Weekly Summary

15 Bullet Friday – The Best Security News of the Week – 2019.12.06

2019-12-06 by Lucas Samaras

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. SQL Injection Errors No Longer the Top Software Security Issue (Dark Reading, Nov 27 2019)
In newly updated Common Weakness Enumeration (CWE), SQL injection now ranks sixth.
[1] CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
[2] CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
[3] CWE-20 Improper Input Validation
[4] CWE-200 Information Exposure
[5] CWE-125 Out-of-bounds Read
[6] CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

2. Exploit kits are slowly migrating toward fileless attacks (ZDNet, Nov 27 2019)
Three out of the nine exploit kits active today are using fileless attacks to infect victims.

3. A decade of hacking: The most notable cyber-security events of the 2010s (ZDNet, Dec 02 2019)
ZDNet takes a look over the most important data breaches, cyber-attacks, and malware strains of the last decade.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share on Twitter Facebook LinkedIn

*AI, IoT, & Mobile Security*
4. World-first mobile phone detection cameras rolled out in Australia (the Guardian, Dec 03 2019)
New South Wales hopes to cut fatalities on the state’s roads by a third with devices that operate day and night in all weather

5. Millions of SMS messages exposed in database security lapse (TechCrunch, Dec 02 2019)
The database is run by TrueDialog, a business SMS provider for businesses and higher education providers, which lets companies, colleges, and universities send bulk text messages to their customers and students. The Austin, Texas-based company says one of the advantages to its service is that recipients can also text back, allowing them to have two-way conversations with brands or businesses.

6. Crooks are exploiting unpatched Android flaw to drain users’ bank accounts (Help Net Security, Dec 03 2019)
Hackers are actively exploiting StrandHogg, a newly revealed Android vulnerability, to steal users’ mobile banking credentials and empty their accounts, a Norwegian app security company has warned. “Promon identified the StrandHogg vulnerability after it was informed by an Eastern European security company for the financial sector (to which Promon supplies app security support) that several banks in the Czech Republic had reported money disappearing from customer accounts.

*Cloud Security, DevOps, AppSec*
7. HackerOne breach lets outsider read customers’ bug reports (Ars Technica, Dec 04 2019)
Company security analyst sent session cookie allowing account take-over.

8. The Next Evolution in AWS Single Sign-On (AWS News Blog, Nov 27 2019)
“Today we announced the next evolution of AWS Single Sign-On, enabling enterprises that use Azure AD to leverage their existing identity store with AWS Single Sign-On. Additionally, automatic synchronization of user identities, and groups, from Azure AD is also supported. Users can now sign into the multiple accounts and applications that make up their AWS environments using their existing Azure AD identity – no need to remember additional usernames and passwords – and they will use the sign-in experience they are familiar with.”

9. Understanding and Selecting RASP 2019: New Paper (Securosis Blog, Nov 19 2019)
“2019 updated research paper from our recent series, Understanding and Selecting RASP (Runtime Application Self-Protection). RASP was part of the discussion on application security in just about every one of the hundreds of calls we have taken, and it’s clear that there is a lot of interest – and confusion – on the subject, so it was time to publish a new take on this category.”

*Identity Mgt & Web Fraud*
10. China introduces mandatory face scans for phone users (Yahoo News , Dec 01 2019)
China will require telecom operators to collect face scans when registering new phone users at offline outlets starting Sunday, according to the country’s information technology authority, as Beijing continues to tighten cyberspace controls.

11. Pressure mounts for federal privacy law with second bill (Naked Security – Sophos, Nov 29 2019)
Pressure is gathering for a federal privacy law in the US with the introduction of a second bill that would protect consumer data.

12. Twitter Promises Increased Transparency With New Privacy Center (SecurityWeek, Dec 03 2019)
Twitter this week announced the launch of a privacy center whose goal is to provide increased transparency on how the social platform handles user information.

