Cybersecurity News of the Week, March 1, 2020

SecureTheVillage Calendar

Personal Cyber Security with Dr. Steve Krantz, March 10, 1:00 – 2:30, Calabasas, CA

Webinar: How Simple Changes to Your Contracts Can Mitigate Risk Under the CCPA, Host Stan Stahl. Stan’s Guests: Matthew Seror, Shareholder Buchalter, Weiss Hamid, Associate Buchalter, March 12, 10:00 – 11:00

Personal Cyber Security with Dr. Steve Krantz, March 16, 11:15 – 12:15, Encino, CA

Protect Yourself From IDentity Theft, Stan Stahl, Karen Codman, March 18, 1:00 – 2:00, Long Beach

Protect Yourself From IDentity Theft, Stan Stahl, Karen Codman, March 18, 7:00 – 8:00, Long Beach

Financial Services Cybersecurity Roundtable – March 2020, Kevin Tsuei, CISSP, CEH, CISA, Technology Practice Director, AuditOne, Technology Risk Mitigation for Bankers: Understanding Cybersecurity Risks & The Latest Regulatory Expectations, March 20, 8:00am – 10:00am

Individuals at Risk

Cyber Privacy

Clearview AI has billions of our photos. Its entire client list was just stolen: New York (CNN Business)Clearview AI, a startup that compiles billions of photos for facial recognition technology, said it lost its entire client list to hackers. CNN, February 26, 2020

IoT Insecurity: When Your Vacuum Turns on You: From vacuum cleaners to baby monitors, the IoT landscape continues to be plagued by concerning security issues that lead to privacy threats. ThreatPost, February 27, 2020

Cyber Danger

Android Malware Can Steal 2FA Codes From Google Authenticator App … Malware disguises itself as an app like “Flash Player” to get user to grant it Android’s Accessibility Service privileges: An Android malware strain being sold to hackers has gained a scary capability: it can now try to steal two-factor codes from the Google Authenticator app. PCMag, February 28, 2020

Cyber Update

Devices You Own Were Among Billions Vulnerable To A Nasty Wi-Fi Bug: Do you own a smartphone, tablet, or laptop? Do you have a wireless router in your home? If you do, then you were probably vulnerable to an insidious attack targeting Wi-Fi chips. Forbes, February 28, 2020

Cyber Defense

These Are the Passwords That Hackers Will Guess First: When it comes to creating a password, many of us focus on devising a combination of letters, numbers, and symbols that we will always be able to remember. According to technology expert Burton Kelso, it is human nature to fall into a predictable routine of creating passwords. “We tend to create passwords based on things familiar to us such as common words, names, and locations,” he explains. “Then we try to make things complicated for a hacker by adding a capital letter, a number, or a special character.” However, unless we come up with unpredictable passwords, we are giving hackers an easy way to break into our accounts. MSN, February 27, 2020

Dear passwords: Forget you. Here’s what is going to protect us instead: Do you hate remembering passwords? Soon, you may be able to forget them for good. USA Today, February 28, 2020

Cyber Humor

Information Security Management for the Organization

Information Security Management and Governance

A Practical Guide to Zero-Trust Security: There are five different pillars to implement when moving to a modern, zero-trust security model. ThreatPost, January 15, 2020

What’s Old Is New, What’s New Is Old: Aged Vulnerabilities Still in Use in Attacks Today … IBM Analysis Shows Most Common Attacks Exploit Vulnerabilities That Have Been Identified and Patched More Than 2 Years Ago. Update. Update. Update: As reported in the IBM X-Force Threat Intelligence Index 2020, X-Force research teams operate a network of globally distributed spam honeypots, collecting and analyzing billions of unsolicited email items every year. Analysis of data from our spam traps reveals trending tactics that attackers are utilizing in malicious emails, specifically, that threat actors are continuing to target organizations through the exploitation of older Microsoft Word vulnerabilities (CVE-2017-0199 and CVE-2017-11882). SecurityIntelligence, February 26, 2020

Is your IT partner your biggest cybersecurity threat?: You may or may not know, but IT service providers and MSPs are currently being targeted by hackers. Numerous accounts of IT service provider and MSP breach are now being reported worldwide, and once the IT service provider is breached, so are their client’s networks. ITPortalPro, February 21, 2020

Privacy Management

Scalable Data Protection Is Critical to Support Data Privacy: Modern privacy regulations are founded on a variety of principles going back to 1890 that sought to protect citizens from “yellow journalism.” Over the following years, governments enacted legislation that sought to respect an individual’s right to privacy, including their image and their correspondence. SecurityIntelligence, February 26, 2020

Secure The Human

Make employees part of the security solution, says cybersecurity adviser: There is a growing discussion today about how companies should address the “human element” in security solutions to face the greater sophistication of cyberattacks, but the best approach is to make people part of the solution, not part of the problem. siliconAngle, February 27, 2020

