Cybersecurity News of the Week, March 29, 2020

SecureTheVillage Calendar

Online: Cyber Security for the Home Office: Protecting Yourself While Working Remotely, SecureTheVillage Board Members Evan Rees & Dr. Steve Krantz, Online, April 2 @ 11:30 – 1:00, San Pedro Chamber of Commerce E-Lunch & Learn

CANCELLED: 2020 Cyber Trends: CCPA Compliance | Hack Trends – Professional Panel , April 7, Long Beach

Webinar: Preparing for CMMC Certification, SecureTheVillage Board Member Chris Rose and SecureTheVillage President Dr. Stan Stahl, Online, April 9 @ 10:00 – 11:00

Personal Cyber Security with Dr. Steve Krantz, May 26 @ 1:00 pm – 2:30 pm Calabasas Senior Center Calabasas, CA

Personal Cyber Security with Dr. Steve Krantz, July 21 @ 1:00 pm – 2:30 pm Calabasas Senior Center Calabasas, CA

Individuals at Risk

Cyber Privacy

Now that everyone’s using Zoom, here are some privacy risks you need to watch out for: Don’t let tattle-tale software features disrupt your remote workflow. Cnet, March 28, 2020

How to stop trolls from taking over your Zoom call: Zoombombing can be prevented, but it’s not as easy as it should be. The Verge, March 27, 2020

As Zoom Booms, Incidents of ‘ZoomBombing’ Become a Growing Nuisance: Numerous instances of online conferences being disrupted by pornographic images, hate speech or even threats can be mitigated using some platform tools. ThreatPost, March 26, 2020

What You Should Know About Online Tools During the COVID-19 Crisis: A greater portion of the world’s work, organizing, and care-giving is moving onto digital platforms and tools that facilitate connection and productivity: video conferencing, messaging apps, healthcare and educational platforms, and more. It’s important to be aware of the ways these tools may impact your digital privacy and security during the COVID-19 crisis. EFF, March 19, 2020

Employers Deploy Spy Software to Monitor At-Home Workers: The email came from the boss. We’re watching you, it told Axos Financial Inc. employees working from home. We’re capturing your keystrokes. We’re logging the websites you visit. Every 10 minutes or so, we’re taking a screen shot. InsuranceJournal, March 27, 2020

Cyber Update

Zoom updates iOS app to remove code that sent device data to Facebook: Users should update to the latest version. The Verge, March 28, 2020

Identity Theft

Your Social Security Number Costs $4 On The Dark Web, New Report Finds: A two-year study reveals the cost of fake passports, compromised bank accounts, and DDoS attacks on the dark web. Forbes, March 25, 2020

Cyber Danger

Hackers Trick Thousands Into Downloading Dangerous ‘Google Chrome Update’: Researchers from the Russian ‘Doctor Web’ virus laboratory have issued a warning after discovering thousands of victims have been tricked into downloading a dangerous backdoor that is disguised as an update to Google Chrome. Forbes, March 26, 2020

667% spike in email phishing attacks due to coronavirus fears: New data from Barracuda shows cybercriminals are taking advantage of people’s concerns during the COVID-19 pandemic. TechRepublic, March 26, 2020

Over a Billion Android Devices No Longer Supported by Security Updates: More than one billion Android devices globally are no longer supported by operating system security updates, leaving them potentially exposed to a slew of harmful cyberattacks and their users at risk of being hacked, a study by the UK consumer watchdog Which? has found. CPO, March 26, 2020

US Government Sites Give Bad Security Advice: Many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now. KrebsOnSecurity, March 25, 2020

New attack on home routers sends users to spoofed sites that push malware: Attack, which uses DNS hijacking, is the latest to capitalize on pandemic anxiety. ars technica, March 25, 2020

Cyber Humor

Information Security Management for the Organization

Information Security Management and Governance

Cybersecurity tactics for the coronavirus pandemic: The COVID-19 pandemic has presented chief information security officers (CISOs) and their teams with two immediate priorities. One is securing work-from-home arrangements on an unprecedented scale now that organizations have told employees to stop traveling and gathering, and government officials in many places have advised or ordered their people to stay home as much as possible. The other is maintaining the confidentiality, integrity, and availability of consumer-facing network traffic as volumes spike—partly as a result of the additional time people are spending at home. McKinsey, March 2020

Cybersecurity’s dual mission during the coronavirus crisis: Chief information-security officers must balance two priorities to respond to the pandemic: protecting against new cyberthreats and maintaining business continuity. Four strategic principles can help. McKinsey, March 2020

Cyber Danger

Microsoft to Pause Non-Essential Software Updates. Move Comes as COVID-19 Drives Surge of Work-From-Home Employees That IT Must Support: Microsoft has announced that it will pause all non-essential Windows updates. The move comes as IT teams are continuing to respond to the ongoing fallout caused by the COVID-19 pandemic. The rapid rise of the disease has led to numerous organizations instructing the vast majority – if not all – of their workers to work from home, leading to a rapid rise in IT support requirements. BankInfoSecurity, March 26, 2020

Cyber Law

Comparing the CCPA and the GDPR: When the General Data Protection Regulation (GDPR) took effect back in 2018, the digital world was thrust into a new era of data privacy regulation. The new law set unprecedented standards for transparency, user control, and accountability. Shortly after its institution, a similar law emerged in California — the California Consumer Privacy Act (CCPA). CPO, March 26, 2020

Privacy in the time of COVID – 19; Nothing’s Changed, Everything’s Changed: There’s no question that the novel Coronavirus, COVID-19, has created massive disruptions in our lives. Those of us who can work are working remotely, social distancing has become the rule of the day, and while this will end, there is no sure end date in sight. Robert Braun, Esq., Cybersecurity Lawyer Forum, March 24, 2020

Cannabis Companies are Overlooking Data Security Laws and Regulations: The state-legal cannabis industry has been slowly crawling into existence over the past decade. Despite federal illegality, most states have legalized medical cannabis and about a dozen states have legalized adult-use cannabis. For compliant cannabis businesses, becoming operational is no easy endeavor and may lead to myopic compliance that fails to consider essential business practices, such as compliance with data security laws. Jurist, March 17, 2020

Cybersecurity in Society

Cyber Crime

Cyber insurer Chubb had data stolen in Maze ransomware attack: Chubb, a major cybersecurity insurance provider for businesses hit by data breaches, has itself become a target of a data breach. TechCrunch, March 26, 2020

Tupperware Website Hit by Card Skimmer. Researchers Say Magecart-Style Attack Targeted Payment Card Data: Tupperware, known for its colorful array of food storage containers, is the latest company to have its website hit with a card skimmer that siphons off payment card details at checkout, according to the security firm Malwarebytes. BankInfoSecurity, March 26, 2020

Healthcare Workers Targeted By Dangerous New Windows Ransomware Campaign Using Coronavirus As Bait: Cybercriminals, who truly deserve the epithet of cyberscum, are attacking healthcare targets with a new and dangerous Windows ransomware campaign. Forbes, March 22, 2020

Cyber Privacy

Patient Privacy vs Public Health Concerns as South Korea Placing Public Health Concerns Over Patient Privacy: A COVID-19 Case Study: For about three weeks from late February to early March, the nation of South Korea was locked in the grips of a tight battle with the spread of the respiratory illness COVID-19, brought about by the ongoing Wuhan Coronavirus pandemic. While a strong state response has since brought the epidemic under some measure of control in the country, the methods used by the South Korean government have nevertheless ignited a new debate around where public health concerns and patient privacy should be met. CPO, March 26, 2020

Cyber Attack

BadUSB Stick Mailed to Company From ‘Best Buy’: Security experts have intercepted a highly targeted attack in which a malicious USB device was mailed out to a US company. BankInfoSecurity, March 27, 2020

Google sent users 40,000 warnings of nation-state hack attacks in 2019. Government-backed hackers target journalists, dissidents, gov’t officials, and others: Google’s threat analysis group, which counters targeted and government-backed hacking against the company and its users, sent account holders almost 40,000 warnings in 2019, with government officials, journalists, dissidents, and geopolitical rivals being the most targeted, team members said on Thursday. ars technica, March 26, 2020

Google: State-Sponsored Hackers Are Trying to Pose as Journalists in Phishing Attacks: ‘We’ve seen a rising number of attackers, including those from Iran and North Korea, impersonating news outlets or journalists,’ Google said on Thursday. PC Mag, March 26, 2020

Cyber Espionage

Recently discovered, mass-targeted watering-hole campaign has been aiming at Apple iPhone users in Hong Kong: The malware, the work of a new APT called TwoSail Junk, allows deep surveillance and total control over iOS devices. ThreatPost, March 26, 2020

Chinese Cyber Espionage Continues Despite COVID-19. FireEye Finds APT41 Conducting a Global Campaign: Despite the global COVID-19 pandemic, which started in China, Chinese cyber espionage campaigns are continuing, with a new campaign from one advanced persistent threat group targeting at least 75 enterprises in 20 countries, according to the security firm FireEye. BankInfoSecurity, March 26, 2020

Know Your Enemy

“Trust Your Client:” A Look Inside a Huge Credit Card Ring Just Shut Down By Russian Federal Security Service (FSB): Federal investigators in Russia have charged at least 25 people accused of operating a sprawling international credit card theft ring. Cybersecurity experts say the raid included the charging of a major carding kingpin thought to be tied to dozens of carding shops and to some of the bigger data breaches targeting western retailers over the past decade. KrebsOnSecurity, March 26, 2020

Cyber Enforcement

FBI Takes Down a Russian-Based Hacker Platform; Arrests Suspected Russian Site Administrator: San Diego – A Russian-based cyber platform known as DEER.IO was shut down by the FBI today, and its suspected administrator – alleged Russian hacker Kirill Victorovich Firsov – was arrested and charged with crimes related to the hacking of U.S. companies for customers’ personal information. Department of Justice, March 24, 2020

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge