The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Feds list the top 30 most exploited vulnerabilities. Many are years old (Ars Technica, Jul 29 2021)
Hackers continue to exploit publicly known—and often dated—software vulnerabilities.

2. Navigating the 2021 threat landscape: Security operations, cybersecurity maturity (Help Net Security, Aug 02 2021)
Findings from a new report from ISACA in partnership with HCL Technologies show that 35 percent of respondents report that their enterprises are experiencing more cyberattacks, three percentage points higher than last year.

3. US Gov Warning: VPN, Network Perimeter Product Flaws Under Constant Attack (SecurityWeek, Jul 28 2021)
The U.S. government and its allies are pleading with defenders to pay attention to gaping holes in perimeter-type devices, warning that advanced threat actors are feasting on known security defects in VPN appliances, network product gateways and enterprise cloud applications.

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~20,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


*AI, IoT, & Mobile Security*
4. Apple releases patch for zero‑day flaw in iOS, iPadOS and macOS (WeLiveSecurity, Jul 28 2021)
The vulnerability is under active exploitation by unknown attackers and affects a wide range of Apple’s products.

5. Android Banking Trojan ‘Vultur’ Abusing Accessibility Services (SecurityWeek, Jul 30 2021)
A newly discovered Android banking Trojan relies on screen recording and keylogging instead of HTML overlays for the capturing of login credentials, according to security researchers at ThreatFabric.

6. Google Patches High-Risk Android Security Flaws (SecurityWeek, Aug 03 2021)
Google this week pushed out a security-themed Android update with fixes for more than 30 security flaws that expose mobile users to a range of malicious hacker attacks.

*Cloud Security, DevOps, AppSec*
7. New CISA & NSA Guidance Details Steps to Harden Kubernetes (SecurityWeek, Aug 04 2021)
New guidance from the United States Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) provides information on the steps that administrators can take to minimize risks associated with Kubernetes deployments.
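To make the kind of hardening the guidance covers concrete, here is an added example that is not taken from the CISA/NSA document or the SecurityWeek article: a deliberately weak Pod spec beside a corrected one, plus a default-deny NetworkPolicy that opens only the traffic the pod needs. The image name, namespace, UID, ports and the `ingress-nginx` namespace label are placeholders chosen for illustration.

```yaml
# Added example, not from the CISA/NSA Kubernetes guidance or the article.
# Image, namespace, names, UID and ports are placeholders (assumptions).

# --- Weak: runs as root, writable root filesystem, full Linux capabilities,
# --- mutable image tag, no resource limits, and the default service-account
# --- token mounted into the container.
apiVersion: v1
kind: Pod
metadata:
  name: web-weak
  namespace: demo
spec:
  containers:
    - name: web
      image: example.registry.local/web:latest   # mutable tag (placeholder)
      ports:
        - containerPort: 8080
---
# --- Hardened: non-root, no privilege escalation, read-only root fs,
# --- all capabilities dropped, seccomp enabled, image pinned by digest,
# --- resource limits set, and the service-account token not automounted.
apiVersion: v1
kind: Pod
metadata:
  name: web-hardened
  namespace: demo
  labels:
    app: web
spec:
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001          # unprivileged UID baked into the image (assumption)
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: web
      image: example.registry.local/web@sha256:<digest>   # pin by digest (placeholder)
      ports:
        - containerPort: 8080
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      resources:
        requests: { cpu: "100m", memory: "128Mi" }
        limits:   { cpu: "500m", memory: "256Mi" }
      volumeMounts:
        - name: tmp            # the only writable path the app gets
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
---
# --- Network separation: deny all ingress and egress for the app by default,
# --- then allow only inbound 8080 from the ingress namespace and outbound DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-restrict
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumption
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
```

A quick way to check a cluster against the same settings: label the namespace with `pod-security.kubernetes.io/enforce=restricted` (Pod Security admission, Kubernetes 1.23 and later) and try to apply both specs; the weak one is rejected while the hardened one is admitted. The NetworkPolicy only has effect if the cluster's CNI plugin enforces policies, which is worth confirming before relying on it.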

8. Storing Encrypted Photos in Google’s Cloud (Schneier on Security, Jul 30 2021)
“Abstract: Cloud photo services are widely used for persistent, convenient, and often free photo storage, which is especially useful for mobile devices. As users store more and more photos in the cloud, significant privacy concerns arise because even a single compromise of a user’s credentials gives attackers unfettered access to all of the user’s photos.”

9. Software downloaded 30,000 times from PyPI ransacked developers’ machines (Ars Technica, Jul 30 2021)
Expect to see more of these “Frankenstein” malware packages, researchers warn.

*Identity Mgt & Web Fraud*
10. Zoom Lied about End-to-End Encryption (Schneier on Security, Aug 05 2021)
“The facts aren’t news, but Zoom will pay $85M — to the class-action attorneys, and to users — for lying to users about end-to-end encryption, and for giving user data to Facebook and Google without consent.

The proposed settlement would generally give Zoom users $15 or $25 each and was filed Saturday at US District Court for the Northern District of California. It came nine months after Zoom agreed to security improvements and a “prohibition on privacy and security misrepresentations” in a settlement with the Federal Trade Commission, but the FTC settlement didn’t include compensation for users.”

11. A New Approach to Securing Authentication Systems’ Core Secrets (Dark Reading, Aug 05 2021)
Researchers at Black Hat USA explain issues around defending “Golden Secrets” and present an approach to solving the problem.

12. Google Play gets mandatory app privacy labels in April 2022 (Ars Technica, Jul 29 2021)
After delaying its iOS privacy labels for months, Google copies the feature for Play.

*CISO View*
13. CISA Launches JCDC, the Joint Cyber Defense Collaborative (Dark Reading, Aug 05 2021)
“We can’t do this alone,” the new CISA director told attendees in a keynote at Black Hat USA today.

14. #BHUSA: Researchers Criticize Apple Bug Bounty Program (, Aug 05 2021)
While Apple pays well, researchers at Black Hat argue there is a clear lack of transparency on when, or even if, reported vulnerabilities will be fixed.

15. Ransom demands reaching $1.2M, smaller companies increasingly targeted (Help Net Security, Aug 03 2021)
Ransom demands have grown substantially over the past year, smaller companies are increasingly targeted, and cyber criminals continue to take advantage of dislocations in how we work, according to a Coalition report. From the first half of 2020 to 2021, the average ransom demand made to Coalition policyholders increased nearly threefold, from $450,000 to $1.2 million per claim.