Cybersecurity News of the Week, November 7, 2021

Individuals at Risk

Cyber Privacy

Facebook, Citing Societal Concerns, Plans to Shut Down Facial Recognition System: Saying it wants “to find the right balance” with the technology, the social network will delete the face scan data of more than one billion users. The New York Times, November 5, 2021

Massive cyber heist rocks high society jeweller Graff: Hackers have plundered the personal details of world leaders, Hollywood A-listers and billionaire tycoons in a massive ‘virtual heist’ on exclusive jewellery firm Graff, The Mail on Sunday can reveal. DailyMail, October 30, 2021

Leaked Customer Data, Just Like Sister Firms Jared, Kay Jewelers Did in 2018: In December 2018, bling vendor Signet Jewelers fixed a weakness in their Kay Jewelers and Jared websites that exposed the order information for all of their online customers. This week, Signet subsidiary updated its website to remediate a nearly identical customer data exposure. KrebsOnSecurity, October 28, 2021

Cyber Defense

Google wants every account to use 2FA, starts auto-enrolling users: Two-factor authentication is coming to Google accounts whether you want it or not. ars technica, November 3, 2021

Cyber Warning

‘Tis the Season for the Wayward Package Phish: The holiday shopping season always means big business for phishers, who tend to find increased success this time of year with a lure about a wayward package that needs redelivery. Here’s a look at a fairly elaborate SMS-based phishing scam that spoofs FedEx in a bid to extract personal and financial information from unwary recipients. KrebsOnSecurity, November 4, 2021

Phishing attacks are harder to spot on your smartphone. That’s why hackers are using them more: Cybersecurity researchers warn about a rise in cyber criminals going after mobile devices as a means of gaining entry to networks. ZDNet, November 2, 2021

The Booming Underground Market for Bots That Steal Your 2FA Codes: The bots convincingly and effortlessly help hackers break into Coinbase, Amazon, PayPal, and bank accounts. Vice, November 2, 2021

Phishing and Spam Lures Feature Sports, Aim to Steal Credentials: Spam volume declined slightly in the third quarter, but attackers sent almost 36 million malicious email attachments, up 5% from the previous quarter, one security firm says. DarkReading, November 2, 2021

Fortinet warns of Black Friday scams involving PS5s, Xboxes and fake Amazon gift card generators that steal crypto: Researchers with FortiGuard Labs said they found a file titled “Amazon Gift Tool.exe” that was being marketed on a publicly available file repository site as a free Amazon gift card generator. ZDNet, October 30, 2021

Cyber Danger

‘Sideloading is a cyber criminal’s best friend,’ according to Apple’s software chief: Craig Federighi says that “the floodgates are open for malware” if Apple allows sideloading on iOS. The Verge, November 3, 2021

Information Security Management for the Organization

Cybersecurity in the C-Suite & Board

Twitter’s infosec chief makes the case for cybersecurity expertise in boardrooms: Rinki Sethi worked at Walmart, IBM, eBay, Intuit, and Palo Alto Networks before joining Twitter as its chief information security officer in September 2020. This past August, Sethi was named to the board of directors of the security technology company ForgeRock. Fortune, October 28, 2021

Information Security Management

Cyber security is no longer enough: businesses need cyber resilience: Today, we work from anywhere, on more devices, more networks, facing more risk than ever before. Widespread phishing, malware, ransomware attacks, and other frauds pose a risk not just to individuals or platforms, but to entire economies, governments, and our way of life. World Economic Forum, November 3, 2021

Public Clouds & Shared Responsibility: Lessons from Vulnerability Disclosure: Much is made of shared responsibility for cloud security. But Oliver Tavakoli, CTO at Vectra AI, notes there’s no guarantee that Azure or AWS are delivering services in a hardened and secure manner. ThreatPost, October 26, 2021

Cyber Warning

FBI says ransomware groups are using private financial information to further extort victims: The FBI has warned that ransomware groups are targeting companies involved in “significant, time-sensitive financial events,” like mergers and acquisitions, in an effort to coerce victims into paying their ransom demands. TechCrunch, November 3, 2021

Microsoft warns of rise in password sprays targeting cloud accounts: The Microsoft Detection and Response Team (DART) says it detected an increase in password spray attacks targeting privileged cloud accounts and high-profile identities such as C-level executives. BleepingComputer, October 31, 2021

Cybersecurity in Society

Cyber Crime

Squid Game Cryptocurrency Scammers Make Off With $3.3 Million: The SQUID coin scam was covered uncritically by mainstream news outlets. Gizmodo, November 1, 2021

A Coinbase user lost $11.6 million in under 10 minutes after falling for a fake-notification scam, the US attorney’s office said: A federal judge this month approved a warrant to claw back more than $600,000 in bitcoin from a Huobi Global wallet, after federal investigators said it was part of an $11.6 million haul stolen from a Coinbase account. Yahoo, October 31, 2021

Cyber Privacy

Mozilla Firefox joins browsers implementing Global Privacy Control: The GPC allows users to tell websites not to sell or share their personal data. ZDNet, October 29, 2021

Cyber Defense

Cyber Command head says US has carried out a ‘surge’ to address ransomware attacks: (CNN) US Cyber Command head and director of the National Security Agency Gen. Paul Nakasone said Wednesday that the US had “conducted a surge” over the past three months to address the problem of ransomware attacks on US interests. CNN, November 3, 2021

Pentagon issues revised cyber standards for contractors: The Defense Department on Thursday released a revamped framework and digital security standards for contractors that is intended to “minimize barriers” for compliance. TheRecord, November 3, 2021

CISA creates catalog of known exploited vulnerabilities, orders agencies to patch: The US Cybersecurity and Infrastructure Security Agency has established today a public catalog of vulnerabilities known to be exploited in the wild and has issued a binding operational directive ordering US federal agencies to patch affected systems within specific timeframes and deadlines. TheRecord, November 3, 2021

NIST unveils draft criteria for ‘seal of approval’ scheme on consumer software security: The US National Institute of Standards and Technology (NIST) has released draft criteria for a cybersecurity labeling system focused on consumer software. The Daily Swig, November 2, 2021

National Cybersecurity

US sanctions four companies selling hacking tools, including NSO Group & Candiru: The US government has sanctioned today four companies that develop and sell spyware and other hacking tools, the US Department of Commerce announced today. TheRecord, November 3, 2021

Hackers are stealing data today so quantum computers can crack it in a decade: The US government is starting a generation-long battle against the threat next-generation computers pose to encryption. TechnologyReview, November 3, 2021

UN cyberattack? Simulation game stresses challenges of responsible attribution: A distributed denial of service (DDoS) attack severely disrupts operations at the United Nations, including email and communications. Investigation of this event turns up additional evidence of a sophisticated targeted attack against UN infrastructure. Is a nation-state APT group behind this campaign? A hacktivist? Perhaps a hacker-for-hire enterprise? If so, who? SCMedia, October 22, 2021

Cyber Readiness

As Cyber Events Plague U.S. Execs, 14% of Organizations With Revenues Greater Than $500M Still Have No Cyber Plan: Deloitte’s 2021 Future of Cyber survey shows similarities, differences in U.S. and non-U.S. C-suite responses. PRNewswire, October 26, 2021

Know Your Enemy

The ‘Groove’ Ransomware Gang Was a Hoax: A number of publications in September warned about the emergence of “Groove,” a new ransomware group that called on competing extortion gangs to unite in attacking U.S. government interests online. It now appears that Groove was all a big hoax designed to toy with security firms and journalists. KrebsOnSecurity, November 2, 2021

Cyber Politics

Why MAGA Social Media Is a Hacker’s Wet Dream: The flurry of social media apps aimed at conservatives promise free speech will reign—but more often than not they’re crashing and burning before they can even get going. TheDailyBeast, October 31, 2021

Cyber Career

How much can you make with an associate in cybersecurity?: An associate degree in cybersecurity can pave the way to many entry-level jobs. Read on to discover the jobs and salaries you may land with the degree. ZDNet, October 29, 2021

Cyber Enforcement

British administrator for darknet market Silk Road ordered to forfeit £490,000 in Bitcoin: Thomas White pleaded guilty in 2019 to drug trafficking, money laundering, and making 464 Category A images of child abuse, the most severe, and was jailed for five years and four months. Sky News, November 2, 2021
