Cybersecurity News of the Week, December 20, 2020

SecureTheVillage Calendar

Dr. Steve Krantz Webinar: Personal Cybersecurity January 12, 2021 @ 1:00 pm – 3:00 pm PST

Caltech/Fullstack Cyber Bootcamp Virtual/Online Hiring Day. January 12, 2021 @ 2:00 pm – 4:30 pm PST

Dr. Steve Krantz Webinar: Become A CyberGuardian January 14, 2021 @ 12:30 pm – 2:00 pm PST

Information Security Management Webinar: Ask the Lawyer: Updates on the Evolving Security and Privacy Legal Landscape with Jordan Fischer. January 14, 2021 @ 10:00 am – 11:00 am PST

Financial Services Cybersecurity Roundtable: Protecting Yourself and Your Business Against the Latest Cyber Threats with Mark Rhodes-Ousley. January 22, 2021 @ 8:30 am – 10:00 am PST

Digital Directors Network: Global Case Studies In Innovation Governance: An Australian And US Perspective January 27, 2021 @ 4:00 pm – 5:15 pm PST

Individuals at Risk

Cyber Privacy

Americans Don’t Trust the US Government — Especially with Their Data: In the digital age, personal data is one of the most valuable commodities — it wields the potential to sway elections and affect the economy. Being a lucrative asset, big tech companies like Facebook make huge profits from gathering and selling the information we share online, from names to physical locations to web searches. CPO, December 17, 2020

Medical Data Leaks Have Exposed 45 Million Records; Encryption, Basic Connection Security Measures Are Sorely Lacking: Medical data leaks are among the fastest-growing segments of cyber crime, and for good reason. Health care systems contain great quantities of sensitive and valuable personal information, but also tend to operate on outdated systems that have inadequate security elements. CPO, December 16, 2020

Cyber Warning

Here’s How Shopping Scams On Facebook Are Ripping Off Thousands of Customers, With The Money Flowing Overseas: The sea glass Christmas trees appeared on Richard Edmonson’s Facebook feed in October, in between a relative’s photo and a friend’s meme. Their boughs were varying shades of translucent blue and turquoise; a starfish sat on top. Edmonson, who lives in Edinburg, Tex., didn’t click on the post, but it reappeared the next day, and then the day after that. “The more I saw it, the more it looked legit. I thought it would be a perfect Christmas gift for my sister,” he says. He ordered two for $40. Time, December 18, 2020

How to Not Fall for a Charity Scam This Holiday Season: This holiday season, many people will turn to charities to give back. The last thing they want to do is give money to scammers instead of a cause they truly support. According to the FBI’s website, charity fraud rises during the holidays, when people choose to make end-of-year tax deductible gifts. SecurityIntelligence, December 18, 2020

Fishy French COVID contact tracing app is a data thief pest: An unknown threat actor attempts to scam people with a credential-stealing malware app. Sophos, December 18, 2020

Cyber Holidays

UK spy agency challenges ‘wise men and women’ to solve Christmas card puzzle: Try your luck at solving the GCHQ Christmas card puzzle. CNN, December 18, 2020

Cyber Humor

Information Security Management for the Organization

Cybersecurity in the C-Suite & Board

Beazley Breach Insight: Ransomware severity and costs increase in 2020: New York, Dec. 16, 2020 (GLOBE NEWSWIRE) — Specialist insurer Beazley has reported that ransomware attacks increased in terms of both severity and costs this year compared to 2019 and have become the biggest cyber threat facing organizations. GlobeNewswire, December 16, 2020

Information Security Management

CISO playbook: 3 steps to breaking in a new boss: As CISOs know all too well, change is inevitable—and that includes organizational regime change. Here, security leaders share their best advice for starting new C-suite relationships off on the right foot. CSO, December 17, 2020

A first-hand account of ransomware: To pay or not to pay: Digital transformation has led to the deployment of a greater number of innovations and applications that generate more and more data. While the world’s collective knowledge and advancement depends on the ongoing aggregation, analysis and distribution of vast amounts of data, the preservation of these digital assets, especially during the pandemic, is at risk from cyberattacks. SecurityMagazine, December 17, 2020

5 common decision-making biases in cybersecurity: Biases in decision-making can contribute to adverse cybersecurity outcomes. Find out why being empathetic and giving others the benefit of the doubt are key when addressing these biases. TechRepublic, December 17, 2020

The Best Cybersecurity Predictions For 2021 Roundup: PwC’s latest survey finds that 96% of executives have shifted their cybersecurity strategy due to Covid-19 and 40% of executives say they are accelerating digitization. Forbes, December 15, 2020

Cyber Talent

Top 10 in-demand cybersecurity skills for 2021: The list of needed security skills is long and growing. Here’s what experts say is driving the demand. CSO, December 15, 2020

Cyber Culture

CISOs should be ready to confront the psychology of cybersecurity in 2021: While most organizations are happy to put the pandemic-dominated 2020 behind them, 2021 will bring more of the same security challenges. SCMedia, December 16, 2020

Cybersecurity in Society

Cyber Crime

DoppelPaymer Ransomware Attack Disrupts Foxconn’s Operations in the Americas, Hackers Delete Terabytes of Data, Demand $34 Million: The world’s leading electronics manufacturing company Foxconn suffered a ransomware attack that encrypted more than a thousand servers and exfiltrated more than 100 GB of data. The attack involving the DoppelPaymer ransomware occurred at a Mexican facility on the Thanksgiving weekend. CPO, December 17, 2020

Cyber Privacy

U.S. Schools Are Buying Phone-Hacking Tech That the FBI Uses to Investigate Terrorists: In May 2016, a student enrolled in a high school in Shelbyville, Texas, consented to having his phone searched by one of the district’s school resource officers. Looking for evidence of a romantic relationship between the student and a teacher, the officer plugged the phone into a Cellebrite UFED to recover deleted messages from the phone. According to the arrest affidavit, investigators discovered the student and teacher frequently messaged each other, “I love you.” Two days later, the teacher was booked into the county jail for sexual assault of a child. Gizmodo, December 11, 2020

Cyber Fine

Human Capital: Ex-Pinterest employees who alleged discrimination say ‘no progress has been made’: This was quite the week for Pinterest and not in a good way. While the company settled the gender discrimination lawsuit brought forth by its former COO, the hefty $22.5 million settlement highlighted some of the tech industry’s inequities. TechCrunch, December 19, 2020

Cyber Law

IoT Cybersecurity Improvement Act Signed Into Law: New Security Requirements for Federal Government Devices: The IoT Cybersecurity Improvement Act of 2020 is now federal law, meaning that US government “smart devices” will be subject to a new and more stringent set of security standards. CPO, December 18, 2020

National Cybersecurity – SolarWinds

Trump downplays impact of hack, questions whether Russia involved: President Trump on Saturday downplayed the impact of a sprawling hack on a litany of government agencies while questioning officials’ conclusion that Russia was behind the attack. The Hill, December 19, 2020

Lawmakers ask whether massive hack amounted to act of war: Lawmakers are raising questions about whether the attack on the federal government widely attributed to Russia constitutes an act of war. The Hill, December 18, 2020

How U.S. agencies’ trust in untested software opened the door to hackers: The government doesn’t do much to verify the security of software from private contractors. And that’s how suspected Russian hackers got in. Politico, December 19, 2020

NSA warns of federated login abuse for local-to-cloud attacks: The US National Security Agency describes two techniques abused in recent attacks for escalating attacks from local networks to cloud infrastructure. ZDNet, December 18, 2020
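The NSA advisory behind the ZDNet item describes, among other things, SAML tokens forged with a stolen on-premises token-signing key and presented directly to the cloud service, and recommends comparing tokens seen in the cloud against the on-premises federation server's own issuance records. The following is an added example of that correlation check, written for this page and not taken from the advisory, ZDNet, or any vendor tool. Everything in it is constructed: the assertion XML, the log lines, the certificate bytes, the issuer URL, the mapping of AD FS Event ID 1200 to "token issued", and the one-hour lifetime policy are all assumptions. It also checks only the embedded certificate's fingerprint and does not verify the XML signature itself.

```python
"""Correlate SAML assertions seen at a cloud service with on-premises AD FS issuance logs.

Added example; not code from the NSA advisory, ZDNet, or any product.
A token forged with a stolen token-signing key carries the *legitimate*
certificate, so a fingerprint check alone cannot catch it. What gives it
away is an unusual lifetime and the absence of a matching on-premises
issuance event, which is what the checks below look for.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

EXPECTED_ISSUER = "http://adfs.example.test/adfs/services/trust"  # assumed
MAX_TOKEN_LIFETIME = timedelta(hours=1)                           # assumed IdP policy

# Constructed stand-ins for DER certificates; not real certificates.
GOOD_CERT_DER = b"constructed-legitimate-token-signing-cert"
ROGUE_CERT_DER = b"constructed-attacker-controlled-cert"
EXPECTED_CERT_FP = hashlib.sha256(GOOD_CERT_DER).hexdigest()  # pinned fingerprint


def _ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _iso(d):
    return d.strftime("%Y-%m-%dT%H:%M:%SZ")


def make_assertion(subject, not_before, not_on_or_after, cert_der):
    """Build a minimal constructed SAML 2.0 assertion (no real ds:SignatureValue)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" ID="_a" Version="2.0">'
        f"<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>"
        f"<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}"
        f"</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{_iso(not_before)}" NotOnOrAfter="{_iso(not_on_or_after)}"/>'
        f"</saml:Assertion>"
    )


def parse_assertion(xml_text):
    """Extract issuer, subject, validity window and signing-cert fingerprint."""
    a = ET.fromstring(xml_text)
    cond = a.find("saml:Conditions", NS)
    cert_b64 = "".join(a.find(".//ds:X509Certificate", NS).text.split())
    return {
        "issuer": a.find("saml:Issuer", NS).text.strip(),
        "subject": a.find("saml:Subject/saml:NameID", NS).text.strip(),
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "cert_fp": hashlib.sha256(base64.b64decode(cert_b64)).hexdigest(),
    }


# Constructed on-premises log: "<timestamp> ADFS <event id> user=<upn>".
# Event ID 1200 is assumed here to mean "Federation Service issued a valid token".
ONPREM_LOG = """\
2020-12-15T10:02:11Z ADFS 1200 user=alice@example.test
2020-12-15T11:45:03Z ADFS 1200 user=bob@example.test
"""


def parse_onprem_logons(text):
    events = []
    for line in text.splitlines():
        ts, _, event_id, user = line.split()
        if event_id == "1200":
            events.append((_ts(ts), user.split("=", 1)[1]))
    return events


def audit_token(xml_text, onprem_events, expected_fp, window=timedelta(minutes=5)):
    """Return a list of findings; an empty list means the token is consistent."""
    t = parse_assertion(xml_text)
    findings = []
    if t["issuer"] != EXPECTED_ISSUER:
        findings.append("unexpected issuer")
    if t["cert_fp"] != expected_fp:
        findings.append("signed by unpinned certificate")
    lifetime = t["not_on_or_after"] - t["not_before"]
    if lifetime > MAX_TOKEN_LIFETIME:
        findings.append(f"lifetime {lifetime} exceeds policy")
    if not any(u == t["subject"] and abs(ts - t["not_before"]) <= window
               for ts, u in onprem_events):
        findings.append("no on-premises logon within window")
    return findings


ONPREM_EVENTS = parse_onprem_logons(ONPREM_LOG)
T0 = datetime(2020, 12, 15, tzinfo=timezone.utc)
# Legitimate: alice, one-hour token, seconds after her AD FS logon.
LEGIT_TOKEN = make_assertion("alice@example.test", T0 + timedelta(hours=10, minutes=2, seconds=15),
                             T0 + timedelta(hours=11, minutes=2, seconds=15), GOOD_CERT_DER)
# Forged with the stolen legitimate key: 24-hour token, no AD FS logon for carol.
GOLDEN_TOKEN = make_assertion("carol@example.test", T0 + timedelta(hours=3),
                              T0 + timedelta(hours=27), GOOD_CERT_DER)
# Signed by a certificate that is not the pinned token-signing cert.
ROGUE_TOKEN = make_assertion("bob@example.test", T0 + timedelta(hours=11, minutes=45, seconds=5),
                             T0 + timedelta(hours=12, minutes=45, seconds=5), ROGUE_CERT_DER)

if __name__ == "__main__":
    for name, tok in [("legit", LEGIT_TOKEN), ("golden", GOLDEN_TOKEN), ("rogue", ROGUE_TOKEN)]:
        print(name, audit_token(tok, ONPREM_EVENTS, EXPECTED_CERT_FP) or "ok")
```

The point of the three constructed tokens is the middle one: it passes the issuer and certificate checks because the attacker holds the real signing key, and only the lifetime and the missing on-premises issuance event expose it. In a real deployment the window and lifetime thresholds come from the IdP configuration, and the log source is the federation server's audit log rather than a string literal.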

Washington Needs a Cybersecurity Overhaul: When they enter office, Biden and Harris must make up for lost ground. Foreign Policy, December 18, 2020

Three Things America Must Do Immediately to Prevent More Cybersecurity Attacks: It starts with prioritizing defense against cyberattacks. Interview w Alex Stamos, director of the Stanford Internet Observatory. Slate, December 18, 2020

What the SolarWinds compromise means for IT: A renewed awareness of IT supply chain risks emerged from the attack. CIOs now seek more visibility into the inner workings of their providers. CIO Dive, December 17, 2020

A moment of reckoning: the need for a strong and global cybersecurity response: The final weeks of a challenging year have proven even more difficult with the recent exposure of the world’s latest serious nation-state cyberattack. This latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms. It illuminates the ways the cybersecurity landscape continues to evolve and become even more dangerous. As much as anything, this attack provides a moment of reckoning. It requires that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response. Brad Smith, President, Microsoft, December 17, 2020

We’re not saying this is how SolarWinds was backdoored, but its FTP password ‘leaked on GitHub in plaintext’: ‘solarwinds123’ won’t inspire confidence, if true… The Register, December 16, 2020

Billions Spent on U.S. Defenses Failed to Detect Giant Russian Hack: The broad Russian espionage attack on the U.S. government and private companies, underway since spring and detected only a few weeks ago, is among the greatest intelligence failures of modern times. The New York Times, December 16, 2020

Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach: Analysis: This week Microsoft took a series of dramatic steps against the recent SolarWinds supply chain attack. In the size, speed and scope of its actions, Microsoft has reminded the world that it can still muster firepower like no one else as a nearly-overwhelming force for good. GeekWire, December 16, 2020

I Was the Homeland Security Adviser to Trump. We’re Being Hacked.: The magnitude of this national security breach is hard to overstate. Thomas Bossert, The New York Times, December 16, 2020

SolarWinds attack explained: And why it was so hard to detect: A group believed to be Russia’s Cozy Bear gained access to government and other systems through a compromised update to SolarWinds’ Orion software. Most organizations aren’t prepared for this sort of software supply chain attack. CSO, December 15, 2020

Dark Halo Leverages SolarWinds Compromise to Breach Organizations: Volexity is releasing additional research and indicators associated with compromises impacting customers of the SolarWinds Orion software platform. Volexity has also published a guide for responding to the SolarWinds breach, and how to detect, prevent, and remediate this supply chain attack. Volexity, December 14, 2020

Mitigate SolarWinds Orion Code Compromise … Technical Mitigation Details: This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise.” DHS Cybersecurity and Infrastructure Security Agency (CISA), December 13, 2020

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.
