Cyber Attacks, Threats, and Vulnerabilities
China-linked lending apps on government's radar amid potential data breach threat (The Tech Portal) The Union government has put a host of money lending fintech organizations on a watch list with suspected ties to the Chinese government.
Taidoor - a truly persistent threat (ReversingLabs) When malware lasts longer than your washing machine
Naked Security Live – “The Zerologon hole: are you at risk?” (Naked Security) Naked Security Live – here’s the recorded version of our latest video. Enjoy.
Texas businesses targeted in Department of State Health RFQ phishing (BleepingComputer) Scammers have tried to rip off computer equipment suppliers with a targeted email that impersonated the Commissioner of the Texas Department of State Health Services (DSHS).
Major Activision hack reportedly compromises over 500k CoD accounts (Dexerto.com) Over 500,000 Activision accounts have reportedly been targeted in a major data breach, leaving Call of Duty players at risk of losing all their progress.
Major data breach! Over 5 lakh CoD Mobile accounts hacked? Activision denies compromise (Zee Business) A major data breach at Activision has allowed hackers to acquire the usernames and passwords of hundreds of thousands of its customers' accounts, several creators have claimed. The breach was reported by a user who goes by the name 'oRemyy', who urged Call of Duty: Mobile users to change the passwords on their Activision accounts.
What is WastedLocker? Targeted ransomware extorts millions (CSO Online) WastedLocker is sophisticated ransomware created by Evil Corp, a notorious cyber criminal group.
Data Leak: Unsecured Server Exposed Bing Mobile App Data (WizCase) WizCase uncovered a massive data leak in the Microsoft Bing mobile app, through an unsecured Elastic server. There have been more than 10,000,000 downloads on Google Play alone, and millions of searches performed daily through the mobile app. What’s Going On? The WizCase online security team, led by white hat hacker Ata Hakcil, uncovered ...
Microsoft secures backend server that leaked Bing data (ZDNet) No personal user data was leaked in the incident.
Ray-Ban owner Luxottica reportedly hit with cyberattack (BleepingComputer) Italy-based eyewear and eyecare giant Luxottica has reportedly suffered a cyberattack that has led to the shutdown of operations in Italy and China.
6% of all Google Cloud Buckets are vulnerable to unauthorized access (Comparitech) 131 of 2,064 scanned Google Cloud buckets were vulnerable to unauthorized access by users who could list, download, and/or upload files.
Report: State in India Leaves Data From Covid-19 Surveillance Tool Open, Risking Safety for Millions of People Across the Country (vpnMentor) We can reveal that a surveillance platform built to track and trace COVID-19 patients in India has been compromised due to a lack of data security protocols that inadvertently left access to the platform wide open, along with exposing the data of millions of people from across India.
Ransomware attack foiled, but details of 540,000 sports referees... (HOTforSecurity) The details of approximately 540,000 sports referees, league officials and game officials have been stolen by hackers after an attack on ArbiterSports, a company owned by the National Collegiate Athletic Association (NCAA) to provide match...
US cyber attack: Data of more than 500,000 referees STOLEN in botched ransomware hack (Express) ARBITERSPORTS, the official software provider for the NCAA (National Collegiate Athletic Association) and many other US leagues has announced it fended off a ransomware attack.
Enough is enough: Woman's death highlights the need for a ban on ransom payments (Emsisoft | Security Blog) There is only one way to stop ransomware attacks: banning the payment of ransom demands. We take a look at why the time has come for governments to do exactly that.
Hackers Exploit Known VA Cybersecurity Weaknesses In Massive Data Breach (DISABLED VETERANS.ORG) The Department of Veterans Affairs admitted by press release that 46,000 veterans were victims of an agency data breach while withholding details that fired up some in Congress. The agency’s press …
Data breaches intensify cyber security threats in New Zealand (Indian News Link) Recent attacks on Stock Exchange pose serious challenges
The Cybersecurity Threat No One Talks About Is A Simple Code (Forbes) What makes QR codes such a stealthy, dangerous threat vector is how trusted and misunderstood they are.
Vulnerability Summary for the Week of September 14, 2020 (CISA) The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA.
Security Patches, Mitigations, and Software Updates
Google Chrome trying to be more like Antivirus software, gets new features (TheWindowsClub News) Courtesy of Google's Advanced Protection Program, Chrome has added a new safety mechanism that allows users to scan downloads.
Verizon says ‘NO’ to more than 7 billion robocalls and counting (Verizon) Verizon adds support for Silence Junk Callers feature in iOS 14, leading the industry in robocall prevention.
Cyber Trends
Research Reveals that 75% of AppSec Practitioners See a Growing Cultural Divide Between AppSec and Developers (ZeroNorth) New Study Reveals Cultural Divide between AppSec and Dev Teams Capable of Increasing Organizational Risk; Current COVID-19 Environment Contributes to Diminished Levels of Collaboration and Innovation Boston, MA – September 22, 2020 – ZeroNorth, the only company to unite security, DevOps and the business through application security automation and orchestration, and Ponemon Institute announced today …
Why Contextual Ads Are Generating More Interest (Street Fight) Increased attention to consumer privacy is shifting the way advertisers do business. One of these shifts is the increased embrace of contextual advertising, which shows Internet users ads based on …
Survey: 85% of CISOs admit they sacrificed cybersecurity to enable employees to work remotely (Netwrix) Netwrix research also revealed that every fourth organization believes they are at greater cybersecurity risk now than before the pandemic.
Cybrary Survey Finds Cybersecurity Skills Gap Threatens Job Effectiveness Amidst Increasing Global Cyber Attacks (PR Newswire) Cybrary, the world's largest online cybersecurity career development platform, today released the findings from the "Cybrary Skills Gap...
The 4th Hacker-Powered Security Report (HackerOne) The 4th Hacker-Powered Security Report
TAG Cyber Releases 2021 Security Annual (GlobeNewswire) Comprehensive report provides security pros with a checklist of security controls to consider implementing in 2021 and analysis on market drivers and trends
DDoS attacks are on the rise in India, says cyber security firm Radware (The Economic Times) In August 2020 the number of Distributed Denial of Service (DDoS) incidents in India hit a record high in terms of total DDoS packets, which were well in excess of 10 billion, according to a study by global cyber security firm Radware. A DDoS attack makes an online service unavailable to users by interrupting it or suspending the hosting servers.
Shift to remote work and heavy reliance on service providers for security leaves blind spots (Help Net Security) The sudden shift to remote work has opened a variety of security blind spots that security leaders now have to pay attention to.
Cyber attacks on schools increasing amid remote learning shift (SearchSecurity) An increase in school cyber attacks this fall has seen ransomware and DDoS attacks disrupt operations and force some school districts to postpone classes. Experts say that attacks will only increase since weak security postures and remote learning make schools a prime target.
How Work Became an Inescapable Hellhole (Wired) Instead of optimizing work, technology has created a nonstop barrage of notifications and interactions. Six months into a pandemic, it's worse than ever.
Marketplace
Huawei Turns To Russia For Its Game-Changing New Android Alternative (Forbes) The more America isolates Huawei, the more Russia fills the gap.
Following TechCrunch reporting, Palantir rapidly removes language allowing founders to ‘unilaterally adjust their total voting power’ (TechCrunch) Well, that was fast. This morning, I analyzed Palantir’s newly published fifth amendment of its S-1 filing with the SEC as it pursues a public direct listing on the NYSE. I called the company “not a democracy” after it added new provisions to create a special mechanism called “Stockholder Party Exc…
ForgeRock Joins Microsoft Intelligent Security Association (GlobeNewswire) ForgeRock Identity Platform Now Integrates with Microsoft Endpoint Manager, Microsoft Azure Active Directory and Azure Sentinel to Support Compliance and Reduce Risk
BlackBerry Partners with American Red Cross on Community Safety and Resilience (PR Newswire) BlackBerry Limited (NYSE: BB; TSX: BB) announced today that it is extending its partnership with the American Red Cross, with the purpose of...
Kraken is launching a crypto bank in Wyoming, paving the way for possible stock offerings (The Block) Kraken is launching its own bank thanks to some help from Wyoming.
Booz Allen Hamilton: Still More Upside For This Mission-Critical Play (NYSE:BAH) (Seeking Alpha) Booz Allen Hamilton is a leading consultancy firm with key, mission-critical engagements with the U.S. government.
American Cyber Awards Names Safeguard Cyber "Innovative Cloud-Based Product Of The Year" (PR Newswire) SafeGuard Cyber, the leading SaaS platform offering digital risk protection for modern communications, today announced that it has been...
New Net Technologies (NNT) Ramps Up Channel Investment with Launch of Partner First Program and Key Channel Hires (PR Newswire) New Net Technologies (NNT), a leader in cybersecurity and compliance software, today announced its global Partner First Program to expand its...
Southern California Cybersecurity Firm Expands and Moves HQ During COVID (PR Newswire) Milton Security, a Cybersecurity firm specializing in Managed Detection and Response, SOC As A Service, Incident Response and Threat Hunting...
Omada Extends Global Team to Support Increased Growth (PR Newswire) Omada A/S ("Omada"), a global leader in Identity Governance and Administration (IGA), today announced four strategic hires, as the company...
SentinelOne Appoints David Bernhardt as Chief Financial Officer (BusinessWire) Private Hyper-Growth Cybersecurity Company Adds Public Market Financial Leadership
SolarWinds Appoints Dennis Howard, EVP and CIO, Charles Schwab, to Board of Directors (Odessa American) SolarWinds (NYSE:SWI), a leading provider of powerful and affordable IT management software, today announced the appointment of Dennis Howard, Executive Vice President and Chief Information Officer for Schwab Technology Services, Charles Schwab & Co, to its Board of Directors, effective September 17, 2020. Howard replaces Paul Cormier, President and CEO, Red Hat, who resigned from SolarWinds’ Board to open up a vacancy for the appointment of Howard.
Products, Services, and Solutions
Respond Analyst XDR Engine Accelerates Cybersecurity (Respond Software) Respond Software marks a new milestone in innovation with the latest release of its Extended Detection and Response (XDR) Engine.
XDR Solution Vendor | Next-Gen Cyber Security Monitoring (Respond Software) Respond Software announces strong momentum for its partner program with the addition of 23 VAR and MSP/MSSP partners reaching over 100 customers.
KnowBe4 Kicks Off Stay Safe Online Campaign With New Video Release (PR Newswire) KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, today announced it has launched a...
NetSfere Brings The Power of Secure Communication to the Workplace by Enabling Encrypted Group Video Calling and Real-Time Communication Tools on its Messaging Platform (GlobeNewswire) Company unveils its most advanced product update with secure, regulatory compliant communications tools that enable instantaneous, contextual team collaboration while reducing the need for formal, time-consuming meetings
Cybersecurity skills gap: How this startup aims to solve the talent crisis (ZDNet) With security analysts hard to find, startup RangeForce reckons training and building skills are top priorities.
Singapore Government Extends National Digital Identity Programme With Face Verification Solution From iProov and Toppan Ecquaria (BusinessWire) Four million Singaporeans can now access digital government services online using facial verification implemented by iProov and Toppan Ecquaria for th
IBM Brings Risk Analytics to Security Decision Making (PR Newswire) IBM (NYSE: IBM) Security today announced a new risk-based service designed to help organizations apply the same analytics used for traditional...
Forcepoint Announces Launch of Forcepoint Data Diode to Safeguard One-Way Data Flow (Yahoo Finance) Diodes ensure regulatory compliance with GDPR and Raise The Bar guidelines
Dashlane Launches New iOS App With Improved Performance (PR Newswire) Dashlane today announced the completion of a bottom-to-top rewrite of its iOS app, improving efficiency, speed, and performance. The rewrite...
Zerologon: How Bitdefender Protects Customers from this No-Credential Post-Exploit Technique (Security Boulevard) Zerologon is a zero-credential vulnerability that exploits Windows Netlogon to allow adversaries access to Active Directory domain controllers; it was first reported in August 2020. “This attack has a huge impact,” according to researchers, as attackers on the local network can launch this exploit to compromise the Windows domain controller with no authentication. Bitdefender customers are protected from this post-exploit technique via our Network Attack Defense, Anti-Malware SDK and Indicator of Risk (IOR) technologies.
Telefónica doubles the capacity of its secure connection service to help companies protect Spanish SMBs (WebWire) In the months of March and April alone, the new service prevented the download of more than 1 million computer viruses, 168,000 pieces of malware and 1.2 million-page locks...
Druva Delivers Industry’s First SaaS-Based Data Protection for Kubernetes (Druva) Introducing simplified, enterprise-grade backup and disaster recovery support for the leading container orchestration platform
Nuspire and SentinelOne Enhance Endpoint Service to Help Clients Improve Their SecOps Efficiencies and Effectiveness (PR Newswire) Nuspire, a leading and trusted managed security services provider (MSSP), in partnership with SentinelOne, the autonomous cybersecurity...
AttackIQ Announces Integration with LogRhythm NextGen SIEM Platform (AttackIQ) Enabling customers to optimize security control effectiveness with better insights.
Akamai and AT&T are extending their business relationship through 2023. (Akamai) State's Largest Technology Group Requires Members to Commit to Measurable Race Parity Targets
Gigamon Partners with Nokia to Deliver Breakthrough Network Visibility and Customer Experience Solution to Accelerate 5G Adoption (Gigamon) Industry first, purpose-built joint 5G solution delivers real-time analytics required to significantly enhance the customer experience and maximize investment impact
Ordr Announces IoT Discovery Program To Uncover Shadow IoT (Ordr) Ordr announces its IoT Discovery Program (a cloud-managed IoT sensor and Ordr Core software) to give organizations visibility into connected devices and their risks within minutes.
Auth0 Marketplace Launches and Provides Even Greater Extensibility for Building Identity Solutions (GlobeNewswire) Trusted integrations from industry-leading third-party solutions extend Auth0's functionality to solve increasingly complex identity needs
Technologies, Techniques, and Standards
How to secure K-12 remote learning in the midst of a pandemic (Security Info Watch) The risks have been there all along—COVID-19 made them obvious
Build Your AI Incident Response Plan… Before It’s Too Late (Cyber Defense Magazine) By Patrick Hall and Andrew Burt. Patrick Hall is a principal scientist at bnh.ai, a boutique law firm focused on AI and analytics, and an adjunct professor in the Department of Decision Sciences at GWU. Andrew Burt is a managing partner at bnh.ai and chief legal officer at Immuta. Artificial intelligence can fail. […]
Why a think tank is connecting cybersecurity volunteers with election officials (StateScoop) Maya Worman, executive director of the University of Chicago Harris School’s Election Cyber Surge says the program aims to let election officials “know they are not out to sea.”
NSA Issues Cybersecurity Guidance for Remote Workers, System Admins (SecurityWeek) The NSA has published two cybersecurity information sheets with recommendations for NSS and DoD workers and system administrators on securing networks and responding to incidents during the work-from-home period
Corporate Compliance Programs Hit Refresh With Data-Analytics Tools (Wall Street Journal) The slow shift toward data-driven corporate compliance programs has a new accelerant: the government. Now, companies are scrambling to figure out how to meet the latest expectations.
How Agencies Are Approaching Cybersecurity Automation (Fed Tech) Automating certain functions of a cybersecurity response can free up agency resources.
Phishing awareness training wears off after a few months (ZDNet) Retraining employees after six months is recommended.
Design and Innovation
Akamai CTO discusses the impact of AI on Internet performance (Information Age) James Kretchmar, CTO of Akamai, spoke to Information Age about how AI and automation impact Internet performance
Think Twice Before Using Facebook, Google, or Apple to Sign In Everywhere (Wired) So-called single sign-on options offer a lot of convenience. But they have downsides that a good old fashioned password manager doesn't.
Inside the Tech Industry’s Decades-Long Failure to Reckon with Risk (Medium) The nuclear, auto, and food industries are forced to account for risk. Why should Silicon Valley’s most prominent companies get a pass?
The Supply of Disinformation Will Soon Be Infinite (The Atlantic) Disinformation campaigns used to require a lot of human effort, but artificial intelligence will take them to a whole new level.
The Psychological High Ground: The Surprising Key to Accelerating Change (War on the Rocks) In his book Work Rules!, Google’s former head of People Operations, Laszlo Bock, details an interaction he had with a fellow human resources leader about
Research and Development
CIA launches first federal lab (C4ISRNET) CIA Labs will allow officers to register and patent intellectual property they create while working at the agency.
CIA Labs — Central Intelligence Agency (CIA) CIA Labs is a chartered member of the Federal Laboratory Consortium that brings CIA officers together with the private sector and academia to research and develop science and technology solutions in support of CIA’s mission. Through this work, CIA officers have access to leading researchers and unique facilities as well as exposure to stimulating national security challenges.
Army mints new cyber research and development agreement with Estonia (C4ISRNET) The Army and Estonia will work to identify and develop technologies of mutual interest.
Academia
Purdue Northwest Awarded Nearly $6M Grant (Inside Indiana Business) Purdue University Northwest's College of Technology has been awarded a nearly $6 million grant for Cybersecurity Workforce Development from the National Security Agency. The two-year grant will allow
Legislation, Policy, and Regulation
EU seeks sweeping powers to tame tech giants (Computing) The European Union says the powers it wants, including the ability to break up large tech firms, would only be used in extreme circumstances
Facebook Says it Will Stop Operating in Europe If Regulators Don’t Back Down (Vice) European regulators are cracking down on Facebook's ability to transfer data across the Atlantic. Now the tech giant is threatening to pull its services from more than 400 million European users.
EU companies selling surveillance tools to China's human rights abusers (Amnesty International) New Amnesty investigation highlights why EU export rules for surveillance technology need fixing fast.
Russia wants to ban the use of secure protocols such as TLS 1.3, DoH, DoT, ESNI (ZDNet) Amendment to IT law would make it illegal to use encryption protocols that fully hide the traffic's destination.
Secret CIA assessment: Putin ‘probably directing’ influence operation to denigrate Biden (Washington Post) Russian President Vladimir Putin and his top aides are “probably directing” a Russian foreign influence operation to interfere in the 2020 presidential election against former vice president Joe Biden, which involves a prominent Ukrainian lawmaker connected to President Trump’s personal lawyer Rudolph W. Giuliani, a top-secret CIA assessment concluded, according to two sources who reviewed it.
WSJ News Exclusive | Chinese Leaders Split Over Releasing Blacklist of U.S. Companies (Wall Street Journal) Beijing has sped up development of a list that could be used to punish American technology firms, but some Chinese officials are mindful of moving too aggressively and say a decision should wait till after the U.S. election.
U.S. Joins Global Bid to Carve Up the Internet With TikTok Move (Wall Street Journal) The Trump administration’s campaign to make Chinese-owned video-sharing app TikTok relocate to the U.S. is the latest example of the global fracturing of the internet.
President Trump says China must cede control of TikTok or he ‘won’t make the deal.’ (New York Times) President Trump said on Monday that he would not approve a deal for TikTok if its Chinese owner did not fully sell its interest in the product, a move that would scuttle an arrangement that was expected to help the app avoid a federal ban.
3 Lingering Questions About Oracle's Deal With TikTok (Law360) Oracle's deal with TikTok makes it the social media app's "secure cloud technology provider," but questions remain, including how ByteDance will be walled off from TikTok's user data and whether future situations will be handled in the same unusual fashion. Here, Law360 explores three questions that persist in the wake of the announcement from Oracle and TikTok.
FBI hopes a more aggressive cyber strategy will disrupt foreign hackers (CyberScoop) Last week saw a flurry of U.S. indictments of alleged Chinese and Iranian hackers as part of a multi-agency crackdown on foreign intelligence services.
SEC, OCC Issue First Regulatory Clarifications for Stablecoins (CoinDesk) The OCC has published fresh guidance, officially clarifying national banks can provide services to stablecoin issuers in the U.S.
Leaked Treasury Documents Prompt Fresh Calls for Updated Anti-Money-Laundering Regulations (Wall Street Journal) A leak of Treasury Department records on red-flagged financial transactions underscores a message that national security officials, banks and regulators have been sending for more than a decade: Anti-money-laundering rules need to be updated.
House approves legislation making hacking voting systems a federal crime (TheHill) The House on Monday unanimously approved legislation that would make hacking federal voting systems a federal crime.
FERC, NERC Conduct Study on Cyber Incident Response at Electric Utilities (SecurityWeek) U.S. FERC and NERC release a report outlining cyber incident response and recovery best practices for electric utilities
Pentagon Opens Door to 5G Network Shared With Civilian Cellphones (Wall Street Journal) U.S. officials are exploring concepts for a new 5G wireless network that would let Silicon Valley giants and other businesses tap valuable Pentagon airwaves, setting up a potential clash over how to deploy the next-generation technology.
The Fight Over the Fight Over California’s Privacy Future (Wired) Prop. 24 is designed to make the California Consumer Privacy Act stronger. Why do so many privacy advocates oppose it?
Litigation, Investigation, and Law Enforcement
Commerce Adds Five Scientists Involved in Iran’s Nuclear Weapons Development Program to the Entity List (U.S. Department of Commerce) U.S. Secretary of Commerce Wilbur Ross today announced that the Department is adding five Iranian scientists to the Entity List for enabling or assisting Iran’s nuclear development program, which is contrary to the national security and foreign policy interests of the United States.
What CCPA-affected businesses need to know about California’s next privacy initiative (Compliance Week) Businesses with operations in California should expect their data privacy compliance obligations to get a lot more complicated next year with the California Privacy Rights Act expected to pass in November.
Patient Breach Victims File Lawsuits Against Assured Imaging, BJC Health (HealthITSecurity) The patient breach victims impacted by the ransomware attack on Assured Imaging and the phishing incident at BJC Healthcare have filed two separate lawsuits, shining a light on patient privacy issues.
British man sentenced to 5 years for hacking US companies (Washington Post) A British man who was part of a hacking collective called The Dark Overlord was sentenced Monday to five years in prison for helping the group steal information from several companies in the U.S., including Missouri, Illinois and Georgia.
Potential data breach at top Australian tenancy blacklist firm under investigation (the Guardian) Exclusive: Trading Reference Australia obtains injunction to not hand over details to information commissioner
Home Office suffered over 4,000 data loss incidents in 2019-20 (teiss) Data loss incidents suffered by the Home Office more than doubled in 2019-20 compared to the previous year, with a majority of incidents involving inadequately protected electronic equipment, devices, and documents.
Edward Snowden agrees to give up more than $5 million from book and speeches (WRAL) Edward Snowden, the former CIA contractor who leaked intelligence secrets in 2013, has agreed to forfeit more than $5 million he earned from his book and speaking fees to the US government, according to court records.