The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Disrupting Ransomware by Disrupting Bitcoin (Schneier on Security, Jul 26 2021)
In this light, banning cryptocurrencies like bitcoin is an obvious solution. But while the solution is conceptually simple, it’s also impossible because — despite its overwhelming problems — there are so many legitimate interests using cryptocurrencies, albeit largely for speculation and not for legal payments.

We suggest an easier alternative: merely disrupt the cryptocurrency markets. Making them harder to use will have the effect of making them less useful as a ransomware payment vehicle, and not just because victims will have more difficulty figuring out how to pay. The reason requires understanding how criminals collect their profits.

2. Biden Administration Responds to Geopolitical Cyber Threats (Dark Reading, Jul 23 2021)
In response to growing concerns regarding the recent uptick in large-scale, nation-state-backed ransomware attacks on critical infrastructure, the Biden administration is taking new action to tackle the evolving challenges posed by ransomware attacks.

3. Ignore API security at your peril (Help Net Security, Jul 26 2021)
Application programming interfaces (APIs) are at the core of nearly every digital experience – whether that is the delivery of mobile apps that enable consumers to monitor and personalize their exercise routines using an IoT connected device, or making it easy for car owners to track and share their in-vehicle driving behaviors with an insurer, or enabling remote monitoring services that allow patients with chronic conditions to record and report their daily stats and receive …


Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~20,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


*AI, IoT, & Mobile Security*
4. An explosive spyware report shows limits of iOS, Android security (Ars Technica, Jul 24 2021)
Amnesty International sheds alarming light on an NSO Group surveillance tool.

5. A princess raced to escape Dubai’s powerful ruler. Then her phone appeared on the list. (Washington Post, Jul 21 2021)
In the days before commandos dragged Princess Latifa from her getaway yacht in the Indian Ocean, her number was added to a list that included targets of a powerful spyware, a new investigation shows.

6. Hiding Malware in ML Models (Schneier on Security, Jul 27 2021)
“Interesting research: “EvilModel: Hiding Malware Inside of Neural Network Models”.

Abstract: Delivering malware covertly and detection-evadingly is critical to advanced malware campaigns. In this paper, we present a method that delivers malware covertly and detection-evadingly through neural network models. Neural network models are poorly explainable and have a good generalization ability. By embedding malware into the neurons, malware can be delivered covertly with minor or even no impact…”

*Cloud Security, DevOps, AppSec*
7. Google Cloud Unveils New SOC, IDS Solutions (SecurityWeek, Jul 22 2021)
Google Cloud this week announced new security offerings for its customers, including Autonomic Security Operations to improve security operations centers (SOCs) and Cloud Intrusion Detection System (IDS) for network-based threat detection.

8. What We Learn from MITRE’s Most Dangerous Software Weaknesses List (SecurityWeek, Jul 26 2021)
A look into MITRE’s 2021 CWE Top 25 Most Dangerous Software Weaknesses

9. The three most important AWS WAF rate-based rules (AWS Security Blog, Jul 22 2021)
In this post, we explain what the three most important AWS WAF rate-based rules are for proactively protecting your web applications against common HTTP flood events, and how to implement these rules. We share what the Shield Response Team (SRT) has learned from helping customers respond to HTTP floods and show how all AWS WAF…

*Identity Mgt & Web Fraud*
10. De-anonymization Story (Schneier on Security, Jul 28 2021)
This is important:

Monsignor Jeffrey Burrill was general secretary of the US Conference of Catholic Bishops (USCCB), effectively the highest-ranking priest in the US who is not a bishop, before records of Grindr usage obtained from data brokers was correlated with his apartment, place of work, vacation home, family members’ addresses, and more.

[…]

The data that resulted in Burrill’s ouster was reportedly obtained through legal means. Mobile carriers sold — and still sell — location data to brokers who aggregate it and sell it to a range of buyers, including advertisers, law enforcement, roadside services, and even bounty hunters.

11. Venmo gets more private—but it’s still not fully safe (Ars Technica, Jul 25 2021)
Until it offers privacy by default, it remains a liability for many of its users.

12. Fraud on the Farm: How a baby-faced CEO turned a Farmville clone into a massive Ponzi scheme (Rest of World, Jul 23 2021)
On November 21, 2019, 25-year-old Recep Ataş stepped onto a shooting range in the Istanbul suburb of Başakşehir. He fired several rounds at the target, before suddenly aiming the weapon directly…

*CISO View*
13. The Life Cycle of a Breached Database (Krebs on Security, Jul 29 2021)
Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals. Here’s a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database.

14. No More Ransom: We Prevented Ransomware Operators From Earning $1 Billion (SecurityWeek, Jul 26 2021)
No More Ransom is celebrating its 5th anniversary and the project says it has helped more than 6 million ransomware victims recover their files and prevented cybercriminals from earning roughly $1 billion.

15. How to develop a skilled cybersecurity team (Help Net Security, Jul 26 2021)
What skills should aspiring information security workers possess and work on? What certifications can come in handy more than others? What strategies should organizations employ to develop a well-staffed cybersecurity team? Where should they look for talent? What advice do those already working in the field have for those who want to enter it? (ISC)² wanted to know the answer to these and other questions, so they asked 1,024 infosec professionals and 1,010 cybersecurity job…