Cybersecurity Awareness Month
Statement by President Joe Biden on Cybersecurity Awareness Month: Cyber threats can affect every American, every business regardless of size, and every community. That’s why my administration is marshalling a whole-of-nation effort to confront cyber threats. In bolstering US cybersecurity … the Federal government needs the partnership of every American and every American company in these efforts. The White House, October 1, 2021

SECURETHEVILLAGE
FIRST ANNUAL GOLF TOURNAMENT
The first annual SecureTheVillage Golf Tournament is October 20. Celebrate Cybersecurity Awareness Month on the links. Includes breakfast, lunch, and cocktail reception afterwards. Not a golfer? That’s OK. Come to the reception. A limited number of foursomes and sponsorships are still available.
CybersecureAmerica 2021: A Reasonable Approach to Reasonable Security, the Sequel
Following last year’s successful conference, this year’s annual conference in support of Cybersecurity Awareness Month returns to the topic of reasonable security. … Join SecureTheVillage and our expert panel of information security professionals for a workshop-style conference on reasonable security. October 21. 9:00 – 12:30 Pacific Time.
Individuals at Risk
Cyber Privacy
Neiman Marcus data breach impacts 4.6 million customers: Users were asked to change passwords—but were not offered free credit monitoring. ars technica, October 1, 2021
3.8 billion Clubhouse and Facebook user records allegedly scraped and merged, put for sale online: A user on a popular hacker forum is selling a database that purportedly contains 3.8 billion user records. CyberNews, September 23, 2021
Cyber Warning
Fears surrounding Pegasus spyware prompt new Trojan campaign: Criminals hope that the lure of a promise to protect you from spyware will make you click that link. ZDNet, September 30, 2021
GriftHorse Money-Stealing Trojan Takes 10M Android Users for a Ride: The mobile malware has fleeced hundreds of millions of dollars from victims globally, using sophisticated techniques. ThreatPost, September 29, 2021
Apple AirTag Bug Enables ‘Good Samaritan’ Attack: The new $30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner’s phone number if the AirTag has been set to lost mode. But according to new research, this same feature can be abused to redirect the Good Samaritan to an iCloud phishing page — or to any other malicious website. KrebsOnSecurity, September 28, 2021
Information Security Management In the Organization
Information Security Management
What Is Zero Trust? A Complete Guide for Security Professionals: Trust, for anyone or anything inside a secured network, should be hard to come by. The global shift to cloud environments has changed online security protocols. Therefore, strict verification (of everyone and everything) is now essential. The zero trust model isn’t overkill — it’s now a crucial tenet of network protection. SecurityIntelligence, September 30, 2021
These systems are facing billions of attacks every month as hackers try to guess passwords: Cyber criminals are becoming more aggressive in their attempts to break into RDP services with efforts to exploit weak passwords used in enterprise networks, warn researchers. ZDNet, September 30, 2021
NSA, CISA Release Guidance on Selecting and Hardening Remote Access VPNs: The National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Information Sheet today detailing factors to consider when choosing a virtual private network (VPN) and top configurations for deploying it securely. “Selecting and Hardening Remote Access VPN Solutions” also will help leaders in the Department of Defense, National Security Systems and the Defense Industrial Base better understand the risks associated with VPNs. NSA, September 28, 2021
Seven strategies for building a great security team: The dangers of a dysfunctional security team are easy to imagine, ranging from difficulty attracting and retaining talent to putting your organization at risk. These seven steps can make a world of difference. CSO, September 27, 2021
Executives and teams disagree on who is responsible for software security: Executives from the boardroom and the C-suite are realizing the damaging effect software supply chain attacks can have on their organizations, but they aren’t taking action. According to a recent report from Venafi, senior IT executives agree (97%) that software build processes are not secure enough, yet there is a disconnect when it comes to which team is responsible for driving security changes… 61% of executives said IT security teams should be responsible for software security, while 31% said development teams should be. VentureBeat, September 25, 2021
Cyber Culture
Cybersecurity Awareness Month: It’s Time to Ditch the Fear: Cybersecurity awareness month is here. Each year, it’s important to explore any new tactics the industry can leverage to raise awareness. The threat landscape is evolving and expanding too quickly for us to keep up. So, we can’t afford to rely on the same awareness gambits year after year. Security Intelligence, October 1, 2021
How Yahoo Built a Culture of Cybersecurity: Telling your employees that they should do something isn’t enough to inspire meaningful change. Just ask any employee who has ever watched a cybersecurity awareness video. Although the videos instruct employees to be mindful of data security, they seldom lead to a wholesale improvement of a company’s security behaviors. To improve your cybersecurity culture, and, ultimately, your business’s resistance to attacks, you must measure what people do when no one is looking. HBR, September 30, 2021
Cybersecurity in Society
Cyber Crime
Hackers rob thousands of Coinbase customers using MFA flaw: Crypto exchange Coinbase disclosed that a threat actor stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the company’s SMS multi-factor authentication security feature. Bleeping Computer, October 1, 2021
Ransomware Is a Growing Problem. Here’s How the Cyberinsurance Industry Is Fueling It: Ransomware extracted $18 billion in payments last year, and it’s expected there will be an attack every 11 seconds by this year’s end, a problem that some security experts and academic researchers say is exacerbated by the system meant to protect against cybercrime: the insurance industry. Barrons, October 1, 2021
Baby’s Death Alleged to Be Linked to Ransomware: Access to heart monitors disabled by the attack allegedly kept staff from spotting blood & oxygen deprivation that led to the baby’s death. ThreatPost, September 28, 2021
UK umbrella payroll firm Giant Pay confirms it was hit by ‘sophisticated’ cyber-attack: Tech contractors fume at lack of info as company says it will ‘try’ to get them paid by Friday. TheRegister, September 28, 2021
Cybercrime is hitting communities of color at higher rates, study finds: Black people, Indigenous people, and people of color (BIPOC) are more likely to suffer from identity theft and financial impact from the fallout, according to survey data collected by internet security company Malwarebytes with the nonprofits Digitunity and the Cybercrime Support Network. CyberScoop, September 27, 2021
Cyber Attack
Anonymous leaks more EPIK host data; ‘larger than previous leak’: The latest EPIK data leak, according to the Anonymous hackers involved, includes bootable disk images, API tokens, over 500,000 private keys, and more, all in plain-text format. HackRead, October 1, 2021
Proxy Phantom: Fraud rings flood online merchants with credential stuffing attacks: Over 1.5 million stolen credential sets are being used by one fraud operation. ZDNet, September 30, 2021
Know Your Enemy
More Than 90% of Q2 Malware Was Hidden in Encrypted Traffic: Organizations that have not implemented controls for detecting malware hidden in encrypted network traffic are at risk of having a vast majority of malicious tools being distributed in the wild, hitting their endpoint devices. DarkReading, September 30, 2021
Ransomware gangs are complaining that other crooks are stealing their ransoms: Ransomware gangs are shocked to find out that cyber crooks will scam other criminals if they can. ZDNet, September 30, 2021
How the Mafia Is Pivoting to Cybercrime: Investigators from Spanish and Italian police explain how organized crime is going online and expanding into cybercrime. Vice, September 22, 2021
Cyber Freedom
Russia arrests chief exec of cybersecurity Group-IB on treason charge: The chief executive of Group-IB has been arrested by law enforcement on suspicion of state treason. ZDNet, October 1, 2021
UMass Amherst Hires Cybersecurity Firm to Investigate Racist Emails: The university’s vice chancellor told students the emails, which targeted Black students, were part of a rise in “anti-Black racist incidents” on campus this academic year. The New York Times, September 30, 2021
National Cybersecurity
First on CNN: Biden administration to convene 30 countries to crack down on ransomware threat: The White House will convene a 30-country meeting this month to try to ramp up global efforts to address the threat of ransomware to economic and national security, President Joe Biden said in a statement shared exclusively with CNN. CNN, October 1, 2021
Congress demands briefing from FBI on decision not to share Kaseya decryption keys: Rep. Jim Langevin, co-chair of the Congressional Cybersecurity Caucus, told ZDNet that it was “unacceptable” for the federal government to withhold decryptor keys from Kaseya. ZDNet, September 30, 2021
Content Security
Film studios sue “no logs” VPN provider for $10 million: Independent movie studios are demanding $10 million in damages from LiquidVPN. ars technica, September 27, 2021
Cyber Defense
FCC Proposal Targets SIM Swapping, Port-Out Fraud: The U.S. Federal Communications Commission (FCC) is asking for feedback on new proposed rules to crack down on SIM swapping and number port-out fraud, increasingly prevalent scams in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s online identity. KrebsOnSecurity, October 1, 2021
Cyber Talent
CISA and Girls Who Code Partner to Create Career Pathways for Young Women: Through this partnership, CISA and Girls Who Code will establish collaborative opportunities to provide awareness, training, and pathways into cybersecurity careers for girls, women, and those who identify as nonbinary. DarkReading, September 30, 2021