Individuals at Risk
Cyber Surveillance
They See You When You’re Shopping … How Sephora, Gucci, Kiehl’s and more track about 20 million online shoppers every day. (Spoiler: with cartoons.): For months you’ve been casing a Gucci shoulder bag online, adding it to your virtual cart, only to close the tab before buying it. One weekend, lounging in your pajamas, you decide to go for it, and back you go to the Gucci website. The New York Times, November 26, 2019
Cyber Danger
Beware of Thanksgiving eCard Emails Distributing Malware: With Thanksgiving being celebrated in the United States, malware distributors are sending out holiday themed emails to distribute the Emotet Trojan and other malware. BleepingComputer, November 28, 2019
Hidden Cam Above Bluetooth Pump Skimmer: Tiny hidden spy cameras are a common sight at ATMs that have been tampered with by crooks who specialize in retrofitting the machines with card skimmers. But until this past week I’d never heard of hidden cameras being used at gas pumps in tandem with Bluetooth-based card skimming devices. KrebsOnSecurity, November 28, 2019
Stop! Don’t Charge Your Phone This Way: You might want to think twice before plugging in at an airport or on the train. The New York Times, November 18, 2019
Cyber Defense
New Disney Plus Streaming Service Hit By Credential Stuffing Cyber Attack … Another Reminder To Use Different Passwords on Different Accounts: Just hours after the eagerly anticipated rollout of the Disney+ streaming service, customers began complaining on social media that they were being locked out of their accounts or experiencing other disruptions in the streaming of Disney movies and shows. The initial concern was that perhaps cyber criminals had launched a massive cyber attack on the new streaming service, bringing it to its knees almost before it had even launched. However, Disney says that there is “no indication” of a security breach on Disney+, and that the source of the problem might be a so-called “credential stuffing” attack, in which hackers obtain passwords and usernames from Dark Web databases, and then use a brute force method to see if those passwords and usernames will work on new sites as well. CPO, November 29, 2019
Cyber Humor
Information Security Management in the Organization
Information Security Management and Governance
The top cybersecurity mistakes companies are making (and how to avoid them): There’s not a one-size-fits-all approach to cybersecurity. Learn some of the common mistakes and how you can get on the right path. TechRepublic, November 26, 2019
Cybersecurity in the C-Suite
Companies Need to Rethink What Cybersecurity Leadership Is: For businesses today, cyber risk is everywhere. Yet for all the investments they’ve made to secure their systems and protect customers, companies are still struggling to make cybersecurity a vibrant, proactive part of strategy, operations, and culture. The root cause is twofold: (1) Cybersecurity is treated as a back-office job and (2) most cyber leaders are ill-equipped to exert strategic influence. Given that a cyber leader’s average tenure is just 18 months, it’s clear that something needs to change. HBR, November 27, 2019
Secure The Human
How Cybersecurity Can Forge Stronger Bonds Between Employees: Human beings are instinctively tribal. We identify with members of our own groups and often distrust, shun or even attack members of other groups. While this fact is responsible for many of the problems in the world (political polarization, for instance), there are times when group solidarity is a powerful force for good — for example, when a community comes together to address problems like crime and poverty or one family member makes a sacrifice for another. Forbes, November 27, 2019
Managing the Human Security Factor in the Age of Ransomware: Convincing employees to take security seriously takes more than awareness campaigns. ThreatPost, November 26, 2019
Cyber Insurance
The Future of Cybersecurity Insurance: Cybersecurity incidents and data breaches have become a normal part of the news cycle. It feels like every day you hear about a big corporation or organization suffering an attack that has put customer or user data in jeopardy. Sometimes this is because a security strategy was lacking; sometimes, the criminal’s attack was simply too powerful. Tripwire, November 27, 2019
Cybersecurity in Society
Cyber Privacy
Hey Congress, How’s That Privacy Bill Coming Along?: As the year winds down without any federal online privacy law to show for it, Senate Democrats introduce new legislation and a set of “privacy principles.” Wired, November 29, 2019
New US Federal Privacy Bill Gets Proposed … Consumer Online Privacy Rights Act Modeled After California Consumer Privacy Act (CCPA): U.S. Sen. Maria Cantwell (D-Washington) has introduced a federal privacy bill called the Consumer Online Privacy Rights Act, or COPRA, that could expand the rights of people when it comes to how personal data is collected, shared and used. Senators Amy Klobuchar (D-Minn.), Ed Markey (D-Mass.), and Brian Schatz (D-Hawaii) also co-sponsored the Bill. BankInfoSecurity, November 28, 2019
Data Privacy Will Be The Most Important Issue In The Next Decade: It’s been an information con job. Companies lulled us into thinking we were simply connecting with our friends, finding our way around town, or locating the perfect sweater. While we were extolling the virtues of each new digital tool and talking up the latest apps to each other, companies were building a multi-billion dollar war chest of information to use against us. As the saying goes, “you are the product.” Forbes, November 26, 2019
Cyber Crime
Ransomware: Big paydays and little chance of getting caught means boom time for crooks: File-encrypting malware is proving to be extremely lucrative for cyber attackers, who can continue large-scale ransomware campaigns – making hundreds of thousands of dollars – almost risk-free. ZDNet, November 27, 2019
Sale of 4 Million Stolen Cards Tied to Breaches at 4 Restaurant Chains: On Nov. 23, one of the cybercrime underground’s largest bazaars for buying and selling stolen payment card data announced the immediate availability of some four million freshly-hacked debit and credit cards. KrebsOnSecurity has learned this latest batch of cards was siphoned from four different compromised restaurant chains that are most prevalent across the Midwest and eastern United States. KrebsOnSecurity, November 26, 2019
Cyber Attack
Multiple hotels hit by targeted malware attacks: Guest credit card details could also be exposed. ITPROPortal, November 28, 2019
NYPD Fingerprint Database Taken Offline to Thwart Ransomware After Contractor Infects Network With Malware: The malware was introduced to the police network via a contractor who was installing a digital display. ThreatPost, November 25, 2019
110 Nursing Homes Cut Off from Health Records in Ransomware Attack: A ransomware outbreak has besieged a Wisconsin-based IT company that provides cloud data hosting, security and access management to more than 100 nursing homes across the United States. The ongoing attack is preventing these care centers from accessing crucial patient medical records, and the IT company’s owner says she fears this incident could soon lead not only to the closure of her business, but also to the untimely demise of some patients. KrebsOnSecurity, November 23, 2019
National Cybersecurity
The Cybersecurity 202: The Sony hack ushered in a dangerous era in cyberspace: Five years ago this week, Sony Pictures Entertainment was hit with the most brazen cyberattack against a U.S. target to date. It riveted public attention, assaulted the First Amendment and prompted President Barack Obama to threaten retaliation for the first time against a cyberspace adversary. The Washington Post, November 27, 2019
It’s Way Too Easy to Get a .gov Domain Name: Many readers probably believe they can trust links and emails coming from U.S. federal government domain names, or else assume there are at least more stringent verification requirements involved in obtaining a .gov domain versus a commercial one ending in .com or .org. But a recent experience suggests this trust may be severely misplaced, and that it is relatively straightforward for anyone to obtain their very own .gov domain. KrebsOnSecurity, November 26, 2019
It Takes a Village
A Cause You Care About Needs Your Cybersecurity Help: By donating their security expertise, infosec professionals are supporting non-profits, advocacy groups, and communities in need. DarkReading, November 27, 2019
Cyber Freedom
The sinister timing of deepfakes and the 2020 election: Education and legislation are needed to combat the significant threat of deepfakes. TechRepublic, November 28, 2019
Cyber Gov
States are at a crossroads when it comes to cybersecurity: A few weeks ago, I participated in a cybersecurity panel at the National Association of State Technology Directors Annual Conference. The theme of the event, “The Crossroads of Technology,” was very fitting from my perspective because it was clear that state and local government organizations are, in fact, at a major crossroads when it comes to cybersecurity. These enterprises are clearly feeling the wear-and-tear of phishing, malware, and ransomware attacks that must feel like a daily occurrence. In fact, during the conference, news broke about the state of Texas being hit with a coordinated ransomware attack that disrupted systems of 22 local governments. CyberScoop, November 27, 2019
Cyber Law
Facebook Breach Victims Can Sue For ‘Reasonable’ Security … But Judge Rules Plaintiff in 2018 Breach Case Not Eligible for Compensation: Victims of a Facebook data breach can continue a class-action lawsuit to try and force the social network to improve its security practices, a federal judge has ruled. BankInfoSecurity, November 28, 2019
Cyber Surveillance
TikTok owner ByteDance and Huawei are helping China’s campaign to repress Uighur Muslims, report finds: A new leak of highly classified Chinese government documents has uncovered the operations manual for running the mass detention camps in Xinjiang and exposed the mechanics of the region’s Orwellian system of mass surveillance and “predictive policing.” ICIJ, November 24, 2019
Internet of Things
European Cybersecurity Agency Publishes Report on Smart Car Security: The European Union Agency for Cybersecurity (ENISA) yesterday published a report on the cybersecurity of smart cars. Info Security, November 26, 2019