Individuals at Risk
Mass. tax collector breach victims double original estimate. Names, tax identification numbers, and payroll processors’ banking information of more than 39,000 business taxpayers compromised in breach: As is typical with most data breaches, where the overall impact of a cybersecurity “incident” is initially underestimated, the hack of the Massachusetts Department of Revenue disclosed last week was more than twice as large as originally anticipated by the tax-collecting agency. SC Magazine, February 23, 2018
LA Philharmonic employees’ W-2 information stolen in cyberattack: The Los Angeles Philharmonic has fallen victim to a cyberattack that resulted in the theft of W-2 information for everyone who worked there in 2017. ABC, February 22, 2018
have i been pwned?: Check if you have an account that has been compromised in a data breach. Reminder that different sites need different passwords.
Equifax’s massive 2017 data breach keeps getting worse as another 2.4 million victims identified: Equifax said Thursday that 2.4 million more consumers than previously reported were affected by the massive data breach the company suffered last year, adding to an already stunning toll. The Washington Post, March 1, 2018
Government contractor claims it can unlock any iPhone: New reports today surfaced revealing that government organizations might have access to all iPhones currently on the market. A government contractor apparently figured out how to crack iOS 11. The Next Web, February 28, 2018
If You’ve Not Already Done It, Update Your Flash Player as North Korea Flash Player Flaw Now Being Exploited by Cybercriminals: Endpoint security firm Morphisec has spotted a massive campaign that exploits a recently patched Adobe Flash Player vulnerability to deliver malware. SecurityWeek, February 26, 2018
Don’t fall for fake iTunes and App Store messages: Ever received an email that looks for all the world like it’s from Apple? Like, maybe a receipt from an iTunes purchase that you don’t remember making? Naked Security, February March 2, 2018
Beyond the Password Era: Changing Consumer Habits Signal the End Is Near: The death of the password has been rumored for years, but to this day it remains the primary way we identify ourselves online, with the average user now managing well over 100 accounts that require a password. Yet changing tides in the cybersecurity landscape, combined with evolving technology and consumer preferences, indicate that the end of the password era may finally be at hand. SecurityIntelligence, February 28, 2018
How to Fight Mobile Number Port-out Scams: T-Mobile, AT&T and other mobile carriers are reminding customers to take advantage of free services that can block identity thieves from easily “porting” your mobile number out to another provider, which allows crooks to intercept your calls and messages while your phone goes dark. Tips for minimizing the risk of number porting fraud are available below for customers of all four major mobile providers, including Sprint and Verizon. KrebsOnSecurity, February 28, 2018
Dangerous Banking Malware Discovered Lurking on Brand-new Android Phones: The unwanted, pre-installed software (or bloatware) that comes on most smartphones these days is bothersome enough. But it could be worse. Your new phone could have been infected with malware before you even turned it on for the first time. Forbes, March 2, 2018
Apple Warns About Convincing App Store Scam Emails That Steal Your Credit Cards: Apple is warning against a new wave of phishing attacks targeting iOS and macOS customers. The latest campaign sends app subscription renewal emails to Apple users, informing them their free trial is going to end after which their cards will be charged. wccftech, February 28, 2018
FTC warning users to do homework before using VPN apps: The FTC is warning users to read the fine print and do their homework before purchasing a VPN app as users could be opening themselves up to the very exploits they are looking to avoid. SC Magazine, February 23, 2018
Information Security Management in the Organization
Information Security Management and Governance
2% of Amazon S3 Public Buckets Aren’t Write-Protected, Exposed to Ransom Attacks: New research published on Monday reveals that 5.8% of all Amazon S3 buckets are publicly readable, while 2% are publicly writeable, with the latter allowing anyone to add, edit, or delete data, and even hold a victim’s data for ransom. BleepingComputer, February 28, 2018
New Cyber Security Style Guide helps bridge the communication gap: I think I’m going to start all my hot takes with that quote from Cool Hand Luke from now on, because the inability of most security folk to communicate with non-security folk is tearing apart our political and social and economic fabric. The people who govern our lives and who will shape the future of our world do not understand information security. Unless we break out of our cozy in-clique exclusionary slang, that can only end badly–for all of us. CSO, March 2, 2018
Financial Cyber Threat Sharing Group Phished: The Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for sharing data about critical cybersecurity threats facing the banking and finance industries, said today that a successful phishing attack on one of its employees was used to launch additional phishing attacks against FS-ISAC members. KrebsOnSecurity, March 1, 2018
The Roles CFOs And CMOs Need To Play In Cybersecurity Protection: There are a lot of players in the C-Suite these days, and chances are good they all have their own strategic priorities. The CFO wants to save money and deliver quality returns to investors. The CMO wants to churn data to find better and smarter ways to reach customers. The CIO wants to find ways to utilize new technology while keeping the company—and its customers—safe. And while all of those priorities are important, the silos and the “divide and conquer” mentality are no longer relevant in today’s digital landscape. In fact, I’d say there is one thing that should be the top priority for every executive—cyber security. Forbes, March 2, 2018
CFOs Don’t Worry Enough About Cyber Risk: Every executive team and board of directors is asking themselves the same question in regard to their cyber risk right now: what can we do differently to avoid being the next Equifax, Yahoo! or Target, and protect our shareholder value? HBR, December 1, 2017
Cybersecurity in Society
Cyber-Squabble Between Digital Certificate Vendors Results in Leak of 23,000 Private Keys, Triggers Security Scramble: Digital certificate reseller Trustico is sparring with certificate authority DigiCert, which recently took over Symantec’s digital certificate business, over a serious security incident. BankInfoSecurity, March 1, 2018
Malware said to force closure of hundreds of Tim Hortons outlets across Canada: A mysterious malware has taken out the cash registers of hundreds of Tim Hortons restaurants across Canada, forcing many of them to close and prompting legal action from franchise owners. SC Magazine, February 28, 2018
Know Your Enemy
Tony Soprano of Cybercrime Snitches on Russian Hacker: The man who allegedly orchestrated the JP Morgan hack is cooperating with the U.S. against the man accused of running one of the most notorious botnets ever. Daily Beast, February 28, 2018
U.S. intel: Russia compromised seven states prior to 2016 election: The U.S. intelligence community developed substantial evidence that state websites or voter registration systems in seven states were compromised by Russian-backed covert operatives prior to the 2016 election — but never told the states involved, according to multiple U.S. officials. NBC News, February 28, 2018
NSA Director: Trump Has Given No Specific Order to Combat Russian Meddling in 2018 Election. Says Putin has concluded there’s little price to pay for his interference in the U.S. election and that therefore he can continue this activity: A top U.S. intelligence official said Tuesday that President Donald Trump has given him no specific instructions to combat Russian meddling in the 2018 congressional elections that mirrors Moscow’s interference in the 2016 presidential contest aimed at helping Trump win. Voice of America, February 27, 2018
Germany admits hackers infiltrated federal ministries. Russian group suspected. Malware may have been in the network for a year before being discovered: German security services have admitted they uncovered a cyberattack on the government in December. Sources say the malware had been planted up to a year earlier and could be the work of a notorious Russian hacking group. DW, February 28, 2018
US border agents haven’t verified e-passport data for over 10 years: E-passports – high-tech passports with chips to store traveler information and cryptographic hashes to verify that the passports haven’t been forged or otherwise tampered with – have been required for more than 10 years to get into the US if you’re coming from one of the 38 countries on the visa-waiver list. Naked Security, February 26, 2018
Nation state cyber-attacks on the rise – detect lateral movement quickly, says new Crowdstrike report: The line between cyber-criminals and nation-state hackers is increasingly blurred. The volume and intensity of cyber-attacks hit a new high in 2017 alongside the increasing level of sophistication of hacks. SC Magazine, February 26, 2018
23 state AGs refile lawsuit challenging net neutrality repeal: The lawsuit by a coalition of attorneys general comes as the FCC files notice of its repeal to the Federal Register. CNet, February 22, 2018
David Cameron fake ID gang jailed for £1m online scam: A fraudster who advertised his counterfeit ID factory using a fake driving licence of former prime minister David Cameron has been jailed. BBC, February 16, 2018
SEC Reportedly Launches Cryptocurrency Probe: The U.S. Securities and Exchange Commission has issued dozens of subpoenas and requests for information to technology companies, executives and advisers involved in initial coin offerings, the Wall Street Journal reports, citing unnamed individuals with knowledge of the SEC’s probe. BankInfoSecurity, March 1, 2018
Ethereum Scammers Posing as Tech Celebrities Are Running Rampant On Twitter: Scammers are tricking gullible Twitter users into sending their hard-earned ether (Ethereum’s in-house cryptocurrency) to random addresses with the empty promise of a hefty giveaway. It’s the latest chapter in the neverending saga of scammers exploiting the cryptocurrency gold rush, and the so-called Bitcoin or Ethereum FOMO, or fear of missing out on an investment. Motherboard, February 23, 2018
SecureTheVillage Teams Up with Daily Journal & CalLawyer CyberForum: SecureTheVillage proudly joins The Daily Journal and CalLawyer.com on March 8, 2018 for a day-long CyberForum featuring Board Member Tom Peistrup and Leadership Council Member Dave Watts. SecureTheVillage, Event Date: March 8, 2018
CyberFreedom, a presentation to the UCLA Global Security Seminar by SecureTheVillage Founder, Dr. Stan Stahl: Nina Simone once described freedom as the absence of fear. If so, we are not free on the Internet. We are, instead, in a time of cyber crisis. UCLA Faculty Club, March 15 @ 6:00 pm – 9:00 pm.
Management Webinar: Online Bank Fraud — How To Avoid Being a Victim: Stan’s Guest: Barbara Allen-Watkins, Senior Vice President Treasury Management, City National Bank. April 5 @ 10:00 am – 11:00 am.
Financial Services Cybersecurity Roundtable: Steve Scarince will discuss ATM Jackpotting. Steve is Assistant to the Special Agent in Charge (ATSAIC) at the US Secret Service, Los Angeles. Host: Josh Peplow, American Business Bank: Friday morning, April 13, 2018, 8:00 – 10:00 am.
Cybersecure LA: SecureTheVillage and UCLA Extension are pleased to join together to provide a FREE Cybersecurity event to Downtown LA. April 18 @ 7:30 am – 10:00 am.