SecureTheVillage Calendar
STVHappyHour: A CIO and a Cyberinsurance Broker Walk Into a Bar … June 23 @ 4:30 pm – 5:30 pm PDT
TownHallWebinar: Protect Yourself From IDentity Theft with Karen Codman. June 23 @ 7:00 pm – 8:00 pm PDT
TownHallWebinar: Up On Cyber 2020. June 25 @ 8:00 am – 12:30 pm PDT
Leadership Council Meeting, July 8: Special Guest Dr. Vinton Cerf, Father of the Internet. July 8 @ 12:00 pm – 1:30 pm PDT
TownHallWebinar: Personal Cyber Security with Dr. Steve Krantz. July 21 @ 1:00 pm – 2:30 pm PDT Calabasas Senior Center Calabasas, CA
Individuals at Risk
Cyber Privacy
Google removes 106 Chrome extensions for collecting sensitive user data: Security firm identifies 111 malicious Chrome extensions collecting user keystrokes, clipboard content, cookies, more. ZDNet, June 18, 2020
Cyber Defense
Goodbye SMS—Google Confirms Powerful New Update For Millions Of Users: SMS messages are something of a security disaster. These unencrypted, open-form text messages travel across multiple unsecured networks, from sender to recipient. The system is a throwback to a long-gone era. This is becoming better known when we message one other—thus the rise of encrypted alternatives, WhatsApp, iMessage and Signal. But, ironically, that same SMS system has become the default delivery mechanism for most two-factor authentication (2FA) codes. And that’s not good. Forbes, June 17, 2020
Cyber Update
Unpatched vulnerability identified in 79 Netgear router models…Replace if your model is too old to update: A whopping 79 Netgear router models are vulnerable to a severe security flaw that can let hackers take over devices remotely. ZDNet, June 18, 2020
Cyber Danger
Turn on MFA Before Crooks Do It For You: Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. But people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control. Here’s the story of one such incident. KrebsOnSecurity, June 19, 2020
Popular mobile banking apps are riddled with security flaws, and Android users are more at risk. Users cautioned to properly secure their mobile devices: A study of banking apps for iOS and Android found poor source code protection, cleartext storage of sensitive data, and other serious flaws that make it easy for attackers to break into accounts. TechRepublic, Juen 18, 2020
Google Alerts accidentally circulating malware among users…Scammers are using fake data breach notifications to distribute malware and scams: Fraudsters are using black SEO, Google Sites and spam pages to push fake data breach notifications impersonating big name companies in an effort to distribute malware and scams. TechRadarPro, June 17, 2020
Cyber Humor
Information Security Management for the Organization
Information Security Management
Building relationships: The key to becoming a true cybersecurity leader. Slowly but surely, organizations are starting to view information security as a business problem, not an IT problem, and as everybody’s responsibility: “The CISO role is evolving to be less technical and more business-centric and, in many organizations, the CISO no longer reports to the CIO or CTO, but rather to the CEO or Board of Directors. As a result, many more business decisions are made with security [and privacy] in mind,” says Naomi Buckwalter, Director of Information Security & Privacy, Energage. HelpNetSecurity, June 18, 2018
As Businesses Reopen, A New Storm Of Cybercrime Activity Looms: There is nothing ordinary about the amount of disruption that will impact our lives moving forward as countries and states reopen following the coronavirus pandemic. In the context of the cloud, disruptions caused by COVID-19 have opened the door to another type of virus: cybersecurity threats. Today we are witnessing a rapid rise of opportunistic cybercriminal activity taking advantage of the chaos created by COVID-19. Forbes, June 18, 2020
Adapting information security management practices to post-Covid world. Microsoft Reports: COVID-19 Attacks Still Less Than 2% of Total Threats: COVID-19-themed cyber-attacks comprised only a tiny amount of overall threat volumes over the past four months despite sensational headlines, according to Microsoft. InfoSecurity, June 18, 2020
Privacy Management
French Privacy Watchdog Offers New Guidance for Web Scraping and Its Use in Direct Marketing: Explicit General Data Protection Regulation (GDPR) guidance on the subject of web scraping for purposes of direct marketing has finally been laid out to the public following the publication of a set of guidelines by France’s data watchdog, the CNIL. CPO, June 19, 2020
Cyber Warning
Phishing Campaign Targeting Office 365, Exploits Brand Names: Attackers use trusted entities to trick victims into giving up their corporate log-in details as well as to bypass security protections. ThreatPost, June 18, 2020
Cybercriminals Continue To Attack MSPs And IT Vendors … ConnectWise MSP Partners Hit By Ransomware: Multiple ConnectWise partners have had their customers hit with ransomware through a software flaw that the company revealed last week with one having several end users compromised, according to a source who spoke on condition of anonymity. CRN, June 18, 2020
Cybersecurity in Society
Cyber Crime
Elon Musk Bitcoin vanity addresses used to scam users out of $2 million: While Bitcoin giveaway scams have been around for more than two years, new trick helps scammers net massive profits. ZDNet, June 19, 2020
Maze Ransomware Gang Continues Data-Leaking Spree: Latest Named Victims Include Engineering Firm, Furniture Manufacturer, Pet Spa. BankInfoSecurity, June 18, 2020
Cognizant Says Maze Ransomware Attackers Hijacked Tax ID, Social Security, Passport Data: The cybercriminals who hit Cognizant this spring “exfiltrated” data related to employees’ corporate credit cards among other personal data including Social Security numbers, tax IDs, financial account information, and driver’s license and passport details, according to two letters Cognizant filed with California state regulators. CRN, June 18, 2020
Cyber Attack
Hidden Cyber War Between Israel and Iran Spills Into Public View With Attacks on Physical Infrastructure: For decades now there has been something of a tacit agreement among nations that spying and hacking are not enough to constitute acts of war, and that these battles are to be kept in the shadows for the most part. The general public is occasionally impacted by this quiet cyber war in the form of a personal information breach or a state-sponsored raid on the confidential assets of a private company, but attackers have generally stopped short of executing virtual attacks that create real damage in the physical world. CPO, June 19, 2020
Australia says it has been targeted by a ‘sophisticated’ state-based cyber attack. China suspected: Sydney/Hong Kong (CNN Business)The Australian government is grappling with massive cyber attacks from what Prime Minister Scott Morrison has described as a “malicious” and “sophisticated” state-based actor. CNN, June 19, 2020
AWS said it mitigated a 2.3 Tbps DDoS attack, the largest ever: The previous record for the largest DDoS attack ever recorded was of 1.7 Tbps, recorded in March 2018. ZDNet, June 17, 2020
No, The U.S. Has Not Suffered The Biggest Cyber-Attack In History: Here’s What Actually Happened at T-Mobile: As hundreds of thousands of people reported mobile carriers and internet services down, and ‘DDoS’ started trending on Twitter, ‘Anonymous’ laid the blame on China and suggested a major cyber-attack was underway. Here’s what actually happened. Forbes, June 16, 2020
Know Your Enemy
Cybercrime Has Undergone an Industrial Revolution – How to Keep Up: Cybercrime is an industry, with its own service economy, tools for hire, solution providers and end users, and this shadow economy is growing. Over several years, the cyber-criminal underground has undergone its own industrial revolution, a profound and far-reaching process of modernization and innovation. InfoSecurity, June 18, 2020
Ransomware News Roundup: Maze Gang Forms Extortion Cartel: In early June 2020, the Maze gang teamed up with other crypto-malware actors to extort non-paying victims using its shared data leaks platform. Maze wasn’t the only strain that made news. Those behind the REvil family also attracted the security community’s attention when it began auctioning off data stolen by their creation. Additionally, security researchers discovered two new crypto-malware groups: Kupidon and Avaddon. SecurityIntelligence, June 18, 2020
National Cybersecurity
When Security Takes a Backseat to Productivity: So ends a key section of a report the U.S. Central Intelligence Agency produced in the wake of a mammoth data breach in 2016 that led to Wikileaks publishing thousands of classified documents stolen from the agency’s offensive cyber operations division. The analysis highlights a shocking series of security failures at one of the world’s most secretive entities, but the underlying weaknesses that gave rise to the breach also unfortunately are all too common in many organizations today. KrebsOnSecurity, June 17, 2020
Cyber Freedom
Nation State Hackers Take Aim at Trump and Biden Campaigns: Nation state hackers originating from foreign governments have launched phishing attacks against campaign staff belonging to US presidential candidates Joe Biden and Donald Trump, according to observations by the Google Threat Analysis Group (TAG). While ultimately unsuccessful, the attacks have prompted mixed responses from the campaigns involved and have raised fresh alarm about cybersecurity preparedness among presidential candidates and their susceptibility to nation state hackers more broadly. CPO, June 18, 2020
Systemic Racism Is a Cybersecurity Threat. Understanding how systemic racism influences cybersecurity is integral to protecting the American people, deterring U.S. adversaries, & defending American businesses: For years there have been well documented discussions about the need to expand gender and racial diversity in cybersecurity. People have argued that if we address social and systemic issues separately, we will get the technology right. However, the social and the technological are mutually constitutive. Bringing in new points of view is crucial to cybersecurity, but we also have to change the systems in which technology is embedded and review technology against the backdrop of larger systemic issues to reduce vulnerabilities. Council on Foreign Relations, June 16, 2020
Cyber Law
A New CCPA Data Breach Lawsuit Is “Minted.” Online stationery and craft company Minted Inc. has been hit with a CCPA class action lawsuit, stemming from a massive data breach the company disclosed in late May: Online stationery and craft company Minted Inc. has been hit with a CCPA class action lawsuit, stemming from a massive data breach the company disclosed in late May. The proposed class action lawsuit, filed in a California federal court, claims that Minted Inc. failed to implement “reasonable security measures” and to properly encrypt certain personal information. See Atkinson v. Minted, Inc., No. 3:20-cv-03869 (N.D. Cal. June 11, 2020). As a result, the hackers allegedly accessed the company’s database that contained customers’ names and login credentials, including unredacted and unencrypted account information. Some 73.2 million records were allegedly stolen and included passwords, names, and other information. JDSupra, June 17, 2020
Cyber Enforcement
FEMA IT Specialist Charged in ID Theft, Tax Refund Fraud Conspiracy: An information technology specialist at the Federal Emergency Management Agency (FEMA) was arrested this week on suspicion of hacking into the human resource databases of University of Pittsburgh Medical Center (UPMC) in 2014, stealing personal data on more than 65,000 UPMC employees, and selling the data on the dark web. KrebsOnSecurity, June 18, 2020
