Cybersecurity News of the Week, February 7, 2021

Individuals at Risk

Identity Theft

Pandemic Proves to Be Fertile Ground for Identity Thieves: Number of identity theft cases more than doubled in 2020 from 2019, FTC report finds. AARP, February 5, 2021

The Cybersecurity 202: Coronavirus pandemic renews debate for hacker-proof IDs: Coronavirus has brought more scams than any event in the last decade. Lawmakers and advocates are proposing a way for the government to protect Americans: Giving everyone a digital ID that could prove they’re really who they say they are. The Washington Post, February 5, 2021

Cyber Privacy

3.2B email and password pairs were just leaked in the mother of all data breaches: Most of the data breaches you read about involve hacks of specific companies or organizations. A hotel’s credit card database was breached, for example, or an email service provider was hacked, exposing customer data and login credentials which can be used in turn to access more customer data. A newly posted cache of stolen customer details, however, takes this trend to an exponential and much more disturbing level. BGR, February 5, 2021

Hacker Sells Data for 500 Million Facebook Users Through Telegram Bot: A hacker is selling over 500 million Facebook users’ phone numbers through a Telegram bot, according to Motherboard. CPO, February 5, 2021

Cyber Update

Google patches an actively exploited Chrome zero-day: Google Chrome 88.0.4324.150 released with a fix. Users advised to update. ZDNet, February 4, 2021

Information Security Management for the Organization

Cybersecurity in the C-Suite & Board

The Big 8: How to heighten cybersecurity governance: Cyber defenders worldwide can all agree that 2020 was a transformational year. Both CISOs and security teams battled increased attack volumes and data breaches as attack techniques including island hopping continued to grow in frequency and sophistication. In its annual risk index, the World Economic Forum stated that cyberattacks are one of the most significant risks posed to corporations. The potential threats associated with these attacks have gone well beyond monetary and data loss, as falling victim can lead to attacks on customers, reputation damage, and regulatory fines that can have a grave impact on businesses. Security Magazine, February 4, 2021

Information Security Management

How to Protect Your Supply Chain From Cyberattack: Cyberthreats evolve constantly, but one rule endures: hackers will never break down your front door if they can get in through an open window. Most retailers are keenly aware that the credit card and customer data on their networks is a prime target for hackers, and so they barricade access points to their websites and ecommerce systems to ward off intrusion. But their cybersecurity teams pay much less attention to the sprawling network of vendors in the supply chain. For hackers this is a window of opportunity. Retail Touch Points, February 4, 2021. Author Ara Aslanian is a SecureTheVillage CyberLeader.

From SMEs for SMEs: Cybersecurity Tips for Small and Medium-Sized Enterprises: The Cyber Readiness Institute (CRI) asked its Small Business Advisory Council, a group of 15 public and private organizations that serve SMEs in various capacities, to identify key tips to help SMEs become more secure and resilient. The Council developed the following seven fundamental cybersecurity actions. While each enterprise’s individual circumstances will dictate the specifics of its cybersecurity program, the tips below serve as guardrails toward making your organization more cyber ready. Cyber Readiness Institute Small Business Advisory Council, January 29, 2021. SecureTheVillage Founder & President, Stan Stahl is a member of CRI’s Small Business Advisory Council.

Cyber Talent

New ISACA Report: Enterprises Struggling to Recruit and Staff Technical Privacy Pros: Privacy pros with the necessary technical skills are in demand and hard to find even for well-funded enterprises, according to a new report from IT governance association ISACA. Enterprises are having a harder time staffing technical privacy teams than they are filling out their legal & compliance teams, with long delays in filling job openings and shorthanded departments being common. With the demand for these specialized professionals only expected to increase in the near term, hiring managers are looking to cross-train current employees to become experts on specific regional regulations such as the EU’s General Data Protection Regulation (GDPR). CPO, February 5, 2021

Cyber Culture

It’s time to rethink cybersecurity training… Again: Cybersecurity training today is much different than it was 10 years ago. In most organizations, we have developed training that is engaging, interactive, even enjoyable at times. Security leaders of yesterday realized that a boring, once-a-year, PowerPoint-like training that employees had to undergo to check a box was not working. Everyone dreaded that training, which led to skimming the material and clicking through slides, then brute-forcing their way through the answers on the final exam. Security Magazine, February 4, 2021

Cyber Update

Critical Flaws Reported in Cisco VPN Routers for Businesses—Patch ASAP: Cisco has rolled out fixes for multiple critical vulnerabilities in the web-based management interface of Small Business routers that could potentially allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. The Hacker News, February 5, 2021

Cybersecurity in Society

Cyber Crime

Hackers post detailed patient medical records from two hospitals to the dark web: The files, which number at least in the tens of thousands, include patients’ personal identifying information. NBC, February 5, 2021

How a 2020 Cyber Attack Brought the New Zealand Stock Exchange to Its Knees: The website of the New Zealand Stock Exchange slowed to a crawl on a Tuesday afternoon in August. It was so badly throttled that the exchange couldn’t post market announcements, as required by financial regulators. So with an hour left for trading, management shut the entire operation down. InsuranceJournal, February 5, 2021

40+ Terrifying Cybersecurity Statistics You Need to Know for 2021: Interested in learning about trends in data loss prevention, ransomware, and cybercrime? These cybersecurity statistics from the last 5 years will outline contemporary cybersecurity trends and provide a preview of what is being predicted for the future of cybersecurity. Business to Community, February 5, 2021

