek, Jul 08 2021)
Google on Wednesday announced the availability of the July 2021 security updates for the Android operating system, which include patches for over 40 vulnerabilities.
*Cloud Security, DevOps, AppSec*
7. Advancing resiliency threat modeling for large distributed systems (Azure Blog, Jul 07 2021)
All service engineering teams in Azure are already familiar with postmortems as a tool for better understanding what went wrong, how it went wrong, and the customer impact of the related outage. For today’s post in our Advancing Reliability blog series, we share insights into our journey as we work towards advancing our postmortem and resiliency threat modeling processes.
8. Microsoft Paid Out $13.6 Million in Bug Bounties in Past Year (SecurityWeek, Jul 09 2021)
“Microsoft this week revealed that it paid out more than $13.6 million in bug bounties between July 1, 2020, and June 30, 2021.
As part of the company’s 17 bug bounty and grant programs, participating security researchers can earn awards as high as $250,000 — the highest rewards are for critical vulnerabilities in Hyper-V.”
9. Firefox 90 Adds Cross-Origin Protections, Advanced Tracker Blocker (SecurityWeek, Jul 13 2021)
Mozilla this week pushed Firefox 90 to the stable channel with several security improvements, including better protections against cross-origin threats and an advanced tracker blocking mechanism.
*Identity Mgt & Web Fraud*
10. Europe Makes the Case to Ban Biometric Surveillance (Wired, Jul 09 2021)
Companies are racing to track everything about you. It could be a convenient way to reduce fraud—or seriously creepy and discriminatory.
11. New Framework Aims to Describe & Address Complex Social Engineering Attacks (Dark Reading, Jul 09 2021)
As attackers use more synthetic media in social engineering campaigns, a new framework is built to describe threats and provide countermeasures.
12. Colorado Passes Consumer Privacy Law (Schneier on Security, Jul 15 2021)
First California. Then Virginia. Now Colorado.
Here’s a good comparison of the three states’ laws.
13. China Taking Control of Zero-Day Exploits (Schneier on Security, Jul 14 2021)
“China is making sure that all newly discovered zero-day exploits are disclosed to the government.
Under the new rules, anyone in China who finds a vulnerability must tell the government, which will decide what repairs to make. No information can be given to “overseas organizations or individuals” other than the product’s manufacturer.
No one may “collect, sell or publish information on network product security vulnerabilities,” say the rules issued by the Cyberspace Administration of China and the police and industry ministries.”
14. REvil Ransomware Site Goes Offline (VICE, Jul 13 2021)
The prolific ransomware group is responsible for the wide-ranging attack on Kaseya.
15. Iranian State-Sponsored Hacking Attempts (Schneier on Security, Jul 13 2021)
“Masquerading as UK scholars with the University of London’s School of Oriental and African Studies (SOAS), the threat actor TA453 has been covertly approaching individuals since at least January 2021 to solicit sensitive information. The threat actor, an APT who we assess with high confidence supports Islamic Revolutionary Guard Corps (IRGC) intelligence collection efforts, established backstopping for their credential phishing infrastructure by compromising a legitimate site of a highly regarded academic institution to deliver personalized credential harvesting pages disguised as registration links. Identified targets included experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specializing in Middle Eastern coverage.”