Cyber Attacks, Threats, and Vulnerabilities
Bangladeshi hackers claim responsibility for attacking French commercial websites (Dhaka Tribune) ‘A dangerous apocalypse is ahead for France Cyberspace and we will continue the assault until you beg for forgiveness,’ Cyber 71 posted on Facebook
Foreign cyber threats to the 2020 US presidential election (Digital Shadows) In 2016, Russian nation-state-linked threat actors infamously compromised the Democratic National Convention (DNC), wedging a divide in the political party by leaking internal emails to Wikileaks that
The Russian Hackers Playing 'Chekov's Gun' With US Infrastructure (Wired) Berserk Bear has had plenty of opportunity to cause serious trouble. So why hasn't it yet?
Disinformation, from Russia and America, hits crescendo as Election Day approaches (The Columbus Dispatch) One week before Election Day, political disinformation is reaching a crescendo in America, and it's coming from both inside and outside the country.
WSJ News Exclusive | Election Officials Warn of Widespread Suspicious Email Campaign (Wall Street Journal) Local U.S. election officials have been receiving suspicious emails that appear to be part of a widespread and potentially malicious campaign targeting several states, according to a private alert about the activity.
Ransomware's Rise Adds New Twist To Election Security (Law360) State-backed cybercriminals are expected to use the havoc that ransomware can wreak on local governments to boost disinformation campaigns aimed at sowing distrust in the 2020 U.S. elections, but it's unlikely that such attacks would affect the ultimate accuracy of the vote tally itself, industry experts say.
Researchers frustrated with finding Facebook spam, bots again and again (CyberScoop) When Facebook said in August it had removed a network of fake accounts that had been trying to amplify criticism of President Donald Trump, it gave some external researchers a sense of déjà vu.
Emotet urges users to upgrade Microsoft Word in latest spam campaign (TechRadar) Upgrading Microsoft Word will add a new feature, says latest Emotet spam campaign
Massive Nitro data breach impacts Microsoft, Google, Apple, more (BleepingComputer) A massive data breach suffered by the Nitro PDF service impacts many well-known organizations, including Google, Apple, Microsoft, Chase, and Citibank.
Nitro PDF maker hit by breach it says is "isolated", sec firm claims otherwise (iTWire) A software firm that had its origins in Melbourne has suffered a data breach that it has described in a notice to the ASX as "an isolated security incident" but which cyber security provider Cyble has claimed is a massive leak that affects companies like Google, Microsoft, Apple, Chase and C...
Nitro Software hacked with customer data offered for sale on the dark web (SiliconANGLE)
Therapy patients blackmailed for cash after clinic data breach (BBC News) Stolen data appears to have included personal identification records and notes about therapy sessions.
Data breach at Finnish psychotherapy center takes a darker turn with extortion attempts (CyberScoop) The response to a data breach at a prominent Finnish psychotherapy practice intensified over the weekend after cybercriminals reportedly posted batches of patient information on the dark web and claimed that individual people could protect their data by directly paying a ransom.
Vastaamo Breach: Hackers Blackmailing Psychotherapy Patients (Threatpost) Cybercriminals have already reportedly posted the details of 300 Vastaamo patients – and are threatening to release the data of others unless a ransom is paid.
Vastaamo board fires CEO, says he kept data breach secret for year and a half (Yle Uutiset) The CEO was apparently aware of a second data breach and shortcomings in the psychotherapy provider’s data security.
A Hacker Is Threatening to Leak Patients' Therapy Notes (Wired) An extortionist has turned a breach of Finland's Vastaamo mental health services provider into a nightmare for victims.
Fragomen, a law firm used by Google, confirms data breach (TechCrunch) The firm provides employment verification screening services to determine if employees are eligible and authorized to work in the U.S.
Google employees personal info exposed in law firm data breach (BleepingComputer) Immigration law firm Fragomen, Del Rey, Bernsen & Loewy, LLP has disclosed a data breach that exposed current and former Google employees' personal information.
Notice of Data Breach (Fragomen) We, Fragomen, Del Rey, Bernsen & Loewy, LLP (Fragomen) provide I-9 employment verification compliance services to Google. We are writing to inform you of an incident impacting a limited number of Googlers (and former Googlers) in which an unauthorized third party accessed a file containing your information.
Over 100 irrigation systems left exposed online without protection (Security Affairs) Researchers found more than 100 smart irrigation systems running ICC PRO that were left exposed online without a password last month. Security experts from the Israeli security firm Security Joes discovered more than 100 irrigation systems running ICC PRO that were left exposed online without protection. ICC PRO is a top-shelf smart irrigation system designed by Motorola. […]
Beware: Latest Ledger Email Phishing Scam Making The Rounds (CryptoPotato) The latest scam attempt is to dupe hardware wallet Ledger consumers into revealing their credentials or downloading malware.
Phone scamming – friends don’t let friends get vished! (Naked Security) You probably back yourself not to be flattered or scared by a voice scammer – but what about vulnerable friends or relatives?
Backups as a last line of defence are under threat (Security Brief) Malware can incrementally overwrite and encrypt backups, rendering them inadequate as an insurance policy against ransomware.
The security threat of adversarial machine learning is real (TechTalks) The Adversarial ML Threat Matrix provides guidelines that help detect and prevent attacks on machine learning systems.
Four types of cyber-attack that could take down your data center (TechHQ) Scour the homepage of any company selling data center services, and you’ll probably find the phrase ‘security’ appears more than a few times. As
Vulnerability Summary for the Week of October 19, 2020 (CISA) The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Newhall district submits reopening waiver paperwork (Santa Clarita Valley Signal) During an engagement night event, officials at the Newhall School District reported they had submitted reopening waivers for grades TK-2 to return to in-person instruction and provided parents with an update on a recent ransomware attack. The district met the requirements set by the Los Angeles County Department of Public Health in order to submit […]
Hennepin County Sheriff’s Office Responds to Data Breach (Government Technology) The Minnesota law enforcement agency is responding to a Web service data breach that has exposed the information of 1,400 people, officials confirmed. The office was initially notified of the exposure in June.
Surveillance Startup Used Own Cameras to Harass Coworkers (Vice) Employees at Verkada accessed the company's facial recognition system to take photos of women colleagues and make sexually explicit jokes.
Security Patches, Mitigations, and Software Updates
Vulnerability fixed in Rapid7 Nexpose security scanner after discovery by Positive Technologies expert (PT Security) Positive Technologies expert Mikhail Klyuchnikov has identified a vulnerability in Rapid7's Nexpose tool which attackers can exploit to escalate low system privileges to obtain unauthorized access to resources and data. The vulnerability is present in Security Console versions 6.6.48 and earlier versions of the product.
Microsoft upgrades password spray attack detection capabilities (BleepingComputer) Microsoft has improved password spray detection in Azure Active Directory (Azure AD) by doubling the number of compromised accounts it detects using a new machine learning (ML) system.
Microsoft will forcibly open some websites in Edge instead of Internet Explorer (ZDNet) Here's the list of 1,156 sites you won't be able to open in Internet Explorer anymore.
Microsoft IE Browser Death March Hastens (Threatpost) Internet Explorer redirects more traffic to Edge Chromium browser as Microsoft warns of the upcoming demise of the once dominant browser.
How to turn on Zoom’s new end-to-end encryption—and why you may not want to (Fortune) Zoom's newest feature makes calls more secure. But it also requires jumping through some hoops.
Cyber Trends
FTC Validates Social Media Scams Are on the Rise (ZeroFOX) On October 21, 2020, the Federal Trade Commission (FTC) posted a data spotlight blog about scams on social media. In the piece, the FTC data demonstrates
Global Survey Results 2020 – Identity Governance and Administration (IGA) for the New Computing Normal (One Identity) Read our global survey executive summary to see the highlights and compare how well your organization transitioned to remote workforce and how prepared you are to return to the new version of normal.
Cybersecurity Risk Management: How Companies Are Responding to COVID-19 and Remote Work (Visual Objects) Learn how companies are practicing cybersecurity risk management during COVID-19. Data from a survey of 500 full-time employees in the U.S.
New Survey Finds Most Industrial Organizations Are Inadequately Prepared for an OT Cybersecurity Attack (PAS) Survey results to be discussed at PAS OptICS 2020 conference along with more than two dozen sessions featuring industry executives, experts, and practitioners
Cybersecurity to be a crucial priority in power utilities’ agenda as threats continue to grow amid Covid-19, says GlobalData (Power Technology) Cybersecurity has been a major concern area for utilities for decades due to roles played by them as operators of critical infrastructure systems.
The Largest Data Breaches in U.S. History (Global Trade Magazine) Between 2013 and 2019, companies involved in social networking and media, such as Yahoo and Facebook, were the most vulnerable to data breaches.
DDoS attacks a wake up call for complacent businesses (Imperva) When distributed denial of service attacks created mayhem around the world in August, they left many organisations scrambling to protect themselves.
2020 Unisys Security Index™ (Unisys) For more than a decade, the Unisys Security Index™ has measured global consumer concerns related to national, personal, financial and Internet security.
Cisco: Long-Term Cybersecurity Changes Afoot (SDxCentral) The COVID-19 pandemic will usher in long-term changes to corporate cybersecurity policies and investments, according to a new Cisco report.
New LogMeIn Report Reveals 7 Key IT Trends During the Shift to Remote Work (GlobeNewswire) Web meetings, remote access, and managing security threats among top tasks IT professionals are spending more time on
34% of Employees Say Their Company Doesn't Follow Basic Cybersecurity Protocols During COVID-19, Despite Increased Risk Due to Remote Work (PR Newswire) More than one-third (34%) of full-time employees at companies in the U.S. admitted to not practicing basic cybersecurity protocols during...
Consumer Concerns About Home Data Security and Privacy Breaches Key Focus at CONNECTIONS™ Conference, Featuring CUJO AI, F-Secure, Firedome, and NETGEAR (PR Newswire) CUJO AI, NETGEAR, Firedome, and F-Secure will share their insights on consumer privacy and security at Parks Associates' upcoming CONNECTIONS™...
Arab countries are the top 5 VPN adopters worldwide with 24% penetration (Atlas VPN) According to data gathered and analyzed by the Atlas VPN research team, VPN (Virtual Private Network) downloads reached 134 million in 2020 H1, taking 85 selected countries into account. Atlas VPN report found that the top 10 VPN adopters are: The United Arab Emirates, Qatar, Oman, Saudi Arabia, Kuwait, Singapore, Turkey, Indonesia, Panama, and Great Britain
Marketplace
Grayshift, The Startup That Breaks Into Unlocked iPhones For The Feds, Raises $47 Million (Forbes) Grayshift boasts doubling of revenue as cops across America buy into its powerful but possibly controversial iPhone forensics tech.
StackHawk Raises $10 Million Series A Funding Round (StackHawk) Application security startup StackHawk announced today that it has raised $10 million in Series A funding.
The Story of McAfee: How the Security Giant Arrived at a Second IPO (Dark Reading) Industry watchers explore the story of McAfee, from its founding in 1987, to its spinoff from Intel, to how it's keeping up with competitors.
Raytheon Technologies Selling Forcepoint Cyber Business To Investment Firm (Defense Daily) Raytheon Technologies on Monday said it has agreed to sell its commercial cyber security business Forcepoint to the investment firm Francisco Partners, end
Pondurance Secures Strategic Investment from Newlight Partners to Accelerate Growth and Fuel Innovation in Managed Detection & Response Offerings (BusinessWire) Pondurance, a leader in MDR services, today announced a new strategic investment from affiliates of Newlight Partners LP, a private investment firm.
Akamai Technologies Advances 5G Security Strategy with Acquisition of Asavie (Akamai) Akamai Technologies announced today that it has acquired Asavie, whose global platform manages the security, performance and access policies for mobile and internet-connected devices.
Bluefin Announces $25 Million in Growth Financing Led by Macquarie Capital Principal Finance (BusinessWire) Bluefin has announced $25 million in growth financing led by Macquarie Capital Principal Finance to fuel product and US / international expansion.
New Israeli cyber startup AirEye goes above & beyond standard network security (Geektime) Unknowingly, many organizations leave themselves vulnerable to breach from access points that are not under the surveillance of in-company security measures. This is where the new Israeli cyber startup aims to operate, by securing the airspace around your organization...
Zscaler the 'first mover' in $20B cloud network security market, JPMorgan says (SeekingAlpha) JPMorgan views Zscaler (NASDAQ:ZS) as the "first mover disrupting force" behind the network security in the pandemic's cloud migration acceleration.
Collaborative bug hunting ‘could be very lucrative’ – security pro Alex Chapman on the future of ethical hacking (The Daily Swig) ‘Persistence is key, and so is not expecting a huge payout on day one’
Campaigns Rush to Submit Facebook Ads Ahead of Limits (Wall Street Journal) Republican and Democratic political advertisers are scrambling to submit their ads to the social-media giant before the end of Monday after the company moved to ban new political ads in the week before Election Day.
Home to Proud Boys domain, Gab, and other right-wing sites posts unhinged letters after PayPal cuts ties (Mashable) A story about domain names, white nationalists, and accusations of money laundering.
Blue Ridge Energy supports Cybersecurity Awareness Month (WataugaOnline) Blue Ridge Energy is proud to announce its commitment to National Cybersecurity Awareness Month, held annually in October. This year’s Cybersecurity Awareness Month theme is “Do Your Part. #BeCyberSmart,” aimed to empower individuals and organizations to own their role in protecting their part of cyberspace. “By increasing awareness …
Bishop Fox Taps Former Facebook CSO and Cybersecurity/Data Privacy Trailblazer for Board of Advisors (GlobeNewswire) Alex Stamos and Evan Wolff to Help Advance Bishop Fox Offensive Security Testing
SentinelOne Appoints Ken Marks as VP of Worldwide Channels (BusinessWire) SentinelOne, the autonomous cybersecurity platform company, today announced the appointment of Ken Marks as Vice President of Worldwide Channels. A ve
Axis Security Names New Channel Leader (PR Newswire) Axis Security, the leader in Zero Trust access, today announced that Kimber Garrett has joined the company as head of channel sales. In this...
Products, Services, and Solutions
Socure Unveils Sigma Synthetic Fraud, a New Way to Identify and Combat Synthetic Identity Fraud (BusinessWire) Socure, the leader in Day Zero digital identity verification, today announced the launch of Sigma Synthetic Fraud, its latest addition to the Socure I
Privafy Collaborates with Micron to Deliver Complete End-to-End IoT Security-as-a-Service Solution (PR Newswire) Privafy, the cloud-native cybersecurity company redefining how to secure Data-in-Motion, today announced that it is collaborating with Micron...
HackerOne introduces integrations and partnerships to connect and defend customers (Help Net Security) HackerOne introduced integrations and partnerships that make it easy to integrate its data with existing security and development workflows.
Atomicorp & EstateSpace Join Forces with RunSafe Security to Supercharge Cyber Defenses (PR Newswire) RunSafe Security, the pioneer of a patented process to immunize software from cyber attacks without developer friction, today announced...
Aqua Announces the Most Advanced Kubernetes Security Solution (Aqua) Introducing KSPM (Kubernetes Security Posture Management), agentless runtime protection capabilities to deploy security controls into pods.
Computex Technology Solutions Partners with Datadobi for Major Data Migration Project (BusinessWire) Datadobi today announced it has partnered with Computex Technology Solutions.
Offensive Security Continues to Expand Security Training and Certification Offerings with New Advanced Pentest Training Course (BusinessWire) Offensive Security, the leading provider of hands-on cybersecurity training and certification, today announced the launch of Evasion Techniques and Br
Axio Offers Free Cybersecurity Program Assessment Tools (Citizen Tribune) Axio, a leading cyber risk management Software-as-a-Service company, today announced the availability of four free cyber risk program assessment tools that will give organizations visibility into their cyber posture.
Industry Experts Enhance CyberSense Software to Stay Ahead of Advancing Ransomware (BusinessWire) Data integrity experts Index Engines today announced the latest enhancements to its ransomware detection and recovery software, CyberSense, to help or
Nozomi Networks Pioneers SaaS Security and Visibility Solution for Dynamic IoT and OT Networks (Nozomi Networks) Nozomi Networks Vantage empowers a new generation of cyber and physical system security with the SaaS simplicity, scale and TCO control that the converging worlds of IT and OT require
Red Canary enters cloud workload protection space, launches Red Canary Cloud Workload Protection (Red Canary) Red Canary Cloud Workload Protection secures cloud environments with a lightweight sensor, proven threat detection platform, and security expertise
Technologies, Techniques, and Standards
Teach Your Employees Well: How to Spot Smishing & Vishing Scams (Dark Reading) One of the best ways to keep employees from falling victim to these social-engineering attacks is to teach them the signs.
Council Post: From Muddlers To Modelers: Measuring What Matters In Security (Forbes) There is much fascination with pen testing and the art of "breaking things." But this fascination can obscure the ultimate purpose of pen testing: better decision making.
Essential Cybersecurity for the Hotel Tech Community (NIST) In recent years criminals and other attackers have compromised the networks of several major hospitality companies, exposing the informatio
Cybersecurity Challenges for the Charity Sector (CPO Magazine) UK charities hold financial and personal information that cybercriminals increasingly target but only half of charities think cybercrime is a risk to the sector.
Charities warned over ‘Robin Hood’ cyber criminals (ComputerWeekly) Accepting donations from cyber criminal groups could be deemed as profiting from crime, money laundering or handling stolen goods – so don’t do it.
Myth #4: Real-Time Visibility Is Impossible (FireMon) Real-time, global visibility is possible. Visibility across your entire network reduces your attack surface, eliminates data leaks, and ensures compliance
Breathing insider fraud requires a new culture (PaymentsSource) Business leaders have come to understand the role that people play in cybersecurity, fiercely working to establish a strong security culture within their own organizations, says KnowBe4's Javvad Malik.
Prevent spyware through user awareness and technical controls (SearchSecurity) The process of preventing spyware infections depends on the nature of the spyware and the type of device involved, but often, the most important step is educating users about phishing attacks, installing apps from official sources and being aware of software overstepping privacy bounds.
Cybersecurity Awareness Month: 5G and the Future of Connected Devices (IGI) With proper caution and attention to the potential risks, 5G is on track to make our increasingly mobile world more secure.
Treat the Whole Patient: Cybersecurity Amid COVID-19 (ISACA) Treat the whole patient. Public health practitioners have long known that the symptoms a patient presents in the doctor’s office tell only a portion of the story.
Design and Innovation
Twitter launches 'pre-bunks' to get ahead of voting misinformation (NBC News) Twitter will begin placing messages at the top of users’ feeds to pre-emptively debunk false information about voting by mail and election results.
Twitter adds new warnings about misinformation in run up to election (Washington Post) Twitter has started pushing notices to warn users to be on the lookout for misinformation to people’s timelines
Finally: a usable and secure password policy backed by science (TechXplore) After nearly a decade of studies, the passwords research group in Carnegie Mellon's CyLab Security and Privacy Institute has developed a policy for creating passwords that maintains balance between security and usability—one backed by hard science.
How to Successfully Integrate Security and DevOps (DevOps.com) The pace and frequency of application releases in DevOps can conflict with established practices of handling security and compliance.
Academia
WGU Missouri students eligible for Fast Track Workforce Incentive Grant (Lincoln News Now!) WGU Missouri is pleased to announce that the Fast Track Workforce Incentive Grant – which was introduced by the State of Missouri last year as a way to help adults
UWF to announce major cybersecurity workforce development initiative (University of West Florida Newsroom) The University of West Florida will host a virtual press conference to make a major announcement regarding cybersecurity workforce development. Speakers include: UWF President Martha D. Saunders; Diane M. Janosek, Commandant, National Security Agency’s National Cryptologic School; Dr. George Ellenberg, UWF Provost and Senior Vice President; and Dr. Eman El-Sheikh, Director of the UWF […]
Help Wanted: Cybersecurity Workforce of Future Starts with Students Today (Mirage News) Today's critical infrastructure systems from farm fields planted with digital sensors that track soil moisture and nutrient levels to electric power...
Legislation, Policy, and Regulation
China to sanction Boeing, Lockheed and Raytheon over Taiwan arms sales (Defense News) Chinese-U.S. relations have plunged to their lowest level in decades amid disputes about security, technology, the coronavirus pandemic and human rights.
Russia’s Internet Freedom Shrinks as Kremlin Seizes Control of Homegrown Tech (Foreign Policy) Corporate mergers and backstage coercion have expanded Putin’s control.
Cooperation between Norway’s security agencies planned following cyber attack on parliament (ComputerWeekly.com) Government seeks to develop enhanced national IT infrastructure with an embedded early warning system and defence shield to protect the IT systems of public and private organisations.
Australia Proposes Security Law to Protect Critical Infrastructure (The State of Security) The Australian Department of Home Affairs has published a consultation paper for proposed national security laws aimed at protecting critical infrastructure
Germany: New case-law on immaterial damages for GDPR infringements (JD Supra) When it comes to infringements of the EU General Data Protection Regulation (GDPR), the first thing that comes to mind are proceedings and fines...
U.S. Sanctions Russian Institute for Triton Malware (Decipher) The Office of Foreign Assets Control announced sanctions against a Russian research institute for deploying the Triton ICS malware.
Understanding The Internet of Things (IoT) Cybersecurity Improvement Act (Security InfoWatch) With the House passing this minimum standard bill, the security community awaits the Senate’s decision
A Future Internet for Democracies: Contesting China’s Push for Dominance in 5G, 6G, and the Internet of Everything (Alliance For Securing Democracy) Executive Summary Democracies and Authoritarian Regimes in Competition for the Future Internet The United States and its democratic allies are engaged in a contest for the soul of the Future Internet. Conceived as a beacon of free expression with the power to tear down communication barriers across free and
Veterans have been targets of foreign manipulation. Now they’re fighting it before the election. (Washington Post) A joint effort by the Department of Homeland Security and a leading veterans group seeks to combat foreign disinformation in the final days before the election, more than a year after a report issued to lawmakers concluded that veterans are economically efficient targets of such efforts.
After investigation found foreign actors targeting vets online, VVA and Homeland Security join forces (Connecting Vets) After two-year investigation revealed malicious foreign entities targeting veterans, service members and their families online, Vietnam Veterans of America and the Department of Homeland Security are joining forces to fight disinformation.
NSW government sets up cyber and privacy resilience group to keep customer data safe (ZDNet) As part of a response to a cyber breach from earlier this year.
National Guard deploying cyber unit on federal mission (Wisconsin Examiner) The National Guard's cyber protection unit is being deployed on a federal mission to Maryland. For the Guard, 2020 has been a very busy year.
Litigation, Investigation, and Law Enforcement
Tech Lobby Asks for EU Liability Cover to Tackle Hate Speech (Bloomberg) Companies risk legal liability for actively removing content. Call comes as European Commission prepares digital policy.
U.S. Has Authority to Ban TikTok, Government Lawyers Say (Wall Street Journal) The Trump administration defended its attempt to ban Americans from using Chinese-owned TikTok over national security concerns, saying in court papers the app makes U.S. user data susceptible to influence by Chinese leaders.
US Calls Death of al-Qaida Official a Major Setback for Terror Group (Voice of America) The United States has confirmed the death of a high-ranking al-Qaida official in Afghanistan, describing it as a major setback for the group despite some initial confusion in reporting about his seniority. A U.S. official, speaking on the condition of anonymity, confirmed the death of al-Qaida’s Abu Muhsin al-Masri on Monday, saying U.S. forces provided support during the Afghan-led operation in the country’s eastern Ghazni province.
U.S. intelligence won’t brief Florida delegation on ‘spoofed’ emails tied to Iran (Miami Herald) The office of the Director of National Intelligence on Monday turned down the Florida congressional delegation’s request to be briefed on the claim that foreign governments have targeted voters to sow disinformation in the upcoming election, including through hundreds of emails sent to Florida voters last week.