The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. Hackers Can Mess With Voltages to Steal Intel Chips’ Secrets (Wired, Dec 10 2019)
A new attack called Plundervolt gives attackers access to the sensitive data stored in a processor’s secure enclave.
2. This password-stealing hacking campaign is targeting governments around the world (ZDNet, Dec 12 2019)
Researchers uncover a phishing campaign attempting to steal login credentials from government departments across North America, Europe and Asia – and nobody knows who is behind it.
3. Inside ‘Evil Corp,’ a $100M Cybercrime Menace (Krebs on Security, Dec 16 2019)
“The U.S. Justice Department this month offered a $5 million bounty for information leading to the arrest and conviction of a Russian man indicted for allegedly orchestrating a vast, international cybercrime network that called itself “Evil Corp” and stole roughly $100 million from businesses and consumers. As it happens, for several years KrebsOnSecurity closely monitored the day-to-day communications and activities of the accused and his accomplices. What follows is an insider’s look at the back-end operations of this gang.”
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. How Hackers Are Breaking Into Ring Cameras (VICE, Dec 11 2019)
“Ring Video Doorbell Config,” one thread on a hacking forum reads. A config is a file used to drive special software for rapidly churning through usernames or email addresses and passwords and trying to use them to log into accounts. Hackers have developed configs for a wide variety of websites and online services, from Uber to Facebook.
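The "config" described above drives a tool that replays leaked username/password pairs against a login endpoint at high speed (credential stuffing). The defender's view of that activity is a burst of login attempts from one source against many different accounts, most of them failing. As an added example that is not part of the VICE article or any Ring tooling, the Python below runs that detection logic over a few constructed authentication log lines. The log format (timestamp, source IP, username, result), the sample IPs and accounts, and the thresholds (at least 5 distinct users and a 70% failure rate within a 60-second window) are all assumptions chosen for illustration.

```python
"""Credential-stuffing detector over constructed auth log lines (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log: "timestamp source_ip username result" (not real data).
# 203.0.113.7 sprays ten different accounts in five seconds and gets one hit;
# 198.51.100.9 is a legitimate user mistyping a password once; 192.0.2.44 is normal.
SAMPLE_LOG = """\
2019-12-11T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-12-11T10:00:02Z 203.0.113.7 bob@example.com FAIL
2019-12-11T10:00:02Z 203.0.113.7 carol@example.com FAIL
2019-12-11T10:00:03Z 203.0.113.7 dave@example.com OK
2019-12-11T10:00:03Z 203.0.113.7 erin@example.com FAIL
2019-12-11T10:00:04Z 203.0.113.7 frank@example.com FAIL
2019-12-11T10:00:04Z 203.0.113.7 grace@example.com FAIL
2019-12-11T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2019-12-11T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2019-12-11T10:00:06Z 203.0.113.7 judy@example.com FAIL
2019-12-11T10:01:00Z 198.51.100.9 alice@example.com FAIL
2019-12-11T10:01:30Z 198.51.100.9 alice@example.com OK
2019-12-11T10:05:00Z 192.0.2.44 mallory@example.com OK
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse the assumed whitespace-separated log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        attempts.append(Attempt(when, ip, user, result == "OK"))
    return attempts


def detect_stuffing(attempts, window_s=60, min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that try many distinct accounts with mostly failures
    inside a sliding time window. Returns {ip: summary} for flagged IPs,
    including the accounts that did succeed (likely compromised credentials)."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        best = None
        j = 0
        for i in range(len(rows)):
            # Two-pointer sliding window: extend j while rows[j] is within window_s of rows[i].
            while j < len(rows) and (rows[j].ts - rows[i].ts).total_seconds() <= window_s:
                j += 1
            win = rows[i:j]
            users = {a.user for a in win}
            fails = sum(not a.ok for a in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "failures": fails,
                        "hits": sorted(a.user for a in win if a.ok),
                    }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Only 203.0.113.7 is flagged; the single retry from 198.51.100.9 stays below the distinct-user threshold. The caveat a practitioner should keep in mind is that per-IP thresholds are easy to evade by spreading the list across residential proxies, so a second view keyed on the account (one username hit from many IPs, or logins from a never-before-seen device) is needed alongside this one, and the "hits" list is the set of accounts whose passwords should be treated as known to the attacker.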
5. WhatsApp Fixes Yet Another Group Chat Security Gap (Wired, Dec 17 2019)
The flaw would have given attackers an avenue for crashing the app—every time a user opened an infected group thread.
6. Security Vulnerabilities in the RCS Texting Protocol (Schneier on Security, Dec 16 2019)
SRLabs founder Karsten Nohl, a researcher with a track record of exposing security flaws in telephony systems, argues that RCS is in many ways no better than SS7, the decades-old phone system carriers still use for calling and texting, which has long been known to be vulnerable to interception and spoofing attacks. While using end-to-end encrypted internet-based tools like iMessage and WhatsApp obviates many of those SS7 issues, Nohl says that flawed implementations of RCS make it not much safer than the SMS system it hopes to replace.
*Cloud Security, DevOps, AppSec*
7. How Google moved from perimeter-based to cloud-native security (Google, Dec 17 2019)
Google has published “a whitepaper about BeyondProd, which explains the model for how we implement cloud-native security at Google. As many organizations seek to adopt cloud-native architectures, we hope security teams can learn how Google has been securing its own architecture, and simplify their adoption of a similar security model.”
8. Mozilla mandates 2FA security for Firefox developers (Naked Security – Sophos, Dec 17 2019)
Mozilla last week fired off an important memo to all Firefox extension developers telling them to turn on two-factor authentication (2FA) on their addons.mozilla.org (AMO) accounts.
9. GitLab Paid Half a Million Dollars in Bug Bounties in One Year (SecurityWeek, Dec 16 2019)
GitLab has paid more than half a million dollars in rewards to security researchers who contributed to its public bug bounty program over the past year.
*Identity Mgt & Web Fraud*
10. 2020 Predictions: Privacy (SC Magazine, Dec 16 2019)
Predictions from executives at identity companies
11. Insights about the first five years of Right to Be Forgotten requests at Google (Elie Bursztein, Dec 13 2019)
The “Right to be Forgotten” (RTBF) is a landmark European ruling that governs the delisting of personal information from search results. This ruling establishes a right to privacy, whereby individuals can request that search engines delist URLs across the Internet that contain “inaccurate, inadequate, irrelevant or excessive” information uncovered by queries containing the name of the requester. What makes this ruling unique and challenging is that it requires search engines, when contemplating the requested delisting of URLs, to decide whether an individual’s right to privacy outweighs the public’s right to access lawful information.
12. Amazon Conference Badges Tracked Attendees’ Movements (VICE, Dec 19 2019)
AWS said the data was anonymous and to help understand attendance at certain events.
13. Web Hosting Firm Slapped With $10 Million GDPR Fine (SecurityWeek, Dec 16 2019)
The investigation commenced following a complaint from a customer whose personal mobile phone number was given by 1&1’s customer helpline to a former life partner in 2018. Since the former partner already knew a lot of details, the helpline provided the phone number after being given the complainant’s name and date of birth. According to BfDI, this was insufficient ‘access control’ for access to personal data.
14. New Orleans Scrambles to Respond to Ransomware Attack (Infosecurity Magazine, Dec 16 2019)
The Louisiana city is the latest in a long line to suffer a ransomware attack this year.
15. Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up (Krebs on Security, Dec 16 2019)
“As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of acquiescing to their tormentors.”