Weekly Summary

15 Bullet Friday – The Best Security News of the Week – 2020.01.17

2020-01-17 by Lucas Samaras

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. How 2019’s Worst Corporate Hacks Could Have Been Prevented (Infosecurity Magazine, Jan 13 2020)
The majority of breaches can be avoided. User log-in credentials, customer databases, corporate emails, sensitive enterprise documents, medical and tax information are just a few examples of data that fell into the wrong hands and got publicly exposed.

2. Iranian Hackers Have Been ‘Password-Spraying’ the US Grid (Wired, Jan 09 2020)
A state-sponsored group called Magnallium has been probing American electric utilities for the past year.

3. Phishing for Apples, Bobbing for Links (Krebs on Security, Jan 13 2020)
“Anyone searching for a primer on how to spot clever phishing links need look no further than those targeting customers of Apple, whose brand by many measures remains among the most-targeted. Past stories here have examined how scammers working with organized gangs try to phish iCloud credentials from Apple customers who have a mobile device that is lost or stolen. Today’s piece looks at the well-crafted links used in some of these lures.”

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share on Twitter Facebook LinkedIn

*AI, IoT, & Mobile Security*
4. Barr Asks Apple to Unlock Pensacola Killer’s Phones (The New York Times, Jan 14 2020)
The request set up a collision between law enforcement and big technology firms in the latest battle over privacy and security.

5. Hackers Are Breaking Directly Into Telecom Companies to Take Over Customer Phone Numbers (VICE, Jan 10 2020)
SIM swappers have escalated from bribing employees to using remote desktop software to get direct access to internal T-Mobile, AT&T, and Sprint tools.

6. Facebook Says Encrypting Messenger by Default Will Take Years (Wired, Jan 10 2020)
Mark Zuckerberg promised default end-to-end encryption throughout Facebook’s platforms. Nearly a year later, Messenger’s not even close.

*Cloud Security, DevOps, AppSec*
7. In App Development, Does No-Code Mean No Security? (Dark Reading, Jan 08 2020)
No-code and low-code development platforms are part of application development, but there are keys to making sure that they don’t leave security behind with traditional coding.

8. Learning from cryptocurrency mining attack scripts on Linux (Microsoft Azure Blog, Jan 14 2020)
Cryptocurrency mining attacks continue to represent a threat to many of our Azure Linux customers.

9. DevSecOps: 10 Best Practices to Embed Security into DevOps (DevOps, Jan 14 2020)
Steps to a Typical DevSecOps Workflow
– A developer starts by writing code within a version control system.
– Any required change is committed to the version control system.
– Another developer analyzes the code to identify any security defect that may weaken code quality.
– An environment is created to deploy and apply security configurations to the system.
– Next, a test automation suite is executed to evaluate the newly deployed application.
– After it passes the automation test, the application is deployed to a production environment.
– This new production environment is actively monitored for security threats.

*Identity Mgt & Web Fraud*
10. Google: Chrome Will Remove Third-Party Cookies and Tracking (Dark Reading, Jan 14 2020)
It’s “not about blocking” but removing them altogether, the company said.

11. Apple’s new privacy features have further rattled the location-based ad market (Digiday, Jan 15 2020)
People aren’t sharing data with apps thanks to Apple, and that’s left ad tech vendors with less location data to sell. Now, they’re trying to plug the gap with data from IP addresses or a mobile carrier.

12. Google voice Assistant gets new privacy ‘undo’ commands (Naked Security – Sophos, Jan 09 2020)
Google’s controversial voice Assistant is getting a series of new commands designed to work like privacy-centric ‘undo’ buttons.

*CISO View*
13. 2017 Data Breach Will Cost Equifax at Least $1.38 Billion (Dark Reading, Jan 15 2020)
Company agrees to set aside a minimum of $380.5 million as breach compensation and spend another $1 billion on transforming its information security over the next five years. The 147 million US consumers affected by the breach have one week from today to file a claim.

14. Fancy Bear’ Targets Ukrainian Oil Firm Burisma in Phishing Attack (Dark Reading, Jan 14 2020)
The oil & gas company is at the heart of the ongoing US presidential impeachment case.

15. A case for establishing a common weakness enumeration for hardware security (Help Net Security, Jan 13 2020)
Due to these missing reference materials for hardware vulnerabilities in the CWE, researchers do not have the same standard taxonomy that would enable them to share information and techniques with one another. If we expect hardware vendors and their partners to collectively deliver more secure solutions, we must have a common language for discussing hardware security vulnerabilities.