*CISO View*
13. U.S. Targets Russian ‘Evil Corp’ Hacker Group With Sanctions, Indictments (WSJ, Dec 06 2019)
The Trump administration placed a $5 million bounty on the leader of a Russian hacker group called Evil Corp for his alleged work for Moscow’s intelligence agency, part of what U.S. officials say is a broader reprisal for a Kremlin-directed cyber offensive against the U.S.

14. The fall and rise of a spyware empire (MIT Technology Review, Dec 02 2019)
Human rights abuse and a decimated reputation killed Hacking Team. The new owners want to rebuild.

15. 2020 U.S. census plagued by hacking threats, cost overruns (Reuters, Dec 05 2019)
The Pega-built website was hacked from IP addresses in Russia during 2018 testing of census systems, according to two security sources with direct knowledge of the incident. One of the sources said an intruder bypassed a “firewall” and accessed parts of the system that should have been restricted to census developers.

15 Bullet Friday – The Best Security News of the Week – 2019.11.29

2019-11-29 by Lucas Samaras

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. French Hotel Giant Leaks 1TB+ of Client Data (Infosecurity Magazine, Nov 22 2019)
Unsecured Elasticsearch database once again to blame

2. Web Skimmers Use Phishing Tactics to Steal Data (Infosecurity Magazine, Nov 25 2019)
“This skimmer is interesting because it looks like a phishing page copied from an official template for CommWeb, a payments acceptance service offered by Australia’s Commonwealth Bank,” he explained. “The attackers have crafted it specifically for an Australian store running the PrestaShop Content Management System (CMS), exploiting the fact that it accepts payments via the Commonwealth Bank.” The fake payments page even alerts users if any fields they fill in are invalid.

3. Cloudflare Open-Sources Network Vulnerability Scanner (SecurityWeek, Nov 22 2019)
Security and web performance services provider Cloudflare this week announced the open source availability of Flan Scan, its lightweight network vulnerability scanner.

Share on Twitter Facebook LinkedIn

*AI, IoT, & Mobile Security*
4. Google Offering Up to $1.5 Million for Pixel Titan M Exploits (SecurityWeek, Nov 21 2019)
Google on Thursday announced that it’s expanding its Android bug bounty program, and certain types of exploits can now earn researchers up to $1.5 million

5. Data breach compromises T-Mobile prepaid accounts (SC Magazine, Nov 22 2019)
Wireless communications company T-Mobile has disclosed a data breach incident that impacts certain customers with pre-paid service accounts. “Our cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account.

6. The U.S. is racking up tactical victories in Huawei fight (Washington Post, Nov 25 2019)
Only a handful of nations, meanwhile, have followed the U.S. push for a full Huawei ban including Australia, New Zealand and Japan. Britain previously decided to limit Hauwei contracts to the periphery of its 5G networks rather than core systems, but U.S. officials have argued that still gives the company far too much access.

*Cloud Security, DevOps, AppSec*
7. How to get started with security response automation on AWS (AWS Security Blog, Nov 26 2019)
Security response automation is a planned and programmed action taken to achieve a desired state for an application or resource based on a condition or event. When you implement security response automation, you should adopt an approach that draws from existing security frameworks. Frameworks are published materials which consist of standards, guidelines, and best practices in order help organizations manage cybersecurity-related risk. Using frameworks helps you achieve consistency and scalability and enables you to focus more on the strategic aspects of your security program.

8. The Likely Reason Disney\+ Accounts Are Getting ‘Hacked’ (Wired, Nov 20 2019)
Credential stuffing, where names and passwords leaked in previous breaches are reused, strikes again.

9. Developers worry about security, still half of teams lack an expert (Help Net Security, Nov 25 2019)
While nearly 75% of developers worry about the security of their applications and 85% rank security as very important in the coding and development process, nearly half of their teams lack a dedicated cybersecurity expert, according to WhiteHat Security.

*Identity Mgt & Web Fraud*
10. The CA DMV Is Making $50M a Year Selling Drivers’ Personal Info (Vice, Nov 25 2019)
A document obtained by Motherboard shows how DMVs sell people’s names, addresses, and other personal information to generate revenue.

11. NYPD fingerprint database touched by ransomware (SC Magazine, Nov 25 2019)
The New York City Police Department’s fingerprint database was hit with ransomware in October 2018, a local newspaper learned. The attack was brought in by a third-party vendor who was installing video equipment at the NYPD’s police academy when it connected its infected computer to the police network, according to the New York Post.

12. Healthcare Execs Charged in $1Bn Fraud Scheme (Infosecurity Magazine, Nov 27 2019)
According to the Department of Justice, the group sold pharmaceuticals clients ad inventory that they didn’t have, and under-delivered on ad campaigns, before falsifying performance data and patient engagement metrics.

*CISO View*
13. Google Shares Data on State-Sponsored Hacking Attempts (SecurityWeek, Nov 27 2019)
Google’s Threat Analysis Group (TAG) this week shared some data on government-backed hacking and disinformation attempts targteting its customers

14. Champagne, shotguns, and surveillance at spyware’s grand bazaar (MIT Technology Review, Nov 26 2019)
The world’s leading surveillance and spyware companies gathered in Paris to meet growing demand from governments around the world.

15. Five Years Later, Who Really Hacked Sony? (The Hollywood Reporter, Nov 27 2019)
The massive cyberattack just before Thanksgiving 2014 crippled a studio, embarrassed executives and reshaped Hollywood. The FBI blamed a North Korea scheme to retaliate for the comedy ‘The Interview,’ but many whose lives were upended have doubts. Says Seth Rogen: “The fact that [co-director Evan Goldberg and I] were never really specifically targeted always raised suspicions in my head.”

15 Bullet Friday – The Best Security News of the Week – 2019.11.22

2019-11-22 by Lucas Samaras

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Attack tools and techniques used by major ransomware families (Help Net Security, Nov 15 2019)
Ransomware is typically distributed in one of three ways: as a cryptoworm, which replicates itself rapidly to other computers for maximum impact (for example, WannaCry); as ransomware-as-a-service (RaaS), sold on the dark web as a distribution kit (for example, Sodinokibi); or by means of an automated active adversary attack, where attackers manually deploy the ransomware following an automated scan of networks for systems with weak protection.

2. Over 100,000 Fake Domains With Valid TLS Certificates Target Major Retailers (SecurityWeek, Nov 15 2019)
Venafi, a company that helps organizations secure cryptographic keys and digital certificates, says it has uncovered over 100,000 typosquatted domains with valid TLS certificates that appear to target major retailers.

3. Security of North American Energy Grid Tested in GridEx Exercise (SecurityWeek, Nov 18 2019)
A major exercise whose goal was to test the cyber and physical security of North America’s grid has enabled the energy industry and governments to review and improve incident response plans and collaboration.

Share on Twitter Facebook LinkedIn

*AI, IoT, & Mobile Security*
4. Facebook Discloses WhatsApp MP4 Video Vulnerability (Dark Reading, Nov 18 2019)
A stack-based buffer overflow bug can be exploited by sending a specially crafted video file to a WhatsApp user.

5. 146 New Vulnerabilities All Come Preinstalled on Android Phones (Wired, Nov 15 2019)
The dozens of flaws across 29 Android smartphone makers show just how insecure the devices can be, even brand-new.

6. NSA won’t collect phone location data, promises US government (Naked Security – Sophos, Nov 18 2019)
US intelligence agencies won’t harvest US residents’ geolocation data in future investigations, revealed the US government this month.

*Cloud Security, DevOps, AppSec*
7. GitHub Security Lab to make open source more secure (Help Net Security, Nov 15 2019)
When a researchers identifies a vulnerability in an open source project and shares the discovery with the GitHub Security Lab team, the team reports it to the publicly-listed security contact for the project or the project maintainers.

8. Official Monero website is hacked to deliver currency-stealing malware (Ars Technica, Nov 19 2019)
GetMonero.com delivers Linux and Windows binaries that steal users’ funds.

9. Macy’s online store compromised in Magecart-style attack (Help Net Security, Nov 19 2019)
The webshop of noted U.S. department store company Macy’s has been compromised and equipped with an information-stealing JavaScript, which ended up collecting users’ personal and payment card information for a week.

*Identity Mgt & Web Fraud*
10. When Bank Communication is Indistinguishable from Phishing (Troy Hunt, Nov 19 2019)
There’s a supremely simple way of banks handling this situation and it was demonstrated by AMEX shortly after the St George incident when they called to verify an unusual credit card transaction. We did the “we want to verify you”, “no I want to verify you” dance after which they simply said, “turn over your card and call us on the number on the back”. How easy is that?!

11. Out of Season IRS Phishing Campaigns (Akamai, Nov 21 2019)
According to Akamai’s research, this campaign used at least 289 different domains and 832 URLs over 47 days. The same fake IRS login page was used in each instance. Moreover, according to Akamai’s visibility into global network traffic, the campaign targeted over 100,000 victims worldwide.

12. Most Americans feel powerless to prevent data collection, online tracking (Help Net Security, Nov 18 2019)
Most U.S. adults say that the potential risks they face because of data collection by companies (81%) and the government (66%) outweigh the benefits, but most (>80%) feel that they have little or no control over how these entities use their personal information, a recent Pew Research Center study on USA digital privacy attitudes has revealed.

*CISO View*
13. U.S. manufacturing group hacked by China as trade talks intensified (Reuters, Nov 22 2019)
As trade talks between Washington and Beijing intensified earlier this year, suspected Chinese hackers broke into an industry group for U.S. manufacturers that has helped shape President Donald Trump’s trade policies, according to two people familiar with the matter.

14. How Iran’s Government Shut Off the Internet (Wired, Nov 17 2019)
After years of centralizing internet control, Iran pulled the plug on connectivity for nearly all of its citizens.

15. Twitter finally upgrades its 2FA security feature. Mobile number no longer required! (Graham Cluley, Nov 22 2019)
Hundreds of millions of Twitter users now have an improved way to better safeguard their accounts from being compromised.

15 Bullet Friday – The Best Security News of the Week – 2019.11.15

2019-11-15 by Lucas Samaras

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. BlueKeep exploitation activity seen in the wild (Kevin Beaumont, Nov 11 2019)
Back in May 2019, Microsoft released at patch for CVE-2019–0708, a Remote Desktop vulnerability I nicknamed BlueKeep — as exploitation…

2. Mac users warned that disabling all Office macros doesn’t actually disable all Office macros (Graham Cluley, Nov 07 2019)
Astonishingly, consumers and companies who believe they have protected their computers by configuring MS Office to “Disable all macros without notification” are actually opening themselves up to the possibility of being silently infected.

3. Inside the Microsoft team tracking the world’s most dangerous hackers (MIT Technology Review, Nov 11 2019)
From Russian Olympic cyberattacks to billion-dollar North Korean malware, how one tech giant monitors nation-sponsored hackers everywhere on earth.

Share on Twitter Facebook LinkedIn

*AI, IoT, & Mobile Security*
4. Google creates App Defense Alliance to fight bad apps (Google, Nov 11 2019)
Announcing a partnership between Google, ESET, Lookout, and Zimperium. It’s called the App Defense Alliance and together, we’re working to stop bad apps before they reach users’ devices.

5. Evaluating the Digital Standard (New America, Nov 11 2019)
In 2018, New America’s Open Technology Institute (OTI) launched a project to educate people about the Digital Standard,⁠ a new framework for evaluating the privacy and security of internet-connected consumer products and software. The Standard was developed by a group of organizations including Ranking Digital Rights, in collaboration with Consumer Reports.

