Cybersecurity News of the Week, July 11, 2021

SecureTheVillage – Volunteers Needed for Golf Tournament

Golfer? Cybersecurity Pro? STV CyberLeader? We are looking for 10-15 people to join the STV Golf Committee for SecureTheVillage’s inaugural golf tournament on October 20, 2021 at Moorpark CC. The tournament will be part of our activities in support of Cybersecurity Awareness Month. The Golf Committee will consist of 10-15 people to help with marketing, logistics, setup, registration, administration, fundraising, etc. We are looking to fill these roles for the committee and have a successful inaugural tournament for the Village. To volunteer or for more information, email Board Member Jason Meshekow at jasonm@intouchis.com.

Individuals at Risk

Cyber Privacy

BIG BROTHER IS ACTUALLY RONALD MCDONALD: When I was on the road between appointments before Covid-19, I’d find a Starbucks where I could have a cup of coffee, get on the free Wi-Fi and do some work. Then one day, I read that Starbucks’ biggest competitor isn’t Peet’s or Coffee Bean & Tea Leaf. It’s McDonald’s. The Food Lawyers, June 15, 2021

Cyber Update

Microsoft Issues Emergency Patch for Windows Flaw: Microsoft on Tuesday issued an emergency software update to quash a security bug that’s been dubbed “PrintNightmare,” a critical vulnerability in all supported versions of Windows that is actively being exploited. The fix comes a week ahead of Microsoft’s normal monthly Patch Tuesday release, and follows the publishing of exploit code showing would-be attackers how to leverage the flaw to break into Windows computers. KrebsOnSecurity, July 7, 2021

Secure The Human

Confessions of a Famous Fraudster: How and Why Social Engineering Scams Work: In a world in which bad news dominates, social engineering scams that carry a promise of good news can be incredibly lucrative for cyber criminals. SecurityIntelligence, July 1, 2021

Cyber Humor

Information Security Management for the Organization

Information Security Management

Public cloud security ‘just barely adequate,’ experts say: Between the sharp rise in cyberattacks and overall rapid migration to the cloud, cloud security is quickly becoming a top concern for enterprises. And the more clouds are being used, the more there is to worry about. VentureBeat, July 9, 2021

How stopping lateral movement can defend against ransomware [Q&A]: Over the last couple of years the number of ransomware attacks has soared. While high-profile attacks make the headlines, organizations of all sizes are at risk. BetaNews, July 9, 2021

Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management: 2nd Public Draft of NISTIR 8286A Available for Comment: A second public draft of NISTIR 8286A is available: “Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management.” The comment period is open through August 6, 2021. NIST, July 6, 2021

Cyber Talent

‘Barely able to keep up’: America’s cyberwarriors are spread thin by attacks: A once-quiet epidemic, ransomware has emerged in 2021 as a major national security issue. NBC, July 8, 2021

Cybersecurity in Society

Cyber Crime

CNA warns customers it suffered a major data breach: Cybercriminals obtained customer information before infecting CNA’s systems with ransomware. TechRadarPro, July 9, 2021

Column: He spent 24 years building his business. A ransomware attack blew it to smithereens: Fran Finnegan was on vacation in New York just before the Fourth of July weekend when he received a disturbing text message from one of his customers: How come his website was down? LA Times, July 9, 2021

Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software: Last week cybercriminals deployed ransomware to 1,500 organizations, including many that provide IT security and technical support to other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya’s customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago. KrebsOnSecurity, July 8, 2021

Morgan Stanley discloses data breach that resulted from Accellion FTA hacks: Financial services firm says data was stolen by exploiting flaws discovered in December. ars technica, July 8, 2021

RNC says contractor breached in hack, GOP data secure: The Republican National Committee (RNC) on Tuesday acknowledged that one of its contractors had been breached by hackers linked to Russia but said its data had not been accessed. The Hill, July 6, 2021

Up to 1,500 businesses infected in one of the worst ransomware attacks ever: Mass compromise is having cascading effects around the world. ars technica, July 6, 2021

Cyber Surveillance

[VISUAL] The Overlapping Infrastructure of Urban Surveillance, and How to Fix It: Between the increasing capabilities of local and state police, the creep of federal law enforcement into domestic policing, the use of aerial surveillance such as spy planes and drones, and mounting cooperation between private technology companies and the government, it can be hard to understand and visualize what all this overlapping surveillance can mean for your daily life. We often think of these problems as siloed issues. Local police deploy automated license plate readers or acoustic gunshot detection. Federal authorities monitor you when you travel internationally. EFF, June 24, 2021

Cyber Privacy

ProtonMail, DuckDuckGo, others ask EU & US regulators to ban surveillance-based advertising: A group of privacy-first tech companies, including the likes of ProtonMail, DuckDuckGo, Vivaldi, Tutanota, and Startpage, have published an open letter today asking EU and US regulators to take action and ban surveillance-based advertising. TheRecord, July 7, 2021

Cyber Defense

The U.S. Desperately Needs a Civilian Cybersecurity Corps: Here is how we maximize its scale and potential. NextGov, July 9, 2021

New York City Opens Cyberattack Defense Center: Initiative brings together government agencies and business groups to share intelligence and respond to digital threats. The Wall Street Journal, July 8, 2021

Know Your Enemy

The anatomy of a ransomware attack: Inside the hacks that lock down computer systems and damage businesses. The Washington Post, July 9, 2021

Where do all those cybercrime payments go?: Here on Naked Security, we’ve regularly asked the question, or at least implied it: “Where do you think all those cybercrime payments go?” NakedSecurity, July 9, 2021

This Crowdsourced Ransomware Payment Tracker Shows How Much Cybercriminals Have Heisted: Ransomwhere keeps a publicly available running tally of ransoms paid out to cybercriminals in bitcoin. Gizmodo, July 6, 2021

Cyber Insurance

Cyber Insurance Industry in Crosshairs of Ransomware Criminals: In the past few weeks, ransomware criminals claimed as trophies at least three North American insurance brokerages that offer policies to help others survive the very network-paralyzing, data-pilfering extortion attacks they themselves apparently suffered. InsuranceJournal, July 7, 2021

National Cybersecurity

Biden Warns Putin to Act Against Ransomware Groups, or U.S. Will Strike Back: Mr. Biden’s phone call appeared to be a pointed ultimatum to stop the hackers, who have attacked computer networks in the United States with relative impunity. The New York Times, July 9, 2021

The NSA’s ‘New’ Mission: Get More Public With the Private Sector: The National Security Agency’s gradual emergence from the shadows was “inevitable” in cybersecurity, says Vinnie Liu, co-founder and CEO of offensive security firm Bishop Fox and a former NSA analyst. Now the agency has to figure out how to best work with the private sector, especially organizations outside the well-resourced and seasoned Fortune 100. DarkReading, July 8, 2021

Top lawyer for U.S. cyberwarriors calls for military cyber response to global criminal hackers: The U.S. has long been reluctant to respond forcefully with cyber weapons to hacking by either nations or criminals, partly because the U.S. is vulnerable. NBC, July 8, 2021

Revisiting a Framework on Military Takedowns Against Cybercriminals: In an April Lawfare post, Jason Healey offered a five-part test to determine the appropriateness of using U.S. military cyberspace operations to respond to criminal cyber activities. The test counsels that the military should operate against criminal cyber threats based solely on their imminence, the perils they pose, their magnitude, and their link to major nation-state adversaries. LawFare, July 2, 2021

Cyber Lawsuit

Kroger, British Airways Agree to Settle Data Breach Lawsuits: U.S.-based pharmacy and supermarket chain Kroger and U.K.-based British Airways have each agreed to settle class action lawsuits filed in the wake of two massive data breaches. BankInfoSecurity, July 6, 2021

Cyber Law

Colorado third state to enact comprehensive privacy law: Colorado became the third state to pass a comprehensive data privacy law when Gov. Jared Polis signed the Colorado Privacy Act (CPA) on Wednesday. Compliance Week, July 8, 2021

Connecticut Governor Lamont signs bill offering companies a shield from data breach lawsuits: A bill shielding Connecticut businesses from liability for data breaches, as long as they adopt and maintain approved cybersecurity protocols, is now law. HBJ, July 7, 2021

New York Department of Financial Services Issues New Guidance on Ransomware Prevention: DFS Guidance Identifies Key Cybersecurity Measures to Reduce Risk of Ransomware Attacks. Superintendent Linda A. Lacewell today announced that the New York State Department of Financial Services (DFS) has issued new guidance on preventing ransomware attacks. In the guidance, DFS identifies cybersecurity controls that significantly reduce the risk of a ransomware attack and should be implemented by companies wherever possible. DFS NY, June 30, 2021

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.