Cyber Attack

New campaign targeting security researchers. Google’s Threat Analysis Group attributes campaign to a government-backed entity based in North Korea: Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers which we will outline below. We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with. Google, January 25, 2021

Cyber Privacy

Apple’s privacy policy kicks Facebook where it hurts: The iPhone-maker antagonises its ad-dependent Silicon Valley neighbours. The Economist, February 6, 2021

Pro: The Washington Privacy Act empowers consumers to retake control of their identity online in our data-fueled economy: The issue of electronic data privacy — the freedom to be left alone without our digital footprints and identity being monitored, monetized and used without our permission — is not a department down the hall, a staid academic theory or a white paper from a think tank. Seattle Times, February 5, 2021

Con: The People’s Privacy Act, not the Washington Privacy Act, is the better bill to protect consumers’ civil rights and civil liberties: For the third year in a row, the Washington state Legislature is considering a weak, industry-backed data privacy bill. The Washington Privacy Act (Senate Bill 5062) has vague language, a laundry list of exemptions and a provision that explicitly prohibits people from holding companies accountable when they violate people’s digital privacy rights. Seattle Times, February 5, 2021

Presidential Cybersecurity and Pelotons: President Biden wants his Peloton in the White House. For those who have missed the hype, it’s an Internet-connected stationary bicycle. It has a screen, a camera, and a microphone. You can take live classes online, work out with your friends, or join the exercise social network. And all of that is a security risk, especially if you are the president of the United States. Schneier on Security, February 5, 2021

Cyber Defense

Sophisticated cybersecurity threats demand collaborative, global response: Since December, the United States, its government, and other critical institutions including security firms have been addressing the world’s latest serious nation-state cyberattack, sometimes referred to as ‘Solorigate’ or ‘SUNBURST.’ As we shared earlier, this is a moment of reckoning for our industry and needs a unified response of defenders across public and private sectors. Microsoft is committed to protecting our customers and safeguarding our communities, and we are proud to partner with industry partners to respond to this attack and strengthen our collective defenses. We believe transparency and clarity are important for strong cybersecurity, and in that spirit we are sharing information about some commonly asked questions. We look forward to serving and protecting our customers and communities. Microsoft, February 4, 2021

Know Your Enemy

Cybercrime Goes Mainstream: Organized cybercrime is global in scale and the second-greatest risk over the next decade. DarkReading, February 5, 2021

Blockchain transactions confirm murky and interconnected ransomware scene: Criminal gangs often use multiple ransomware strains and jump ship from one RaaS (Ransomware-as-a-Service) to another, seeking better deals. ZDNet, February 4, 2021

‘ValidCC,’ a Major Payment Card Bazaar and Looter of E-Commerce Sites, Shuttered: ValidCC, a dark web bazaar run by a cybercrime group that for more than six years hacked online merchants and sold stolen payment card data, abruptly closed up shop last week. The proprietors of the popular store said their servers were seized as part of a coordinated law enforcement operation designed to disconnect and confiscate its infrastructure. KrebsOnSecurity, February 2, 2021

National Cybersecurity

Biden: US taking ‘urgent’ steps to improve cybersecurity: President Biden said Thursday that his administration is launching an “urgent initiative” to improve the nation’s cybersecurity, pointing to concerns around malign efforts by Russia and China. TheHill, February 4, 2021

Critical Infrastructure

Industrial Networks See Sharp Uptick in Hackable Security Holes: Claroty reports that adversaries, CISOs and researchers have all turned their attention to finding critical security bugs in ICS networks. ThreatPost, February 5, 2021

Cyber Enforcement

Facebook, Instagram, TikTok and Twitter Target Resellers of Hacked Accounts: Facebook, Instagram, TikTok, and Twitter this week all took steps to crack down on users involved in trafficking hijacked user accounts across their platforms. The coordinated action seized hundreds of accounts the companies say have played a major role in facilitating the trade and often lucrative resale of compromised, highly sought-after usernames. KrebsOnSecurity, February 4, 2021

U.K. Arrest in ‘SMS Bandits’ Phishing Service: Authorities in the United Kingdom have arrested a 20-year-old man for allegedly operating an online service for sending high-volume phishing campaigns via mobile text messages. The service, marketed in the underground under the name “SMS Bandits,” has been responsible for blasting out huge volumes of phishing lures spoofing everything from COVID-19 pandemic relief efforts to PayPal, telecommunications providers and tax revenue agencies. KrebsOnSecurity, February 1, 2021

Cyber Misc

Free coffee! Belgian researcher hacks prepaid vending machines: Belgian cybersecurity researcher Polle Vanhoof just published a fascinating and well-written paper about an exploitable hole he found in the payment system used in some Nespresso prepaid coffee machines. Naked Security, February 4, 2021

These Places Were Not Ready for Flash to Die: Adobe Flash went dark on Dec. 31. The software had been flickering out since 2017, when Adobe announced it would discontinue Flash with three and a half years’ warning. Reminder statements, press attention, and pop-ups warning about Flash’s discontinuation all followed. But despite the ample time to prepare, multiple government and corporate systems across the world were still caught by surprise when the Flash plugin finally died. Slate, February 5, 2021