6. Facebook is secretly using your iPhone’s camera as you scroll your feed (The Next Web, Nov 12 2019)
The issue has come to light after a user going by the name Joshua Maddux took to Twitter to report the unusual behavior, which occurs in the Facebook app for iOS. In footage he shared, you can see his camera actively working in the background as he scrolls through his feed.

*Cloud Security, DevOps, AppSec*
7. Boris Johnson deepfake endorses Jeremy Corbyn for PM (Business Insider, Nov 12 2019)
Boris Johnson appeared to endorse Jeremy Corbyn for prime minister in a convincing deepfake video Business Insider

8. Bugcrowd breaks its weekly bounty payout record (SC Magazine, Nov 08 2019)
For the first time in Bugcrowd’s seven-year history it paid out more than $500,000 in bounty fees to its white hats in a one-week period. For all of October more than 550 white-hat hacker working with Bugcrowd earned $1.6 million with the top recipient taking home $40,000.

9. New Azure Security Center and Azure platform security capabilities (Microsoft Azure Blog, Nov 06 2019)
“At Microsoft Ignite we’re sharing the many new capabilities our teams have built to improve security with Azure Security Center and the Azure Platform. We have a long list of new innovations, and this blog provides our general direction and summarizes some of our favorite new features.”

*Identity Mgt & Web Fraud*
10. Court Rules Govt Can’t Search Your Phone at the Airport for No Reason (VICE, Nov 12 2019)
The ruling is a significant win for privacy rights of Americans and tourists traveling to the United States.

11. Google’s ‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans (WSJ, Nov 14 2019)
Google is teaming with one of the country’s largest health-care systems on an ambitious project named “Project Nightingale” to collect and crunch detailed health information of millions of Americans across 21 states.

12. Your DNA Profile is Private? A Florida Judge Just Said Otherwise (The New York Times, Nov 14 2019)
Privacy experts say a warrant granted in Florida could set a precedent, opening up all consumer DNA sites to law enforcement agencies across the country.

*CISO View*
13. Cybersecurity expert Alex Stamos on what scares him most about the upcoming U.S. presidential election (TechCrunch, Nov 14 2019)
In fact, in nearly every conceivable way, “responsibilities that were once clearly public sector responsibilities are now private sector responsibilities,” he told Frenkel during a later part of their discussion. He would know, having seen it first-hand.

“When I was the chief security officer at Facebook,” he told the audience, “I had a child safety team. We probably put more bad guys away than almost any law enforcement agency outside of the FBI or [Homeland Security Investigations unit] in the child safety realm. Like, there’s no local police department in the United States that put away more child predators than the Facebook child safety team. That is a crazy stat.

14. We Need a Global Standard for Reporting Cyber Attacks (Harvard Business Review, Nov 11 2019)
Regulators should be collecting a standardized data set, so we can measure the threat.

15. Breach affecting 1 million was caught only after hacker maxed out target’s storage (Ars Technica, Nov 13 2019)
Hacker’s data archive file grew so big that the target’s hard drive ran out of space.

15 Bullet Friday – The Best Security News of the Week – 2019.11.08

2019-11-08 by Lucas Samaras

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. As Phishing Kits Evolve, Their Lifespans Shorten (Dark Reading, Oct 30 2019)
Most phishing kits last less than 20 days, a sign defenders are keeping up in the race against cybercrime.

2. The First BlueKeep Mass Hacking Is Finally Here—but Don’t Panic (Wired, Nov 02 2019)
After months of warnings, the first successful attack using Microsoft’s BlueKeep vulnerability has arrived—but isn’t nearly as bad as it could have been.

3. US grounds Chinese-made drones as part of security review (Naked Security – Sophos, Nov 04 2019)
The exception: drones being used in emergencies, such as fighting wildfires, search and rescue, and dealing with natural disasters.

