The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Mysterious Israeli Spyware Vendor’s Windows Zero-Days Caught in the Wild (VICE, Jul 15 2021)
Microsoft and Citizen Lab found a new kind of spyware made by the mysterious Israeli vendor Candiru, and targeting someone in Europe based on their political beliefs.
2. CISA Issues Emergency Directive to Address ‘PrintNightmare’ Vulnerability (SecurityWeek, Jul 14 2021)
CISA says multiple threat actors are exploiting the Windows ‘PrintNightmare’ vulnerability
3. UK Spy Agency Releases Annual Threat Report (SecurityWeek, Jul 16 2021)
MI5’s UK Annual Threat Update 2021 from director general Ken McCallum almost mirrors the threat warnings delivered by U.S. government agencies: ransomware and IP theft in cyber, and extreme right-wing terrorism amplified by online echo chambers.
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~20,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Private Israeli spyware used to hack journalists, activists worldwide (WAPO, Jul 19 2021)
Military-grade spyware licensed by an Israeli firm to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners.
5. IoT malware attacks rose 700% during the pandemic (Help Net Security, Jul 20 2021)
Zscaler released a study examining the state of IoT devices left on corporate networks during a time when businesses were forced to move to a remote working environment. The report analyzed over 575 million device transactions and 300,000 IoT-specific malware attacks blocked over the course of two weeks in December 2020 – a 700% increase when compared to pre-pandemic findings.
6. The Pentagon Is Bolstering Its AI Systems—by Hacking Itself (Wired, Jul 19 2021)
A new “red team” will try to anticipate and thwart attacks on machine learning programs
*Cloud Security, DevOps, AppSec*
7. Google to Bring HTTPS-First Mode to Chrome Browser (Dark Reading, Jul 14 2021)
Beginning in M94, Chrome will offer HTTPS-First Mode, which will attempt to upgrade all page loads to HTTPS.
8. Application security tools ineffective against new and growing threats (Help Net Security, Jul 19 2021)
A study by Fastly and ESG, based on insights from information security and IT professionals representing hundreds of organizations globally, revealed growing concerns around adequately securing the rapidly rising number of mission-critical cloud services and API-centric applications. Outdated offerings, false positives, and ineffective blocking are among the main causes driving this global concern.
9. Most financial services mobile apps still rely on passwords, even with added friction (Help Net Security, Jul 20 2021)
Incognia announced a report which highlights results from their most recent study focusing on authentication and friction at login and the password reset process. The study was conducted to provide banking, financial services, and investing/trading mobile apps with insights on the state of mobile app login authentication and the friction when a user resets their password.
*Identity Mgt & Web Fraud*
10. Combating deepfakes: How we can future-proof… (Help Net Security, Jul 20 2021)
So, an obvious question is whether deepfakes are powerful enough to fool the biometric-based solutions on which institutions such as banks and governments are becoming so dependent. Answer = not yet
11. Spam Kingpin Peter Levashov Gets Time Served (Krebs on Security, Jul 20 2021)
A federal judge in Connecticut today handed down a sentence of time served to spam kingpin Peter “Severa” Levashov, a prolific purveyor of malicious and junk email, and the creator of malware strains that infected millions of Microsoft computers globally. Levashov has been in federal custody since his extradition to the United States and guilty plea in 2018, and was facing up to 12 more years in prison. Instead, he will go free under three years of supervised release and a possible fine.
12. Catholic priest quits after “anonymized” data revealed alleged use of Grindr (Ars Technica, Jul 21 2021)
Location data is almost never anonymous.
13. Kaseya gets master decryptor to help customers still suffering from REvil attack (Ars Technica, Jul 22 2021)
REvil ransomware struck as many as 1,500 networks, but a master key is now available.
14. NSO Group Hacked (Schneier on Security, Jul 20 2021)
“NSO Group, the Israeli cyberweapons arms manufacturer behind the Pegasus spyware — used by authoritarian regimes around the world to spy on dissidents, journalists, human rights workers, and others — was hacked. Or, at least, an enormous trove of documents was leaked to journalists.
There’s a lot to read out there. Amnesty International has a report. Citizen Lab conducted an independent analysis. The Guardian has extensive coverage. More coverage.”
15. Saudi Aramco confirms data leak after $50 million cyber ransom demand (Ars Technica, Jul 22 2021)
World’s largest oil producer says some company files were compromised.