December 7

News/Trends

• Nokia: IoT Botnets Comprise 78% of Malware on Networks

• Govt served Twitter with a FISA order to deploy NIT against us – TheDarkOverlord

• Kids’ VTech tablets vulnerable to eavesdropping hackers

• Unencrypted medical data leads to 12-state litigation

• Facebook staff’s private emails published by fake news inquiry

• Emotet and Trickbot Are the Future of Malware

• Unpatched Vulnerabilities Enable Adobe Flash Zero-Day

Law/Policy

• The DoJ’s Secret Legal Arguments to Break Cryptography

• Bipartisan bill would create grant program promoting cybersecurity education

• Zuckerberg denies Facebook ever ‘sold anyone’s data’

• Security firm releases new tool to fight cyber threats to critical infrastructure

Technical

• Performance Evaluation of Cryptographic Ciphers on IoT Devices

• Revisiting Deniability in Quantum Key Exchange via Covert Communication and Entanglement Distillation

• Differentially Private Data Generative Models

• When Homomorphic Cryptosystem Meets Differential Privacy: Training Machine Learning Classifier with Privacy Protection

Reports, Blogs, Etc.

• Your Personal Data is Already Stolen

• Bad Consumer Security Advice

• A Breach, or Just a Forced Password Reset?

• Security Risks of Chatbots

• Malicious Chrome extension which sloppily spied on academics believed to originate from North Korea

• Smashing Security #107: Sextorting the US army, and a Touch ID scam
• It looked like a Citrix ShareFile phishing attack, but wasn’t

• Adobe Flash Zero-Day Spreads via Office Docs

Advertisements

November 30

News/Trends

• Overall Volume of Thanksgiving Weekend Malware Attacks Lower This Year

• Anti-Botnet Guide Aims to Tackle Automated Threats

• Attackers Run on Dunkin’s DD Perks Rewards
• NSA Exploits Not Silent but Eternally Problematic
• Attackers Keen on Automated Browsers
• Amazon launches patient data-mining service to assist docs
• Microsoft Patch Alert: After months of bad news, November’s patching seems positively serene

• 57m Americans’ details leaked online by another misconfigured server

Law/Policy

• Security firm predicts hackers will increasingly use AI to help evade detection in 2019

• Rosenstein: Social media companies need to self-regulate or government will take action

• Yemen civil war playing out online, researchers say

• DOJ: Two Iranian hackers charged in SamSam ransomware attacks

Technical

• MOBIUS: Model-Oblivious Binarized Neural Networks

• Functional Analysis Attacks on Logic Locking

• (Un)Encrypted Computing and Indistinguishability Obfuscation

• Survey on Misbehavior Detection in Cooperative Intelligent Transportation Systems

Reports, Blogs, Etc.

• That Bloomberg Supply-Chain-Hack Story

• FBI Takes Down a Massive Advertising Fraud Ring

• Distributing Malware By Becoming an Admin on an Open-Source Project

• MITRE Changes the Game in Security Product Testing

• Dell suffers security breach, reset customer passwords (but didn’t tell customers why until now)

• Half of all Phishing Sites Now Have the Padlock

• How to Shop Online Like a Security Pro

November 16

News/Trends

• Most Orgs Enabling BYOD Lack Security Controls

• Prepping a Mock Notification Letter Before a Cybersecurity Breach Hits

• 26M Texts Exposed in Poorly Secured Vovox Database

• Judge asks if Alexa is witness to a double murder

• How to rob an ATM? Let me count the ways…

• Spectre, Meltdown researchers unveil 7 more speculative execution attacks
• Facebook Bug Let Websites Access Private User Data

• Employees’ Poor Security Habits Getting Worse, Survey Find

Law/Policy

• Cybersecurity ‘moonshot’ panel sends recommendations to White House

• State Dept. says defendant in GOP donor’s hacking case has diplomatic immunity

• Congressional panel warns of national security threat from Chinese tech

• Bill cementing cybersecurity agency at DHS heads to Trump’s desk

Technical

• Opening the Doors to Dynamic Camouflaging: Harnessing the Power of Polymorphic Devices

• Phishing in an Academic Community: A Study of User Susceptibility and Behavior

• McEliece Cryptosystem Based On Extended Golay Code

• Achieving Differential Privacy using Methods from Calculus

Reports, Blogs, Etc.

• Some of My Favorite Shell Aliases From Over the Years

• Smashing Security #104: The world’s most evil phishing test, and cyborgs in the workplace

• Apple says nothing as Apple ID accounts mysteriously locked down

• Hidden Cameras in Streetlights

• Chip Cards Fail to Reduce Credit Card Fraud in the US

• More Spectre/Meltdown-Like Attacks

• That Domain You Forgot to Renew? Yeah, it’s Now Stealing Credit Cards

• Bug Bounty Hunter Ran ISP Doxing Service

November 9

News/Trends

• 258,000 encrypted IronChat phone messages cracked by police

• Phishing Attempts Soar to 137 Million in Q3
• IBM’s Watson to Rank Threat Severity for NIST

• Ranting researcher publishes VM-busting zero-day without warning

• Google warning: Fix your dodgy ads within 30 days or get banned

• Stealthy Crypto-Mining Malware Evades Detection

Law/Policy

• NSA official: China violating agreement on cyber economic espionage

• DNC tech chief: No successful hacks seen during midterms

• Dems to ramp up oversight of Trump tech regulators

• North Korean hacker group poses ‘serious threat to the banking sector,’ security firm says

Technical

• Shining Light On Shadow Stacks

• Efficient semiquantum key distribution

• Private Continual Release of Real-Valued Data Streams

• An Efficient Privacy-Preserving Incentive Scheme without TTP in Participatory Sensing Network

Reports, Blogs, Etc.

• U.S. Secret Service Warns ID Thieves are Abusing USPS’s Mail Scanning Service

• Busting SIM Swappers and SIM Swap Myths

• Chinese headmaster fired after setting up his own secret cryptomining rig at school

• Privacy and Security of Data at Universities

• iOS 12.1 Vulnerability

• Consumer Reports Reviews Wireless Home-Security Cameras

• Security of Solid-State-Drive Encryption

November 2

News/Trends

• Where Is the Consumer Outrage about Data Breaches?
• Google Smart Lock on Chrome OS: 2 fast fixes and a power-user tip
• Email a Top Attack Vector, Users Can’t ID a Fake
• Energy, Utilities Attacks Inside IT Networks Rise

• Another day, another update, another iPhone lockscreen bypass

• SamSam Attackers Have Hit 67 Ransomware Targets
• Nowhere to Hide

• Not Every Security Flaw Is Created Equal

Law/Policy

• Hoaxes, hate speech find home on Instagram

• Senate Dem wants to imprison tech execs over repeated privacy violations

• Campaign cybersecurity poses next major challenge for federal election officials

• Dem slams intel chief over classified response on Trump’s Chinese election meddling claims

Technical

• A Mixture Model Based Defense for Data Poisoning Attacks Against Naive Bayes Spam Filters

• Encryption-then-Compression Systems using Grayscale-based Image Encryption for JPEG Images

• Security and Protocol Exploit Analysis of the 5G Specifications

• Securing IoT Apps with Fine-grained Control of Information Flows

Reports, Blogs, Etc.

• The Language and Nature of Fileless Attacks Over Time

• Building Your Own Dedicated IPSEC VPN in Less Than 10 Minutes

• How to Punish Cybercriminals

• Buying Used Voting Machines on eBay

• Was the Triton Malware Attack Russian in Origin?

• Yes, you should update your iPhone to iOS 12.1, but its lock screen is *still* unsafe

• Videos and MS Office documents – ingredients for a malware attack

• YAPBS – Yet Another Password Breach Scam

October 26

News/Trends

• Election Security Is Risky at State and Local Levels
• One-Fifth of US Consumers Never Return to Breached Brands

• 3 Keys to Reducing the Threat of Ransomware

• Apple and Samsung punished for slowing down old smartphones

• Multiple Phishing Campaigns Target Universities

• DeepPhish: Simulating Malicious AI to Act Like an Adversary

• No Place for Security as Cryptocurrency Skills Demand Soars

Law/Policy

• Facebook finds evidence of Iranian disinformation campaign

• Kremlin ‘amused’ by report that Russia listening to Trump’s phone calls

• Security firm finds county election websites lack cybersecurity protections

• Dems question if Google violated FTC privacy settlement

Technical

• An Efficient Encryption Scheme with Verifiable Outsourced Decryption in Mobile Cloud Computing

• Evading classifiers in discrete domains with provable optimality guarantees

• Privacy-preserving classifiers recognize shared mobility behaviours from WiFi network imperfect data

• Playing With Danger: A Taxonomy and Evaluation of Threats to Smart Toys

Reports, Blogs, Etc.

• Smashing Security #101: Rule 34, Twitter scams, and Facebook fails

• The Language and Nature of Fileless Attacks Over Time

• How Do You Fight a $12B Fraud Problem? One Scammer at a Time

• Who Is Agent Tesla?

• Detecting Fake Videos

• Android Ad-Fraud Scheme

• On Disguise

October 19

News/Trends

• Cyber Espionage Campaign Reuses Code from China’s APT1

• Cybersecurity for Small Business: New FTC Resources

• Secret Comment Crew Code Spotted in New Attack

• Experts Question ‘Official’ Drop in Cybercrime

• Serious D-Link router security flaws may never be patched

• The libssh “login with no password” bug – what you need to know [VIDEO]

• Apple privacy portal lets you see everything it knows about you

• New Security Woes for Popular IoT Protocols

Law/Policy

• States seek to reassure voters’ cyber concerns ahead of critical midterms test

• Hackers linked to Russia infect three companies in Ukraine, Poland: cybersecurity firm

• DHS cyber head pushes back on report of increased attacks on election infrastructure

• Most government domains adopt program to prevent sending of fake emails

Technical

• Differentially Private Double Spectrum Auction with Approximate Social Welfare Maximization

• Channel-Envelope Differencing Eliminates Secret Key Correlation: LoRa-Based Key Generation in Low Power Wide Area Networks

• Private Machine Learning in TensorFlow using Secure Computation

• Fourier domain asymmetric cryptosystem for privacy protected multimodal biometric security

Reports, Blogs, Etc.

• West Virginia Using Internet Voting

• Government Perspective on Supply Chain Security

• Supply Chain Security 101: An Expert’s View

• Security in a World of Physically Capable Computers

• Preparing to Release the OWASP IoT Top 10 2018

• The Language and Nature of Fileless Attacks Over Time

• Pentagon data breach puts personal details of 30,000 staff at risk

• Fake Adobe update really *does* update Flash (while also installing cryptominer)