I’m excited to publish the third ReThink Security Newsletter. In the last few weeks there have been several interesting security news events. More and more companies, cities, and individuals are getting hit by massive ransomware attacks that are locking up people’s data unless they’re able to buy bitcoin and pay. The attacks are getting more sophisticated by the day and evolving to adapt to different protections. I’ve addressed the issues in two new articles.
Recent ReThink Articles
Protecting Yourself and Your Enterprise from Ransomware Attacks - Ransomware is a fast-growing attack against users, companies, and even cities. Read this article to see what you can do to protect yourself and your company from these attacks.
Does Dropbox Protect You from Ransomware? - There is some misinformation floating around on the protections that cloud sync providers like Dropbox, Box, iCloud and OneDrive provide you. In this article I dive into the specifics of what you can expect from each of the providers.
Why the Apple Card is a Gorgeous Piece of Garbage - I’ve been using the Apple Card for a few weeks now. I think the account has some great benefits, but the card is a case of form without function.
More Security Headlines
The CEO of Twitter and Square had his Twitter account hacked using SIM card cloning. We’ve known about the possibility of a SIM cloning attack for some time now, as other victims have had massive amounts of money stolen through this attack. This allows the attacker to clone your cell phone to respond to SMS-based 2FA codes or other authentication queries. A good description of that attack is here. If you are the CEO of Twitter and Square, a $3B financial services company, you should take steps to protect against this attack. If you’re an average user you’re probably safe for a bit longer.
The insurance company AIG did some interesting research (PDF) and found that, by reported incident, Business Email Compromise (BEC) actually overtook Ransomware attacks in 2018. Educating your employees and users to use a strong passphrase and MFA is a great mitigation for BEC.
Some researchers tried to prove that our phones aren’t listening to us all the time. They looked at data usage in a quiet and noisy room to see if they could infer anything from the amount of data being transferred. Their tests don’t give me confidence, and it’s not possible to prove a negative, so take the conclusions with a grain of salt.
Google has published some good guidelines on how to do a code review. This goes beyond security code reviews. It’s worth a read and reference for any developer or manager.
Bruce Schneier brought back The Doghouse feature on his blog for a special edition on Crown Sterling. The whole Crown Sterling story has been fun to watch unfold, but it’s gotten big enough to get Schneier to take a stance. "TIME AI" sounds like something that Doctor Who should use, not something to be taken seriously in cryptography.
I’ve said before that ML and Data Science will allow for unprecedented monitoring. Years ago it might have been possible to hide in public view because it was impossible for a human to review all the CCTV or phone call metadata. Now ML is being used to quickly index, query, and analyze any pool of data. Recently that has been focused on all mail being sent through the U.S. Postal Service.
If you have any questions or comments, please don't hesitate to email us at newsletter@rethinksecurity.io
- Joe Basirico and Jason Taylor (J&J)