Cybersecurity News of the Week, January 12, 2020

Individuals at Risk

Cyber Privacy

Facebook’s FTC Privacy Settlement Challenged in Court … Federal Judge Still Considering Objections From Privacy Groups: Six months after Facebook agreed to a landmark privacy settlement with the U.S. Federal Trade Commission that included a record $5 billion fine, a federal judge is still considering objections from advocacy groups that claim the deal doesn’t go far enough. BankInfoSecurity, January 10, 2020

Privacy Groups to Google: Please Kill Android Bloatware: You can often find bloatware on phones from mobile carriers, especially on cheaper handsets. But a coalition of privacy groups is worried the same pre-installed apps have background functions and data collection processes users aren’t aware of. PC Mag, January 10, 2020

Uncharted Waters: The Future of Location Data and Smartphone Tracking: The notion that governments and corporate giants are capable of exercising their technological might in order to monitor the behavior of ordinary people is nothing new. However, the notion that smaller, lesser-known companies — whose sole purpose is to collect, analyze, and resell location data — are doing precisely the same thing using smartphone tracking technology seems to be something entirely new indeed. CPO, January 9, 2020

Identity Theft

Lawmakers Prod FCC to Act on SIM Swapping: Crooks have stolen tens of millions of dollars and other valuable commodities from thousands of consumers via “SIM swapping,” a particularly invasive form of fraud that involves tricking a target’s mobile carrier into transferring someone’s wireless service to a device they control. But the U.S. Federal Communications Commission (FCC), the entity responsible for overseeing wireless industry practices, has so far remained largely silent on the matter. Now, a cadre of lawmakers is demanding to know what, if anything, the agency might be doing to track and combat SIM swapping. KrebsOnSecurity, January 9, 2020

Cyber Danger

Android Phone for Low-Income Americans Contains Malware … The Unimax (UMX) U686CL is also primed to deliver adware and serve owners aggressive advertising: The FCC Lifeline program was established to offer more affordable communications to low-income consumers, but it’s been discovered one of the subsidized smartphones offered through the program contains unremovable malware. PC Mag, January 10, 2020

Nobel laureate Paul Krugman said he likely fell for a phishing scam. Here’s how phishing scams work and how to avoid them: Paul Krugman, the Nobel Prize-winning economist and columnist for the New York Times, took to Twitter Wednesday to share some alarming news. Business Insider, January 9, 2020

Cyber Update

Firefox attacks: Homeland Security urges all users to update browsers immediately in rare warning: If you use Mozilla Firefox’s web browser, you’ll want to drop what you are doing right now and update it. That urging doesn’t just come from Mozilla—it comes from the United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). FastCompany, January 10, 2020

Cyber Defense

Google Removes Nearly 1700 Malware-Infected Apps: Google said it has removed more than 1,700 Android apps infected with the malware Bread (Joker) since 2017. Google has defined the operation as one of the most persistent challenges in the company’s history. GritDaily, January 10, 2020

PayPal Confirms ‘High-Severity’ Password Security Vulnerability … The vulnerability was disclosed January 8 after being patched by PayPal on December 11, 2019: PayPal has confirmed that a researcher found a high-severity security vulnerability that could expose user passwords to an attacker. The researcher, Alex Birsan, earned a bug bounty of $15,300 (£11,700) for reporting the problem, which was disclosed January 8 having been patched by PayPal on December 11, 2019. Forbes, January 10, 2020

The age of cybersecurity is forcing parents to redefine “the talk”: According to data, children are using the internet more than ever before, and the trend shows no signs of slowing. QZ, January 10, 2020

Cyber Humor

Information Security Management in the Organization

Information Security Management and Governance

The 5 Biggest Cybersecurity Trends In 2020 Everyone Should Know About: The vital role that cybersecurity plays in protecting our privacy, rights, freedoms, and everything up to and including our physical safety will be more prominent than ever during 2020. More and more of our vital infrastructure is coming online and vulnerable to digital attacks, data breaches involving the leak of personal information are becoming more frequent and bigger, and there’s an increasing awareness of political interference and state-sanctioned cyberattacks. The importance of cybersecurity is undoubtedly a growing matter of public concern. Forbes, January 10, 2020

