Cybersecurity News of the Week, February 23, 2020

SecureTheVillage Calendar

How to Get Cyber Secure Without Breaking the Bank with Stan Stahl and Cheryl Washington, SCSIM Inaugural All Day Summit, February 27, 10:00 – 10:45, Long Beach, CA

Personal Cyber Security with Dr. Steve Krantz, March 10, 1:00 – 2:30, Calabasas, CA

Webinar: How Simple Changes to Your Contracts Can Mitigate Risk Under the CCPA, Host Stan Stahl. Stan’s Guests: Matthew Seror, Shareholder Buchalter, Weiss Hamid, Associate Buchalter, March 12, 10:00 – 11:00

Personal Cyber Security with Dr. Steve Krantz, March 16, 11:15 – 12:15, Encino, CA

Protect Yourself From IDentity Theft, Stan Stahl, Karen Codman, March 18, 1:00 – 2:00, Long Beach

Protect Yourself From IDentity Theft, Stan Stahl, Karen Codman, March 18, 7:00 – 8:00, Long Beach

Individuals at Risk

Cyber Privacy

UCLA drops controversial face recognition plan: A major California university has dropped plans to use facial recognition for the surveillance of the campus. USA Today, February 20, 2020

Exclusive: Details of 10.6 million MGM hotel guests posted on a hacking forum: MGM Resorts said security incident took place last summer and notified impacted guests last year. ZDNet, February 19, 2020

Cyber Danger

Delete these eight malware-ridden Android apps immediately: Security researchers from the firm Check Point have discovered two families of malware in apps on the Google Play Store: a new family called Haken and the resurgence of an older family called Joker. Digital Trends, February 21, 2020

Anxiety, depression and PTSD: The psychological side effects of the epidemic of data breaches and cyber crimes: After a restorative getaway last July – a week in Stockholm, another exploring Norway’s fjords and a picturesque hike deep into the peaceful wilds of western Sweden’s forests – Christopher Lane returned home to his Chicago condo and an overflowing mailbox. USA Today, February 21, 2020

Anatomy of a dumb spear-phish: Hitting librarians up for Zelle, CashApp cash … Read how a spear-phish attack was thwarted: Librarians smell something phishy in scam that scraped emails from association website. Ars Technica, February 19, 2020

Cyber Update

Adobe releases out-of-band patch for critical code execution vulnerabilities: Adobe has released an out-of-schedule fix to resolve two vulnerabilities that may expose user systems to code execution attacks. ZDNet, February 20, 2020

Cyber Defense

The Business of Cybersecurity Starts at Home: Anyone who’s worked in cybersecurity for longer than a few minutes has gotten the question: “you’re in cybersecurity … what should I do to protect myself?” There’s no shortage of frameworks, advice and “best practices” out there. Even so, tales of security breaches and stolen customer data dot the headlines every day. CPO, February 21, 2020

Information Security Management for the Organization

Information Security Management and Governance

10 Basic And Easy Cybersecurity Steps to Help an Organization Get Started: Is cybersecurity a top priority for your business? We certainly hope so. A recent report revealed that almost 64% of all businesses prioritize IT security above everything else. Even 80% of all SMBs rank IT security as a top business priority. Forbes, February 18, 2020

Cybersecurity in the C-Suite & Board

Cybersecurity Success: A Shared Responsibility Model Between Business And IT: It is an avowed mantra in cybersecurity that business has an essential role to play in protecting the proverbial crown jewels, in partnership with the IT division of a company. As the adage goes: Security is not a technology issue; it is a business issue. Forbes, February 21, 2020

How to Get CISOs & Boards on the Same Page: These two groups have talked past each other for years, each hobbled by their own tunnel vision and misperceptions. DarkReading, February 21, 2020

Information Security & Privacy Management

One in Three SMBs Rely on Free Cybersecurity Tools or Nothing: One in three small businesses with 50 or fewer employees rely on free or consumer-grade cybersecurity tools, according to research commissioned and published by BullGuard. The research also pointed out that one in five companies do not use any endpoint security whatsoever. The research, which surveyed small businesses in the U.K. and the U.S., suggested that nearly 43% of SMB owners are not prepared for a potential cyberattack or breach, leaving their most sensitive financial, customer, and business data at risk. CISO Mag, February 20, 2020

Cyber Warning

Is your IT provider / MSP your biggest cybersecurity threat? IT Service suppliers being targeted by hackers: You may or may not know, but IT service providers and MSPs are currently being targeted by hackers. Numerous accounts of IT service provider and MSP breaches are now being reported worldwide, and once the IT service provider is breached, so are their clients’ networks. IT Pro Portal, February 21, 2020

Newly discovered cybercrime group uses new and unique tactics to target U.S. companies in Business Email Compromise (BEC) attacks: Researchers have uncovered a new business email compromise (BEC) threat actor, which they call Exaggerated Lion, targeting thousands of U.S. companies with money pilfering scams. The cybercrime ring is unique in its leveraging of Google’s cloud-based productivity suite, G Suite, and for its use of physical checks for collecting fraudulent payments – as opposed to wire transfers. ThreatPost, February 20, 2020

A New Cyber-Extortion Variant: Pay Up, Or We’ll Make Google Ban Your Ads: A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program. In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account for suspicious traffic. KrebsOnSecurity, February 17, 2020

Cybersecurity in Society

Cyber Crime

NRC Health Ransomware Attack Prompts Patient Data Concerns … The organization, which sells patient administration tools to hospitals – including Cedars Sinai, could not confirm whether patient data was accessed: A Feb. 11 ransomware attack targeting NRC Health has driven concerns about the security of patient data stored on the organization’s servers. NRC Health manages patient survey systems and works with 75% of the 200 largest hospital chains in the United States, CNBC reports. Dark Reading, February 21, 2020

Ransomware Damage Hit $11.5B in 2019: A new report shows the scale of ransomware’s harm and the growth of that damage year-over-year — an average of $141,000 per incident. DarkReading, February 20, 2020

Ransomware attack forces 2-day shutdown of natural gas pipeline: The US Department of Homeland Security (DHS) on Tuesday said that an infection by an unidentified ransomware strain forced the shutdown of a natural-gas pipeline for two days. NakedSecurity, February 20, 2020

ISS World, a global facilities maintenance company based in Denmark, says it’s gradually restoring its systems after a malware attack on Monday: The company, which provides facilities management, catering, security and other property-related services, has more than 500,000 employees worldwide. BankInfoSecurity, February 20, 2020

Cyber Attack Statistics You Need to Know: In 2020, you’ll be hard-pressed to find a business of any size that doesn’t use technology on a daily basis for at least one main aspect of running their company. This is why cybersecurity has become such a huge issue in today’s business world. Not only is the threat of cyber attacks growing every year, but the potential impact of these attacks is also getting more serious as technology advances and a larger percentage of business dealings unfold in the digital world. CPO, February 20, 2020

Hackers Were Inside Citrix for Five Months … criminal access said to be via “password spraying” attack: Networking software giant Citrix Systems says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords. KrebsOnSecurity, February 19, 2020

How Chinese military hackers allegedly pulled off the Equifax data breach, stealing data from 145 million Americans: The Equifax data breach that compromised the personal data of almost 150 million Americans in 2017 unfolded like a classic robbery. USA Today, February 10, 2020

National Cybersecurity

Department of Defense Now Requires Defense Contractors to Obtain Cybersecurity Certification; How Difficult Will It Be?: As of 2026, the United States Department of Defense (DoD) will be requiring all defense contractors to complete a new cybersecurity certification course before submitting proposals. CPO, February 20, 2020

The US Blames Russia’s GRU for Sweeping Cyberattacks in Georgia … By calling out Russia for digital assaults on its neighboring country, the US hopes to head off similar efforts at home: For more than a decade, Russian hackers have tormented the country’s neighbors, bombarding Estonian websites with junk traffic and even triggering blackouts in Ukraine. As long as Russia has kept those relentless, disruptive cyberattacks within its own region, the West has mostly turned a blind eye. But as the US seeks to head off any digital meddling in its own upcoming election, the State Department is trying something different: Calling out Russia for a broad-scale act of digital sabotage that hit the country of Georgia last fall. Wired, February 20, 2020

Cyber Freedom

Russia Is Said to Be Interfering to Aid Sanders in Democratic Primaries: The nominal Democratic front-runner denounced Russia’s efforts to attack American democracy. The New York Times, February 21, 2020

Lawmakers Are Warned That Russia Is Meddling to Re-elect Trump … A classified briefing to House members is said to have angered the president, who complained that Democrats would “weaponize” the disclosure: WASHINGTON — Intelligence officials warned House lawmakers last week that Russia was interfering in the 2020 campaign to try to get President Trump re-elected, five people familiar with the matter said, a disclosure to Congress that angered Mr. Trump, who complained that Democrats would use it against him. The New York Times, February 21, 2020

Essays: Technologists vs. Policy Makers: Sometime around 1993 or 1994, during the first Crypto Wars, I was part of a group of cryptography experts that went to Washington to advocate for strong encryption. Matt Blaze and Ron Rivest were with me; I don’t remember who else. We met with then Massachusetts Representative Ed Markey. (He didn’t become a senator until 2013.) Back then, he and Vermont Senator Patrick Leahy were the most knowledgeable on this issue and our biggest supporters against government backdoors. They still are. Schneier on Security, February 2020
