Cybersecurity News of the Week, June 28, 2020

SecureTheVillage Calendar

Leadership Council Meeting, July 8: Special Guest Dr. Vinton Cerf, Father of the Internet. July 8 @ 12:00 pm – 1:30 pm PDT

TownHallWebinar: NIST Cyberprivacy Cybersecurity Frameworks. July 9 @ 10:00 am – 11:00 am PDT

TownHallWebinar: Personal Cyber Security with Dr. Steve Krantz. July 21 @ 1:00 pm – 2:30 pm PDT, Calabasas Senior Center, Calabasas, CA

STVHappyHour – July 2020. July 23 @ 4:30 pm – 5:30 pm PDT

TownHallWebinar: NIST Cyberprivacy Frameworks. August 13 @ 10:00 am – 11:00 am PDT

Financial Services Cybersecurity Roundtable – August 2020. August 21 @ 8:00 am – 10:00 am PDT

TownHallWebinar: The Great Reboot: Succeeding in a World of Catastrophic Risk and Opportunity with Bob Zukis & Others. September 10 @ 10:00 am – 11:00 am PDT

Individuals at Risk

Cyber Privacy

Safari for iOS 14 will spotlight the ad trackers following your every move: Safari set to receive privacy boost with iOS 14 and macOS 11. TechRadar, June 26, 2020

TikTok To Stop Clipboard Snooping After Apple Privacy Feature Exposes Behavior: App will stop reading users’ device cut-and-paste data after a new banner alert in an Apple update uncovered the activity. ThreatPost, June 26, 2020

‘BlueLeaks’ Exposes Files from Hundreds of Police Departments: Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week. The collection, dubbed “BlueLeaks” and made searchable online, stems from a security breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals. KrebsOnSecurity, June 26, 2020

Exposed Data Contains Explicit Images and Conversations of Niche Dating Apps Users: The vpnMentor research team, led by Noam Rotem and Ran Locar, uncovered a security flaw that exposed sensitive information from several niche dating apps. Over 20 million files, including explicit pictures shared by users, were released in the breach. Initial investigation of the exposed data reveals that the apps share a common developer, given their common storage infrastructure and app design. The compromised apps targeted people with alternative lifestyles and released sensitive data, including sexual fetishes, dating preferences, and sexually transmitted diseases. The source of the leak was a misconfigured Amazon Web Services account, and it was unclear whether any hacker had accessed the information before vpnMentor discovered the security flaw. CPO, June 26, 2020

350,000 Social Media Influencers and Users at Risk Following Data Breach: Personal data of an estimated 100,000 social media influencers has been accessed and partially leaked following a breach at social media marketing firm Preen.Me, Risk Based Security has discovered. The same breach has also led to more than 250,000 social media users having their information fully exposed on a deep web hacking forum, leaving these individuals at risk of being targeted by scams. InfoSecurity Magazine, June 25, 2020

VICTORY: Zoom Will Offer End-to-End Encryption to All Its Users: We are glad to see Zoom’s announcement today that it plans to offer end-to-end encryption to all its users, not just those with paid subscriptions. Zoom initially stated it would develop end-to-end encryption as a premium feature. Now, after 20,000 people signed on to EFF and Mozilla’s open letter to Zoom, Zoom has done the right thing, changed course, and taken a big step forward for privacy and security. EFF, June 17, 2020

Identity Theft

What your personal identity and data are worth on the Dark Web: Your credit card is worth around $33, your driver’s license around $27, and your PayPal account around $42. TechRepublic, June 25, 2020

Cyber Humor

Information Security Management for the Organization

Cybersecurity in the C-Suite & Board

Ransomware Attacks Have Consumers Up in Arms, Want CEOs Punished: Chief executives should be held personally accountable for ransomware attacks against their companies, a new survey has suggested, with many consumers believing that CEOs should pay out compensation if their company suffers an attack. CPO, June 26, 2020

Information Security Management

There is no cybersecurity silver bullet: There’s no single cybersecurity solution. TechRadarPro, June 26, 2020

Security Has Become an Arms Race: With COVID-19 (coronavirus) forcing almost all non-essential workers to halt travel and work from home full-time, our dependency on connected devices has never been so high. Even after the global health crisis passes, it is likely that this trend of increased digital dependency will continue in the wake of COVID-19, thrusting us into a “new normal,” where remote connectivity is more deeply integrated into our daily lives than ever before. In this “new normal,” not only will we be surrounded by more connected devices than ever before, but these devices will be increasingly sophisticated with higher levels of functionality. CPO, June 26, 2020

Cyber Warning

Most malware in Q1 2020 was delivered via encrypted HTTPS connections: 67% of all malware in Q1 2020 was delivered via encrypted HTTPS connections and 72% of encrypted malware was classified as zero day, so would have evaded signature-based antivirus protection, according to WatchGuard. HelpNetSecurity, June 25, 2020

Cyber Danger

Chinese bank forced western companies to install malware-laced tax software … GoldenSpy backdoor trojan found in a Chinese bank’s official tax software, which the bank has been forcing western companies to install: A Chinese bank has forced at least two western companies to install malware-laced tax software on their systems, cyber-security firm Trustwave said in a report published today. ZDNet, June 25, 2020

Cyber Update

Attackers Target Vulnerable Exchange Servers: Microsoft is warning its customers that attackers are increasingly targeting unpatched Exchange servers. BankInfoSecurity, June 26, 2020

Cybersecurity in Society

Cyber Crime

Major US Companies Targeted in New Ransomware Campaign: Evil Corp. group hit at least 31 customers in campaign to deploy WastedLocker malware, according to Symantec. DarkReading, June 26, 2020

‘The most stressful four hours of my career:’ How it feels to be the victim of a hacking attack: Being a victim of cybercrime can be about much more than just the financial losses. ZDNet, June 26, 2020

A hacker group stole $200 million from 5 Bitcoin exchanges … The hacker group used “spear-phishing” attacks to gain access to crypto exchanges. And it proved to be effective: A single hacker group has stolen around $200 million in cryptocurrency from exchanges, cyber-security firm ClearSky revealed in a report yesterday. Decrypt, June 26, 2020

Cyber Warning

FBI warns K12 schools of ransomware attacks via RDP: The FBI has issued a security alert warning K12 schools of the “ransomware threat” during the COVID-19 pandemic. ZDNet, June 25, 2020

Cyber Attack

Two record DDoSes disclosed this week underscore their growing menace … More bots + better DDoS traps = ever-growing amounts of junk traffic: Distributed denial-of-service attacks—those floods of junk traffic that criminals use to disrupt or completely take down websites and services—have long been an Internet scourge, with events that regularly cripple news outlets and software repositories and in some cases bring huge parts of the Internet to a standstill for hours. Now there’s evidence that DDoSes, as they’re usually called, are growing more potent, with two record-breaking attacks coming to light in the past week. ars technica, June 25, 2020

Cyber Defense

Bill proposes national cyber-security czar: A bill with bipartisan Congressional support proposes creating a national cyber-security czar who would report directly to the president. ComplianceWeek, June 26, 2020

Know Your Enemy

Russian Criminal Group Finds New Target: Americans Working at Home … A hacking group calling itself Evil Corp. has shown up in corporate networks with sophisticated ransomware. American officials worry election infrastructure could be next: A Russian ransomware group whose leaders were indicted by the Justice Department in December is retaliating against the U.S. government, many of America’s largest companies and a major news organization, identifying employees working from home during the pandemic and attempting to get inside their networks with malware intended to cripple their operations. The New York Times, June 25, 2020

Cyber Law

Google Appeal Dismissed in France, Will Pay the Largest Fine in GDPR History: Google isn’t having an easy time of it as data protection is tightening. Recently, the French Supreme Court of Administrative Law rejected Google’s appeal against the $57 million fine imposed last year for failing to tell its users how it handles their personal information. On June 19, the French State Council officially released the ruling, confirming the previous findings of the data regulator CNIL that Google did not provide Android users with “clear enough” information. This means that it did not have lawful consent to use user data for targeted advertising. Considering the seriousness and continuity of Google’s violations, the $57 million fine is also justified. GizChina, June 26, 2020

Importance of CCPA Compliance Highlighted by First Round of Private Actions: The first wave of California Consumer Privacy Act litigation has begun to roll in, and the complaints are already raising interesting questions about the scope of CCPA’s private right of action. The actions assert a variety of claims under numerous theories and present a broad range of potential risks to businesses subject to CCPA. In light of the many questions that surround CCPA’s private right of action, the extent of possible liability from private litigation is still largely unknown and potentially significant. National Law Review, June 26, 2020

Internet of Things

How Amazon and Walmart Could Fix IoT Security … Bruce Schneier Says Pressure on Retailers Could Fix Insecure IoT Supply Chains: IoT devices can be made cheaply and quickly. But as a result, they may lack adequate security features. BankInfoSecurity, June 25, 2020

Cyber Enforcement

New Charges, Sentencing in Satori IoT Botnet Conspiracy: The U.S. Justice Department today charged a Canadian and a Northern Ireland man for allegedly conspiring to build botnets that enslaved hundreds of thousands of routers and other Internet of Things (IoT) devices for use in large-scale distributed denial-of-service (DDoS) attacks. In addition, a defendant in the United States was sentenced today to drug treatment and 18 months community confinement for his admitted role in the botnet conspiracy. KrebsOnSecurity, June 25, 2020

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.