Cybersecurity News of the Week, May 9, 2021

Individuals at Risk

Identity Theft

She responded to a smishing scam. Then the spam texts got worse. Experts explain why. Text message scams are on the rise, but there’s little that can be done to stop them: It took just a momentary lapse in judgment for Alyssa Beckwith to fall for the scam. Yahoo, May 6, 2021

Cyber Privacy

96% of US users opt out of app tracking in iOS 14.5, analytics find: Some of the first data on user behavior exceeds advertisers’ worst fears. ars technica, May 7, 2021

They Told Their Therapists Everything. Hackers Leaked It All: A mental health startup built its business on easy-to-use technology. Patients joined in droves. Then came a catastrophic data breach. Wired, May 4, 2021

Cyber Update

Severe vulnerabilities in Dell firmware update driver found and fixed: Dell firmware update driver 2.3 can be exploited to gain kernel-level privilege. ars technica, May 5, 2021

Cyber Defense – World Password Day

Google will automatically enroll users in two-factor authentication soon: Google hates passwords, so it’s trying to replace them with two-factor authentication. PCWorld, May 6, 2021

Class Is In Session With Dashlane’s “Worst Password Awards”: NEW YORK, May 5, 2021 /PRNewswire/ — Ahead of World Password Day, Dashlane shares its first-ever, mid-year Worst Password Awards—a reminder of how easy it is to make a password faux pas, even when we think we’re protected. Dashlane champions the awareness that World Password Day brings for creating strong and unique passwords for every account, but unfortunately the “holiday” is not always a cause for celebration. As data breaches continue to make headlines, it’s clear that people and businesses need more education and easy-to-use tools that align with their online behaviors in order to pass the cybersecurity test. The Record, May 5, 2021

Planning Our Passwordless Future: All the talk that passwords could one day go away seemed too good to be true, yet the scales are finally starting to tip toward a passwordless reality. DarkReading, May 5, 2021

The Wages of Password Re-use: Your Money or Your Life: When normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. When cybercriminals develop the same habit, it can eventually cost them their freedom. KrebsOnSecurity, May 4, 2021

The password hall of shame (and 10 tips for better password security): Banish these common passwords now and employ these tips for better password security. CSO, April 15, 2021

Cyber Humor

Information Security Management for the Organization

Cybersecurity in the C-Suite & Board

Leading from the Top: Information Security Governance: Most of the business leaders and executives that I talk to frame information security as a problem for IT to manage and solve; however, IT cannot and should not manage or solve this problem on their own. David Lam, Partner & CISO, Miller Kaplan, LA Business Journal, May 3, 2021

Information Security Management

Malicious Office 365 Apps Are the Ultimate Insiders: Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others. KrebsOnSecurity, May 5, 2021
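The attack described above does not steal a password at all: the victim signs in to the genuine login page, then grants an OAuth application permission to read mail and files, and the app keeps that access through refresh tokens. One defensive check a tenant admin wants is a triage of consent grants that flags apps holding mail or file scopes from unverified publishers. The following is an added example written for this digest, not code from KrebsOnSecurity or Microsoft. The record layout is a simplified, constructed stand-in for a consent audit event rather than the real audit log schema; the scope strings are real Microsoft Graph permission names, and the app IDs and user names are placeholders.

```python
"""Flag suspicious OAuth application consents in a constructed audit feed.

Added example for the Office 365 consent-phishing item; the event
layout is a constructed simplification, not the real Azure AD schema.
"""
from dataclasses import dataclass

# Real Microsoft Graph delegated scopes that expose mail and files.
HIGH_RISK_SCOPES = frozenset({
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "MailboxSettings.ReadWrite",
})
# offline_access yields a refresh token, which is what makes the
# access persistent and independent of the user's password.
PERSISTENCE_SCOPE = "offline_access"


@dataclass(frozen=True)
class ConsentEvent:
    app_name: str
    app_id: str              # placeholder IDs below, not real application IDs
    publisher_verified: bool
    consented_by: str
    scopes: frozenset


def risk_findings(ev):
    """Return a list of human-readable findings for one consent event."""
    findings = []
    risky = sorted(ev.scopes & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in ev.scopes and risky:
        findings.append("offline_access granted alongside mail/file scopes: "
                        "refresh tokens outlive a password reset")
    if not ev.publisher_verified and (risky or PERSISTENCE_SCOPE in ev.scopes):
        findings.append("unverified publisher requesting sensitive access")
    return findings


def triage(events):
    """Map app_id -> (app_name, findings) for every event that raised a finding."""
    flagged = {}
    for ev in events:
        f = risk_findings(ev)
        if f:
            flagged[ev.app_id] = (ev.app_name, f)
    return flagged


# Constructed sample data: one routine consent and one that matches the
# "innocuously named app with mail and file access" pattern.
SAMPLE_EVENTS = [
    ConsentEvent("Microsoft Teams", "app-0001", True, "alice@example.com",
                 frozenset({"User.Read"})),
    ConsentEvent("Mail Upgrade", "app-0002", False, "bob@example.com",
                 frozenset({"Mail.ReadWrite", "Files.ReadWrite.All",
                            "offline_access"})),
]

if __name__ == "__main__":
    for app_id, (name, findings) in triage(SAMPLE_EVENTS).items():
        print(f"{app_id} ({name}):")
        for finding in findings:
            print("  -", finding)
```

The flagged app is the one to revoke, and because the grant is an OAuth consent rather than a stolen credential, resetting the user's password does not end the attacker's access; the app's permissions or refresh tokens have to be revoked. Restricting user consent to verified publishers and low-impact permissions removes the attack path for future users.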

Secure The Human

Cybersecurity: Don’t blame employees—make them feel like part of the solution: Scientists find that blaming employees is counterproductive and suggest creating a safe environment for people to admit their mistakes and learn from them. One company already puts that into practice. TechRepublic, May 6, 2021

Cyber Insurance

Insurer AXA Halts Ransomware Crime Reimbursement in France: In an apparent industry first, the global insurance company AXA says it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals. US News & World Report, May 6, 2021

Cybersecurity in Society

Cyber Crime

Colonial Pipeline cyberattack shuts down pipeline that supplies 45% of East Coast’s fuel: Colonial Pipeline, which accounts for 45% of the East Coast’s fuel, said it has shut down its operations due to a cyberattack. ZDNet, May 8, 2021

Three Affiliated Tribes Hit by Ransomware Attack, Holding Tribal Information Hostage: NEWTOWN, N.D. — On April 28, the Three Affiliated Tribes—the Mandan, Hidatsa & Arikara Nation—announced to its staff and employees that its server had been hacked, and it believes the attack used malicious software known as ransomware. Since the server was compromised, the tribe has been unable to access files, email and critical information. NativeNewsOnline, May 7, 2021

Microsoft: Business email compromise attack targeted dozens of orgs: Microsoft detected a large-scale business email compromise (BEC) campaign that targeted more than 120 organizations using typo-squatted domains registered a few days before the attacks started. BleepingComputer, May 7, 2021
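The two signals in that campaign, lookalike domains and very recent registration, are both checkable at the mail gateway. Below is an added example written for this digest, not Microsoft's detection logic or BleepingComputer's: it scores an inbound sender domain against a list of protected domains using a homoglyph normalization and an edit-distance check, and raises severity when the domain was registered recently. The protected domain, sender addresses and registration ages are constructed; the registration age is assumed to come from a WHOIS/RDAP lookup that is outside the example.

```python
"""Flag typo-squatted sender domains, as used in BEC lookalike campaigns.

Added example; sample messages and the protected domain are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Common substitutions that read identically in many fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    s = domain.lower()
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def registrable(domain):
    # Crude two-label approximation; a real deployment would use the
    # public suffix list so that e.g. example.co.uk is handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def lookalike(domain, protected, max_distance=2):
    """Return (impersonated_domain, reason) or None."""
    d = registrable(domain)
    if d in protected:
        return None
    for p in protected:
        if normalize(d) == normalize(p):
            return p, "homoglyph"
        dist = levenshtein(d, p)
        if 0 < dist <= max_distance:
            return p, f"edit-distance {dist}"
    return None


@dataclass
class Message:
    sender: str
    registered_days_ago: Optional[int]   # assumed to come from WHOIS/RDAP


def assess(msg, protected, young_days=30):
    domain = msg.sender.rsplit("@", 1)[1]
    hit = lookalike(domain, protected)
    if hit is None:
        return None
    target, reason = hit
    young = msg.registered_days_ago is not None and msg.registered_days_ago <= young_days
    return {"sender": msg.sender, "impersonates": target,
            "reason": reason, "severity": "high" if young else "medium"}


# Constructed samples: the protected domain is fictitious.
PROTECTED = {"example-corp.com"}
SAMPLE_MESSAGES = [
    Message("cfo@example-corp.com", 4000),      # genuine
    Message("cfo@exarnple-corp.com", 3),        # rn -> m, registered 3 days ago
    Message("cfo@example-corp.co", 5),          # TLD swap, registered 5 days ago
    Message("vendor@supplier-inc.com", 2000),   # unrelated domain
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.sender, "->", assess(m, PROTECTED))
```

The edit-distance threshold is deliberately small; at 3 or more, ordinary unrelated domains start to collide with short protected names, so a production rule pairs this check with the registration-age signal rather than acting on distance alone.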

Ransomware Recovery Costs More Than Double in a Year, Now Average $1.85 Million: A new report from cybersecurity firm Sophos indicates that ransomware recovery costs have shot up in the past year, with the average case approaching $2 million in total expenses. This is up from an average of $761,000 in 2020. CPO, May 7, 2021

Ryuk ransomware attack caused by student pirating software: A software crack came with an info-stealer. TechRadarPro, May 7, 2021

Scripps Health’s Cyber Outage Caused By ‘Ransomware Attacks’: Cal. Dept. of Public Health: On Friday, the California Department of Public Health (CDPH) described the ongoing situation at Scripps Health as a case of “ransomware attacks.” NBC, May 7, 2021

Massive DDoS Attack Disrupts Belgium Parliament: A large-scale incident earlier this week against Belnet and other ISPs has sent a wave of internet disruption across numerous Belgian government, scientific and educational institutions. ThreatPost, May 6, 2021

Cyber Defense

U.S. Federal Agencies Unite to Mitigate Ransomware Menace: The ransomware scourge, which previously had caught the federal government’s interest, has now captured its full attention as cyber extortion attacks on agencies, schools, hospitals and other big game targets have skyrocketed. MSSP Alert, May 7, 2021

National Cybersecurity – SolarWinds

US, UK Agencies Warn Russian Hackers Are Adapting Based on Government Advisories: The adversary is changing its tools to avoid detection while attacking the vulnerabilities governments issue warnings about. NextGov, May 7, 2021

SolarWinds: Hackers Accessed Our Office 365 Since Early 2019: Hackers persistently accessed SolarWinds’ internal systems, Microsoft Office 365 environment and software development environment for months before carrying out their vicious cyberattack, the company said. CRN, May 7, 2021

National Cybersecurity

The Cybersecurity 202: Lawmakers want greater resources, authorities for CISA to protect critical infrastructure. Cyber Readiness Institute calls out urgent need to strengthen cyber readiness of small and medium-sized businesses: Leading voices in Congress say the nation’s top cybersecurity agency needs better resources to handle growing threats to critical services like water and power. Washington Post, May 7, 2021

Cyber Law

Key Developments in CCPA Litigation for Q1 2021: As we move deeper into the second year of CCPA litigation, the substantive issues continue to develop and we remain focused on the patterns and implications of recent filings and rulings. In this post, we highlight notable developments in three cases that occurred in the first quarter of 2021. These cases raise significant issues regarding judicial interpretation of the private right of action in the CCPA, the definition of a “data breach,” and CCPA plaintiffs’ ability to access pre-complaint discovery. AdLawAccess, May 4, 2021

Internet of Things

A Tesla is a computer on wheels, so don’t be surprised how it got hacked: Like any gadget, a Tesla is a computer just waiting to get hacked. Fox, May 8, 2021

Cyber Misc

Opposition to Net Neutrality Was Faked, New York Says: The state attorney general’s office reached an agreement that levies millions in penalties on third-party services that generated the comments. New York Times, May 6, 2021