Cybersecurity in the C-Suite

Learning from the Travelex cyber attack: Failing to prepare is preparing to fail … Key lesson from the Travelex breach is that an effective response to a breach is a critical business function & no longer the sole province of the IT department: Thankfully, we now live in a world where it is accepted that data breaches happen and organisations are more comfortable disclosing that they have been victim to an attack. However, with this welcome move away from victim blaming, organisations are now being judged more on how well they manage a breach. ComputerWeekly, January 10, 2020

Cyber Warning

Citrix ADC CVE-2019-19781 Exploits Released, Fix Now!: Numerous working exploits for the Citrix ADC (NetScaler) CVE-2019-19781 vulnerability are finally here and have been publicly posted in numerous locations. There is no patch available for this vulnerability, but Citrix has provided mitigations, which should be applied now! BleepingComputer, January 11, 2020

Tricky Phish Angles for Persistence, Not Passwords: Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password. The phishing lure starts with a link that leads to the real login page for a cloud email and/or file storage service. Anyone who takes the bait will inadvertently forward a digital token to the attackers that gives them indefinite access to the victim’s email, files and contacts — even after the victim has changed their password. KrebsOnSecurity, January 7, 2020

The Hidden Cost of Ransomware: Wholesale Password Theft: Organizations in the throes of cleaning up after a ransomware outbreak typically will change passwords for all user accounts that have access to any email systems, servers and desktop workstations within their network. But all too often, ransomware victims fail to grasp that the crooks behind these attacks can and frequently do siphon every single password stored on each infected endpoint. The result of this oversight may offer attackers a way back into the affected organization, access to financial and healthcare accounts, or — worse yet — key tools for attacking the victim’s various business partners and clients. KrebsOnSecurity, January 6, 2020

Cyber Defense

Microsoft Enables Security Defaults in Azure Active Directory: Microsoft introduced new secure default settings dubbed ‘Security Defaults’ to Azure Active Directory (Azure AD), now available for all license levels, including trial tenants. BleepingComputer, January 10, 2020

Cyber Talent

14 Effective Tips For Creating and Sustaining Strong Cybersecurity Teams: Cybersecurity is among the most prominent concerns for businesses in the 21st century. In the past, physical security was all a company needed. However, poor cybersecurity today could put a business’ assets at risk without perpetrators even needing to perform a physical break-in. Forbes, January 10, 2020

Winning the war for cybersecurity talent … Security leaders say they expect demand for talent to outstrip supply for at least the next several years. Your task: develop staffing plans that recognize that reality: The numbers aren’t encouraging for CISOs looking to hire security professionals: The U.S. cybersecurity labor market is short about 500,000 workers, according to a recent report from the nonprofit training group (ISC)². CSO, January 10, 2020

Cyber Extortion

Maze Ransomware Publishes 14GB of Stolen Southwire Files: The Maze Ransomware operators have released an additional 14GB of files that they claim were stolen from one of their victims for not paying a ransomware demand. BleepingComputer, January 10, 2020

Cybersecurity in Society

Cyber Crime

WannaCry was the most common crypto ransomware attack last year … Almost a quarter of all encryption ransomware attacks encountered the WannaCry virus last year: Almost a quarter (23.56%) of all encryption ransomware attacks that occurred in 2019 had encountered the WannaCry virus according to new research from TechRadar, January 10, 2020

Hackers Cripple Airport Currency Exchanges, Seeking $6 Million Ransom: Travelex’s stores, airport counters and exchange services were forced offline by a ransomware attack on New Year’s Eve. The New York Times, January 9, 2020

Cyber Defense

FBI Document-Seeding Tactics Echo Decades-Old Hacker-Hunting Trick: The technology industry moves at a lightning pace, but it’s surprising how many things stay the same. An FBI project to thwart hackers that recently surfaced by Ars Technica is a good example; it has a lot in common with techniques outlined in a book released 30 years ago. InfoSecurity, January 10, 2020

National Cybersecurity

The Cybersecurity 202: Threat of Iran cyberattack remains high even as Trump backs away from potential war: Government and industry officials are still on high alert for bruising cyberattacks from Iran even though President Trump and Iranian leaders stepped back from the brink of a broader military conflict. The Washington Post, January 9, 2020

How Businesses and the US Government Build Teams to Protect Cyber National Security: Businesses and the US government must work together to protect national security in the 21st century. But why? Imagine you’re the general counsel for a burgeoning startup telecom company that just went through its IPO. Forbes calls your company the “hottest new service provider in the United States.” One day you get an invitation from the FBI and US Department of Homeland Security (DHS), offering you and your C-suite a one-day security clearance to participate in a classified cyber briefing at the FBI’s Los Angeles office. Curious, you, your chief information security officer (CISO), and your CEO, accept. ACC Docket, December 20, 2019

Cyber Freedom

Buckle Up for Another Facebook Election: By opting not to change the company’s political advertising rules, Mark Zuckerberg has ensured another election shaped by the social network. New York Times, Jan 10, 2020

‘Chaos Is the Point’: Russian Hackers and Trolls Grow Stealthier in 2020: The National Security Agency and its British counterpart issued an unusual warning in October: The Russians were back and growing stealthier. New York Times, January 10, 2020

Voting machine vendors to testify on election security: The CEOs of the three biggest U.S. voting equipment manufacturers will testify before the House Administration Committee on Thursday, marking the first election security hearing of 2020. The Hill, January 9, 2020

A New Voting System Promises Reliable Paper Records. Security Experts Warn It Can’t Be Trusted: A just-released study says over ninety percent of errors introduced by ballot marking devices go undetected. Mother Jones, January 8, 2020

Essays: Bots Are Destroying Political Discourse As We Know It: Presidential-campaign season is officially, officially, upon us now, which means it’s time to confront the weird and insidious ways in which technology is warping politics. One of the biggest threats on the horizon: Artificial personas are coming, and they’re poised to take over political debate. The risk arises from two separate threads coming together: artificial-intelligence-driven text generation and social-media chatbots. These computer-generated “people” will drown out actual human discussions on the internet. Schneier On Security, January 7, 2020

Critical Infrastructure

Hackers Increasingly Probe North American Power Grid … But Electric Sector, Driven by Regulators, Has Been Adapting, Experts Say: Hackers have been demonstrating fresh interest in the North American electric sector’s network and computer infrastructure, security researchers warn. But experts also say that the sector is increasingly well-prepared to identify and repel attackers, and that launching disruptive or destructive attacks remains a difficult, laborious, time-consuming and geopolitically dangerous process for nation-state hackers. BankInfoSecurity, January 10, 2020

Cyber Enforcement

Man jailed for using data breach info leaks to claim over $12 million in IRS tax refunds … Information leaked due to data breaches was used to file fraudulent tax returns: A St. Louis resident has been sentenced to four years behind bars for stealing the identities of US citizens to file fraudulent tax return claims, made possible through data leaked in security incidents. ZDNet, January 10, 2020

Cyber Miscellany

2020s are the decade of commercial quantum computing, says IBM … IBM spent a great deal of time showing off its quantum-computing achievements at CES, but the technology is still in its very early stages: There’s plenty of uncertainty to go around in the quantum-computing world, from the weird behaviour of the qubits themselves right up to which tech companies are going to come out on top. IBM took the chance at CES to push its vision of quantum and to detail its customer list thus far. ZDNet, January 10, 2020

The Y2K bug is back, causing headaches for developers again…New York Parking Meters Stop Taking Credit Cards: Twenty years ago, some developers dealt with the millennium bug by postponing it until… now. ZDNet, January 8, 2020

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge