Weekly Summary

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Iranian Hackers Targeted Presidential Campaign, Microsoft Says (The New York Times, Oct 04 2019)
Microsoft said in a security report Friday that journalists and other government officials were also targeted. It did not name the campaign.

2. Casbaneiro: Dangerous cooking with a secret ingredient (WeLiveSecurity, Oct 03 2019)
Número dois in our series demystifying Latin American banking trojans

3. New Research into Russian Malware (Schneier on Security, Oct 02 2019)
“There’s some interesting new research about Russian APT malware: The Russian government has fostered competition among the three agencies, which operate independently from one another, and compete for funds. This, in turn, has resulted in each group developing and hoarding its tools, rather than sharing toolkits with their counterparts, a common sight among Chinese and North Korean state-sponsored hackers.”

---

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share on Twitter Facebook LinkedIn

---

*AI, IoT, & Mobile Security*
4. Decades-Old Code Is Putting Millions of Critical Devices at Risk (Wired, Oct 01 2019)
Nearly two decades ago, a company called Interpeak created a network protocol that became an industry standard. It also had severe bugs that are only now coming to light.

5. New Unpatchable iPhone Exploit Allows Jailbreaking (Schneier on Security, Oct 08 2019)
-Checkm8 requires physical access to the phone. It can’t be remotely executed, even if combined with other exploits.
-The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.
-Checkm8 doesn’t bypass the protections offered by the Secure Enclave and Touch ID.
-All of the above means people will be able to use Checkm8 to install malware only under very limited circumstances. The above also means that Checkm8 is unlikely to make it easier for people who find, steal or confiscate a vulnerable iPhone, but don’t have the unlock PIN, to access the data stored on it.
-Checkm8 is going to benefit researchers, hobbyists, and hackers by providing a way not seen in almost a decade to access the lowest levels of iDevices.

6. Inside New York City’s Partnership With Israeli iPhone Hacking Company Cellebrite (Medium, Oct 08 2019)
Documents reveal the Manhattan DA subscribes to a program that lets authorities break into iPhones in-house

*Cloud Security, DevOps, AppSec*
7. macOS Catalina: Security and privacy improvements (Help Net Security, Oct 08 2019)
First things first: starting with Catalina, the system runs on its own dedicated, read-only APFS volume and – Apple claims – “nothing can accidentally overwrite critical operating system files.” Another big change that starts with Catalina is the deprecation of kernel extensions (“kexts”).

8. Global Study Finds Orgs Are Failing to Protect Data in the Cloud (Infosecurity Magazine, Oct 08 2019)
Just 32% of orgs think securing data in the cloud is their own responsibility

9. Google Cloud Worth $225 Billion, Deutsche Bank Says (IT Pro, Oct 03 2019)
The value ascribed by Deutsche Bank to Google Cloud is nearly twice the market value of IBM.

*Identity Mgt & Web Fraud*
10. Twitter Took Phone Numbers for Security and Used Them for Advertising (VICE, Oct 08 2019)
This could make people think twice about using a phone number to secure their account at all.

11. 2019 Global Password Security Report (LastPass, Oct 08 2019)
57% of businesses globally are using multifactor authentication, compared to 45% last year.
13x is how often an employee reuses a password, on average.
23% of employees access their password vault on a smartphone.

12. FBI’s Use of Surveillance Database Violated Americans’ Privacy Rights, Court Found (WSJ, Oct 09 2019)
Some of the FBI’s electronic surveillance activities violated the constitutional privacy rights of Americans swept up in a controversial foreign intelligence program, a surveillance court has ruled.

*CISO View*
13. The Same Old Encryption Debate Has a New Target: Facebook (Wired, Oct 03 2019)
Attorney general William Barr seems eager to reignite the encryption wars, starting with the social media giant.

14. Russian Secret Weapon Against U.S. 2020 Election Revealed In New Cyberwarfare Report (Forbes, Oct 08 2019)
A terrifying​ new report maps out Russia’s full cyberwarfare ecosystem, an attack structure designed​ to be “almost impossible” to defend against.

15. Credit Info Exposed in TransUnion Data Security Incident (BleepingComputer, Oct 10 2019)
Using a credential stuffing attack, an unauthorized person was able to gain access to a TransUnion Canada web portal and use it to pull consumer credit files.

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. German Cops Raid “Cyberbunker 2.0,” Arrest 7 in Child Porn, Dark Web Market Sting (Krebs on Security, Sep 28 2019)
“German authorities said Friday they’d arrested seven people and were investigating six more in connection with the raid of a Dark Web hosting operation that allegedly supported multiple child porn, cybercrime and drug markets with hundreds of servers buried inside a heavily fortified military bunker. Incredibly, for at least two of the men accused in the scheme, this was their second bunker-based hosting business that was raided by cops and shut down for courting and supporting illegal activity online.”

2. On Chinese “Spy Trains” (Schneier on Security, Sep 26 2019)
“Part of the reasoning behind this legislation is economic, and stems from worries about Chinese industries undercutting the competition and dominating key global industries. But another part involves fears about national security. News articles talk about “spy trains,” and the possibility that the train cars might surreptitiously monitor their passengers’ faces, movements, conversations or phone calls.”

3. Cybercriminals plan to make L7 routers serve card stealing code (Help Net Security, Sep 26 2019)
One of the Magecart cybercriminal groups is testing a new method for grabbing users’ credit card info: malicious skimming code that can be loaded into files used by L7 routers. L7 routers are commercial grade routers, typically used by airports, hotels, casinos, malls and similar establishments and organizations, to deliver wireless connectivity to a great number of users.

---

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share on Twitter Facebook LinkedIn

---

*AI, IoT, & Mobile Security*
4. Why Checkm8 iDevice jailbreak exploit is a game changer (Ars Technica, Sep 28 2019)
Unpatchable vulnerability is a game-changer that even Apple will be unable to stop.

5. Researchers Think They Know How Many Phones Are Vulnerable to ‘SIMjacker’ Attacks (VICE, Sep 27 2019)
They also created a tool to determine whether your phone’s SIM card is vulnerable.

6. Legit-Looking iPhone Lightning Cables That Hack You Will Be Mass Produced and Sold (VICE, Sep 30 2019)
Their creation has been successfully fully outsourced to a factory, the security researcher behind the cables said.

*Cloud Security, DevOps, AppSec*
7. Cisco Webex & Zoom Bug Lets Attackers Spy on Conference Calls (Dark Reading, Oct 01 2019)
The “Prying-Eye” vulnerability could let intruders scan for unprotected meeting IDs and snoop on conference calls.

8. 60% of Major US Firms Have Been Hacked in Cloud: Study (SecurityWeek, Sep 25 2019)
Hackers have penetrated cloud computing networks of some 60 percent of top US companies, with virtually all industry sectors hit, security researchers said Tuesday.

9. Cloud Attacks Prove Effective Across Industries in the First Half of 2019 (Proofpoint, Oct 01 2019)
In a study encompassing the first half of 2019, Proofpoint researchers analyzed data from more than one thousand cloud service tenants with over 20 million user accounts.

*Identity Mgt & Web Fraud*
10. Government to Begin DNA Testing on Detained Immigrants (New York Times, Oct 03 2019)
The Department of Homeland Security said it would begin testing on hundreds of thousands of immigrants in federal detention facilities.

11. Disinformation campaigns cheap and easy to launch: Recorded Future (SC Magazine, Sep 30 2019)
Researchers conducted an experiment to see what it would take for malicious actors to either boost a company’s online stature or tear it down and found both could be accomplished in about 30 days and cost just a few thousand dollars.

12. MyPayrollHR CEO Arrested, Admits to $70M Fraud (Krebs on Security, Sep 27 2019)
“Earlier this month, employees at more than 1,000 companies saw one or two paycheck’s worth of funds deducted from their bank accounts after the CEO of their cloud payroll provider absconded with $35 million in payroll and tax deposits from customers. On Monday, the CEO was arrested and allegedly confessed that the diversion was the last desperate gasp of a financial shell game that earned him $70 million over several years.”

*CISO View*
13. NSA on the Future of National Cybersecurity (Schneier on Security, Oct 01 2019)
Glenn Gerstell, the General Counsel of the NSA, wrote a long and interesting op-ed for the New York Times where he outlined a long list of cyber risks facing the US.

14. China’s New Cybersecurity Program: NO Place to Hide (China Law Blog, Sep 30 2019)
This system will apply to foreign owned companies in China on the same basis as to all Chinese persons, entities or individuals. No information contained on any server located within China will be exempted from this full coverage program. No communication from or to China will be exempted. There will be no secrets. No VPNs. No private or encrypted messages. No anonymous online accounts. No trade secrets. No confidential data. Any and all data will be available and open to the Chinese government.

15. 38% of the Fortune 500 do not have a CISO (Help Net Security, Oct 01 2019)
38% of the 2019 Fortune 500 do not have a chief information security officer (CISO).
Of this 38%, only 16% have another executive that is listed as responsible for cybersecurity strategy, such as a vice president of security.
Of the 62% that do have a CISO, only 4% have them listed on their company leadership pages.

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. CookieMiner malware targets Macs, steals passwords and SMS messages, mines for cryptocurrency (Graham Cluley, Sep 18 2019)
the macOS-based malware can steal browser cookies from users’ Google Chrome and Apple Safari browsers. Specifically, cookies associated with the following cryptocurrency exchanges…The cookies are grabbed from the infected user’s browser, zipped up and then uploaded to a remote server under the control of the criminals.

2. Hotel websites infected with skimmer via supply chain attack (SC Magazine, Sep 18 2019)
A Magecart card-skimming campaign this month sabotaged the mobile websites of two hotel chains by executing a supply chain attack on a third-party partner, researchers have reported. The third party in both instances was Roomleader, a Barcelona-based provider of digital marketing and web development services. One of the ways Roomleader helps hospitality companies build out their online booking functionality is through a library module called “viewedHotels,” which saves viewed hotel information in visitors’ browser cookies.

3. WeWork’s Wi-Fi Exposed Files, Credentials, Emails (Dark Reading, Sep 20 2019)
For years, sensitive documents and corporate data have been easily viewable on the coworking space’s open network.

---

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share on Twitter Facebook LinkedIn

---

*AI, IoT, & Mobile Security*
4. What security and privacy enhancements has iOS 13 brought? (Help Net Security, Sep 23 2019)
With the release of iPhone 11 and its two Pro variants, Apple has released iOS 13, a substantial functional update of its popular mobile operating system. But while many users are happy to finally get a complete Dark Mode for the device or a better phone camera, some are more interested in security and privacy enhancements.

5. Verizon Makes SIM Swapping Hard. Why Doesn’t AT&T, Sprint, and T-Mobile? (VICE, Sep 19 2019)
Verizon employs different security procedures when porting a phone number to a different SIM card than the other carriers. This is making SIM swapping attacks harder to perform against Verizon customers.

6. Huawei Suspended From Global Forum Aimed at Combating Cybersecurity Breaches (WSJ, Sep 18 2019)
A group formed to respond quickly to hacks and other cyber threats has temporarily expelled the Chinese company after legal advice

*Cloud Security, DevOps, AppSec*
7. DevSecOps: Recreating Cybersecurity Culture (Dark Reading, Sep 18 2019)
Bringing developers and security teams together guided by a common goal requires some risk-taking. With patience and confidence, it will pay off. Here’s how.

8. How data breaches forced Amazon to update S3 bucket security (Help Net Security, Sep 23 2019)
Amazon launched its Simple Storage Service (better known as S3) back in 2006 as a platform for storing just about any type of data under the sun…Amazon took this issue head on in November 2018, when they added an option to block all public access globally to every S3 bucket in an account.

9. Older vulnerabilities and those with lower severity scores still being exploited by ransomware (Help Net Security, Sep 25 2019)
Almost 65% of top vulnerabilities used in enterprise ransomware attacks targeted high-value assets like servers, close to 55% had CVSS v2 scores lower than 8, nearly 35% were old (from 2015 or earlier), and the vulnerabilities used in WannaCry are still being used today, according to RiskSense.

*Identity Mgt & Web Fraud*
10. Russian national confesses to biggest bank hack in US history (Ars Technica, Sep 23 2019)
In all, defendant stole more than 100 million records stole, prosecutors say.

11. Google Wins EU Fight Against Worldwide ‘Right to be Forgotten’ (SecurityWeek, Sep 24 2019)
Google is not required to apply an EU “right to be forgotten” to its search engine domains outside Europe, the EU’s top court ruled Tuesday in a landmark decision.

12. Millions of YouTube accounts hijacked through phishing and compromised 2FA (SC Magazine, Sep 24 2019)
Cybersecurity executives blamed YouTube’s continued use of multifactor authentication and relying on user credentials instead of more advanced forms authentication as the reasons behind why millions of accounts were hijacked over the last few days.

*CISO View*
13. How The U.S. Hacked ISIS (NPR, Sep 26 2019)
In 2016, the U.S. launched a classified military cyberattack against ISIS to bring down its media operation. NPR interviewed nearly a dozen people who lived it.

14. Women in Cybersecurity: Where We Are and Where We’re Going (Scientific American, Sep 23 2019)
Here’s how to bring gender equality to a thoroughly male-dominated field

15. How Google Changed the Secretive Market for the Most Dangerous Hacks in the World (VICE, Sep 23 2019)
For five years, Google has funded Project Zero, a team of hackers with the sole mission of finding bugs in whatever software they wanted to research, be it Google’s or somebody else’s. Are they making the internet safer?

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Malware Linked to Ryuk Targets Financial & Military Data (Dark Reading, Sep 13 2019)
A newly discovered campaign, packing traces of Ryuk ransomware, aims to steal confidential information.

2. Intel: SSH-stealing NetCAT bug not really a problem (Naked Security – Sophos, Sep 13 2019)
There’s another vulnerability in Intel chips, with another catchy name: NetCAT.

3. North Korean Hackers Use New Tricks in Attacks on U.S. (SecurityWeek, Sep 12 2019)
Hackers linked to North Korea have been targeting entities in the United States using evasion techniques that involve an uncommon file format, U.S.-based business compromise intelligence startup Prevailion reported on Wednesday.

---

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share on Twitter Facebook LinkedIn

---

*AI, IoT, & Mobile Security*
4. Simjacker silent phone hack could affect a billion users (Naked Security-Sophos, Sep 16 2019)
The shadowy world of phone-surveillance-for-hire became a little clearer last week following the discovery of a phone exploit called Simjacker.

5. T-Mobile Has a Secret Setting to Protect Your Account From Hackers That It Refuses to Talk About (VICE, Sep 13 2019)
T-Mobile’s little known NOPORT setting can protect your phone number from SIM swapping.

6. How Artificial Intelligence Is Changing Cyber Security Landscape and Preventing Cyber Attacks (Entrepreneur, Sep 14 2019)
The world is going digital at an unprecedentedly fast pace, and the change is only going to go even faster. The digitalization means everything is moving at lightning speed – business, entertainment, trends, new products, etc. The consumer gets what he or she wants instantly because the service provider has the means to deliver it.

*Cloud Security, DevOps, AppSec*
7. MITRE Releases 2019 List of Top 25 Software Weaknesses (Dark Reading, Sep 17 2019)
The list includes the most frequent and critical weaknesses that can lead to serious software vulnerabilities.

8. Leaky database spills data on 20 million Ecuadorians and businesses (Naked Security – Sophos, Sep 18 2019)
Included are deep details on 7 million minors, one grownup named Julian Assange, and perhaps a few million deceased Ecuadorians.

9. The Air Force Will Let Hackers Try to Hijack an Orbiting Satellite (Wired, Sep 17 2019)
At the Defcon hacking conference next year, the Air Force will bring a satellite for fun and glory.

*Identity Mgt & Web Fraud*
10. Banks, Arbitrary Password Restrictions and Why They Don’t Matter (Troy Hunt, Sep 17 2019)
Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don’t matter. Also, allow me to argue with myself for a moment: banks shouldn’t have these restrictions in place anyway.

11. Barclaycard: So Far, So Good for Strong Customer Authentication (Infosecurity Magazine, Sep 18 2019)
Barclaycard has reported no negative impact from introducing Strong Customer Authentication (SCA) last weekend. The new user authentication rules mandated by the European Union’s revised Payment Services Directive (PSD2) were introduced by the UK’s leading acquirer on Saturday, September 14.

12. Millions of Americans’ Medical Images and Data Are Available on the Internet. Anyone Can Take a Peek (ProPublica, Sep 19 2019)
Hundreds of computer servers worldwide that store patient X-rays and MRIs are so insecure that anyone with a web browser or a few lines of computer code can view patient records. One expert warned about it for years.

*CISO View*
13. WannaCry – the worm that just won’t die (Naked Security – Sophos, Sep 18 2019)
WannaCry never went away – it just became less obvious. Remember WannaCry? That’s the infamous self-spreading ransomware attack that stormed the world in May 2017. WannaCry was an unusual strain of ransomware for two main reasons.

14. U.S. sanctions North Korea hacking groups, says attacks funded missile program (SC Magazine, Sep 13 2019)
The U.S. Office of Foreign Assets Control (OFAC) sanctioned North Korea Friday for ransomware attacks on the Swift interbank messaging system and other critical infrastructure targets that generated funding for the nation-state’s weapons and missile programs. The Treasury Department targeted three state-sponsored hacking groups – the Lazarus Group, whose WannaCry attacks wreaked havoc…

15. Advanced hackers are infecting IT providers in hopes of hitting their customers (Ars Technica, Sep 18 2019)
Previously undocumented Tortoiseshell is skilled, but by no means perfect.

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense* 1. Cyber-security incident at US power grid entity linked to unpatched firewalls (ZDNet, Sep 09 2019) Hackers used a DoS flaw to reboot firewalls at an electric power grid operator for hours.

2. Cisco Releases Guides for Analyzing Compromised Devices (SecurityWeek, Sep 03 2019) Cisco has released new guides to help first responders collect forensic evidence from potentially compromised or tampered with IOS, IOS XE, ASA, and Firepower Threat Defense (FTD) devices.

3. Chinese Group Built Advanced Trojan by Reverse Engineering NSA Attack Tool (Dark Reading:, Sep 06 2019) APT3 quietly monitored an NSA attack on its systems and used the information to build a weapon of its own.

---

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share on Twitter Facebook LinkedIn

---

*AI, IoT, & Mobile Security*

4. 120 Million Workers Need To Be Retrained Because Of AI (Forbes, Sep 10 2019) In the next three years, as many as 120 million workers in the world’s 12 largest economies may need to be retrained or reskilled as a result of AI and intelligent automation; only 41% of CEOs surveyed say that they have the people, skills and resources required to execute their business strategies; the time it takes to close a skills gap through training has increased from 3 days on average in 2014 to 36 days in 2018 [IBM]

5. Cybercriminals Impersonate Chief Exec’s Voice with AI Software (Dark Reading, Sep 03 2019) Scammers leveraged artificial intelligence software to mimic the voice of a chief executive and successfully request $243,000.

6. Apple Disputes Google’s Claims of a Devastating iPhone Hack (VICE, Sep 06 2019) Apple says that Google oversold the nature of the hack and that it quickly fixed the vulnerability.

*Cloud Security, DevOps, AppSec*

7. Wikipedia fights off huge DDoS attack (Naked Security – Sophos, Sep 11 2019) Wikipedia has suffered what appears to be the most disruptive Distributed Denial of Service (DDoS) attack in recent memory.

8. Court Rules That ‘Scraping’ Public Website Data Isn’t Hacking (VICE, Sep 11 2019) The Ninth Circuit Court of Appeals shot down LinkedIn’s claim that a company that was using its public facing data was violating the Computer Fraud and Abuse Act.

9. Chrome bumps ineffective EV certificates off the omnibar (Naked Security – Sophos, Sep 10 2019) Ever notice a missing company name next to the URL address bar? Ever change behavior because of it? Likely not, so bye-bye, useless badge.

*Identity Mgt & Web Fraud*

10. DMVs Are Selling Your Data to Private Investigators (VICE, Sep 06 2019) You gave them your data in exchange for a driver’s license. DMVs are making tens of millions of dollars selling it, documents obtained by Motherboard show.

11. Google’s differential privacy library can now be used by anyone (Help Net Security, Sep 06 2019) Google has open-sourced a differential privacy library that helps power some of its core products. What it differential privacy? Differential privacy is a method for analyzing data contained in a database and providing helpful insight from it, without disclosing the actual information contained in the data to the analysts. It’s meant to keep sensitive information usable but thoroughly anonymized.

12. NY Payroll Company Vanishes With $35 Million (Krebs on Security, Sep 11 2019) “MyPayrollHR, a now defunct cloud-based payroll processing firm based in upstate New York, abruptly ceased operations this past week after stiffing employees at thousands of companies. The ongoing debacle, which allegedly involves malfeasance on the part of the payroll company’s CEO, resulted in countless people having money drained from their bank accounts and has left nearly $35 million worth of payroll and tax payments in legal limbo.”

*CISO View*

13. New NSA cyber lead says agency must share more info about digital threats (Washington Post, Sep 05 2019) The NSA is the U.S. government’s premier digital spying agency and it has a well-earned reputation for keeping secrets. But the agency needs to stop keeping so many things confidential and classified if it wants to protect the nation from cyberattacks.

14. #GartnerSEC: Maersk CISO Outlines Lessons Learned From NotPetya Attack (Infosecurity Magazine, Sep 10 2019) We were the collateral victim of a state-sponsored attack and look what it did, so if you are trying to build a company to stop 100% of state-sponsored weapons, forget it. If you adopt a strategy around that, you will fail.

15. On Cybersecurity Insurance (Schneier on Security, Sep 10 2019) Good paper on cybersecurity insurance: both the history and the promise for the future. From the conclusion: Policy makers have long held high hopes for cyber insurance as a tool for improving security. Unfortunately, the available evidence so far should give policymakers pause. Cyber insurance appears to be a weak form of governance at present.