Cybersecurity News of the Week, February 24, 2019

Individuals at Risk

Cyber Privacy

Facebook Is Collecting App Users’ Data Without Consent, Wall Street Journal Finds: An investigation by The Wall Street Journal on Friday found that Facebook is collecting data from smartphone users’ other apps without their consent, adding yet another layer to intensifying concerns about the company’s privacy violations. Huffington Post, February 22, 2019

Sorry, we didn’t mean to keep that secret microphone a secret, says Google: Earlier this month, Google attempted to cozy up to harried commuters with the news that they could thenceforth ask their Nest home security and alarm system if, say, they needed an umbrella, or how gnarly their commute would be. NakedSecurity, February 21, 2019

Identity Theft

Credit Freeze Against Identity Theft: Identity theft protection is a big concern for modern consumers. According to the Identity Theft Resource Center, the number of data breaches dropped by 23% between 2017 and 2018, but the amount of personally identifiable information exposed during those breaches increased by 126%. BankRate, February 21, 2019

Cyber Update

19-Year-Old WinRAR Code Execution Flaw Discovered. 500 Million Users Exposed: Users of the popular file-compression tool are urged to immediately update after a serious code-execution flaw was found in WinRAR. ThreatPost, February 21, 2019

Adobe Re-Patches Critical Acrobat Reader Flaw: Adobe has issued yet another patch for a critical vulnerability in its Acrobat Reader – a week after the original fix. ThreatPost, February 21, 2019

Cyber Defense

Another reminder to never let your guard down as the NoRelationship phishing attack gets past Microsoft’s technical defenses: Researchers have described a new phishing attack which is able to bypass Microsoft malicious file filters. ZDNet, February 20, 2019

Another reminder to be wary of opening unexpected or unknown email attachments, as a new phishing campaign is using malicious PDF documents to steal victims’ browser and email credentials: An ongoing phishing campaign is targeting hundreds of businesses to steal their email and browser credentials using simple but effective malware. ThreatPost, February 20, 2019

Cyber Warning

WhatsApp Flaw Could Enable iOS Message Snooping. Facebook Promises Quick Patch for Face ID and Touch ID Bypassing Problem. Workaround: Set the screen lock option to ‘immediately’: Facebook says it will soon fix a bug in WhatsApp that could allow circumvention of a security feature launched just last month for Apple devices. BankInfoSecurity, February 21, 2019

Cyber Risk

Why IoT devices pose a bigger cybersecurity risk than most realize. Unsecured IoT devices provide an easy gateway for criminals looking to get inside a network: Security risks are increasing as more and more people connect using IoT devices. I talked with Danny Palmer about the threat facing consumers and businesses; the following is an edited transcript of our interview. ZDNet, February 21, 2019

A new study by #IndependentSecurityEvaluators finds bugs in five of the most popular password managers. This should not be surprising as all software has bugs. The good news is these have been found and can now be fixed: Now for some counterintuitive advice: I still think you should use a password manager. So do the ethical hackers with Independent Security Evaluators who came to me with news of the flaws — and other security pros I spoke to about the study, published Tuesday. You wouldn’t stop using a seat belt because it couldn’t protect you from every kind of vehicle accident. The same applies to password managers. The Washington Post, February 19, 2019

Information Security Management in the Organization

Information Security Management and Governance

Mastercard, GCA Create Small Business Cybersecurity Toolkit. A new toolkit developed by the Global Cybersecurity Alliance aims to give small businesses a cookbook for better cybersecurity: Small and mid-sized businesses have most of the same cybersecurity concerns as larger enterprises. What they don’t have are the resources to deal with them. A new initiative, the Cybersecurity Toolkit, is intended to bridge that gulf and give small companies the ability to keep themselves safer in an online environment that is increasingly dangerous. DarkReading, February 20, 2019

Enterprises need to embrace top-down cybersecurity management. CISOs must manage cybersecurity based upon their organization’s mission, goals, and business processes, not the technology underpinnings: When I first entered the cybersecurity market in 2003, I’d already been working in the IT industry for about 16 years in storage, networking, and telecommunications previously. By the early 2000s, all three sectors had moved on from bits and bytes to focusing on how each technology could help organizations meet their business goals. Oh sure, we still talked speeds and feeds, but we led with things like business agility, productivity, and cost cutting. The technology was a means to an end rather than an end in itself. CSO, February 19, 2019

Cyber Defense

You would think IT Managed Service Providers (MSPs) would be sure to keep their own systems patched. These MSPs fell victim to a ransomware attack exploiting a vulnerability for which a patch has been available for over a year!!: GandCrab ransomware infected several managed service providers, thanks to an old ConnectWise Manage plugin vulnerability, but a new decryptor tool is offering relief to victims. SearchSecurity, February 20, 2019

Secure The Human

Workplace Expectations and Personal Exceptions: The Social Flaws of Email Security. “To handle social expectation issues, companies must adopt top-down cultural change that prioritizes safety over speed.”: Even though they’ve been around for quite some time, phishing attacks continue to climb. According to Proofpoint’s 2019 “State of the Phish Report,” 83 percent of businesses experienced a phishing attack and 64 percent of security professionals encountered spear phishing threats in 2018. New vectors are also emerging: As noted by Forbes, software-as-a-service (SaaS) credential theft, messaging app attacks and malicious link embedding within shared files are all on the horizon for 2019. SecurityIntelligence, February 21, 2019