Share on Twitter Facebook LinkedIn

*AI, IoT, & Mobile Security*
4. Pentagon publishes AI guidelines (Naked Security – Sophos, Nov 04 2019)
Called AI Principles: Recommendations on the Ethical Use of Artificial Intelligence by the Department of Defense, the missive is an attempt to lay out ground rules for the use of AI early on, giving the military a framework on which to build its AI systems. Frameworks like these are important for the safe rollout of new technologies, it points out, citing civil engineering and nuclear-powered vessels as examples.

5. Hackers Can Use Lasers to ‘Speak’ to Your Amazon Echo or Google Home (Wired, Nov 04 2019)
By sending laser-powered “light commands” to a smart assistant, researchers could force it to unlock cars, open garage doors, and more.

6. MESSAGETAP: Who’s Reading Your Text Messages? (Fire Eye, Oct 31 2019)
Named MESSAGETAP, the tool was deployed by APT41 in a telecommunications network provider in support of Chinese espionage efforts. APT41’s operations have included state-sponsored cyber espionage missions as well as financially-motivated intrusions.

*Cloud Security, DevOps, AppSec*
7. Google Launches OpenTitan Project to Open Source Chip Security (Dark Reading, Nov 05 2019)
OpenTitan is an open source collaboration among Google and technology companies to strengthen root-of-trust chip design.

8. Microsoft Unveils New Security Tools for Azure (SecurityWeek, Nov 04 2019)
…at its Ignite 2019 conference, Microsoft announced a series of tools to expand the security capabilities of its Azure and Microsoft 365 platforms.

9. AWS re:Invent 2019 security guide: sessions, workshops, and chalk talks (AWS Security Blog, Nov 01 2019)
With re:Invent 2019 just weeks away, the excitement is building and we’re looking forward to seeing you all soon! If you’re attending re:Invent with the goal of improving your organization’s cloud security operations, here are some highlights from the re:Invent 2019 session catalog. Reserved seating is now open, so get your seats in advance for your favorite sessions.

*Identity Mgt & Web Fraud*
10. California DMV Leak Spills Data from Thousands of Drivers (Dark Reading, Nov 06 2019)
Federal agencies reportedly had improper access to Social Security data belonging to 3,200 license holders.

11. Accounting Scams Continue to Bilk Businesses (Dark Reading, Nov 06 2019)
Yes, ransomware is plaguing businesses and government organizations, but impersonators inserting themselves into financial workflows – most often via e-mail – continue to enable big paydays.

12. Details of an Airbnb Fraud (Schneier on Security, Nov 06 2019)
“This is a fascinating article about a bait-and-switch Airbnb fraud. The article focuses on one particular group of scammers and how they operate, using the fact that Airbnb as a company doesn’t do much to combat fraud on its platform. But I am more interested in how the fraudsters essentially hacked the complex sociotechnical system that is Airbnb. The whole article is worth reading.”

*CISO View*
13. A Military Camera Said ‘Made in U.S.A.’ The Screen Was in Chinese. (The New York Times, Nov 07 2019)
The surveillance equipment was actually manufactured in China, raising concerns that Beijing could have used it for spying, prosecutors said.

14. Tipped off by an NSA breach, researchers discover new APT hacking group (Ars Technica, Nov 05 2019)
With a tip that came from one of the biggest breaches in US National Security Agency history, researchers have discovered a new hacking group that infected targets with a previously unknown piece of advanced malware. Dubbed DarkUniverse, the group is probably tied to ItaDuke, a group that has actively targeted Uyghur and Tibetans since 2013.

15. A Cybersecurity Firm’s Sharp Rise and Stunning Collapse (The New Yorker, Nov 05 2019)
Tiversa dominated an emerging online market—before it was accused of fraud, extortion, and manipulating the federal government.