Thursday, March 28, 2019

Tuesday, March 26, 2019

Someone forgot the importance of API and cryptographic keys - NCSU academics scanned GitHub accounts for a period of nearly six months and found 575,456 API and cryptographic keys, of which 201,642 were unique, all spread over more than 100,000 GitHub projects. "81% of the secrets were not removed," researchers said. "It is likely that the developers for this 81% either do not know the secrets are being committed or are underestimating the risk of compromise."


In one case, we found what we believe to be AWS credentials for a major website relied upon by millions of college applicants in the United States, possibly leaked by a contractor.

They also found AWS credentials for the website of a major government agency in a Western European country. In that case, we were able to verify the validity of the account, and even the specific developer who committed the secrets. This developer claims in their online presence to have nearly 10 years of development experience.

Last, but not least, researchers also found 7,280 RSA keys inside OpenVPN config files. By looking at the other settings found inside these configuration files, researchers said that the vast majority of the users had disabled password authentication and were relying solely on the RSA keys for authentication, meaning anyone who found these keys could have gained access to thousands of private networks.

https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-cryptographic-keys/
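A simple pre-commit style scanner for the kinds of secrets the study counted (AWS access keys, PEM private keys, and OpenVPN configs that rely on a key alone), as an added example written for this post rather than tooling from the NCSU study or ZDNet. The sample repository files are constructed, the AWS values are the placeholders from AWS's own documentation, and the PEM body is made up.

```python
"""Scan files (for instance, those staged for a commit) for secrets of the kinds
the NCSU study counted. Added example, not the study's tooling."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Set

# AWS access key IDs have a fixed prefix and length; PEM private keys (including the
# RSA keys people inline into OpenVPN configs) carry an unmistakable header.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int      # 0 for file-level findings
    kind: str
    secret: str       # matched value; a production hook should redact this in output


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per pattern match, line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(path, line_no, kind, value))
    return findings


def openvpn_key_only_auth(text: str) -> bool:
    """True when an OpenVPN config carries a client key but no auth-user-pass line,
    i.e. the key alone grants access, the pattern the study saw in most configs."""
    has_key = "<key>" in text or re.search(r"^\s*key\s+\S+", text, re.M) is not None
    has_password_auth = re.search(r"^\s*auth-user-pass\b", text, re.M) is not None
    return has_key and not has_password_auth


def scan_files(files: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
        if path.endswith((".ovpn", ".conf")) and openvpn_key_only_auth(text):
            findings.append(Finding(path, 0, "openvpn_key_only_auth", ""))
    return findings


def unique_secrets(findings: List[Finding]) -> Set[str]:
    """The study distinguished total hits from unique secrets; the same key is
    often committed many times."""
    return {f.secret for f in findings if f.secret}


# Constructed sample repository. The AWS values are the placeholders from AWS's own
# documentation, not live credentials; the PEM body is made up.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "scripts/backup.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "deploy/client.ovpn": (
        "client\nremote vpn.example.com 1194\n<key>\n"
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAfakefakefake\n"
        "-----END RSA PRIVATE KEY-----\n</key>\n"
    ),
}


def main() -> int:
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind}")
    print(f"{len(findings)} findings, {len(unique_secrets(findings))} unique secrets")
    return 1 if findings else 0   # non-zero exit blocks the commit in a pre-commit hook


if __name__ == "__main__":
    sys.exit(main())
```

Run it as-is to see the constructed sample flagged (five findings, three unique secrets); wired into a git pre-commit hook, `main()` would read the staged files instead of `SAMPLE_FILES` and its non-zero exit stops the commit before the key ever reaches a remote.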

Fastest hacker in the world

"Supply Chain Attack" - I am afraid we are going to hear this more often. The good news is that it is not prevalent (which could change anytime); the bad news is most of us are totally unprepared for this.

Tuesday, March 19, 2019

It is time to update our employee training messages - Blackmail, primarily sextortion, accounts for 1 in 10 spear-phishing messages. The attacks are likely underreported because of the sensitive nature of the threat.


Gift cards have become a common way for scammers to cash out.

Barracuda Networks found that 83% of targeted phishing attacks, also known as spear-phishing, appear as a message from an administrator at a popular service, asking for the user to log in.

For victims of BEC scams, text messaging presents additional dangers. The attacker now has the target's mobile number, which allows them to potentially punish non-compliant victims with spam.

https://www.darkreading.com/threat-intelligence/stealing-corporate-funds-still-top-goal-of-messaging-attacks/d/d-id/1334194

Monday, March 18, 2019

Security technology or products will NOT help us unless we understand how to IMPLEMENT them securely. Don't take my word for it; here is what the hacker (behind more than 840 million account records appearing for sale on the Dark Web) told ZDNet: he obtained these records just last month, and they all lacked strong encryption for their passwords.

With this latest credential dump, a total of 38 companies have found their users’ account data up for sale on the underground at the hands of Gnosticplayers. The six companies impacted this time are an eclectic bunch, comprising the GameSalad developer platform, a Brazilian Amazon-equivalent called Estante Virtual, project-management apps Coubic and LifeBear, and two Indonesian companies: The Bukalapak e-commerce giant and a student career site, YouthManual.

https://threatpost.com/fourth-credential-spill-dreammarket/142901/

Thursday, March 14, 2019

2FA is a MUST but combining 2FA with Awareness training is the way-to-go - Hackers have been refining their password-stealing schemes to also nab the one-time passcode. So-called "phishing kits" steal a victim's password and two-factor authentication passcode as they type it into deceptive email and login pages, and then quickly break into the affected account within the 30-SECOND time limit.

OR
Use a hardware-based solution like USB security keys (which introduces a different problem: support and maintenance).

https://in.pcmag.com/google-titan-security-key-bundle/129100/google-phishing-attacks-that-can-beat-two-factor-are-on-the
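To see why the 30-second window matters, here is an added example (not from the PCMag article) that implements RFC 6238 TOTP with a server-side check, then contrasts it with a simplified model of a security-key assertion whose signature covers the origin the browser is actually on. The key-assertion part is a sketch with stated assumptions: HMAC with a shared key stands in for the authenticator's private-key signature, and the origins, challenge and timeline in the demo are constructed.

```python
"""Why a relayed one-time code still works but a security-key assertion does not.
Added example, not from the article."""
import hashlib
import hmac
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side for
    clock drift. Nothing here ties the code to who submits it or from where."""
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step), submitted)
        for k in range(-window, window + 1)
    )


def sign_assertion(key: bytes, challenge: bytes, origin: str) -> Dict[str, object]:
    """Simplified model of a security-key assertion (U2F/WebAuthn style): the browser
    supplies the origin it is really connected to, and the signature covers it.
    Assumption: HMAC with a shared key stands in for the authenticator's signature."""
    signed = origin.encode() + b"|" + challenge
    return {"origin": origin, "challenge": challenge,
            "sig": hmac.new(key, signed, hashlib.sha256).digest()}


def verify_assertion(key: bytes, assertion: Dict[str, object],
                     issued_challenge: bytes, rp_origin: str) -> bool:
    """The relying party checks the signature, that the challenge is the one it issued,
    and that the origin the browser signed is its own origin."""
    signed = str(assertion["origin"]).encode() + b"|" + bytes(assertion["challenge"])
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    sig_ok = hmac.compare_digest(expected, bytes(assertion["sig"]))
    return sig_ok and assertion["challenge"] == issued_challenge and assertion["origin"] == rp_origin


def demo() -> Dict[str, bool]:
    seed = b"12345678901234567890"          # RFC 6238 test-vector seed; scenario is constructed
    typed_at = 1_000_000                     # moment the user types the code on a look-alike page
    code = totp(seed, typed_at)
    results = {
        # A relay that submits the captured code 20 s later is still inside the window.
        "totp_relayed_within_30s": verify_totp(seed, code, typed_at + 20),
        # The same code 90 s later is outside every step the server will accept.
        "totp_relayed_after_90s": verify_totp(seed, code, typed_at + 90),
    }
    key, challenge, rp = b"\x01" * 32, b"nonce-from-server", "https://login.example"
    genuine = sign_assertion(key, challenge, rp)
    # On a look-alike site the browser signs that site's origin; the server sees the mismatch.
    lookalike = sign_assertion(key, challenge, "https://login-example.test")
    results["key_genuine_origin"] = verify_assertion(key, genuine, challenge, rp)
    results["key_lookalike_origin"] = verify_assertion(key, lookalike, challenge, rp)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The TOTP server has no way to know who typed the code or on which page, so a code relayed within the time window is indistinguishable from the real login; that is the gap the phishing kits exploit. The security-key check fails on the look-alike origin even though the signature is valid and the challenge is fresh, which is why the hardware option holds up where the one-time code does not.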

Software Supply Chain Attack - Modern software applications, such as websites or mobile phone apps, are built using complex supply chains of third-party libraries or open-source components; a supply chain attack is when one of those components is COMPROMISED.

No wonder #9 in the OWASP Top 10 is "Using Components with Known Vulnerabilities".

In supply chain attacks, attackers leverage trusted third-party vendors to deliver malware to unsuspecting customers by inserting malware into third-party code.

Through the supply chain, threat actors can reach a wide range of organizations, because the same third-party code is used by so many software engineers across all industries.

Furthermore, there is no good way to partition third party libraries or code from your organization’s in-house built code. As a result, it all runs within the same privilege.

https://blog.checkpoint.com/2019/03/13/mobile-supply-chain-attacks-are-more-than-just-an-annoyance/
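Since third-party code runs with the same privilege as in-house code, the practical controls are to pin every component to a version and a hash, refuse anything whose download does not match the lock, and check pinned versions against an advisory feed (the OWASP #9 problem). The example below is added for this post, not Check Point's or OWASP's code; the package names, archive bytes, lockfile, advisory identifiers and the advisory format (first affected version, first fixed version) are all constructed placeholders.

```python
"""Audit a hash-pinned dependency lock against downloaded artifacts and an advisory
list. Added example; package names, archives and advisories are constructed."""
from __future__ import annotations

import hashlib
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# pip's hash-pinned requirement syntax: name==version --hash=sha256:<hex>
PINNED = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9.]+)\s+--hash=sha256:([0-9a-f]{64})\s*$")
UNPINNED = re.compile(r"^([A-Za-z0-9_.-]+)\s*(?:[<>~!]=?|==)?\s*[0-9.*]*\s*$")


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def parse_lockfile(text: str):
    """Return (pinned entries, names that are not pinned to a version and a hash)."""
    pinned: List[Tuple[str, str, str]] = []
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PINNED.match(line)
        if m:
            pinned.append((m.group(1), m.group(2), m.group(3)))
            continue
        u = UNPINNED.match(line)
        unpinned.append(u.group(1) if u else line)
    return pinned, unpinned


def integrity_ok(expected_sha256: str, artifact: bytes) -> bool:
    """Refuse to install anything whose digest differs from the lock; a replaced
    upstream archive fails here before it ever runs with the app's privileges."""
    return hashlib.sha256(artifact).hexdigest() == expected_sha256


def affected(version: Version, lo: Version, hi: Version) -> bool:
    """Advisory ranges are [lo, hi): `hi` is the first fixed version."""
    return lo <= version < hi


def audit(lock_text: str, artifacts: Dict[str, bytes],
          advisories: Dict[str, List[Tuple[str, str, str]]]) -> Dict[str, list]:
    pinned, unpinned = parse_lockfile(lock_text)
    report: Dict[str, list] = {"vulnerable": [], "integrity_failures": [], "unpinned": unpinned}
    for name, version, digest in pinned:
        for lo, hi, adv_id in advisories.get(name, []):
            if affected(parse_version(version), parse_version(lo), parse_version(hi)):
                report["vulnerable"].append((name, version, adv_id))
        artifact = artifacts.get(name)
        if artifact is None or not integrity_ok(digest, artifact):
            report["integrity_failures"].append(name)
    return report


# Constructed fixtures. Digests in the lock are computed from the archive bytes we
# expect; gadgetlib's downloaded bytes are then altered to simulate a swapped archive.
EXPECTED = {"widgetlib": b"widgetlib-1.4.2 archive bytes",
            "gadgetlib": b"gadgetlib-3.0.1 archive bytes"}
LOCKFILE = "\n".join([
    f"widgetlib==1.4.2 --hash=sha256:{hashlib.sha256(EXPECTED['widgetlib']).hexdigest()}",
    f"gadgetlib==3.0.1 --hash=sha256:{hashlib.sha256(EXPECTED['gadgetlib']).hexdigest()}",
    "legacytool>=0.9",   # no pin, no hash: whatever is newest gets installed
])
DOWNLOADED = {"widgetlib": EXPECTED["widgetlib"],
              "gadgetlib": EXPECTED["gadgetlib"] + b" (modified)"}
ADVISORIES = {   # name -> [(first affected, first fixed, placeholder advisory id)]
    "widgetlib": [("1.0.0", "1.5.0", "PLACEHOLDER-ADV-001")],
    "gadgetlib": [("3.0.0", "3.0.1", "PLACEHOLDER-ADV-002")],
}

if __name__ == "__main__":
    for key, items in audit(LOCKFILE, DOWNLOADED, ADVISORIES).items():
        print(f"{key}: {items}")
```

On the constructed fixtures the audit reports widgetlib as vulnerable (1.4.2 is below the first fixed 1.5.0), gadgetlib as an integrity failure (the download no longer matches the lock), and legacytool as unpinned; each of the three is a separate way third-party code ends up running unvetted inside your process.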

Tuesday, March 12, 2019

Monday, March 11, 2019

Looks like Voice Phishing (VISHING) popularity is on the rise - taxpayer voice phishing scams are up nearly 20x. Since January 2018, the FTC says, it has received more than 63,000 reports of this scam. Reported losses total $16.6 million, with a median loss of $1,484.

The FTC asks us all to remember these things:


  • Your Social Security Number is not about to be suspended. Your bank account is not about to be seized.
  • The real SSA will never call to threaten your benefits or tell you to wire money, send cash, or put money on gift cards.
  • You can’t believe the numbers on your caller ID. Scammers can easily fake those. But if you’re worried, call the real SSA at 1-800-772-1213. You can trust that number if you dial it yourself – just not on your caller ID.
  • Never give your SSN, credit card or bank account number to anyone who contacts you. Ever.


https://nakedsecurity.sophos.com/2019/03/11/ftc-says-taxpayer-voice-phishing-scams-are-up-nearly-20x/

Wednesday, March 6, 2019

Docker vulnerability + exposed remote Docker API = Fully compromised host. Researchers found 3,822 Docker hosts with the remote API open to the public, and after attempting to connect to the IPs via port 2735 to list Docker images, a total of 400 IPs were accessible. These could be compromised for the purposes of illicit cryptocurrency mining.

It is possible to interact with Docker via terminals or remote application programming interfaces (APIs). However, if these control mechanisms are exposed, this can lead to the compromise of the container and potentially the applications contained within.

A vulnerability, CVE-2019-5736, was publicly reported in February which can be used to gain host root access from a Docker container, and as Imperva researchers note, "the combination of this new vulnerability and exposed remote Docker API can lead to a fully compromised host."

https://www.zdnet.com/article/exposed-docker-hosts-can-be-used-in-cryptocurrency-mining/
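The exposure half of that combination is a configuration choice: dockerd listening on a plaintext TCP port on every interface. The added example below (not from the Imperva or ZDNet write-ups) audits a daemon.json for that setting and shows the weak configuration beside a corrected one; the daemon.json keys it reads (hosts, tlsverify, tlscacert, tlscert, tlskey) are Docker's own, while the addresses and certificate paths in both configs are constructed. Patching runc for CVE-2019-5736 addresses the other half and is outside what a config audit can check.

```python
"""Audit dockerd's daemon.json for a remote API listener reachable without TLS
client authentication. Added example; the two configs below are constructed."""
import json
from typing import Dict, List

TLS_FILES = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(config: Dict[str, object]) -> List[str]:
    """Return one finding per problem. A unix socket listener is left alone; every
    tcp:// listener must have tlsverify plus the CA, cert and key files configured."""
    findings: List[str] = []
    hosts = config.get("hosts", ["unix:///var/run/docker.sock"])
    for host in hosts:
        host = str(host)
        if not host.startswith("tcp://"):
            continue
        addr, _, port = host[len("tcp://"):].rpartition(":")
        if not config.get("tlsverify"):
            findings.append(f"{host}: TCP API listener without tlsverify; anyone who can reach "
                            f"port {port} controls the daemon (and, via containers, the host)")
        elif not all(config.get(k) for k in TLS_FILES):
            findings.append(f"{host}: tlsverify set but {', '.join(TLS_FILES)} are incomplete")
        if addr.strip("[]") in ("0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces; bind to a management address "
                            "and firewall the port")
    return findings


def audit_daemon_json(text: str) -> List[str]:
    return audit_daemon_config(json.loads(text))


# The exposed configuration: plaintext API on Docker's conventional unencrypted
# port, listening on all interfaces.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})

# Corrected: TLS with mandatory client certificates, bound to one management address.
# Paths and address are constructed placeholders.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{label}: {audit_daemon_json(text) or ['no findings']}")
```

Point `audit_daemon_json` at the contents of /etc/docker/daemon.json on each host; the weak config above yields two findings, the hardened one none. Hosts that pass the daemon flags on the dockerd command line instead of daemon.json need the same check applied to those flags.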

[Risk Assessment Failure] Comcast did not protect its mobile accounts with a unique PIN. It used "0000" for everyone, and the consequence was that someone was able to hijack a customer's phone number, port it to a new account on another network and commit identity fraud. The fraudster loaded Samsung Pay onto the new phone with the victim's credit card, then went to the Apple Store in Atlanta and bought a computer.

To port a phone line from Comcast to another wireless carrier, a customer needs to know his or her Comcast mobile account number. Carriers generally use PINs to verify that a customer seeking to port a number actually owns the number. But Comcast reportedly set the PIN to 0000 for all its customers, and there was apparently no way for customers to change it. That means that an attacker who acquired a victim's Comcast account number could easily port the victim's phone number to another carrier.


https://arstechnica.com/information-technology/2019/03/a-comcast-security-flub-helped-attackers-steal-mobile-phone-numbers/

Tuesday, March 5, 2019

BACKSTORY - A cloud-based, enterprise-level threat analytics platform from Chronicle (a Google company). Sounds interesting, so the most important question is: are you ready to store your security logs on Google Cloud Platform?

Backstory converts log data—such as DNS traffic, NetFlow, endpoint logs, proxy logs—into meaningful, quickly searchable and actionable information to help companies gain insights into digital threats and attacks on their networks, but at scale to offer a more complete picture of the threat landscape.

Backstory also compares data against "threat intelligence" signals collected from a variety of partners and other sources, including the Alphabet-owned VirusTotal, Avast, Proofpoint and Carbon Black.

It also continuously compares any new piece of information against your company's historical activity, to notify you of any historical access to known-bad web domains, malware-infected files, and other threats.

https://thehackernews.com/2019/03/backstory-cybersecurity-software.html