SecureTheVillage — Upcoming Conferences
Cybersecure SoCal 2019: Cybersecurity is a Team Sport!
… a joint presentation of SecureTheVillage and the Pepperdine Graziadio Business School’s CyRP Program … Keynote Speaker: Ron Ross, Fellow at the National Institute of Standards and Technology. His focus areas include cybersecurity, systems security engineering, and risk management.
October 17 8:00 am – 3:30 pm
Individuals at Risk
Myth-busting: Unmask these four privacy untruths to protect yourself online … As Will Rogers said, “It’s not what people don’t know that gets them in trouble. It’s what they do know that just ain’t so.”: Oh boy, it’s been a bad year for privacy. According to a recent RiskBased Security report, the first half of 2019 saw nearly 4,000 publicly disclosed breaches, exposing an inconceivable 4.1 billion compromised records. And most of those exposed records were from just eight breaches. USA Today, September 21, 2019
State DMVs Selling Personal Data for Millions of Dollars in Profit: The next time you apply for a driver’s license at your local Department of Motor Vehicles (DMV) office, just be aware that all of the personal information that you provide them might be later packaged up and sold to the highest bidder. That’s the disturbing takeaway from a recent VICE Motherboard investigation, which relied on hundreds of public records requests to track down exactly how much money state DMV offices are making by selling personal data every year. By some estimates, state DMV offices around the nation have made tens of millions of dollars in profit ever since the practice began around 2014. CPO Magazine, September 18, 2019
Why a Credit Freeze Alone Won’t Stop Identity Theft: With identity theft continuing to pose a major threat to consumers, most experts advise putting a credit freeze on your accounts to prevent fraud. No question, a freeze can go a long way toward protecting your finances. But if you have one in place, don’t feel complacent, says Ted Rossman, an industry analyst at Creditcards.com. You need to take additional steps to minimize the risks from hackers and thieves. Consumer Reports, September 16, 2019
Asus, Lenovo and Other Routers Riddled with Remotely Exploitable Bugs. Independent Security Evaluators tested 13 different models, resulting in 125 different vulnerabilities: More than a hundred vulnerabilities have been found in small office/home office (SOHO) routers and network-attached storage devices (NAS) from vendors that include Asus, Zyxel, Lenovo, Netgear and other top names, which open them up to remote attackers. That’s according to Independent Security Evaluators, which pen-tested 13 different models, resulting in 125 different CVEs. ThreatPost, September 16, 2019
Personal data of 21 million passengers exposed by Malindo Airlines’s sister company. Exposure may have been due to Malindo failing to securely configure its servers on Amazon Web Services: Amazon Web Services (AWS) Singapore says all servers containing data of Malindo Air customers are secured “with no further vulnerabilities”, and no payment details leaked. This confirmation follows a reported security breach that compromised personal data of 21 million passengers, including that of Malindo’s sister company, Lion Air. ZDNet, September 20, 2019
How to protect yourself from ransomware using Windows 10 … But be prepared to do some fine-tuning: Microsoft offers built-in ransomware protection for Windows 10. Here’s how to make sure you’re protected. Fox News, September 21, 2019
New Android Warning: 500M+ Users Have Installed Apps Hiding Nasty Malware—Uninstall Now: Here we go again—more dangerous, malware-laced apps found lurking in Google’s Play Store. Android’s preeminent storefront has come in for serious criticism in recent months, with multiple warnings about malware-laced apps which have often been on the store for months, or even years, and which have been installed by hundreds of millions of users. This latest warning concerns four VPNs and two selfie apps, with more than 500 million installs between them, all of which contain harmful adware and which seek dangerous system permissions that can inflict serious harm. Forbes, September 20, 2019
Information Security Management in the Organization
Information Security Management and Governance
Key threats and trends SMB IT teams deal with: MSPs are significantly more concerned with internal data breaches and rapidly evolving technology practices, whereas internal IT teams are more concerned with employee behavior/habits, according to a Central by LogMeIn report. HelpNetSecurity, September 20, 2019
Organizations continue to struggle with privacy regulations: Many organizations’ privacy statements fail to meet common privacy principles outlined in GDPR, CCPA, PIPEDA, including the user’s right to request information, to understand how their data is being shared with third parties and the ability of that information to be deleted upon request, according to the Internet Society’s Online Trust Alliance (OTA). HelpNetSecurity, September 20, 2019
Why businesses would rather lose revenue than data: While businesses don’t want to lose data, 66% of business decision makers said their current IT resources do not keep up with growing technological demands. TechRepublic, September 19, 2019
The Future of Cybercrime: Where Are We Headed? IBM Security Intelligence: By 2024, the collective cost of data breaches will reach $5 trillion, according to a study by Juniper Research. The study predicted this astronomical amount will be the result of an increase in fines due, in large part, to the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and any other data privacy laws that come up in the next five years. SecurityIntelligence, September 18, 2019
Cybersecurity frameworks hold key to solid security strategy: Cybersecurity frameworks take work, but they help organizations clarify their security strategies. If you don’t have one, here’s what to consider, even for emerging perimeterless security options. SecuritySearch.com, September 2019
WeWork’s weak Wi-Fi security leaves sensitive documents exposed … Another shocking – but not surprising – example that when it comes to information security management, caveat emptor applies. Trust [maybe] and Always Verify: When Teemu Airamo moved into his company’s new Manhattan office in shared workspace provider WeWork, he had one overriding priority: to run a security scan on the building’s Wi-Fi network. After all, he shared a space with more than 200 companies also co-working in the Financial District hub and didn’t want anyone snooping around. It was May 2015, and Airamo’s digital media company was working with contracts and sensitive documents. He couldn’t afford to get hacked. So when he saw hundreds of other companies’ devices and financial records completely visible on the building’s network, Airamo was stunned. CNet, September 19, 2019
Managed service providers are ransomware hackers’ new gold mine … Is your IT vendor’s lack of security exposing you to additional risk? Trust But Verify: On July 3, employees at Arbor Dental in Longview, Washington, noticed glitches in their computers and couldn’t view X-rays. Arbor was one of dozens of dental clinics in Oregon and Washington stymied by a ransomware attack that disrupted their business and blocked access to patients’ records. Houston Chronicle, September 15, 2019
Ransomware: 11 steps you should take to protect against disaster: Falling victim to ransomware could put your vital business or personal data at risk of being lost forever. These steps can help bolster your defences. ZDNet, September 18, 2019
10 Recent Changes to the CCPA that Businesses Should Know About … Employee rights changed. Encryption is a safe harbor against the data breach private right of action: The California legislative session is over and the nine-month effort to amend the California Consumer Privacy Act of 2018 (“CCPA”) has concluded. In the end, the California legislature passed five amendments to the CCPA. Although the amendments aren’t final until Governor Newsom signs them into law, the Governor has not given any indication that he intends to veto them and is expected to sign them some time before October 13th. If signed into law, the amendments will go into effect, along with the rest of the CCPA, on January 1, 2020. SecurityBoulevard, September 20, 2019
CCPA Update: Changes, Clarifications, But No Major Overhaul Heading To Governor’s Desk: The California Legislature passed several bills amending the forthcoming California Consumer Privacy Act (CCPA). Although the amendments contain some significant changes, outlined here, the most important and groundbreaking aspects of the law will remain intact when the law takes effect in January 2020. The National Law Review, September 20, 2019
California’s IoT Security Law Causing Confusion. The law, which goes into effect January 1, requires manufacturers to equip devices with ‘reasonable security feature(s).’ What that entails is still an open question: Companies that make connected devices — from Internet routers to connected thermostats to home-monitoring cameras — need to start preparing for the enforcement of California’s Internet of Things (IoT) security law, which goes into effect on January 1, 2020, attorneys said this week. The question is whether a simple authentication fix is enough for most devices or whether companies need to adhere to a more rigorous standard. DarkReading, September 19, 2019
Cybersecurity in Society
Toyota Subsidiary Loses $37 Million Due to BEC Scam – CPO Magazine … Never ever wire money on the basis of an email or fax. Verbally confirm all wire requests: Rogue hackers continue to come up with new attacks designed to infiltrate the cyber defenses of the world’s largest corporations. The latest corporate titan to fall victim to hackers is automotive giant Toyota. A European subsidiary of the company, Toyota Boshoku Corporation, was targeted by hackers as part of a business email compromise (BEC) scam. Total financial losses from the BEC scam are reportedly close to $37 million (¥4 billion), and the company is now trying to recover this money with the help of law enforcement officials. CPO Magazine, September 20, 2019
Payment Card Breach Hits 8 Cities Using Vulnerable Bill Portal: A vulnerable municipality payment software, which previously led to the breach of hundreds of thousands of payment cards in 2017, has been targeted once again. This time it was part of a breach involving eight cities in August. ThreatPost, September 19, 2019
Saudi IT Providers Hit in Cyber Espionage Operation: In what appears to be a coordinated and targeted cyber espionage campaign, the networks of several major IT providers in Saudi Arabia were attacked in the past year as a stepping-stone to the attackers’ ultimate targets in that region. Researchers at Symantec say the attackers have been operating since July 2018 and appear to be a previously unidentified threat group, which Symantec has christened Tortoiseshell. DarkReading, September 18, 2019
Report: Use of AI surveillance is growing around the world: When you think of nations using artificial intelligence (AI) -enhanced surveillance technologies, China probably comes to mind: the place where facial recognition is used to ration toilet paper, to name and shame jaywalkers, and to outfit police with glasses to help them find suspects. It’s not just China, of course. According to a report from the Carnegie Endowment for International Peace, the use of AI surveillance technologies is spreading faster, to a wider range of countries, than experts have commonly understood. Naked Security, September 20, 2019
Information Security Management
How Louisiana Responded to Its Recent Ransomware Attacks. Through quick response & existing cyberthreat response system, state managed to stave off what could have been a much more disastrous attack affecting twice as many communities: In July, after a large-scale ransomware attack struck school districts throughout Louisiana, Governor John Bel Edwards issued a first-ever statewide emergency declaration related to a cyberincident. The attack — which state CIO Dickie Howze describes as a “single, coordinated” one — infected five separate districts and could have brought down more than half a dozen others were it not for officials’ quick response. Government Technology, September 20, 2019
Secret F.B.I. Subpoenas Scoop Up Personal Data From Scores of Companies: The F.B.I. has used secret subpoenas to obtain personal data from far more companies than previously disclosed, newly released documents show. The requests, which the F.B.I. says are critical to its counterterrorism efforts, have raised privacy concerns for years but have been associated mainly with tech companies. Now, records show how far beyond Silicon Valley the practice extends — encompassing scores of banks, credit agencies, cellphone carriers and even universities. The New York Times, September 20, 2019
CISA stepping into cybersecurity coordinator role as agencies improve cyber hygiene: Federal Chief Information Security Officer Grant Schneider, speaking Thursday at the Cybersecurity and Infrastructure Security Agency’s summit, said agencies have “come a long way” on cybersecurity. He pointed to overall higher Federal Information Security Management Act and Federal Information Technology Acquisition Reform Act scores as evidence that government has turned a corner on cyber. Federal News Network, September 20, 2019
Edward Snowden Discusses His New Book – “Permanent Record” & Life as an Exiled NSA Whistleblower with Trevor Noah: Edward Snowden discusses how his book “Permanent Record” sheds light on the evolving intelligence industry. The Daily Show with Trevor Noah, September 20, 2019
Russia and China Are Trying to Set the U.N.’s Rules on Cybercrime. At the United Nations General Assembly, the United States must push back against their agenda: As world leaders gather in New York next week for another session of the United Nations General Assembly, they’ll have a number of pressing global security challenges on their minds. But on one key topic—cybercrime—the United States risks losing to Russia and China if it doesn’t have a clear strategy for pushing back against their attempts to prevail on the issue. By failing to articulate its own vision for cybersecurity, it would let two countries that have sponsored and harbored cybercriminals set the rules of the game. Foreign Policy Group, September 16, 2019
New clues show how Russia’s grid hackers aimed for physical destruction. 2016 Russian cyberattack on Ukraine intended to cause far more damage than it did: For nearly three years, the December 2016 cyberattack on the Ukrainian power grid has presented a menacing puzzle. Two days before Christmas that year, Russian hackers planted a unique specimen of malware in the network of Ukraine’s national grid operator, Ukrenergo. Just before midnight, they used it to open every circuit breaker in a transmission station north of Kyiv. The result was one of the most dramatic attacks in Russia’s years-long cyberwar against its western neighbor, an unprecedented, automated blackout across a broad swath of Ukraine’s capital. ARS Technica, September 14, 2019
After Resisting, McConnell and Senate G.O.P. Back Election Security Funding: WASHINGTON — Facing mounting criticism for blocking proposals to bolster election security, Senator Mitch McConnell on Thursday threw his weight behind a new infusion of $250 million to help states guard against outside interference in the 2020 voting. The New York Times, September 19, 2019
Man Who Hired Deadly Swatting Gets 15 Months: An Ohio teen who recruited a convicted serial “swatter” to fake a distress call that ended in the police shooting an innocent Kansas man in 2017 has been sentenced to 15 months in prison. “Swatting” is a dangerous hoax that involves making false claims to emergency responders about phony hostage situations or bomb threats, with the intention of prompting a heavily-armed police response to the location of the claimed incident. KrebsOnSecurity, September 17, 2019
JPMorgan Hacker Will Plead Guilty Over Role in Vast Cyber-Attack: A Russian hacker at the center of an alleged scheme to steal financial data on more than 80 million JP Morgan Chase & Co. clients will plead guilty later this month, according to a U.S. court filing. Bloomberg, September 16, 2019
Facebook Removed Tens of Thousands of Apps Post-Cambridge Analytica: Facebook said it has suspended tens of thousands of apps as part of its ongoing investigation into how third-party apps on its platform collect, handle and utilize users’ personal data. The results of the investigation, launched in March 2018 in response to Facebook’s infamous Cambridge Analytica incident, sharpen the spotlight on the social media platform’s data collection policies. ThreatPost, September 20, 2019
SecureTheVillage Calendar — Register Now
Webinar: SecureTheVillage October Webinar
Securing the Network—Lessons Learned From Breach Investigations
Guest Panelist: Joe Greenfield, Managing Director, Maryman & Associates; Associate Professor, USC Viterbi
October 3 @ 10:00 am – 11:00 am
Financial Services Cybersecurity Roundtable – October 2019
Title: Recent Trends in Financial and Electronic Crimes … And How the Secret Service Can Help.
Speaker: Deronda Dubose, Special Agent, Technical Staff Assistance. United States Secret Service.
October 11 @ 8:00 am – 10:00 am
Cybersecure SoCal 2019: Cybersecurity is a Team Sport!
… a joint presentation of SecureTheVillage and the Pepperdine Graziadio Business School’s CyRP Program
Keynote Speaker: Ron Ross, Fellow at the National Institute of Standards and Technology. His focus areas include cybersecurity, systems security engineering, and risk management.
October 17 8:00 am – 3:30 pm