Cyber Warning

Ransomware victims thought their backups were safe. They were wrong: Ransomware victims are finding out too late that their vital backups are online and also getting encrypted by crooks, warns cybersecurity agency. ZDNet, February 27, 2020

Cyber Defense

Ransomware Prevention and Response for CISOs: Document provides an aggregation of already existing federal government and private industry best practices and mitigation strategies focused on the prevention and response to ransomware incidents. FBI

Cybersecurity in Society

Cyber Crime

‘Shark Tank’s’ Barbara Corcoran fell for this very common phishing scam — and it cost her almost $400,000 … “Lesson learned: Be careful when you wire money!” Corcoran tweeted on Wednesday: This common email phishing scam just caught a Shark. MarketWatch, February 28, 2020

Ransomware wipes evidence, lets suspected drug dealers walk free: Six alleged drug criminals will go free thanks to a ransomware attack on a small Florida city, it was revealed this month. NakedSecurity, February 28, 2020

20 Ransomware Statistics You’re Powerless to Resist Reading … Ransomware attacks are on the rise — and they’re estimated to cost global organizations $20 billion by 2021, according to Cybersecurity Ventures: Let’s kick off our ransomware statistics list with a single number: $377,000. HashedOut, February 27, 2020

FBI Says $140+ Million Paid to Ransomware, Offers Defense Tips: Through the analysis of collected ransomware bitcoin wallets and ransom notes, the FBI states that victims have paid over $140 million to ransomware operators over the past six years. BleepingComputer, February 27, 2020

National Cybersecurity

Cyber-espionage campaign in Middle East, Europe picked up speed after Soleimani killing: Iran-linked hackers have been running spearphishing email campaigns against governmental organizations in Turkey, Jordan and Iraq in recent months in a likely effort to gather intelligence, according to research published Wednesday by Dell Secureworks. Cyberscoop, February 26, 2020

U.S. defense agency says sensitive personal data ‘compromised’ in data breach … Breach could provide leverage to nation state attackers, says ex-CIA office: A hack on the Defence Information Systems Agency (DISA), responsible for US military communication including calls made by President Trump, exposed the personal data of about 200,000 people, it was announced last week. NSTech, February 25, 2020

Know Your Enemy

Stealing advanced nations’ Mac malware isn’t hard. Here’s how one hacker did it: Former NSA hacker repackages in-the-wild Mac malware for his own use. ars technica, February 28, 2020

Cyber Freedom

The Cybersecurity 202: South Carolina election officials confident the primary will go smoothly. Here’s what they’re up against: South Carolina election officials are confident their first-in-the-South primary will go smoothly on Saturday — despite looming threats of Russian hacking, misinformation, or an Iowa caucus-style tech failure. The Washington Post, February 27, 2020

Governments of the world just ramped up spying on reporters: ONE DAY LAST SUMMER, I noticed that one of our Middle East correspondents was visiting the Financial Times newsroom. I’m head of cyber security at the paper, and I have found that foreign correspondents are often at the tip of the spear for strange and interesting threats. So I stopped to chat. CJR, February 17, 2020

Critical Infrastructure

Critical Infrastructure Agencies Must Fully Adopt NIST Cyber Framework, GAO Says: In a report released Feb. 25, the Government Accountability Office (GAO) said that “most” of nine agencies tasked with protecting the 16 critical infrastructure sectors “have not developed methods to determine the level and type of adoption of the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity.” MeriTalk, February 26, 2020

Internet of Things

RSAC 2020: GM’s Transportation Future Hinges on Cybersecurity: CEO Mary T. Barra addressed the high stakes in rolling out self-driving cars and biometric-enhanced vehicles, where one cyber-event could derail plans for emerging automotive technologies. ThreatPost, February 27, 2020

Cyber Education

A Road Map for Better Government Cybersecurity From North Dakota: Imagine the impact on the government cybersecurity landscape if the mantra for every U.S. state were something like, “Every student, every school, cyber-educated.” It’s the first I’ve heard about an objective this bold, and it comes from a state that gets little media exposure: North Dakota. SecurityIntelligence, February 25, 2020

Cyber Miscellany

How a Hacker’s Mom Broke Into a Prison—and the Warden’s Computer … Security analyst John Strand had a contract to test a correctional facility’s defenses. He sent the best person for the job: his mother: John Strand breaks into things for a living. As a penetration tester, he gets hired by organizations to attack their defenses, helping reveal weaknesses before actual bad guys find them. Normally, Strand embarks on these missions himself, or deploys one of his experienced colleagues at Black Hills Information Security. But in July 2014, prepping for a pen test of a South Dakota correctional facility, he took a decidedly different tack. He sent his mom. Wired, February 26, 2020

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge