Cybersecurity News of the Week, July 12, 2020

SecureTheVillage Calendar

Town Hall Webinar: Personal Cyber Security with Dr. Steve Krantz. July 21 @ 1:00 pm – 2:30 pm PDT, Calabasas Senior Center, Calabasas, CA

STV Happy Hour – July 2020. July 23 @ 4:30 pm – 5:30 pm PDT

Technology & Security Management Happy Hour: Introduction to the ME-ISAC with Founder Chris Taylor. July 28 @ 4:30 pm – 5:30 pm PDT

Town Hall Webinar: NIST Cyberprivacy Frameworks. August 13 @ 10:00 am – 11:00 am PDT

Financial Services Cybersecurity Roundtable – August 2020. August 21 @ 8:00 am – 10:00 am PDT

Town Hall Webinar: The Great Reboot: Succeeding in a World of Catastrophic Risk and Opportunity with Bob Zukis & Others. September 10 @ 10:00 am – 11:00 am PDT

Individuals at Risk

Cyber Privacy

Signal’s New PIN Feature Worries Cybersecurity Experts: The popular encrypted app is now going to store your contacts in the cloud. Experts are worried this compromises users’ privacy. Vice, July 10, 2020

Apple Makes a Major Privacy Move in iOS 14 by Allowing Users to Disable Ad Tracking and Have Greater Insight Into App Permissions: The headline announcement from Apple’s 2020 Worldwide Developers Conference was that users would be getting an unprecedented level of control over personal privacy, enough that it might entirely upend mobile marketing on iOS. The headline item was that users would be able to selectively disable ad tracking by making their unique ID invisible to certain apps, but a suite of other enhanced privacy features was introduced: more detailed breakdowns of app permissions, new indicator lights and new Safari screening features among them. CPO, July 8, 2020

Inside the Invasive, Secretive “Bossware” Tracking Workers: COVID-19 has pushed millions of people to work from home, and a flock of companies offering software for tracking workers has swooped in to pitch their products to employers across the country. EFF, June 30, 2020

Identity Theft

E-Verify’s “SSN Lock” is Nothing of the Sort: One of the most-read advice columns on this site is a 2018 piece called “Plant Your Flag, Mark Your Territory,” which tried to impress upon readers the importance of creating accounts at websites like those at the Social Security Administration, the IRS and others before crooks do it for you. A key concept here is that these services only allow one account per Social Security number — which for better or worse is the de facto national identifier in the United States. But KrebsOnSecurity recently discovered that this is not the case with all federal government sites built to help you manage your identity online. KrebsOnSecurity, July 4, 2020

Cyber Update

Still using Windows 7? Zoom Issues Patch as Zero-Day Allows Remote Code Execution: Researchers said that the issue is only exploitable on Windows 7 and earlier. ThreatPost, July 9, 2020

Cyber Defense

Mozilla suspends Firefox Send service while it addresses malware abuse: Mozilla has temporarily suspended the Firefox Send file-sharing service while it adds a Report Abuse mechanism. ZDNet, July 7, 2020

Cyber Warning

Microsoft Warns on OAuth Attacks Against Cloud App Users: Application-based attacks that use the passwordless “log in with…” feature common to cloud services are on the rise. ThreatPost, July 9, 2020

SurveyMonkey Phishers Go Hunting for Office 365 Credentials: Security researchers are warning of a new phishing campaign that uses malicious emails from legitimate SurveyMonkey domains in a bid to bypass security filters. InfoSecurity, July 9, 2020

‘Undeletable’ Malware Shows Up in Yet Another Android Device: Researchers have found trojans and adware in preinstalled apps on a low-cost device distributed by the government-funded Lifeline Assistance Program. ThreatPost, July 9, 2020

11 Google Play apps infected with nasty Android malware: What to do: The malware signs users up to premium subscriptions. Tom's Guide, July 9, 2020

Cyber Humor

Information Security Management for the Organization

Information Security Management

Overcoming Data Security Challenges in a Hybrid, Multicloud World: Cloud computing is evolving at a rapid pace. Today, there’s a range of choices for moving applications and data to cloud that includes various deployment models from public and private to hybrid cloud service types. Organizations are seeking ways to utilize multiple clouds as part of a broader digital strategy. With a multicloud approach, companies can avoid vendor lock-in and take advantage of the best-of-breed technologies, such as artificial intelligence (AI) and blockchain. SecurityIntelligence, July 9, 2020

Commentary: Cybersecurity Safeguards Should Extend to Supply-Chain Partners: Companies must treat cybersecurity as a supply chain as work changes under the coronavirus pandemic create new vulnerabilities, say two supply-chain educators. The Wall Street Journal, July 9, 2020

Google announced that its Tsunami vulnerability scanner for large-scale enterprise networks is going to be open-sourced: Google has decided to release as open-source a vulnerability scanner for large-scale enterprise networks named Tsunami. SecurityAffairs, July 9, 2020

Company web names hijacked via outdated cloud DNS records: US security researcher Zach Edwards recently tweeted about finding 250 company website names that had been taken over by cybercriminals. NakedSecurity, July 8, 2020

Cybersecurity As We Know It Is About To Change: Pundits across the world have set their sights on a post-pandemic future, arguing that a new normal is about to descend upon us. While I recognize much of what the future holds is ambiguous, I believe there is an area that will become our inevitable reality — continued cyberthreats as a result of rapid digitalization. Forbes, July 8, 2020

Privacy Management

CCPA 2.0 Will Be On California’s November 2020 Ballot: What Employers Need to Know: In 2018, the California legislature enacted the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020 but was amended six times before it even took effect. Concerned about prior proposals to weaken the CCPA and that consumers still do not understand how their personal information is being used by businesses, proponents of the CCPA have proposed a ballot initiative for the November 2020 ballot titled the California Privacy Rights Act of 2020 (CPRA)—colloquially known as CCPA 2.0. The CPRA qualified for the November ballot in late June. CPO, July 10, 2020

Cyber Warning

Researchers Discover New macOS Ransomware Downloaded From Pirated Torrent Sites … Ransomware operators do not track payments and are unlikely to provide the decryption keys even if victims paid the ransom: Computer security researchers uncovered a ransomware strain that exclusively targets computers running the macOS operating system. Known as OSX.ThiefQuest, the new Mac ransomware variant differs from other ransomware threats in its operations. Apart from encrypting files, the macOS ransomware installs a keylogger and a reverse shell on the infected devices. ThiefQuest also steals cryptocurrency wallet-related user files from the infected hosts. Researchers also found that the ransomware operators do not track payments and are unlikely to provide the decryption keys even if victims paid the ransom. CPO, July 9, 2020

Cyber Defense

Video Conferencing Security Tips You May Have Overlooked: Video conferencing applications grew substantially following the outbreak of the coronavirus (COVID-19) global pandemic. According to Research and Markets article “Video Conferencing Demand Rises due to Social-Distancing,” video conferencing software experienced 62 million downloads in March 2020. This increase in use resulted from businesses adopting video conferencing platforms as a means to facilitate their transition to remote work. SecurityIntelligence, July 8, 2020

Cyber Talent

Is there really a cybersecurity skills shortage?: Companies are struggling to find cybersecurity talent, and roles remain unfilled for months at a time. But is there really a lack of qualified candidates on the market? Is the problem with the lack of skills – or are we inadvertently limiting the talent pool before we even post the job spec? SecurityMagazine, July 9, 2020

Cybersecurity in Society

Cyber Crime

APT Group Targets Fintech Companies: A little-known advanced persistent threat group dubbed Evilnum has been targeting fintech firms in the U.K. and Europe over the past two years, using spear-phishing emails and social engineering to start their attacks, according to the security firm ESET. BankInfoSecurity, July 9, 2020

Cyber Attack

Ex-cyber officials: Iran may change aggressive policies until licks wounds: Iran has acknowledged that at least the explosion at Natanz was likely an attack. The Jerusalem Post, July 11, 2020

Mitigating a 754 Million PPS DDoS Attack Automatically: On June 21, Cloudflare automatically mitigated a highly volumetric DDoS attack that peaked at 754 million packets per second. The attack was part of an organized four day campaign starting on June 18 and ending on June 21: attack traffic was sent from over 316,000 IP addresses towards a single Cloudflare IP address that was mostly used for websites on our Free plan. No downtime or service degradation was reported during the attack, and no charges accrued to customers due to our unmetered mitigation guarantee. Cloudflare, July 9, 2020

Know Your Enemy

The Secret Service on tracking Bitcoin and cybercrime: The US Secret Service has opened up on its views about cryptocurrency and cybercrime, and it’s not as anti-crypto as you may think. Decrypt, July 10, 2020

National Cybersecurity

U.S. Cybersecurity Policy, Strategy and Initiatives: Director Needed? … A bipartisan group of lawmakers has introduced legislation to establish a White House level director to head the nation’s cybersecurity initiatives: The recently introduced National Cyber Director Act would create a National Cyber Director within the White House, functioning as the President’s principal advisor on cybersecurity and associated emerging technology issues and recognized as the lead national-level coordinator for cyber strategy and policy. The legislation is sponsored by Reps. Jim Langevin (D-RI) and Mike Gallagher (R-WI) and backed by four additional congressional members. MSSP Alert, July 10, 2020

Cyber Law

Kinda sorta weakened version of EARN IT Act creeps closer: There are gut-churning tales of online child sexual abuse material. NakedSecurity, July 9, 2020

Cyber Freedom

Biden campaign hires top cybersecurity officials to defend against threats: The presidential campaign of former Vice President Joe Biden announced Friday that it had filled the positions of chief information security officer (CISO) and chief technology officer (CTO) in order to address potential cybersecurity threats to the campaign. The Hill, July 10, 2020

Cyber Surveillance

Using Adversarial Machine Learning, Researchers Look to Foil Facial Recognition: For privacy-seeking users, good news: Computer scientists are finding more ways to thwart facial and image recognition. But there’s also bad news: Gains will likely be short-lived. DarkReading, July 9, 2020

Internet of Things

U.N. Rules Require Cybersecurity Guarantees for Connected Cars … Car companies must introduce safeguards to protect vehicles from hackers under new rules: Manufacturers selling cars in jurisdictions including Japan, South Korea and the European Union will soon be required to secure connected vehicles against cyberattacks under a new United Nations regulation. The Wall Street Journal, July 9, 2020

Cyber Enforcement

Fxmsp Probe: Feds Say Group-IB Report Forced Its Hand: Hacking Suspect Named in Sealed Indictment Was Independently Outed by Researchers. BankInfoSecurity, July 9, 2020

Criminal charges reveal the identity of the “invisible god” hacker: Newly-unsealed court documents name a Kazakh man as the mastermind behind a hacking campaign that hit 44 countries. They also detail his short-lived successes. MIT Technology Review, July 7, 2020

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.