Cybersecurity education: How HR can plan for the inevitable. Cybersecurity is a major concern for any organization and employees continue to be a top threat. HR can help mitigate insider risks by providing regular training and reminders: CEOs perceived cybersecurity as the global economic or social trend most likely to affect their organizations in the near future, according to Mercer’s “2018 Global Talent Trends” report. With this concern lies a mandate for HR professionals everywhere: If you are not regularly engaging your workforce in its responsibility for cybersecurity, you are doing your organization a disservice. TechTarget, February 21, 2019

Cyber Insurance

Insurer Offers GDPR-Specific Coverage for SMBs: Companies covered under the EU mandate can get policies for up to $10 million for fines, penalties, and other costs. DarkReading, February 20, 2019

Are You Really Covered by Your Cyber Insurance?: The whole point of IT security is to minimize risk, and risk is, ultimately, a financial reality. A well-run organization practices risk mitigation by not only using the best tools, services and methods for maximizing data security, but also increasingly by augmenting great security with the right cyber insurance. SecurityIntelligence, February 15, 2019

Cyber Talent

California Encourages Next Generation of Cybersecurity Experts. CA CyberHub Leads the Way with Annual California Mayor’s Cup Competition, February 23. Citadel Information Group & SecureTheVillage Presenting at Awards Ceremony: Cybersecurity is an increasingly important issue. From personal computer use to large corporations, cybersecurity threats are more and more potentially damaging. Interesting Engineering, February 20, 2019

Cyber Humor

Cybersecurity in Society

Cyber Crime

New Breed of Fuel Pump Skimmer? Not Really: Fraud investigators say they’ve uncovered a sophisticated new breed of credit card skimmers being installed at gas pumps that is capable of relaying stolen card data via mobile text message. KrebsOnSecurity has since learned those claims simply don’t hold water. KrebsOnSecurity, February 21, 2019

Cyber Attack

Massive Cyber Attack Targets Brokers’ Leads and Data. The virus was discovered by cybersecurity experts at Panda Trading Systems: A trojan horse virus has been spreading across firms working in the retail trading industry, with hackers stealing swathes of data and selling it on the dark web. FinanceMagnates, February 21, 2019

A Deep Dive on the Recent Widespread DNS Hijacking Attacks: The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy. KrebsOnSecurity, February 18, 2019

Know Your Enemy

How much does it cost to launch a cyberattack? A new report from Deloitte has found the cost of committing cyber crime is incredibly low while the return on investment can be spectacular: Companies spend big to defend their networks and assets from cyber threats. Kaspersky Labs has found security budgets within enterprises average around $9 million per year. On top of that, data breaches cost companies millions of dollars. Yet, cheap, relatively easy-to-use off-the-shelf hacking tools make the barrier to entry for cybercriminals incredibly low. CSO, February 20, 2019

Navigating the murky waters of Android banking malware. An interview with ESET malware researcher Lukáš Štefanko about Android banking malware, the topic of his latest white paper: Banking malware continued to plague the Android platform throughout 2018, with cybercrooks relentlessly targeting users with banking Trojans and fake banking apps, but also experimenting with new money-stealing techniques. WeLiveSecurity, February 15, 2019

Cyber Freedom

The Cybersecurity 202: Election security is going to be the hot new Democratic campaign issue in 2020: Russian hacking upended Hillary Clinton’s 2016 campaign. And it’s already impacting the way 2020 Democrats are campaigning this time around. The Washington Post, February 21, 2019

Microsoft warns of increased attacks ahead of European elections, expands AccountGuard cybersecurity program: European leaders are on high alert for potential cyberattacks ahead of major elections, and Microsoft reports hackers are also targeting groups focused on democracy, electoral integrity and public policy. To combat this threat, Microsoft is expanding a cybersecurity program called AccountGuard to 12 European countries. GeekWire, February 19, 2019

National Cybersecurity

The cyber attack on Parliament was done by a ‘state actor’ — here’s how experts figure that out: Whether it’s hackers stealing files from defence contractors or Federal Parliament’s computer network being undermined, Australia has for years come under attack from cyber criminals and foreign governments. ABC, February 19, 2019

Cyber Law

The cybersecurity legislation agenda: 5 areas to watch: The 116th Congress is only a few months old, but far-reaching cybersecurity bills to protect infrastructure and the supply chain, ensure election integrity, and build a security workforce are now being considered. Here’s the list. CSO, February 21, 2019

Smart Cities

New global cybersecurity standard for smart cities and critical infrastructure released: The Internet of Things (IoT) Security Institute (IoTSI) has released a framework to help governments, corporates and stakeholders in the smart city industry to address IoT security challenges. Smart Energy, February 20, 2019
Once hailed as unhackable, blockchains are now getting hacked. More and more security holes are appearing in cryptocurrency and smart contract platforms, and some are fundamental to the way they were built: Early last month, the security team at Coinbase noticed something strange going on in Ethereum Classic, one of the cryptocurrencies people can buy and sell using Coinbase’s popular exchange platform. Its blockchain, the history of all its transactions, was under attack. TechnologyReview, February 19, 2019

SecureTheVillage Calendar

Join SecureTheVillage at Daily Journal’s Cybersecurity/Privacy Forum 2019
February 26 @ 8:00 am – 5:00 pm

Webinar: SecureTheVillage March Webinar
March 7 @ 10:00 am – 11:00 am

Webinar: SecureTheVillage April Webinar
April 4 @ 10:00 am – 11:00 am

Financial Services Cybersecurity Roundtable – April 2019
April 12 @ 8:00 am – 10:00 am

The post Cybersecurity News of the Week, February 24, 2019 appeared first on Citadel Information Group.