Cybersecurity News of the Week, September 5, 2021


The first annual SecureTheVillage Golf Tournament is October 20! Celebrate cybersecurity awareness month on the links. Includes breakfast, lunch, and cocktail reception afterwards. Not a golfer? That’s OK. Come to the reception. Sponsorships still available.

Individuals at Risk

Cyber Privacy

Apple delays controversial child protection features after privacy outcry: Apple is delaying its child protection features announced last month, including a controversial feature that would scan users’ photos for child sexual abuse material (CSAM), following intense criticism that the changes could diminish user privacy. The changes had been scheduled to roll out later this year. The Verge, September 3, 2021

The FTC wants to ban a stalkerware app maker and make it notify victims. Is that enough?: The Federal Trade Commission announced Wednesday a proposed settlement with Support King, the company behind alleged Android stalkerware app SpyFone, and its CEO Scott Zuckerman that will ban the company and Zuckerman from the surveillance business, delete data it harvested, and seek to notify victims. TheRecord, September 2, 2021

How to Hide Your House From Nosy People on Google Maps: Ask Google Street View (and its competitors) to blur your house from their photos. LifeHacker, September 2, 2021

Vaccine passports: Is your personal data in safe hands?: Vaccination passports may facilitate the return to normalcy, but there are also concerns about what kinds of personal data they collect and how well they protect it. Here’s what you should know. WeLiveSecurity, August 31, 2021

Cyber Update

WhatsApp Patches Vulnerability in Image Filter Function That Could Have Led to Data Exposure: WhatsApp brought the patch in February and added two new checks in place to restrict memory access. Gadgets360, September 2, 2021

Cyber Warning

This phishing attack is using a sneaky trick to steal your passwords, warns Microsoft: Hovering over a link in an email isn’t going to be enough to check if it’s going to take you to a dangerous site. ZDNet, August 31, 2021

Cyber Humor

Information Security Management for the Organization

Information Security Management

The OWASP Top 10 Threats Haven’t Changed in 2021 — But Defenses Have: The more things change, the more they stay the same. Despite a changing threat landscape and threat actors who keep upping their game, the vulnerabilities behind the threats remain consistent. The OWASP Top 10, ranked by the Open Web Application Security Project, lists the 10 most prominent and dangerous risks and threats for applications. SecurityIntelligence, September 1, 2021

Don’t use single‑factor authentication, warns CISA: The federal agency urges organizations to ditch the bad practice and instead use multi-factor authentication methods. WeLiveSecurity, August 31, 2021

Don’t want to get hacked? Then avoid these three ‘exceptionally dangerous’ cybersecurity mistakes: CISA warns of risky behaviours that leave networks exposed to cyberattacks – and should be addressed immediately if employed. ZDNet, August 31, 2021

Cyber Warning

FBI, CISA warn of potential cyberattacks over holiday weekends: They cited the Mother’s Day weekend attack on Colonial Pipeline, the Memorial Day weekend attack on major meat processor JBS as well as the July 4 Kaseya attack. ZDNet, August 31, 2021

Cyber Talent

Don’t forget to evaluate soft skills when hiring for cybersecurity positions: Soft skills are just as important as, if not more important than, technical skills in cybersecurity professionals. People with soft skills can be trained in tech skills, expert says. TechRepublic, August 31, 2021

Cybersecurity in Society

Cyber Crime

Gift Card Gang Extracts Cash From 100k Inboxes Daily: Some of the most successful and lucrative online scams employ a “low-and-slow” approach — avoiding detection or interference from researchers and law enforcement agencies by stealing small bits of cash from many people over an extended period. Here’s the story of a cybercrime group that compromises up to 100,000 email inboxes per day, and apparently does little else with this access except siphon gift card and customer loyalty program data that can be resold online. KrebsOnSecurity, September 2, 2021

US farm loses $9 million in the aftermath of a ransomware attack: A US farm lost a whopping $9 million due to a temporary shutdown of its farming operations following a ransomware attack earlier this year, the FBI said this week. TheRecord, September 2, 2021

Beyond the pandemic: Why are data breach costs at an all‑time high?: It might be tempting to blame the record-high costs of data breaches on the COVID-19 pandemic alone. But dig deeper and a more nuanced picture emerges. WeLiveSecurity, August 27, 2021

Cyber Loss

Dallas Police Dept Loses 8 Terabytes of Crime Data, Throwing Court Cases Into Chaos: The police department says the cache was lost during a routine data migration in April. Gizmodo, August 18, 2021

Cyber Attack

What Has Changed Since the 2017 WannaCry Ransomware Attack?: The cybersecurity world is still feeling the effects of the 2017 WannaCry ransomware attack today. While the majority of the damage occurred in the weeks after May 12, 2017, WannaCry ransomware attacks actually increased 53% from January 2021 to March 2021. SecurityIntelligence, September 1, 2021

TikTokers flood Texas abortion whistleblower site with Shrek memes, fake reports and porn: Critics of Texas’ new law have been filing hundreds of fake reports to the whistleblowing website in hopes of crashing it. The Guardian, September 1, 2021

Cyber Surveillance

From Pearl to Pegasus: Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits: We identified nine Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021. Some of the activists were hacked using two zero-click iMessage exploits: the 2020 KISMET exploit and a 2021 exploit that we call FORCEDENTRY. CitizenLab, August 24, 2021

Know Your Enemy

15-Year-Old Malware Proxy Network VIP72 Goes Dark: Over the past 15 years, a cybercrime anonymity service known as VIP72 has enabled countless fraudsters to mask their true location online by routing their traffic through millions of malware-infected systems. But roughly two weeks ago, VIP72’s online storefront — which ironically enough has remained at the same U.S.-based Internet address for more than a decade — simply vanished. KrebsOnSecurity, September 1, 2021

BEC Scammers Seek Native English Speakers on Underground: Cybercrooks are posting help-wanted ads on dark web forums, promising to do the technical work of compromising email accounts but looking for native English speakers to carry out the social-engineering part of these lucrative scams. ThreatPost, September 1, 2021

How ransomware runs the underground economy: Ransomware gangs are adopting all the core elements of legitimate businesses—including defined staff roles, marketing plans, partner ecosystems, and even venture capital investments—and some hallmarks of more traditional criminal enterprises. CSO, August 31, 2021

Cyberattackers are now quietly selling off their victim’s internet bandwidth: Proxyware is yet another way for criminals to generate revenue from their victims. ZDNet, August 31, 2021

Deepfakes in cyberattacks aren’t coming. They’re already here: In March, the FBI released a report declaring that malicious actors almost certainly will leverage “synthetic content” for cyber and foreign influence operations in the next 12-18 months. This synthetic content includes deepfakes, audio or video that is either wholly created or altered by artificial intelligence or machine learning to convincingly misrepresent someone as doing or saying something that was not actually done or said. VentureBeat, August 28, 2021

National Cybersecurity

U.S. National Security Agency Issues Update on Quantum-Resistant Encryption: Preparing for a quantum computing future and the new national security challenges. TomsHardware, September 2, 2021

9 notable government cybersecurity initiatives of 2021: Governments are increasingly taking on cybersecurity threats, as these nine government-led initiatives from around the globe show. CSO, September 2, 2021

There’s a Better Way to Stop Ransomware Attacks: Mr. Rosenzweig is a lawyer who writes and consults on issues of cybersecurity. He worked on cybersecurity policy at the Department of Homeland Security, where he was the deputy assistant secretary for policy from 2005 to 2009. The New York Times, August 31, 2021

How Congress and NIST Can Help Organizations Better Manage Cyber Risk: On Aug. 25, the Biden administration announced a new public-private initiative to improve the nation’s cybersecurity. The White House directed the National Institute of Standards and Technology (NIST) to partner with industry and other stakeholders to develop a new framework to “improve the security and integrity of the technology supply chain.” LawFare, August 31, 2021

Cyber Fine

SEC fines three companies over hacked employee email accounts: On Monday the US Securities and Exchange Commission fined three brokerage firms for neglecting to secure employee accounts, incidents that led to the exposure of their customers’ data. TheRecord, September 2, 2021

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.
