Cybersecurity News of the Week, June 7, 2020

SecureTheVillage Calendar

TownHallWebinar: Securing Your Home and Family (Part 2) – SecureTheVillage. June 11 @ 10:00 am – 11:00 am PDT

Financial Services Cybersecurity Roundtable: Cyber and the Insider Threat – June 2020. June 19 @ 8:00 am – 10:00 am PDT

STVHappyHour: A CIO and a Cyberinsurance Broker Walk Into a Bar … June 23 @ 4:30 pm – 5:30 pm PDT

TownHallWebinar: Up On Cyber 2020. June 25 @ 8:00 am – 12:30 pm PDT

TownHallWebinar: Personal Cyber Security with Dr. Steve Krantz. July 21 @ 1:00 pm – 2:30 pm PDT, Calabasas Senior Center, Calabasas, CA

Individuals at Risk

Cyber Privacy

FTC Slams Children’s App Developer for COPPA Violations: Children’s app developer HyperBeard must pay $150,000 after the FTC claimed it violated privacy laws. ThreatPost, June 5, 2020

Identity Theft

Another Epidemic to Worry About: Identity Theft: Identity thieves are increasingly using stolen information to hijack their victims’ accounts, a costly type of fraud that’s expected to increase as the COVID-19 pandemic forces more Americans to work and shop online. Kiplinger, June 5, 2020

Information Security Management for the Organization

Cybersecurity in the C-Suite & Board

Ecommerce Unprepared for Dramatic Rise in Account Takeover Attacks. Research suggests over 1/4 of ecommerce retailers unprepared for attack and 2/3 of customers would stop shopping at online retailer if they suffered such an attack: Ensuring security in the online shopping world can be a tricky business for ecommerce retailers, with a sizeable minority not being prepared for account takeover attacks and equally as many customers willing to walk away if they suffer from one. CPO, June 4, 2020

Information Security Management

How Zero Trust Will Change Your Security Design Approach: As a security architect within IBM Security Services, I often get asked the question, “What exactly is a Zero Trust architecture?” Well, there is no single or unique answer to that question for two reasons. SecurityIntelligence, June 4, 2020

How Cybersecurity Leaders Can Chart the Seas of Business Communication: As organizations prepare for the remainder of 2020, cybersecurity leaders can use this opportunity to review their communication style and improve how they share key messages across the organization. Taking time to refine business communication can help those in security and technical leadership roles heighten the effectiveness of their messaging and ensure alignment with organizational priorities. SecurityIntelligence, June 3, 2020

Shift Your Cybersecurity Mindset to Maintain Cyber Resilience: As the business world navigates the ups and downs of today’s economy, a mindset shift is required to maintain cyber resilience. Cybersecurity, often an afterthought in a strong economy, must not be neglected in responding to shifts in the business landscape. SecurityIntelligence, June 4, 2020

Privacy Management

How to Monitor Employees While Respecting Data Privacy: Employee monitoring software is a critical resource for protecting intellectual property, securing sensitive data, and ensuring that company assets are used appropriately. The solutions used to monitor employees can collect a vast range of potentially data including file access history, internet use, keystrokes, and email traffic. To ensure compliance with data privacy regulations the implementation of these technologies must be properly assessed against the potential privacy impacts they can have for employees. CPO, June 5, 2020

Cyber Warning

This new ransomware targets Windows and Linux in surprising ways: Aimed at SMBs, educational facilities, and software companies, the ransomware leverages Java to encrypt server-based files, according to BlackBerry and KPMG. TechRepublic, June 4, 2020

Cybercriminals now spoofing job hunters to deploy password-stealing malware: Malicious files masquerading as curriculum vitae are being sent to businesses to install malware that can capture passwords and other sensitive information, says Check Point Research. TechRepublic, June 4, 2020

Secure The Human

Survey highlights major behavioral challenges in Work-From-Home security. Researchers found, e.g., that nearly half (48%) of employees are less likely to follow safe data practices while working remotely: As workers the world over begin adjusting to remote working, a whole host of security risks loom behind the scenes. This is evidenced by a new report published by email security firm Tessian, which reveals that nearly half of employees are less likely to follow safe data practices when working from home, and that US workers tend to be more nonchalant about their data security than their counterparts in the UK. CPO, June 5, 2020

Cybersecurity in Society

Cyber Crime

IT Services Giant Conduent Restores Service After Suffering Ransomware Attack, Data Breach: Conduent, a $4.4 billion by revenue (2019) IT services giant, has admitted that a ransomware attack hit its European operations — but says it managed to restore most systems within eight hours. CBR, June 5, 2020

Electrolux, Others Conned Out of Big Money by BEC Scammer: Kenenty Hwan Kim has pleaded guilty to swindling the appliance giant and other companies in a set of elaborate schemes. ThreatPost, June 5, 2020

Michigan State University won’t pay ransom after cyber attack: EAST LANSING, MI — Michigan State University says it won’t pay a ransom demanded in a cyber attack that occurred over Memorial Day weekend. MLive, June 4, 2020

Ransomware attack hits federal IT contractor: Digital Management LLC (DMI), a Maryland-based IT professional services contractor that has done business with NASA and a number of other federal agencies, appears to have been hit with a ransomware attack. FCW, June 4, 2020

REvil Ransomware Gang Starts Auctioning Victim Data: The criminal group behind the REvil ransomware enterprise has begun auctioning off sensitive data stolen from companies hit by its malicious software. The move marks an escalation in tactics aimed at coercing victims to pay up — and publicly shaming those who don’t. But it may also signal that ransomware purveyors are searching for new ways to profit from their crimes as victim businesses struggle just to keep the lights on during the unprecedented economic slowdown caused by the COVID-19 pandemic. KrebsOnSecurity, June 2, 2020

Cyber Attack

Google Alerts Trump, Biden Campaigns of Targeted Phishing Attacks From China and Iran: Separate state-sponsored phishing attacks unsuccessfully attempted to infiltrate the campaign offices of President Donald Trump and former Vice President Joe Biden, according to Google’s Threat Analysis Group, which warned both candidates of the incidents and provided details to law enforcement officials. BankInfoSecurity, June 5, 2020

NSA Releases a Cybersecurity Advisory on Russian Hackers Takeover Through Special Crafted Emails: The National Security Agency (NSA) has warned of elite Russian military hackers actively exploiting a popular email program to infiltrate computer systems within the United States. The Russian military hacking group, Sandworm Team, operates as part of the Russian General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies. Sandworm has been in operation for more than a decade and has carried out sophisticated cyberattacks against governments, telecommunications, and energy sectors in Ukraine, Poland, the European Union, and NATO. The group was responsible for the NotPetya attacks in 2017, which resulted in the loss of billions of dollars in North America, Europe and Asia. It also carried out large-scale attacks against private websites in the country of Georgia. Sandworm enjoys Russian backing as the state-sanctioned threat actor carrying out Russian cyberwar campaign. CPO, June 4, 2020

Cyber Privacy

Final Proposed CCPA Regulations Submitted to California’s Office of Administrative Law, But the California Privacy Landscape Remains Clear as Mud: Foley & Lardner LLP. The California Attorney General Xavier Becerra submitted the final proposed regulations (the “Regulations”) under the California Consumer Privacy Act of 2018 (“CCPA”) to the California Office of Administrative Law (“OAL”) on June 1, 2020. The Regulations were submitted on the last day that would normally be permitted under California law without reliance on other procedural measures that would have provided even less time for businesses subject to the CCPA to comply with the Regulations. Normally the OAL has 30 days to review any proposed regulations and, if approved, submit them to the California Secretary of State. However, Governor Newsom’s Executive Order N-40-20 would extend this time as a result of the COVID-19 pandemic. For the Regulations to be adopted prior to the July 1, 2020 enforcement date (which Attorney General Becerra has previously indicated will not be delayed), Attorney General Becerra also requested that the OAL expedite and complete its review within 30 business days given CCPA’s statutory mandate for the regulations. Attorney General Becerra also requested that the Regulations become effective immediately upon the filing of the approved Regulations with the Secretary of State so they will be immediately enforceable. JDSupra, June 5, 2020

Proposed California Privacy Rights Act Would Amend and Strengthen Existing State Privacy Laws, Bringing Them More in Line With GDPR Terms: The California Consumer Privacy Act (CCPA) is presently the strongest privacy rights act in the United States. Though it was modeled after the EU General Data Protection Regulation (GDPR), it lacks the full spectrum of consumer protections. A proposed amendment to the 2018 ballot initiative would add some of those protections if it passes in November. Dubbed the California Privacy Rights Act (CPRA), the new bill would expand the scope of sensitive personal information, add new safeguards for minors, and establish a new independent enforcement agency among other terms. CPO, June 5, 2020

Cyber Freedom

Online voting is my 2020 cybersecurity nightmare: COVID-19 social distancing measures will likely continue through 2020 — or should — significantly impacting the November election. One proposed solution has been a shift to online voting — an approach that is the dream of many voting reform advocates and the nightmare of cyber and national security experts. The Hill, June 6, 2020

Q&A: Influential cybersecurity expert and Purdue University professor Eugene Spafford on the Risks of Internet Voting: Allowing people to cast their ballots online to circumvent coronavirus-related health concerns introduces problems that we simply don’t know how to manage, says the Purdue University professor and security leader. DarkReading, June 5, 2020

Cyber Government

Local, State Governments Face Cybersecurity Crisis. Ransomware hit small government organizations hard in 2019. Now they have to deal with budget cuts, pandemic precautions, social unrest, and the coming election cycle: Already under attack by cybercriminals and ransomware operators, state and local government are facing heightened cybersecurity threats as they move into the second half of 2020, when they will be required to manage elections while dealing with hard economic choices, experts said this week. DarkReading, June 5, 2020

Information Security Management

DOD Officials, Cybersecurity CMMC Accreditation Partners Struggle with the China Question as They Strengthen Security of Aerospace-Defense Supply Chain: The Defense Department and the accreditation body charged with implementing its Cybersecurity Maturity Model Certification aren’t clear on a plan to deal with contractors that have a significant portion of their supply chains based in China, according to a DOD official. NextGov, June 5, 2020

Cyber Defense

Google deletes Indian app that deleted Chinese apps: Google has deleted an app from the Play Store that offered to delete Android software associated with China. NakedSecurity, June 4, 2020

Know Your Enemy

Romanian Skimmer Gang in Mexico Outed by KrebsOnSecurity Stole $1.2 Billion: An exhaustive inquiry published today by a consortium of investigative journalists says a three-part series KrebsOnSecurity published in 2015 on a Romanian ATM skimming gang operating in Mexico’s top tourist destinations disrupted their highly profitable business, which raked in an estimated $1.2 billion and enjoyed the protection of top Mexican authorities. KrebsOnSecurity, June 3, 2020

Career Choice Tip: Cybercrime is Mostly Boring: When law enforcement agencies tout their latest cybercriminal arrest, the defendant is often cast as a bravado outlaw engaged in sophisticated, lucrative, even exciting activity. But new research suggests that as cybercrime has become dominated by pay-for-service offerings, the vast majority of day-to-day activity needed to support these enterprises is in fact mind-numbingly boring and tedious, and that highlighting this reality may be a far more effective way to combat cybercrime and steer offenders toward a better path. KrebsOnSecurity, May 29, 2020
