Cybersecurity News of the Week, February 2, 2020

Individuals at Risk

Cyber Privacy

Firefox now shows what telemetry data it’s collecting about you: Users can now go to about:telemetry and see what Mozilla is collecting about their Firefox installs. ZDNet, February 1, 2020

Avast Unit Stops Collecting User Data After Privacy Complaints: Company to close data-selling subsidiary, but experts say users of antivirus software could still be at risk. ConsumerReports, January 30, 2020

Ring Doorbell App Packed with Third-Party Trackers: Ring isn’t just a product that allows users to surveil their neighbors. The company also uses it to surveil its customers. EFF, January 27, 2020

Many of the Major Dating Apps Are Leaking Personal Data to Advertisers: Testing conducted by the Norwegian Consumer Council (NCC) has found that some of the biggest names in dating apps are funneling sensitive personal data to advertising companies, in some cases in violation of privacy laws such as the European General Data Protection Regulation (GDPR). CPO, January 30, 2020

Cyber Danger

Kobe Bryant Wallpaper Caught Spreading Cryptojacking Malware: While the world mourns the unexpected death of the NBA star Kobe Bryant, malicious actors didn’t spend much time taking advantage of the situation. Fossbytes, February 1, 2020

Microsoft Issues Excel Security Alert As $100 Million ‘Evil Corp’ Campaign Evolves: Evil Corp may well be best known to millions of viewers of the Mr. Robot TV drama as the multi-national corporation that Elliot and FSociety hack. However, back in the real world, Evil Corp not only exists but is weaponizing Microsoft Excel to spread a malware payload. Researchers from Microsoft Security Intelligence have this week taken to Twitter to warn users to be alert to the ongoing campaign being run by Evil Corp, also known as TA505. Like most successful cybercriminals, Evil Corp is constantly evolving in terms of techniques and tools. The latest twist in this felonious tale involves Microsoft Excel as a payload delivery vehicle. Forbes, January 31, 2020

Ashley Madison cyber-breach: 5 years later, users are being targeted with ‘sextortion’ scams: Scammers have found a new way to wring money out of unsuspecting victims of the 2015 breach of the Ashley Madison affair-dating website, by using their stolen credentials in an amped-up version of the common “sextortion” scam. CNBC, January 31, 2020

97 of the world’s 100 largest airports have massive cybersecurity risks: An investigation of airport cybersecurity found glaring gaps in security for web and mobile applications, misconfigured public clouds, Dark Web exposure and code repository leaks. TechRepublic, January 30, 2020

Coronavirus Campaigns Spread Emotet, Malware: The ongoing global spread of the disease precipitates malware infections. ThreatPost, January 30, 2020

Cyber Update

Ring Drops a Major App Update, Placing Privacy and Security Settings Front and Center: Ring has begun pushing out an update to its phone app with the aim of consolidating all of its security settings, a likely response to general privacy concerns, as well as more specific ones about “hackers” who’ve hijacked in-home camera feeds in recent months. Gizmodo, January 31, 2020

Cyber Defense

How to change iOS 13 settings for better security: Learn how to secure your iOS 13 devices and protect your privacy by tweaking the default settings. TechRepublic, January 31, 2020

‘George’ the Most Popular Password That’s a Name: A new study of stolen passwords reflects the consequences of password overload. DarkReading, January 31, 2020

Cyber Humor

Information Security Management for the Organization

Information Security & Privacy Management

Data Classification: Not Just for CISOs Anymore: Data classification has always been regarded as a foundational element of any viable data security strategy. After all, most organizations are creating, utilizing and storing more potentially sensitive data than ever before. CPOP, January 31, 2020

How Do You Measure the Success of Your Patch Management Efforts?: If you follow the news, you will often see that yet another company has been breached or taken hostage by ransomware. If you read the full details of these stories, usually they have one main thing in common: These organizations are behind in patch management. The question that arises, then, is why? SecurityIntelligence, January 31, 2020

