IT Security News Blast – 8-3-2021
Critical Insight Event: Watch a Live Penetration Test
Pen testing is a key way to test your cyber health, but have you ever seen one done? This Wednesday, August 4th at 12pm PT, our team will show you both sides of an attack. See how the red team and blue team interact, and walk through potential remediations while testing them in real time. Sign up here.
35 million US residents’ personal details exposed on the web: report
A mysterious marketing database containing the personal details of an estimated 35 million people was exposed on the web without a password, Comparitech researchers report. The database included names, contact information, home addresses, ethnicities, and a wealth of demographic information ranging from hobbies and interests to shopping habits and media consumption.
Lower-Level Employees Become Top Spear-Phishing Targets
Results reveal some of the common methods attackers use to breach victims' defenses, such as trying to exploit a widespread interest in cryptocurrency and tailoring attacks to target less suspicious employees in low-profile roles. For example, researchers found one in ten social engineering attacks involve business email compromise (BEC). Of these, 77% of BEC attacks target employees outside of financial and executive roles.
12 most common vulnerabilities exploited by cybercriminals
"Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies," the agencies stated in the report. "Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organizations to conduct rigorous patch management."
PwnedPiper PTS Security Flaws Threaten 80% of Hospitals in the U.S.
Successful exploitation of the issues, therefore, could result in leakage of sensitive information, enable an adversary to manipulate data, and even compromise the PTS network to carry out a man-in-the-middle (MitM) attack and deploy ransomware, thereby effectively halting the operations of the hospital.
Don’t Let Your Healthcare System Be a Hostage
Servers should have endpoint management and protection solutions deployed that are specifically tuned to identify potentially malicious files, processes, and binaries that could contain ransomware. Continuous monitoring of these is key so that teams can react to warnings quickly and isolate infected systems before malware can spread.
Chipotle’s marketing account hacked to send phishing emails
The campaign sent out in three days at least 120 malicious emails from a hacked Mailgun account used by Chipotle for email marketing purposes [mail.chipotle.com]. [...] Almost all malicious emails impersonated Microsoft with the purpose of collecting login information. Email security company Inky says in a blog post today that they caught 105 such emails in this three-day campaign.
Breach ruling shows importance of legal advice early after cyber incident
Companies that think they may have suffered a data security incident should involve their legal advisers as early as possible in the response and investigation process to avoid suffering the same fate as Rutter’s convenience stores, which was ordered to turn over a data breach report to opposing lawyers.
An infrastructure win for state, local cyber needs
But so far, the biggest winner appears to be state, local and tribal governments, which could be able to tap into a $1-billion fund over the next four years to help upgrade their equipment and update their software as they become growing targets of ransomware and other cyberattacks. [...] This is a huge win for a coalition of state and local government groups that have been pushing Congress to include such funds in the package.
Fixing the Fractured Federal Approach to Cybersecurity
As the old saying goes, when everyone is in charge, no one is in charge. Biden and Congress should fundamentally reorganize its disparate efforts into a centralized Department of Cybersecurity. This new department should have the mandate to organize the big-three triad—people, tech and processes—into a cohesive structure.
White House ruffles pipeline sector with cyber rules
The TSA has so far issued two cybersecurity orders for the 100 most "critical" oil and gas pipelines in the US. The first focuses on information gathering, while the second lays out specific requirements and took effect on 26 July. The contents of the second order are confidential, but industry officials say it includes 80 prescriptive rules with deadlines ranging from weeks to months.
A Cold War is raging in cyberspace. Here's how countries are preparing their defenses
The Russian Federation in particular is a bit different in its methods than others. "These are not hackers employed by the state. Instead, we see a direct connection between actual cyber criminals and the secret service. When cyber criminals do something, nobody in Russia stops them and no one is ever extradited. This is unique. If you compare it to North Korea, for example, those are the security services doing the actual hacking."
The Cybersecurity 202: The government’s facing a severe shortage of cyber workers when it needs them the most
The government’s cyber workforce has grown by about 8 percent since 2016. A hiring sprint at the Department of Homeland Security resulted in nearly 300 new cyber hires and about 500 more job offers between May and July. But that’s nowhere near sufficient to meet the threats. By DHS’s own calculations, there are about 1,700 more cybersecurity vacancies it needs to fill at the department.
When ransomware attacks US infrastructure, it’s tricky to know when to return fire
So the issue comes down to is, okay, we can’t have the military, or we don’t think, especially in a democracy like ours, that we want the military to be getting involved in everything, especially criminal things that are homeland security, right? If we’re always turning to the military, they’re never going to be resourced for it.
The U.S. and China Must Rule Out an All-Out Cyberwar
Nations do not typically start looking to settle an arms race until the possibility of mutually assured destruction is an imminent reality. The United States cannot wait this long. Since the 1990s, reliance on digital infrastructure and systems has only increased, meaning the scope and scale of the damage inflicted by criminal or state-based cyber-attacks is set to get worse—fast.
Data Privacy Trends 2021
Data privacy trends in 2021 and beyond will continue reflecting a growing consumer expectation that the organizations they entrust with their data will behave responsibly. Existing and emerging compliance regulations will play a role, as they have for several years, but more and more consumer-facing companies are understanding the link between data privacy and customer loyalty.
How Low-level Hackers Access High-end Malware
Hacking tool downloads from underground forums are increasing, and the tools are becoming more sophisticated; low-level hackers are gaining access to hacked versions of sophisticated tools; access broking is growing; and existing tools are repurposed for more aggressive attacks.
NSA Shares Guidance for Government Employees on Securing Wireless Devices in Public
The guidance is aimed at National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) users, but it can also be useful to the general public. The agency’s infosheet recommends a series of best practices for securing wireless devices when they are used in public places.
Phony Call Centers Tricking Users Into Installing Ransomware and Data-Stealers
The attacks — dubbed "BazaCall" — eschew traditional social engineering techniques that rely on rogue URLs and malware-laced documents in favor of a vishing-like method wherein targeted users are sent email messages informing them of a forthcoming subscription charge unless they call a specific phone number.
Huawei to America: You're not taking cyber-security seriously until you let China vouch for us
To The Register's mind, that's Huawei arguing that if the USA and China had better infosec agreements, China would vouch for Huawei and the USA could therefore shop with confidence. Which sounds great in theory, but also naïve – we know the USA targeted Cisco and Juniper devices to improve its intelligence prospects.