Get the latest cybersecurity, privacy, and surveillance news for information security professionals

IT Security News Blast – 3-31-2021

Whistleblower: Ubiquiti Breach “Catastrophic”
“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”
https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/
 
Healthcare Data on Dark Web: How Threat Actors Exploit Covid-19
After months of terrorizing the healthcare industry, cyber criminals have also shifted their focus towards the individuals accessing the Covid vaccines. Personal data of these individuals is being sold on the Dark Web. With the expansion of the Covid vaccine rollout, more data will be available for cyber attackers to sell and trade.
https://securityboulevard.com/2021/03/healthcare-data-on-dark-web-how-threat-actors-exploit-covid-19/
 
Deploying Healthcare Technology: How Vulnerable Are You?
These probes or “pings” force health systems and physicians who “bolt” on tech offerings to juggle, manage, and protect multiple systems from hackers and other e-intruders. As one might surmise, with all of this tech there are reasonable security concerns, from mApps to electronic health records (EHRs).
https://www.forbes.com/sites/jeffgorke/2021/03/29/deploying-healthcare-technology-how-vulnerable-are-you/?sh=6638174efd05
 
Report: Healthcare haunted by account security
While there was substantial variation by the size of the company, risky account practices were pervasive across enterprises of all shapes and sizes. Small companies – those with 500 employees or fewer — had 22% of their files with sensitive information accessible by anyone with an account.
https://www.scmagazine.com/home/security-news/privacy-compliance/report-healthcare-haunted-by-account-security/
 
Manufacturing Cybersecurity: Critical Components for Risk Assessment
Cybersecurity for manufacturers encompasses more than log-in security and email scams. Every sensor connected to a machine, every machine connected to a network, and every network connected to a centralized control system are potential pathways for cyber criminals.
https://www.healthcarepackaging.com/home/article/21354334/manufacturing-cybersecurity-critical-components-for-risk-assessment
 
Hacker team-ups pose 2021 threat to financial industry, group cautions
“Wittingly or otherwise, criminals will support nation-state operations through selling initial access or tools to achieve those ends,” the report states. “Nation-state cyber actors will benefit from the mass ‘workforce’ of the cybercriminal underworld constantly seeking to compromise networks who will handle the first step of a kill chain that they can then take advantage of.”
https://www.cyberscoop.com/fs-isac-flagstar-accellion-solarwinds/
 
Google Faces Class Action for Allegedly "Selling Users' Data"
The lawsuit centers around Google's use of so-called real-time bidding, where companies place bids to win advertising space in people's web browsing sessions. As part of that, companies obtain sensitive information about the users, even if they don't win, or even intend to win, the ad placement, the suit claims.
https://www.vice.com/en/article/93we9z/google-class-action-lawsuit-real-time-bidding-selling-data
 
Cybersecurity: The Latest Challenge for Local Water Utilities
“You still have to figure out how to secure it, when the vendor that originally created it may not even be around anymore … A lot of times there’s no patches available,” Sanders detailed. “Sometimes when these entities are trying to secure it, they find that there’s not even a way to really change usernames or passwords or hardened systems, just because it wasn’t ever designed with security in mind.”
https://www.govtech.com/security/Cybersecurity-The-Latest-Challenge-for-Local-Water-Utilities.html
 
Think tank launches cybersecurity training for state officials
“We want to make it as relevant as possible,” Senti told StateScoop last month. “Overwhelmingly, legislatures don’t get their cyber knowledge from the cyber community. They get it from the news. It’s not a bad thing, but we need a deeper level of understanding.”
https://statescoop.com/national-cybersecurity-center-training-state-officials/
 
UN makes critical progress on cybersecurity
First, it elevates and affirms the authority of international law in cyberspace and the set of norms for responsible behavior that were adopted as voluntary standards in 2015. These norms set apart things like critical infrastructure and computer emergency response teams (CERTs) as being off limits to cyberattacks by governments.
https://blogs.microsoft.com/on-the-issues/2021/03/29/un-working-group-cybersecurity-report/
 
The US military must plan for encounters with private military companies
The DoD should be prepared to support an interagency and coalition effort to counter PMC activity; that could include efforts in the domains of information, cyber, space, security cooperation, and special warfare capabilities, among others.
https://www.brookings.edu/blog/order-from-chaos/2021/03/30/the-us-military-must-plan-for-encounters-with-private-military-companies/
 
What Would Happen If States Started Looking at Cyber Operations as a “Threat” to Use Force?
[Discovering] a data breach today is no guarantee against a more malicious activity coming in (or already distributed) via the same means. If that malicious activity would itself clearly constitute a use of force, international lawyers must ask if the original cyber operation is itself a threat to use such force.
https://www.lawfareblog.com/what-would-happen-if-states-started-looking-cyber-operations-threat-use-force
 
Inter-Parliamentary Alliance on China’s website suffers cyber attack
The global coalition of MPs pushing their governments to take a firmer stance against China suffered a major cyber attack on Monday (UK time). The Inter-Parliamentary Alliance on China’s website was out for around nine hours on Monday after suffering a distributed denial-of-service or DDoS attack.
https://www.smh.com.au/world/europe/inter-parliamentary-alliance-on-china-s-website-suffers-cyber-attack-20210331-p57ffd.html
 
How Russia and China are attempting to rewrite cyberworld order [Subscription]
Yang’s March 18 riposte in Anchorage is worth studying, because it reveals a broader strategic design: “What China and the international community follow or uphold is the United Nations-centered system and the international order underpinned by international law, not what is advocated by a small number of countries of the so-called rules-based international order.”
https://www.washingtonpost.com/opinions/global-opinions/how-russia-and-china-are-attempting-to-rewrite-cyberworld-order/2021/03/30/16030226-9190-11eb-a74e-1f4cf89fd948_story.html
 
Iranians developing the cyber capabilities of Hezbollah
The Quds Force of the Revolutionary Guard Corps set up a new cyber unit for Hezbollah that will deal with attacks and collection of intelligence using capabilities to attack cellular telephones, intercept Wi-Fi signals, collect information from social networks, penetrate networks of government agencies, and more.
https://www.israeldefense.co.il/en/node/49094
 
Watch Out for These Cyber-Risks
Last year, we learned more about the pervasiveness of influence operations, which we must consider moving forward. Activities such as misinformation, disinformation, and leaking compromised information will continue and professionals should be ready to address these in the context of their organizations.
https://www.darkreading.com/threat-intelligence/watch-out-for-these-cyber-risks-/a/d-id/1340453
 
Intel Sued Under Wiretapping Laws for Tracking User Activity on its Website
The suit claims that this activity by Intel violates the 2020 Florida Security of Communications Act, which makes it illegal to intentionally intercept another person’s electronic communications without first letting the person know and asking for his or her consent.
https://threatpost.com/intel-sued-under-wiretapping-laws/165104/
 
Flaws in Ovarro TBox RTUs Could Open Industrial Systems to Remote Attacks
"Successful exploitation of these vulnerabilities could result in remote code execution, which may cause a denial-of-service condition," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory published on March 23.
https://thehackernews.com/2021/03/flaws-in-ovarro-tbox-rtus-could-open.html
 
US Strategic Command’s cryptic nuclear code tweet sent by ‘very young’ child
On Sunday, the US Strategic Command within the Department of Defence shared a strange post on its verified Twitter page that read “;l;;gmlxzssaw” – a meaningless string of characters some jokingly or otherwise mistook for a nuclear launch code. [...] “His very young child took advantage of the situation and started playing with the keys and unfortunately, and unknowingly, posted the tweet.”
https://www.themercury.com.au/technology/online/us-strategic-commands-cryptic-nuclear-code-tweet-sent-by-very-young-child/news-story/0f1d96f26805716f9c0778ad5fc0528f

You are receiving this email because you are subscribed to receive the IT Security Daily Blast email from Michael Hamilton, Founder, President, and CISO of CI Security, formerly Critical Informatics.

Archived articles are available at https://ci.security/news/daily-news.

CI Security and the CI Security logo are the trademarks of CI Security, Inc. All other brand names, trademarks, service marks, and copyrights are the property of their respective owners.

© 2020 CI Security. All rights reserved.


 

CI Security

245 4th St, Suite 405  Bremerton, WA   98337