8 non-technical ways to improve your company’s cybersecurity: Cybersecurity solutions aren’t always complicated. From planning ahead to simple fixes, here’s what you should be doing right now. MIT, January 29, 2020

Gaining Insight Into the Ponemon Institute’s 2020 Cost of Insider Threats Report: Today, I’m pleased to share some of the key findings from the 2020 Cost of Insider Threats Global Report. This is the third benchmark study, independently sponsored by IBM Security and ObserveIT to help understand the direct and indirect costs that result from insider threats. The first study was conducted in 2016 and focused exclusively on companies in the U.S. SecurityIntelligence, January 27, 2020

Cyber Defense

The Case for Integrating Dark Web Intelligence Into Your Daily Operations: Some of the best intelligence an operator or decision-maker can obtain comes straight from the belly of the beast. That’s why dark web intelligence can be incredibly valuable to your security operations center (SOC). By leveraging this critical information, operators can gain a better understanding of the tactics, techniques and procedures (TTPs) employed by threat actors. With that knowledge in hand, decision-makers can better position themselves to protect their organizations. SecurityIntelligence, January 30, 2020

Cybersecurity in Society

Cyber Privacy

Facebook to Pay $550M to Settle Class Action Case Over Facial Recognition: The settlement in a case over the social network’s Tag Suggestions feature is the latest financial blow the company has taken over its handling of user privacy. ThreatPost, January 30, 2020

Emerging Trends: What to Expect From Privacy Laws in 2020: Over the past few years, we’ve witnessed some defining moments for protecting the privacy of customer data around the globe: CPO, January 29, 2020

Cyber Crime

A cyberattack known as e-skimming is getting more common with the rise of online shopping: During the busy holiday shopping season late last year, firearms maker American Outdoor Brands noticed a problem with one of its websites, which sells mostly hats, shirts and accessories. CNBC, January 31, 2020

Average Ransomware Payments More Than Doubled in Q4 2019: Ransomware attackers collected an average of around $84,000 from victim organizations, up from $41,000 in Q3 of 2018, Coveware says. DarkReading, January 27, 2020

Cyber Attack

Report: FBI Investigating NSO Group Over Notorious International Hacks: The FBI is investigating shady cyber-intelligence company NSO Group and the possible use of its phone-hijacking tools in several high-profile hacks, Reuters reported on Thursday. Gizmodo, January 31, 2020

The Staggering Vulnerability of Global Elites: Anyone can get hacked. But when it happens to the rich and powerful, the stakes can be extraordinarily high. The Atlantic, January 30, 2020

UN didn’t patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it: For an organization accused of being ‘all talk, no action’, there’s not even enough talking – to its own employees. The Register, January 29, 2020

Someone Tried to Hack My Phone. Technology Researchers Accused Saudi Arabia: From a suspicious text message I received, technology researchers concluded that hackers working for Saudi Arabia had targeted my phone with powerful Israeli software. The New York Times, January 28, 2020

National Cybersecurity

Iranian Hackers Target U.S. Gov. Vendor With Malware: APT34 has been spotted in a malware campaign targeting customers and employees of a company that works closely with U.S. federal agencies, and state and local governments. ThreatPost, January 31, 2020

Cyber Freedom

The Cybersecurity 202: Election officials confident about security days before first contests of 2020: Election officials are striking a confident tone about digital security at their final summit before caucus and primary season begins. But they’re also planning for the worst, war-gaming how to handle any major hacks from Russia or other adversaries. The Washington Post, January 31, 2020

The Cybersecurity 202: There’s a new cross-country effort to train election and campaign pros on digital security: A team from the University of Southern California has embarked on a 50-state tour to give cybersecurity training to poll workers and state and local campaign staffers who will be the last line of defense against Russian hacking in 2020. The Washington Post, January 30, 2020

Cyber Regulation

Securities and Exchange Commission Office of Compliance Inspections and Examinations (OCIE) Provides Observations on Cybersecurity and Operational Resiliency Best Practices. National Law Review, January 31, 2020
