Cybersecurity News of the Week, February 10, 2019


Happy 10th Anniversary, CitadelOnSecurity

This week’s edition of Cybersecurity News of the Week starts the 11th year of Citadel blogging. Citadel’s first blog post was February 10, 2009: Average cost of a data breach in 2008 grew to $202 per record, Ponemon Study Says. Since then, we’ve posted more than 11,000 postings. Our first Weekend Vulnerability & Patch Report was published in October 2010. And we published our first Cybersecurity News of the Week five years ago, in January 2014. Happy Anniversary, Citadel!!!

Individuals at Risk

Cyber Privacy

iPhone snooping: Apple cracks down on apps that secretly record taps, keystrokes. iOS app developers have been capturing how users interact with screens without gaining user consent: Apple plans to crack down on iOS apps that use so-called ‘session replay’, a technology that helps developers understand how people use an app, but also lets the developer see a replay of every tap and swipe users make on their iPhones. TechRepublic, February 8, 2019

EU Recalls Children’s Smartwatch That Leaks Location Data. The children’s smartwatch allows bad actors to track their location and communicate with them, according to the alert: The European Commission has issued a recall for a popular smartwatch for children, citing “serious” privacy issues that could allow a bad actor to track or communicate with kids remotely. ThreatPost, February 5, 2019

Cyber Update

Apple Update: Drop Everything and Patch iOS. Zero Days Being Exploited; Apple Contributes to ‘FacePalm’ Bug Finder’s Tuition: Patch now. That’s the message security experts have for all iOS users following Apple’s release of a security update on Thursday. BankInfoSecurity, February 8, 2019

Cyber Defense

2 Factor Authentication: The One Gmail Setting You Should Activate Now: Gmail has more than one billion users, and there’s a very good chance that you’re among them. With Google Photos, Google Drive, Google Docs and a myriad of other productivity services, Google’s popularity and reach are nearly unparalleled, particularly if you also use the company’s Android operating system on your mobile device. TomsGuide, February 8, 2019

Another reminder that you need different passwords for different sites. Researchers theorize Bezos extortion attempt commenced when girlfriend’s password was found in a dark web database of compromised email addresses and passwords: Researchers are shooing away theories of an elaborate “deep state” hacking plot against Jeff Bezos tied to the alleged tawdry images of him and girlfriend Lauren Sanchez. They say, alleged images that Bezos claims that the National Enquirer is threatening to release were likely obtained via a “simple hack.” ThreatPost, February 8, 2019

Protect your accounts from data breaches with Password Checkup: Google helps keep your account safe from hijacking with a defense in depth strategy that spans prevention, detection, and mitigation. As part of this, we regularly reset the passwords of Google accounts affected by third-party data breaches in the event of password reuse. This strategy has helped us protect over 110 million users in the last two years alone. Without these safety measures, users would be at ten times the risk of account hijacking. Google, February 5, 2019

Information Security Management in the Organization

Cyber Leadership

We Need More Transparency in Cybersecurity. Security has become a stand-alone part of the corporate IT organization. That must stop, and transparency is the way forward: In college, I was assigned to write a paper for a political science class to argue what would be the greatest national threat our upcoming generation would face. I wrote what I believed to be a solidly reasoned and articulate essay positing that cyber terrorism would be the major issue with which the United States would need to grapple. DarkReading, February 8, 2019

Information Security Management and Governance

6 Steps Every New CISO Should Take to Set Their Organization Up for Success: Congrats! You’ve landed a new job as a chief information security officer (CISO). Now where do you start? SecurityIntelligence, February 7, 2019

Cyber Warning

Business Email Compromise Attacks See Almost 500% Increase: Business email compromise (BEC) attacks have seen an explosive 476% growth between Q4 2017 and Q4 2018, while the number of email fraud attempts against companies increased 226% QoQ. BleepingComputer, February 7, 2019

Cyber Fine

Cottage Health Hit With $3 Million HIPAA Settlement. Latest in a Series of Substantial HHS Penalties for Violations: The U.S. Department of Health and Human Services has hit a California-based healthcare provider with a $3 million HIPAA settlement related to two breaches involving misconfigured IT. It’s the latest in a recent series of hefty penalties issued in HIPAA cases. BankInfoSecurity, February 8, 2019

Cyber Talent

Cybersecurity Skills for Top Performance: Beyond Technical Skills: As the number of interconnected digital devices grows exponentially, and since computer infrastructure has come to underlie almost every organizational, business, and government function, the complexity of maintaining cybersecurity in all corners of society has become staggering. Protecting digital data requires constant innovation, iteration, vigilance, monitoring, and stakeholder input and feedback. Forbes, February 7, 2019


Cybersecurity in Society

Cyber Attack

Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions: A highly targeted, malware-laced phishing campaign landed in the inboxes of multiple credit unions last week. The missives are raising eyebrows because they were sent only to specific anti-money laundering contacts at credit unions, and many credit union sources say they suspect the non-public data may have been somehow obtained from the National Credit Union Administration (NCUA), an independent federal agency that insures deposits at federally insured credit unions. KrebsOnSecurity, February 8, 2019

Hack Attack Breaches Australian Parliament Network. No Signs of Data Theft; Password Resets Ordered: Hackers have breached the Australian Parliament’s network, although investigators say they have found no evidence that attackers stole any data. BankInfoSecurity, February 8, 2019

Ransomware Attack Via MSP Locks Customers Out of Systems. Vulnerable plugin for a remote management tool gave attackers a way to encrypt systems belonging to all customers of a US-based MSP: An attacker this week simultaneously encrypted endpoint systems and servers belonging to all customers of a US-based managed service provider by exploiting a vulnerable plugin for a remote monitoring and management tool used by the MSP. DarkReading, February 7, 2019

Cyber Defense

‘Internet of things’ or ‘vulnerability of everything’? Japan will hack its own citizens to find out: (CNN) Children playing in a middle school gym in Indonesia; a man getting ready for bed in a Moscow apartment; an Australian family coming and going from their garage; and a woman feeding her cat in Japan. CNN, February 1, 2019

Know Your Enemy

Modern Cybercrime: It Takes a Village: Today’s financial cyber-rings have corporate insider and management roles — cybercrime is not just for hackers and coders anymore. ThreatPost, February 6, 2019

Crooks Continue to Exploit GoDaddy Hole: GoDaddy, the world’s largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy’s fix hasn’t gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal. KrebsOnSecurity, February 4, 2019

Two hacker groups responsible for 60 percent of all publicly reported hacks. The two hacker groups suspected of stealing around $1 billion worth of cryptocurrency: Two hacker groups are behind 60% of all publicly reported cryptocurrency exchange hacks and are believed to have stolen around $1 billion worth of cryptocurrency, according to a report published last week by blockchain analysis firm Chainalysis. ZDNet, February 4, 2019

Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy: Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy, the world’s largest domain name registrar, KrebsOnSecurity has learned. KrebsOnSecurity, January 22, 2019

Cyber Freedom

Add cybersecurity to Doomsday Clock concerns, says Bulletin of Atomic Scientists. The Doomsday Clock, once a ritual feature of the Cold War, warns that cybersecurity issues like IoT and cyber-enabled information warfare endanger humanity: The human race is closer to herd suicide than it has been in history, the Bulletin of Atomic Scientists warns — in part, because of cybersecurity issues, including both information warfare and insecure IoT devices. Founded by the Manhattan Project scientists who built America’s nuclear weapons program, the Doomsday Clock is a regular reminder of the existential threats to the species that humanity has created for itself. The Doomsday Clock stands at two minutes to midnight, the same as 1953, at the height of the Cold War. CSO, February 6, 2019

The Cybersecurity 202: State officials want election security cash. But some don’t like the strings attached: State election officials want the latest round of election security money included in a major bill proposed by House Democrats – but they’re divided on whether they want to accept a slew of voting mandates that come along with it. The Washington Post, February 4, 2019

The Public-Interest Technologist Track at the RSA Conference: Our work in cybersecurity is inexorably intertwined with public policy and—more generally—the public interest. It’s obvious in the debates on encryption and vulnerability disclosure, but it’s also part of the policy discussions about the Internet of Things, cryptocurrencies, artificial intelligence, social media platforms, and pretty much everything else related to IT. Schneier On Security, January 29, 2019

National Cybersecurity

Foundation for Defense of Democracies & Chertoff Group Report says the United States “will find itself flat-footed during a major cyber event” unless government & private sector decision makers begin joint preparation for an attack: In October 2018, the Foundation for Defense of Democracies and The Chertoff Group conducted a cyber-enabled economic warfare (CEEW) tabletop exercise with former senior government officials and private sector leaders. The purpose of the exercise was to identify points of alignment and divergence between what the private sector and government may want, need, and demand from each other in the immediate aftermath of a major cyber incident. FDD, February 5, 2019

Cyber Law

Illinois Expands Protection of Biometric Information – Who’s Next? Opening the gates to expensive class actions and “sue and settle” lawsuits: A new ruling by the Illinois Supreme Court could trigger expensive class action lawsuits and private litigation against businesses, even where plaintiffs do not allege actual injury. The case demands attention, not only from those doing business in Illinois, but throughout the nation. JMBM Cybersecurity Lawyer Forum, January 30, 2019

Cyber Enforcement

More Alleged SIM Swappers Face Justice: Prosecutors in Northern California have charged two men with using unauthorized SIM swaps to steal and extort money from victims. One of the individuals charged allegedly used a hacker nickname belonging to a key figure in the underground who’s built a solid reputation hijacking mobile phone numbers for profit. KrebsOnSecurity, February 6, 2019

Content Security

CDSA Releases First Film and Television Production Security Guidelines: Guidelines for protecting film and television productions against cyber and physical breaches have been released by the Content Delivery and Security Association (CDSA), the worldwide media and entertainment security association. MESA, February 7, 2019

Financial Cybersecurity

The Cybersecurity 202: A bank wants to recover the $81 million North Korea allegedly stole. It won’t be easy: The New York Federal Reserve is assisting Bangladesh’s central bank in a lawsuit filed Thursday to claw back $81 million in funds stolen during a 2016 North Korean hacking campaign. But they’re not going after Pyongyang directly. The Washington Post, February 5, 2019

Internet of Things

Your New Car Is A Hacker Magnet — Automotive Industry Disconnect To Blame. New Ponemon Institute research reveals just how far behind the game many car makers are when it comes to cybersecurity: The car that you drive today is a far cry from those of just a decade ago and in many ways is now an internet-connected computer on wheels. This push towards connectivity and smart-motoring has seen the automotive manufacturing industry shift towards becoming as much about software as they are transportation. And that means it faces much the same security challenges as the software industry, but with the distinct disadvantage of being way behind the game. Newly published Ponemon Institute research suggests that automotive software security is simply not keeping up with the pace of technology and supply chain postures in particular present a major risk not only to the cars of today but also the self-driving vehicles of tomorrow. Forbes, February 4, 2019

Cyber Miscellany

Child abuse imagery found in cryptocurrency blockchain: For the second time in a year, illegal child abuse images have been spotted inside a blockchain. NakedSecurity, February 8, 2019

The Age of Big Leaks. A terabyte of data — 100 million pages or 1,000 hours of video — can be shared on a thumb drive. But stolen secrets come with complications: On the very day that Roger Stone was charged with lying about a momentous set of leaks that originated with Russian hackers, a feisty band of transparency activists led by a Boston woman posted a voluminous collection of leaks from inside Russia. The New York Times, February 2, 2019

SecureTheVillage Calendar

Join SecureTheVillage at Daily Journal’s Cybersecurity/Privacy Forum 2019
February 26 @ 8:00 am – 5:00 pm

Webinar: SecureTheVillage March Webinar
SecureTheHuman: Tactics That Drive Cultural Adaptation
March 7 @ 10:00 am – 11:00 am

Webinar: SecureTheVillage April Webinar
April 4 @ 10:00 am – 11:00 am

Financial Services Cybersecurity Roundtable – April 2019
April 12 @ 8:00 am – 10:00 am

The post Cybersecurity News of the Week, February 10, 2019 appeared first on Citadel Information Group.