15 Bullet Friday – The Best Security News of the Week – 2020.01.10

2020-01-10 by Lucas Samaras

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. We Talked to Experts About Iran’s Cyberwar Capabilities (VICE, Jan 03 2020)
Iran lacks the overall cyber capabilities of Russia, China, or the U.S., but its hackers can still do damage.

2. Microsoft Shuts Down 50 Domains Used by North Korean Hacking Group (Dark Reading, Dec 31 2019)
Thallium’ nation-state threat group used the domains to target mostly US victims.

3. Ransomware forces Richmond Community Schools to close (SC Magazine, Jan 03 2020)
The Michigan district was hit on Dec. 27, with district officials informing parents and students on Dec. 31 that the planned Jan. 2 school re-opening would be pushed back.

Share on Twitter Facebook LinkedIn

*AI, IoT, & Mobile Security*
4. Facebook Says It Will Ban ‘Deepfakes’ (The New York Times, Jan 07 2020)
The company said it would remove videos altered by artificial intelligence in ways meant to mislead viewers.

5. Burner phones are an eavesdropping risk for international travelers (Help Net Security, Jan 07 2020)
Unfortunately, even savvy travelers who do the right things – disabling Bluetooth, not connecting to unknown networks, never leaving their phone out of sight – are still at risk of conversations being eavesdropped on through their burner phones. But instead of choosing a “dumb” phone or asking users to not bring their phones into critical meetings, security teams have the following options at their disposal for mitigating the risk of high-level conversations being captured.

6. Google shutting down Xiaomi access to Assistant following Nest Hub picking up strangers’ camera feeds (Android Police, Jan 03 2020)
So-called “smart” security cameras have had some pretty dumb security problems recently, but a recent report regarding a Xiaomi camera linked to a Google

*Cloud Security, DevOps, AppSec*
7. Red Hat DevSecOps Strategy Centers on Quay (Container Journal, Jan 06 2020)
Red Hat is moving toward putting the open source Quay container registry at the center of its DevSecOps strategy for securing containers. The latest 3.2 version of Quay adds support for Container Security Operator, which integrates Quay’s image vulnerability scanning capabilities with Kubernetes.

8. Breaking Down the OWASP API Security Top 10 (Part 2) (Checkmarx, Jan 06 2020)
… the first five (5) risks and emphasized some of the possible attack scenarios in the context of the risks. In this article, I will attempt to clarify the last five (5) risks to help organizations understand the dangers associated with deficient API implementations.

9. Google Shifts to 90-Day Bug Disclosures by Default (Infosecurity Magazine, Jan 08 2020)
Project Zero team hopes it will improve thoroughness and adoption of patches

*Identity Mgt & Web Fraud*
10. Why a Steak in California Comes With a Privacy Notice (VICE, Jan 07 2020)
Under California’s new privacy law, even brick and mortar companies have to make it clear you can opt out of having your personal data sold.

11. Facebook Revamps Its Privacy Checkup Feature in Time for CES (Wired, Jan 07 2020)
Forget Portal. This year, Facebook is marketing itself as a privacy crusader.

12. China facial-recognition case puts Big Brother on trial (Yahoo News, Jan 08 2020)
Facial-recognition technology has become embedded in China, from airports to hotels, e-commerce sites and even public toilets, but a law professor had enough when asked to scan his face at a safari park. Guo Bing took the wildlife park to court, raising the temperature in a growing debate about privacy

*CISO View*
13. New SHA-1 Attack (Schneier on Security, Jan 08 2020)
“There’s a new, practical, collision attack against SHA-1: In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1”

14. Hackers claiming to be from Iran deface U.S. gov’t website (SC Magazine, Jan 06 2020)
The hackers defaced the Federal Depository Library Program, fdlp.gov, website with a picture of bleeding Trump as he’s being punched in the face

15. The Hidden Cost of Ransomware: Wholesale Password Theft (Krebs on Security, Jan 06 2020)
“Organizations in the throes of cleaning up after a ransomware outbreak typically will change passwords for all user accounts that have access to any email systems, servers and desktop workstations within their network. But all too often, ransomware victims fail to grasp that the crooks behind these attacks can and frequently do siphon every single password stored on each infected endpoint. The result of this oversight may offer attackers a way back into the affected organization, access to financial and healthcare accounts, or — worse yet — key tools for attacking the victim’s various business partners and clients.”

15 Bullet Friday – The Best Security News of the Week – 2020.01.03

2020-01-03 by Lucas Samaras

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Chinese Hackers Bypassing Two-Factor Authentication (Schneier on Security, Dec 26 2019)
On December 18th, DeepInstinct put out a great article outlining the latest Legion Loader campaign. Whether a parent, or organization, this served as a great example to demonstrate the effectiveness of DNS in mitigating this type of attack. Interesting story of how a Chinese state-sponsored hacking group is bypassing the RSA SecurID two-factor authentication system. How they did it remains unclear; although, the Fox-IT team has their theory. They said APT20 stole an RSA SecurID software token from a hacked system, which the Chinese actor then used on its computers to generate valid one-time codes and bypass 2FA…

2. Ransomware at IT Services Provider Synoptek (Krebs on Security, Dec 27 2019)
“Synoptek, a California business that provides cloud hosting and IT management services to more than a thousand customers nationwide, suffered a ransomware attack this week that has disrupted operations for many of its clients, according to sources. The company has reportedly paid a ransom demand in a bid to restore operations as quickly as possible.”

3. Mitigating Web Threats with CleanBrowsing DNS (PerezBox, Dec 24 2019)
I encourage you to read DeepInstincts article if you want to better understand how it works. What I’ll focus in this article is how DNS can function as a highly effective security control to help you protect your network.

Share on Twitter Facebook LinkedIn

*AI, IoT, & Mobile Security*
4. AI can protect old equipment from cyberattack (Houston Chronicle, Dec 30 2019)
“The energy vertical really faces what I would call the perfect storm,” said Leo Simonovich, global head of industrial cyber and digital security for Siemens.

“On the one hand, there’s a vast brownfield of assets that were never designed with security in mind,” he told me on the sidelines of Time Machine 2019, an artificial intelligence conference. “On the other hand, the energy vertical is undergoing a massive transformation with the introduction of renewables through digitalization and connectivity.”

5. 2020 Predictions: Mobile Security (SC Magazine, Dec 26 2019)
2020 will be the year of 5G, bringing with it not only faster speeds and bandwidth capabilities to our mobile devices, but also making them highly coveted targets by DDoS attackers. While mobile devices have always been targeted by financial or personal data thieves, 5G’s increased bandwidth allows attackers to take control over a relatively small number of mobile handsets and unleash a tremendous amount of damage.

6. Popular Mideast App Pulled After Report it Was Spying Tool (SecurityWeek, Dec 24 2019)
A popular mobile application developed in the United Arab Emirates has been removed from both Apple and Google’s online marketplaces following a report it was used for widespread government spying.

*Cloud Security, DevOps, AppSec*
7. Predictions 2020: Infrastructure and Ops Trends to Watch in 2020 (DevOps, Dec 24 2019)
Today, modernizing systems is more than simply moving technology to a new location. It requires an IT stack of a new generation of technologies and tools to work.

8. School software vendor Active Network suffers data breach (SC Magazine, Dec 30 2019)
Acitve Network’s Blue Bear Software platform reported that unauthorized activity in its network earlier this year resulted in customer PII being exposed. The company reported the issue to the California Attorney General’s office stating it recently became aware that between Oct. 1, 2019 and Nov. 13, 2019 there was illegal activity taking place…

9. Top 6 Software Testing Trends to Look Out in 2020 (DZone DevOps Zone, Dec 24 2019)
Some of the growing software testing trends that will continue to dominate in 2020, like AI and IoT in testing and increased automation testing in teams.

*Identity Mgt & Web Fraud*
10. Say Hello to SASE (Secure Access Service Edge) (Gartner Blog Network, Dec 23 2019)
So by now, most networking folks know about SDWAN. And of course, just when everyone is aware and comfortable with a technology, and it is (relatively) stable with over 25,000 paying customers, and we can start to absorb it…then Boom. Things change. And we are absolutely seeing the market evolve. And the new “thing” is SASE – Secure Access Service Edge, pronounced “sassy”.

11. Identity access management – An auditor’s view (SC Magazine, Dec 26 2019)
12 Best Practices from an Auditor’s view…

12. The 2019 State of the Auth Report: Has 2FA Hit Mainstream Yet? (The Duo Blog, Dec 09 2019)
The Study Results Show That 2FA Is Catching On
Awareness in 2FA shot up from 44% of respondents in 2017 to 77% in 2019. That’s a 33% gain over a two year period.

More Users Are Adopting 2FA Security for Protection
In 2017, a mere 28% of respondents were using 2FA compared to 53% in 2019. That is a solid 25% gain in user security.

*CISO View*
13. UN backs Russia on internet convention, alarming rights advocates (Yahoo News, Dec 28 2019)
The United Nations on Friday approved a Russian-led bid that aims to create a new convention on cybercrime, alarming rights groups and Western powers that fear a bid to restrict online freedom. The General Assembly approved the resolution sponsored by Russia and backed by China, which would set up a

14. Wawa Facing Lawsuits Over Data Breach at All of its Stores (SecurityWeek, Dec 28 2019)
The Wawa convenience store chain is facing a wave of lawsuits over a data breach that affected its 850 locations along the East Coast.

15. 2020 Predictions: Technology (SC Magazine, Dec 30 2019)
MITRE ATT&CK will become the go-to framework and common vocabulary for every SOC. For organizations required to have the most aggressive stances on security, such as financial services and healthcare, ATT&CK is already the go-to framework. In 2020, it will become a basis of conversation for security operations center (SOC) teams in other industries, including retail and manufacturing, as they mature their security postures.

15 Bullet Friday – The Best Security News of the Week – 2019.12.27

2019-12-27 by Lucas Samaras

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Meet Cliff Stoll, the Mad Scientist Who Invented the Art of Hunting Hackers (Wired, Dec 18 2019)
Thirty years ago, Cliff Stoll published The Cuckoo’s Egg, a book about his cat-and-mouse game with a KGB-sponsored hacker. Today, the internet is a far darker place—and Stoll has become a cybersecurity icon.

2. Webroot’s Listing of the ‘Nastiest’ Malware of 2019 (eWEEK, Dec 21 2019)
From zombie botnets to insidious email infiltrators, here are the top malware threats to hit us in 2019, according to Webroot.

3. Worried About Magecart? Here’s How to Check for It (Dark Reading, Dec 18 2019)
Researchers share how everyday users can check for malicious code on e-commerce websites.

Share on Twitter Facebook LinkedIn

*AI, IoT, & Mobile Security*
4. Smartphone location data can be used to identify and track anyone (NYTimes, Dec 23 2019)
In today’s smartphone economy, hiding your location has become a major challenge.

5. The Pentagon’s AI Chief Prepares for Battle (Wired, Dec 18 2019)
Lt. Gen. Jack Shanahan doesn’t want killer robots—but he does want artificial intelligence to occupy a central role in warfighting.

6. Facebook removes accounts with AI-generated profile photos (Ars Technica, Dec 23 2019)
Likely the first use of AI to support an inauthentic social media campaign.

*Cloud Security, DevOps, AppSec*
7. Apple Kicks Off Public Bug Bounty Program (SecurityWeek, Dec 20 2019)
Apple this week kicked off its public bug bounty program, just over four months after announcing it officially at the Black Hat cybersecurity conference in Las Vegas.

8. Google Promises Upfront Financial Help for Securing Open Source Projects (SecurityWeek, Dec 20 2019)
Six years into running the Patch Rewards Program to help improve the security of open source projects, Google has decided to provide upfront financial support for such initiatives.

9. Google Details Its Zero-Trust Architecture. Can Enterprises Use It? (IT Pro, Dec 18 2019)
While large enterprises will already have many of the needed security tools, copying Google’s approach can be very complicated, Hatch said. “The complexities of large-scale infrastructure and applications can’t be resolved with a magic Band-Aid in short order.” A unified platform is needed to bring all the pieces together.

*Identity Mgt & Web Fraud*
10. What does your car know about you? We hacked a Chevy… (Washington Post, Dec 24 2019)
Our privacy experiment found hundreds of sensors and an always-on Internet connection. Driving surveillance is becoming very hard to avoid.

11. Ambiguity Around CCPA Will Lead to a Slow Start in 2020 (Dark Reading, Dec 20 2019)
But longer term, compliance to California’s new privacy law represents an opportunity for companies to increase customer trust and market share.

12. Google Cloud: Supporting our customers with the California Consumer Privacy Act (CCPA) (Google Cloud Blog, Dec 20 2019)
Businesses that collect California residents’ personal information and meet certain thresholds (for example, revenue) will need to comply with these obligations.

*CISO View*
13. Wawa Stores Plagued by Malware Since March (Infosecurity Magazine, Dec 20 2019)
Malware has been stealing credit card info from Wawa customers for 9 months

14. F5 Pays $1 Billion for Shape (Dark Reading, Dec 20 2019)
The acquisition adds fraud detection and prevention to the application delivery company’s tool collection.

15. Cybersecurity Experts Are Leaving the Federal Government. That’s a Problem. (NY Times, Dec 20 2019)
Cybersecurity Experts Are Leaving the Federal Government. That’s a Problem. The New York Times

15 Bullet Friday – The Best Security News of the Week – 2019.12.20

2019-12-20 by Lucas Samaras

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Hackers Can Mess With Voltages to Steal Intel Chips’ Secrets (Wired, Dec 10 2019)
A new attack called Plundervolt gives attackers access to the sensitive data stored in a processor’s secure enclave.

2. This password-stealing hacking campaign is targeting governments around the world (ZDNet, Dec 12 2019)
Researchers uncover a phishing campaign attempting to steal login credentials from government departments across North America, Europe and Asia – and nobody knows who is behind it.

3. Inside ‘Evil Corp,’ a $100M Cybercrime Menace (Krebs on Security, Dec 16 2019)
“The U.S. Justice Department this month offered a $5 million bounty for information leading to the arrest and conviction of a Russian man indicted for allegedly orchestrating a vast, international cybercrime network that called itself “Evil Corp” and stole roughly $100 million from businesses and consumers. As it happens, for several years KrebsOnSecurity closely monitored the day-to-day communications and activities of the accused and his accomplices. What follows is an insider’s look at the back-end operations of this gang.”

Share on Twitter Facebook LinkedIn

*AI, IoT, & Mobile Security*
4. How Hackers Are Breaking Into Ring Cameras (VICE, Dec 11 2019)
“Ring Video Doorbell Config,” one thread on a hacking forum reads. A config is a file used to drive special software for rapidly churning through usernames or email addresses and passwords and trying to use them to log into accounts. Hackers have developed configs for a wide variety of websites and online services, from Uber to Facebook.

5. WhatsApp Fixes Yet Another Group Chat Security Gap (Wired, Dec 17 2019)
The flaw would have given attackers an avenue for crashing the app—every time a user opened an infected group thread.

6. Security Vulnerabilities in the RCS Texting Protocol (Schneier on Security, Dec 16 2019)
SRLabs founder Karsten Nohl, a researcher with a track record of exposing security flaws in telephony systems, argues that RCS is in many ways no better than SS7, the decades-old phone system carriers still used for calling and texting, which has long been known to be vulnerable to interception and spoofing attacks. While using end-to-end encrypted internet-based tools like iMessage and WhatsApp obviates many of those of SS7 issues, Nohl says that flawed implementations of RCS make it not much safer than the SMS system it hopes to replace.

*Cloud Security, DevOps, AppSec*
7. How Google moved from perimeter-based to cloud-native security (Google, Dec 17 2019)
“a whitepaper about BeyondProd, which explains the model for how we implement cloud-native security at Google. As many organizations seek to adopt cloud-native architectures, we hope security teams can learn how Google has been securing its own architecture, and simplify their adoption of a similar security model.”

8. Mozilla mandates 2FA security for Firefox developers (Naked Security – Sophos, Dec 17 2019)
Mozilla last week fired off an important memo to all Firefox extension developers telling them to turn on authentication (2FA) on their addons.mozilla.org (AMO) accounts.

9. GitLab Paid Half a Million Dollars in Bug Bounties in One Year (SecurityWeek, Dec 16 2019)
GitLab has paid more than half a million dollars in rewards to security researchers who contributed to its public bug bounty program over the past year.

*Identity Mgt & Web Fraud*
10. 2020 Predictions: Privacy (SC Magazine, Dec 16 2019)
Predictions from executives at identity companies

11. Insights about the first five years of Right to Be Forgotten requests at Google (Elie Bursztein, Dec 13 2019)
The “Right to be Forgotten” (RTBF) is a landmark European ruling that governs the delisting of personal information from search results. This ruling establishes a right to privacy, whereby individuals can request that search engines delist URLs across the Internet that contain “inaccurate, inadequate, irrelevant or excessive” information uncovered by queries containing the name of the requester. What makes this ruling unique and challenging is that it requires search engines, when contemplating the requested delisting of URLs, to decide whether an individual’s right to privacy outweighs the public’s right to access lawful information.

12. Amazon Conference Badges Tracked Attendees’ Movements (VICE, Dec 19 2019)
AWS said the data was anonymous and to help understand attendance at certain events.

*CISO View*
13. Web Hosting Firm Slapped With $10 Million GDPR Fine (SecurityWeek, Dec 16 2019)
The investigation commenced following a complaint from a customer whose personal mobile phone number was given by 1&1’s customer helpline to a former life partner in 2018. Since the former partner already knew a lot of details, the helpline provided the phone number after being given the complainant’s name and date of birth. According to BfDI, this was insufficient ‘access control’ for access to personal data.

14. New Orleans Scrambles to Respond to Ransomware Attack (Infosecurity Magazine, Dec 16 2019)
Louisiana city the latest in long line to suffer this year

15. Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up (Krebs on Security, Dec 16 2019)
“As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of acquiescing to their tormentors.”