Cybersecurity News of the Week, February 14, 2021

Individuals at Risk

Identity Theft

Identity Theft Doubled During the Pandemic as Fraudsters Targeted COVID-19 Relief Payments: The Federal Trade Commission (FTC) says that cases of identity theft skyrocketed during the COVID-19 pandemic, with incidents reported doubling compared to 2019. CPO, February 12, 2021

Cyber Privacy

Dating Apps Are Even Less Transparent Than Facebook and Google: As Valentine’s Day approaches, couples across the country are preparing for this long-standing tradition—and there’s a very good chance they met through online dating. But while dating apps can help people find a partner (or just a fun date), they can also subject users to incredible hate and harassment. Despite the fact that dating apps have accrued significant reach and influence, these companies provide very little transparency around how they keep users safe and how they moderate content. Much of the conversation around online platform accountability focuses on companies like Facebook and Google. But dating apps face many of the same issues. Slate, February 13, 2021

Do VPN Companies Track Your Browsing Data?: People use VPNs to protect their privacy from hackers, ISPs, and data thieves. But do VPNs themselves collect your browsing data and sell it to third parties? Here’s what you need to know. How-to Geek, February 12, 2021

Google: Here’s why some people get more phishing emails and malware spam: Gmail stops 99.9% of phishing attacks from reaching inboxes – but that doesn’t stop scammers trying new things in an effort to sneak through defences. ZDNet, February 10, 2021

Cyber Update

A Windows Defender vulnerability lurked undetected for 12 years: Microsoft patched the bug in its A/V program after researchers spotted it last fall. ars techncia, February 13, 2021

Apple finally patches this dangerous macOS security flaw: Apple has patched the critical vulnerability affecting the Sudo application on macOS devices. Although an update had already been released for the other affected operating systems, the macOS version of the security bug remained exploitable until now. TechRadar, February 10, 2021

Microsoft Patch Tuesday, February 2021 Edition: Microsoft today rolled out updates to plug at least 56 security holes in its Windows operating systems and other software. One of the bugs is already being actively exploited, and six of them were publicized prior to today, potentially giving attackers a head start in figuring out how to exploit the flaws. KrebsOnSecurity, February 9, 2021

Cyber Warning

Roses are Red, Romance Scammers Increasingly Make You Blue: Lockdown Has Led to a Surge in Fraudster Romeos Operating Remotely, Police Warn. BankInfoSecurity, February 12, 2021

Pre-Valentine’s Day Malware Attack Mimics Flower, Lingerie Stores: Emails pretending to confirm hefty orders from lingerie shop Ajour Lingerie and flower store Rose World are actually spreading the BazaLoader malware. ThreatPost, February 11, 2021

Cyber Fraud

Fallen victim to online fraud? Here’s what to do…: Online fraud is a huge challenge for businesses and consumers alike as cybercriminals continue to develop new mechanisms to separate innocent parties from their money. NakedSecurity, February 12, 2021

Information Security Management for the Organization

Information Security Management

Why A Zero-Trust Policy Is Important For Remote Companies And Cybersecurity Effectiveness: More than a lack of resources, cybersecurity seems to suffer from a lack of an effective approach, especially as the face of work is changing. The emergence of remote work as the norm for many companies comes with new cybersecurity challenges. Remote working results in less control over the organization’s resources, which heightens the risk of data breaches. It is, therefore, more important than ever to approach cybersecurity from a risk-based perspective. Forbes, February 12, 2021

Researchers identify 223 vulnerabilities used in recent ransomware attacks: Ransomware is getting worse. Cybersecurity analysts have been screaming this sentiment from the rooftops for years, but now new research examining the expanding landscape of software vulnerabilities leveraged in ransomware attacks offers up some hard numbers that put the depth of this problem into context. SCMedia, February 11, 2021

Supply chain security is actually worse than we think: Most enterprises have no clue they’re sitting ducks for average attackers of moderate skill, much less nation state-backed adversaries with unlimited resources. ZDNet, February 10, 2021

Ransomware Demands Spike 320%, Payments Rise: Remote work continues to fueling a spike in phishing and cyberattacks, particularly in the U.S. ThreatPost, February 8, 2021

Cyber Warning

Ransomware Attackers Set Their Sights on SaaS: Ransomware has begun to target data-heavy SaaS applications, open source, and Web and application frameworks. DarkReading, February 11, 2021

Cybersecurity in Society

Cyber Crime

US Treasury: Yellen warns of ‘explosion’ of cybercrime risk…The US Treasury Secretary said the pandemic had made the situation worse as more criminals move online.: US Treasury Secretary Janet Yellen has warned of an “explosion of risk” from criminals using digital technologies. BBC, February 11, 2021

The Accellion Data Breach Seems to Be Getting Bigger: Data breaches have a tendency to grow past initially reported figures. Organizations don’t always know how screwed they are right away, investigations take time, and new victims are discovered amidst the wreckage. This is certainly proving to be the case with Accellion, the Palo Alto, Calif.-based cloud provider that experienced what appears to be a fairly catastrophic cyberattack in December. Gizmodo, February 10, 2021

Cyber Attack

The Long Hack: How China Exploited a U.S. Tech Supplier: For years, U.S. investigators found tampering in products made by Super Micro Computer Inc. The company says it was never told. Neither was the public. Bloomberg, February 12, 2021

Cyber Surveillence

They Stormed the Capitol. Their Apps Tracked Them: Times Opinion was able to identify individuals from a trove of leaked smartphone location data. The New York Times, February 5, 2021

Cyber Privacy

WSJ: Zuckerberg tells staff to ‘inflict pain’ on Apple as privacy battle intensifies: As the battle between Facebook and Apple intensifies, The Wall Street Journal is out with a new report this morning detailing Facebook’s anger at Apple. The report explains that one of the turning points in the battle was an interview Tim Cook did in 2018 amid Facebook’s Cambridge Analytics scandal. 9to5Mac, February 13, 2021

Privacy Without Monopoly: Data Protection and Interoperability: The problems of corporate concentration and privacy on the Internet are inextricably linked. A new regime of interoperability can revitalize competition in the space, encourage innovation, and give users more agency over their data; it may also create new risks to user privacy and data security. This paper considers those risks and argues that they are outweighed by the benefits. New interoperability, done correctly, will not just foster competition, it can be a net benefit for user privacy rights. EFF, February 12, 2021

New state privacy initiatives turn up heat on Congress: Congress is coming under increasing pressure to create a federal framework for data privacy laws as states forge ahead with their own plans. TheHill, February 10, 2021

mHealth Apps Expose Millions to Cyberattacks: Researcher testing of 30 mobile health apps for clinicians found that all of them had vulnerable APIs. ThreatPost, February 12, 2021

Know Your Enemy

Darknet crypto kingpin JokerStash retires after illicit $1 billion run: research: The kingpin or kingpins of the world’s biggest illicit credit card marketplace have retired after making an estimated fortune of over $1 billion in cryptocurrency, according to research by blockchain analysis firm Elliptic shared with Reuters. CyberNews, February 12, 2021

National Cybersecurity

It is time for federal chief privacy officers: As the Biden administration organizes a new government, we have an opportunity to institutionalize privacy as a top priority across government. The mounting threats to privacy and cybersecurity are serious. New, more powerful surveillance capabilities continue to appear in a relentless stream: “modernized” biometric collection programs; advanced uses of artificial intelligence; acquisition of sensitive information from data aggregators; and broader sharing of intelligence information — to name only a few. Unsurprisingly, the increased collection, sharing, and retention of personal information exacerbates cybersecurity risks, as illustrated by the data breach of U.S. Customs and Border Protection’s travelers photo database. In many respects, privacy and cybersecurity are inextricably intertwined. The Hill, February 12, 2021

How the United States Lost to Hackers: America’s biggest vulnerability in cyberwarfare is hubris. The New York Times, February 11, 2021

Protecting the cybersecurity of America’s networks: America’s networks are under attack. While there are multiple challenges facing the Biden FCC, the ongoing attacks and how cybersecurity was dismantled by the Trump FCC should move cybersecurity high on the new agenda. Brookings, February 11, 2021

Suspected Chinese Hackers Exploit a Different SolarWinds Hack To Compromise USDA’s National Finance Center: Suspected Chinese hackers compromised the U.S. government systems through a second SolarWinds hack, according to Reuters. Quoting sources who spoke the condition of anonymity, Reuters reports that the hackers breached a federal payroll agency exposing thousands of federal employees’ records. CPO, February 11, 2021

How to stop handing our cybersecurity keys to hackers.. We make it far too easy for the bad guys: On Wednesday, I return to Capitol Hill, at least virtually, to testify in front of Congress, this time in front of the House of Representatives Committee on Homeland Security. The committee is holding a timely hearing on cyber threats to American businesses and government agencies and what we can do to improve our collective security and resilience. I was the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) from November 2018 to November 2020. Although I am testifying in my personal capacity, my new venture, Krebs Stamos Group, now represents SolarWinds, the company whose software was hijacked by Russian government cyberspies as a part of a broad campaign targeting U.S. government and private sector systems that resulted in compromises at multiple federal agencies and at private companies. Christopher Krebs, TheHill, February 10, 2021

The Next Cyberattack Is Already Under Way: Amid a global gold rush for digital weapons, the infrastructure of our daily lives has never been more vulnerable. The New Yorker, February 8, 2021

Critical Infrastructure

Florida City’s Water Hack: Poor IT Security Laid Bare: Oldsmar Used Windows 7, Shared TeamViewer Password, Didn’t Have a Firewall BankInfoSecurity, February 11, 2021

What’s most interesting about the Florida water system hack? That we heard about it at all: Stories about computer security tend to go viral when they bridge the vast divide between geeks and luddites, and this week’s news about a hacker who tried to poison a Florida town’s water supply was understandably front-page material. But for security nerds who’ve been warning about this sort of thing for ages, the most surprising aspect of the incident seems to be that we learned about it at all. KrebsOnSecurity, February 10, 2021

Cyber Enforcement

Arrest, Raids Tied to ‘U-Admin’ Phishing Kit: Cyber cops in Ukraine carried out an arrest and several raids last week in connection with the author of a U-Admin, a software package used to administer what’s being called “one of the world’s largest phishing services.” The operation was carried out in coordination with the FBI and authorities in Australia, which was particularly hard hit by phishing scams perpetrated by U-Admin customers. KrebsOnSecurity, February 8, 2021

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge