Cybersecurity News of the Week, October 3, 2021

Cybersecurity Awareness Month

Statement by President Joe Biden on Cybersecurity Awareness Month: Cyber threats can affect every American, every business regardless of size, and every community. That’s why my administration is marshalling a whole-of-nation effort to confront cyber threats. In bolstering US cybersecurity … the Federal government needs the partnership of every American and every American company in these efforts. The White House, October 1, 2021

The first annual SecureTheVillage Golf Tournament is October 20. Celebrate Cybersecurity Awareness Month on the links. Includes breakfast, lunch, and cocktail reception afterwards. Not a golfer? That’s OK. Come to the reception. A limited number of foursomes and sponsorships are still available.

CybersecureAmerica 2021: A Reasonable Approach to Reasonable Security, the Sequel

Following last year’s successful conference, this year’s annual conference in support of Cybersecurity Awareness Month returns to the topic of reasonable security. … Join SecureTheVillage and our expert panel of information security professionals for a workshop-style conference on reasonable security. October 21. 9:00 – 12:30 Pacific Time.

Individuals at Risk

Cyber Privacy

Neiman Marcus data breach impacts 4.6 million customers: Users were asked to change passwords—but were not offered free credit monitoring. ars technica, October 1, 2021

3.8 billion Clubhouse and Facebook user records allegedly scraped and merged, put for sale online: A user on a popular hacker forum is selling a database that purportedly contains 3.8 billion user records. CyberNews, September 23, 2021

Cyber Warning

Fears surrounding Pegasus spyware prompt new Trojan campaign: Criminals hope that the lure of a promise to protect you from spyware will make you click that link. ZDNet, September 30, 2021

GriftHorse Money-Stealing Trojan Takes 10M Android Users for a Ride: The mobile malware has fleeced hundreds of millions of dollars from victims globally, using sophisticated techniques. ThreatPost, September 29, 2021

Apple AirTag Bug Enables ‘Good Samaritan’ Attack: The new $30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner’s phone number if the AirTag has been set to lost mode. But according to new research, this same feature can be abused to redirect the Good Samaritan to an iCloud phishing page — or to any other malicious website. KrebsOnSecurity, September 28, 2021

Information Security Management In the Organization

Information Security Management

What Is Zero Trust? A Complete Guide for Security Professionals: Trust, for anyone or anything inside a secured network, should be hard to come by. The global shift to cloud environments has changed online security protocols. Therefore, strict verification (of everyone and everything) is now essential. The zero trust model isn’t overkill — it’s now a crucial tenet of network protection. SecurityIntelligence, September 30, 2021

These systems are facing billions of attacks every month as hackers try to guess passwords: Cyber criminals are becoming more aggressive in their attempts to break into RDP services with efforts to exploit weak passwords used in enterprise networks, warn researchers. ZDNet, September 30, 2021

NSA, CISA Release Guidance on Selecting and Hardening Remote Access VPNs: The National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Information Sheet today detailing factors to consider when choosing a virtual private network (VPN) and top configurations for deploying it securely. “Selecting and Hardening Remote Access VPN Solutions” also will help leaders in the Department of Defense, National Security Systems and the Defense Industrial Base better understand the risks associated with VPNs. NSA, September 28, 2021

Seven strategies for building a great security team: The dangers of a dysfunctional security team are easy to imagine, ranging from difficulty attracting and retaining talent to putting your organization at risk. These seven steps can make a world of difference. CSO, September 27, 2021

Executives and teams disagree on who is responsible for software security: Executives from the boardroom and the C-suite are realizing the damaging effect software supply chain attacks can have on their organizations, but they aren’t taking action. According to a recent report from Venafi, senior IT executives agree (97%) that software build processes are not secure enough, yet there is a disconnect when it comes to which team is responsible for driving security changes… 61% of executives said IT security teams should be responsible for software security, while 31% said development teams should be. VentureBeat, September 25, 2021

Cyber Culture

Cybersecurity Awareness Month: It’s Time to Ditch the Fear: Cybersecurity awareness month is here. Each year, it’s important to explore any new tactics the industry can leverage to raise awareness. The threat landscape is evolving and expanding too quickly for us to keep up. So, we can’t afford to rely on the same awareness gambits year after year. Security Intelligence, October 1, 2021

How Yahoo Built a Culture of Cybersecurity: Telling your employees that they should do something isn’t enough to inspire meaningful change. Just ask any employee who has ever watched a cybersecurity awareness video. Although the videos instruct employees to be mindful of data security, they seldom lead to a wholesale improvement of a company’s security behaviors. To improve your cybersecurity culture, and, ultimately, your business’s resistance to attacks, you must measure what people do when no one is looking. HBR, September 30, 2021

Cybersecurity in Society

Cyber Crime

Hackers rob thousands of Coinbase customers using MFA flaw: Crypto exchange Coinbase disclosed that a threat actor stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the company’s SMS multi-factor authentication security feature. Bleeping Computer, October 1, 2021

Ransomware Is a Growing Problem. Here’s How the Cyberinsurance Industry Is Fueling It: Ransomware extracted $18 billion in payments last year, and it’s expected there will be an attack every 11 seconds by this year’s end, a problem that some security experts and academic researchers say is exacerbated by the system meant to protect against cybercrime: the insurance industry. Barrons, October 1, 2021

Baby’s Death Alleged to Be Linked to Ransomware: Access to heart monitors disabled by the attack allegedly kept staff from spotting blood & oxygen deprivation that led to the baby’s death. ThreatPost, September 28, 2021

UK umbrella payroll firm Giant Pay confirms it was hit by ‘sophisticated’ cyber-attack: Tech contractors fume at lack of info as company says it will ‘try’ to get them paid by Friday. TheRegister, September 28, 2021

Cybercrime is hitting communities of color at higher rates, study finds: Black people, Indigenous people, and people of color (BIPOC) are more likely to suffer from identity theft and financial impact from the fallout, according to survey data collected by internet security company Malwarebytes with the nonprofits Digitunity and the Cybercrime Support Network. CyberScoop, September 27, 2021

Cyber Attack

Anonymous leaks more EPIK host data; ‘larger than previous leak’: The latest EPIK data leak, according to Anonymous hackers, involves bootable disk images, API tokens, over 500,000 private keys, etc., all in plain-text format. HackRead, October 1, 2021

Proxy Phantom: Fraud rings flood online merchants with credential stuffing attacks: Over 1.5 million stolen credential sets are being used by one fraud operation. ZDNet, September 30, 2021

Know Your Enemy

More Than 90% of Q2 Malware Was Hidden in Encrypted Traffic: Organizations that have not implemented controls for detecting malware hidden in encrypted network traffic are at risk of having a vast majority of malicious tools being distributed in the wild, hitting their endpoint devices. DarkReading, September 30, 2021

Ransomware gangs are complaining that other crooks are stealing their ransoms: Ransomware gangs are shocked to find out that cyber crooks will scam other criminals if they can. ZDNet, September 30, 2021

How the Mafia Is Pivoting to Cybercrime: Investigators from Spanish and Italian police explain how organized crime is going online and expanding into cybercrime. Vice, September 22, 2021

Cyber Freedom

Russia arrests chief exec of cybersecurity firm Group-IB on treason charge: The chief executive of Group-IB has been arrested by law enforcement on suspicion of state treason. ZDNet, October 1, 2021

UMass Amherst Hires Cybersecurity Firm to Investigate Racist Emails: The university’s vice chancellor told students the emails, which targeted Black students, were part of a rise in “anti-Black racist incidents” on campus this academic year. The New York Times, September 30, 2021

National Cybersecurity

First on CNN: Biden administration to convene 30 countries to crack down on ransomware threat: The White House will convene a 30-country meeting this month to try to ramp up global efforts to address the threat of ransomware to economic and national security, President Joe Biden said in a statement shared exclusively with CNN. CNN, October 1, 2021

Congress demands briefing from FBI on decision not to share Kaseya decryption keys: Rep. Jim Langevin, co-chair of the Congressional Cybersecurity Caucus, told ZDNet that it was “unacceptable” for the federal government to withhold decryptor keys from Kaseya. ZDNet, September 30, 2021

Content Security

Film studios sue “no logs” VPN provider for $10 million: Independent movie studios are demanding $10 million in damages from LiquidVPN. ars technica, September 27, 2021

Cyber Defense

FCC Proposal Targets SIM Swapping, Port-Out Fraud: The U.S. Federal Communications Commission (FCC) is asking for feedback on new proposed rules to crack down on SIM swapping and number port-out fraud, increasingly prevalent scams in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s online identity. KrebsOnSecurity, October 1, 2021

Cyber Talent

CISA and Girls Who Code Partner to Create Career Pathways for Young Women: Through this partnership, CISA and Girls Who Code will establish collaborative opportunities to provide awareness, training, and pathways into cybersecurity careers for girls, women, and those who identify as nonbinary. DarkReading, September 30, 2021

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge