Cyber Attacks, Threats, and Vulnerabilities
The Cybersecurity 202: The next big disinformation fight is coming – over coronavirus vaccines (Washington Post) As false claims continue to fly about the 2020 election, officials and experts are already preparing for the next big disinformation fight over coronavirus vaccines.
Lazarus supply‑chain attack in South Korea (WeLiveSecurity) ESET research uncovers attempts to deploy Lazarus malware via a supply-chain attack that abuses genuine security software and stolen digital certificates.
What Happened to the Deepfake Threat to the Election? (Wired) Lawmakers and researchers had warned that videos altered using AI could disrupt the 2020 vote. But they didn't turn out to be a problem.
U.S. Hospitals are the Target of Ransomware Attacks (Legal Reader) U.S. Hospitals are the Target of Ransomware Attacks
The ransomware landscape is more crowded than you think (ZDNet) More than 25 Ransomware-as-a-Service (RaaS) portals are currently renting ransomware to other criminal groups.
Malsmoke operators abandon exploit kits in favor of social engineering scheme (Malwarebytes Labs) Threat actors behind malsmoke, one of the largest malvertising campaigns we've seen in recent months, have switched malware delivery tactics.
Cybercriminals Use Cloud Technology to Accelerate Business Attacks (AiThority) Trend Micro Incorporated, the leader in cloud security, has identified a new class of cybercrime. Criminals are using cloud services.
Cybercriminal ‘Cloud of Logs’: The Emerging Underground Business of Selling Access to Stolen Data (Trend Micro) We take a closer look at an emerging underground market that is driven by malicious actors who sell access to a gargantuan amount of stolen data, frequently advertised in the underground as “cloud of logs."
Schneider Electric Warns Customers of Drovorub Linux Malware (SecurityWeek) Schneider Electric has warned its customers about Drovorub, a Russia-linked Linux malware that was recently detailed by the NSA and FBI.
How the U.S. Military Buys Location Data from Ordinary Apps (Vice) A Muslim prayer app with over 98 million downloads is one of the apps connected to a wide-ranging supply chain that sends ordinary people's personal data to brokers, contractors, and the military.
Tesla Vulnerability Disclosure: Tesla Backup Gateways (Rapid7 Blog) In this blog, we address Tesla Backup Gateways and identify key areas where Tesla could improve security and privacy to help customers protect themselves.
Jekyll Island Data Breach Update (Jekyll Island) The Jekyll Island-State Park Authority was subject to a recent data privacy event that may have impacted the security of personal information. While there is currently no evidence that any of this information has been misused, we want to provide you with information about the…
Hacked Websites, Hate Speech Hit Suburban Chicago Schools (SecurityWeek) Students at two suburban Chicago school districts were exposed to hate speech and lewd material this week after hackers apparently infiltrated both districts’ websites, school officials said
Biotech Company Miltenyi Biotec Discloses Malware Attack (SecurityWeek) International biotechnology company Miltenyi Biotec says it has fully recovered from a malware attack that affected parts of its network over the past couple of weeks
()
Animal Jam was hacked, and data stolen; here’s what parents need to know (TechCrunch) Some 46 million user records were stolen and published online.
Dating Site Bumble Leaves Swipes Unsecured for 100M Users (Threatpost) Bumble fumble: An API bug exposed personal information of users like political leanings, astrological signs, education, and even height and weight, and their distance away in miles.
University fallen victim to cybersecurity breach (Pipe Dream) During the weekend of Nov. 7, computer servers at Binghamton University became the target of “malicious activity” according to the University’s website, resulting in some...
Human error blamed in Welsh Covid-19 patient data leak (ComputerWeekly) Public Health Wales accepts recommendations of independent probe into data breach that saw PII on 18,105 coronavirus patients leaked.
Expert says odds are against municipalities amid ‘significant cyber attack’ on City of Saint John (Global News) "Our IT teams and our security teams have to be right 100 per cent of the time. A criminal just needs to get right once," says cybersecurity expert David Shipley.
Toledo Public Schools sends cyber attack explanation letter to parents (13ABC) The letter explains what happened, what information was involved, what TPS did, and what it is doing.
Report: Retail-focused Used Electronics Business Leaks Customers' IDs & Fingerprints in Data Breach (Website Planet) Company name and location: TronicsXchange, Inc based in California, US. Leak size: Over 2.6 million files (including 80,000 identification
Micropayments company Coil distributes new privacy policy with email that puts users' addresses in the ‘To:’ field (Register) Hundreds of email addresses exposed, customers predictably less-than-thrilled
Vulnerability Summary for the Week of November 9, 2020 (CISA) The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Security Patches, Mitigations, and Software Updates
macOS Big Sur 11.0.1 Patches 60 Vulnerabilities (SecurityWeek) The first update released by Apple for macOS Big Sur 11.0 patches 60 vulnerabilities.
New Zoom feature can alert room owners of possible Zoombombing disruptions (ZDNet) The new "At-Risk Meeting Notifier" Zoom feature scans the internet and alerts conference organizers when a link to their Zoom meeting has been posted online.
Cyber Trends
SEGs Struggle to Mitigate Most Phishing Attacks (IRONSCALES) New Research: Nearly Half of Phishing Emulations Bypass Microsoft ATP and Top SEGs at nearly 50% clip
Online Shoppers Undeterred by COVID as Holiday Shopping Season Shifts Earlier (Akamai) Holiday shoppers are overcoming worries and restrictions and easily adapting to new shopping norms as the COVID-19 pandemic has invaded our lives and made us overwhelmingly dependent on online and mobile activity. According to an Akamai-commissioned survey of more than 1,000 U.S. consumers conducted between October 31 and November 2, 2020, 73% of shoppers who have started gift hunting have done half to all their shopping online to date.
2 in 3 Concerned About Data Breaches During the Holiday Shopping Season This Year (Iris Identity) The Holiday Shopping ID Theft survey examines consumer sentiment on retail data breaches and the identity theft risks holiday shopping poses.
Holiday Shopping Warning: Simple Typos Can Lead Consumers and Brands to Online Fraud, Counterfeit Goods, and Cyber Crime (BusinessWire) Over 70% of misspelled domain names for 10 major online brands are registered to third parties, making consumers susceptible to cyber crime.
CrowdStrike Global Survey Reveals Fear of State-Sponsored and Ransomware Attacks Pose Danger of Stifling Future Business Growth in Post COVID-19 World (AP NEWS) CrowdStrike, Inc. (Nasdaq: CRWD), a leader in cloud-delivered endpoint and workload protection, today announced the release of the 2020 CrowdStrike Global Security Attitude Survey, produced by independent research firm Vanson Bourne.
53% of Manufacturing Organizations Say Operational Technology is Vulnerable to Cyber Attacks (PR Newswire) TrapX Security, the global leader in Deception-based cyber defense solutions, has today released findings of a research survey in partnership...
The 2021 Financial Data Risk Report Reveals Every Employee Can Access Nearly 11 Million Files (Inside Out Security) Financial services organizations must safeguard tons of highly sensitive information, but data is often left exposed to far too many people. If just one employee clicks on a phishing email,...
F5 Labs report reveals increasing attacker sophistication raises global cybersecurity stakes (Intelligent CIO Europe) COVID-19 continues to significantly embolden cybercriminals’ phishing and fraud efforts, according to new research from F5 Labs. The fourth edition of the Phishing and Fraud Report found that phishing incidents rose 220% during the height of the global pandemic compared to the yearly average. Based on data from F5’s Security Operations Center (SOC), the number […]
India Hit By 375 Cyberattacks Daily In 2020, Says Cyber Security Coordinator (Inc42 Media) People should be very careful about hoax calls and click-baits whose sole intention is to dig information from an internet user, he suggested.
Marketplace
Siqura becomes part of TKH Security Solutions (Security World Market) Siqura B.V. is now part of TKH Security Solutions, a close-knit collection of five companies working together to provide integrated and complete security management systems for critical infrastructure, traffic, public transit, healthcare, financial institution, public building, and government applications.
Covid heightens need for cybersecurity in digital world, says Hampleton Partners' M&A report (Private Equity Wire) Hampleton’s latest Cybersecurity M&A report highlights the importance of cybersecurity vendors as all industries seek protection from cyber-attacks, now that millions more people are working and learning from home using VPN networks and potentially suboptimal computer equipment and inadequate cybersecurity.
Top 5 Security Innovators (Pipeline Magazine) The Top 5 security and cybersecurity innovators are explored in this Pipeline article, which leverage advanced encryption, AI, and managed security service innovation to help enterprises and CSPs.
Seczetta Announces Strong Third Quarter: Continued Growth Fueled By Record Sales, New Partnerships, And Key Product Enhancements (SecZetta) SecZetta, the leading provider of third-party identity risk solutions, today announced record sales in Q3 2020 driven by significant customer wins, successful ...
Aveshka Named a Best Small Firm to Work For (PR Newswire) Aveshka, a leading professional services and information technology firm, has been named a 2020 Best Firm to Work For by Consulting Magazine,...
VMware adds Sydney data centre presence in AWS for Carbon Black (CRN Australia) Sydney Facility brings local access for endpoint and workload protection.
Coalfire Named Grand Winner In SVUS Women World Awards (PR Newswire) Coalfire, a provider of cybersecurity advisory and assessment services, has been named a Grand Winner in the SVUS Women World Awards thanks to...
ID.me to Hire 1000 New Employees in Northern Virginia Over the Next Year (ID.me) Expanded Workforce to Enable Identity Provider to Continue Hypergrowth
Mainak Mazumdar, Nielsen’s Chief Data Officer, joins Satori's Board of Advisors (Security Boulevard) Mainak Mazumdar joins Satori’s advisory board to help companies simplify security, privacy and compliance for data in the cloud
CyberSN Acquires Cybersecurity Staffing Leader Matt Donato to Expand Reach Into the Southeast & Mid-Atlantic Region (PR Newswire) CyberSN, a technology-empowered talent acquisition firm in the U.S. focused exclusively on cybersecurity professionals has announced its...
Twitter names famed hacker 'Mudge' as head of security (Reuters) Social media giant Twitter <TWTR.N> Inc, under increased threat of regulation and plagued by serious security breaches, is appointing one of the world's best-regarded hackers to tackle everything from engineering missteps to misinformation.
Twitter hires influential hacker Peiter ‘Mudge’ Zatko as security boss (CyberScoop) Facing some of the most persistent security challenges of its 14-year existence, Twitter has turned to Peiter “Mudge” Zatko, a renowned computer security expert, and given him a broad mandate to bolster security at the social media platform.
Products, Services, and Solutions
Collibra Introduces Unparalleled Access to Trusted Data with Collibra Data Intelligence Cloud (Markets Insider) Collibra, the Data Intelligence company, today announced new enhancements to the Collibra Data Intelligence...
Shift5 Awarded $2.6M Army RCCTO Agreement for Enhanced Vehicle Security System Prototype Project (PR Newswire) Shift5, Inc., a cybersecurity company, has been selected by the Army's Rapid Capabilities and Critical Technologies Office (RCCTO) to deliver a...
Apple Unveils Security Features in New M1 Chip (SecurityWeek) Apple’s new M1 chip includes several security features, including the latest generation of Secure Enclave, AES encryption hardware for SSDs, and hardware‑verified secure boot.
Point3 Security Offers Non-Profits, SMBs 80% Discount on New Cybersecurity Talent Screening Service to Assess and Hire Top Cybersecurity Talent (BusinessWire) Point3 Security intros discounted Talent Screening service to help SMBs & non-profit orgs identify optimal cybersecurity talent for their challenges
Data Security Leader, Appsian, Announces Security and Compliance Analytics Platform for Oracle E-Business Suite (Yahoo) Appsian, the global leader in Enterprise Resource Planning (ERP) data security and compliance, today announced their security and compliance analytics platform, Appsian360, will feature support for Oracle E-Business Suite (Oracle EBS). Appsian360 will provide Oracle EBS customers with the ability to gain deep insight into who is accessing business data – when, how, and why. This insight closes a critical visibility gap that can leave organizations exposed to security and compliance threats.
VMware Stuffs Security Into SmartNICs (SDxCentral) VMware plans to run distributed firewalls in smartNICs in a move that will allow enterprises to attach security to sensitive applications.
buguroo Launches Policy Manager for Customisable Automated Fraud Detection and Prevention (Financial IT) buguroo, the leading provider of customer identification solutions to prevent online fraud for the financial sector, today announced the launch of Policy Manager as part of its latest product update. The new capability of buguroo’s fraudster identification tool, Fraudster Hunter, allows fraud analysts to provide extensive detection and prevention coverage by leveraging previously identified fraud threats.
Corsight AI Launches Real-Time Facial Recognition Technology that Accurately Identifies Individuals at an Unmatched Speed Under Any Condition (PR Newswire) Corsight AI, a leading facial recognition technology provider, announced today the launch of its facial recognition technology. The technology...
Sontiq™ and Breach Clarity Strike Exclusive Industry Partnership (BusinessWire) Exclusive Sontiq and Breach Clarity partnership empowers consumers with personalized solution to combat individual risk from compounding data breaches
Zerto Continues Momentum with Data Protection and Disaster Recovery Capabilities for Containerized Applications (BusinessWire) With containers becoming the go-to choice for production deployment, Zerto today announced the beta program of Zerto for Kubernetes.
Kubernetes Security Specialist Certification Now Available (Yahoo) Kubernetes Security Specialist Certification Now AvailablePR NewswireSAN FRANCISCO, Nov. 17, 2020Advanced certification from CNCF and The Linux Foundation demonstrates expertise in securing Kubernetes based platforms and applicationsSAN FRANCISCO, Nov.
Humio Accelerates Cloud Management And Extends Security With Humio Operator (PR Newswire) Humio, the only log management platform enabling complete observability for all streaming logs in real time and at scale, self-hosted or in the...
Technologies, Techniques, and Standards
Back to the Basics: Announcing the New NICE Framework (NIST) Three years ago, NIST published the first version of Special Publication (SP) 800-181, the National Initiative for Cybersecurity Education (NICE)
()
How to Spot Retail Scams | Black Friday Scams (2020) (Tessian) Hackers take advantage of Black Friday and holiday shopping every year. Learn which retailers they impersonate and how to avoid scams.
Leading Research Firm Details Vision and Roadmap to Digital Policing Transformation (Cellebrite) Cellebrite, the global leader in Digital Intelligence (DI) solutions for public and private sectors, recently published a new white paper with IDC, “Policing 2025: Envisioning a New Framework for Investigations.” In the IDC Whitepaper, IDC … Continue reading "Leading Research Firm Details Vision and Roadmap to Digital Policing Transformation"
Ransomware Payments Sanctions Avoided with Risk-based Compliance Program (eMazzanti Technologies) NYC area IT security consultant discusses U.S. Treasury Department Advisory and the risk of sanctions to those who facilitate ransomware payments
Lawyer Checker to Host Crucial Panel Discussion as Cybercrime Reaches New Heights (Today's Wills and Probate) The Solicitors Regulation Authority have recently publicised their first thematic review investigating the impact of cybercrime. The review has highlighted a number of troublesome statistics making it definitively apparent that cyber related incidents leading to fraud remain one of the largest threats the legal sector faces. The SRA conducted the review by selecting a randomised …
Holiday Shoppers Beware: Tips for Global Brand Owners and Consumers to Safeguard Against Domain Security Threats (Digital Brand Services Blog) With the COVID-19 pandemic persisting, online shopping will be the preferred method for the 2020 holiday shopping season. While staying home to shop is the safest option right now, it means consumers are more vulnerable to online fraud, counterfeits, and cyber crime.
Are phoneless deployments the future for Marines? (Marine Corps Times)
Design and Innovation
SourceFinder software stalks malware in the wild (UC Riverside News) UC Riverside computer scientists develop tool to locate malware source code repositories
Huawei, 5G, and the Man Who Conquered Noise (Wired) How an obscure Turkish scientist’s obscure theoretical breakthrough helped the Chinese tech giant gain control of the future. US telecoms never had a chance.
The quest for a single source of the truth, and the modern data warehouse (Computing) Computing's editorial director Stuart Sumner speaks to Michael Connaughton, head of analytics and data innovation at Oracle EMEA, discussing the modern data warehouse
Research and Development
The Commonwealth Cyber Initiative 5G testbed is where researchers come to play (Virginia Tech News) The Commonwealth Cyber Initiative's 5G testbed promises to be one of the most advanced in the U.S. and will help Virginia become a leader in this new technology. Newly appointed 5G testbed director Aloizio Pereira da Silva is creating a testbed where students, researchers, government, and industry can test new ideas.
Academia
Naval Academy cyber operations awarded NSA designation (Capital Gazette) The Naval Academy is now one of 22 educational institutions to be granted a Center of Academic Excellence in Cyber Operations by the National Security Agency.
Legislation, Policy, and Regulation
EU Restrictions Could Force Companies to Change Data Transfer Practices (Wall Street Journal) Businesses could be forced to adopt strict encryption practices and ensure the personal data of Europeans can’t be decrypted if companies move that information to the U.S. and other countries outside the EU, the draft rules said.
A Methodology for Conducting Data Transfers in a Post Schrems II World (cyber/data/privacy insights) On November 10, 2020, the European Data Protection Board issued two new pieces of guidance. Read together, they outline a detailed methodology to follow when conducting data transfers under the EU General Data Protection Regulation – such guidance has been keenly anticipated following the Court of J
Jack Dorsey and Mark Zuckerberg will face Congress again, this time about the election (TechCrunch) After giving in to the looming threat of subpoenas, two of tech’s most high profile CEOs will again be grilled by Congress. On Tuesday, the Senate Judiciary Committee will host Twitter’s Jack Dorsey and Facebook’s Mark Zuckerberg for what’s likely to be another multi-hour ai…
Huawei threat 'No. 1 concern' moving forward, Trump national security adviser says (TheHill) National security adviser Robert O’Brien said that Chinese telecommunications company Huawei is the “number one concern” for democracy moving forward.
Biden likely to remain tough on Chinese tech like Huawei, but with more help from allies (Washington Post) President-elect has called TikTok a “concern,” but experts think he’ll have other priorities
Defense contractors are putting together self-assessments of their cybersecurity (Federal News Network) Defense contractors are or should be busy putting together self-assessments of their cybersecurity. Under the Cybersecurity Maturity Model Certification program, those self-assessments are due at the end of the month.
Two top Homeland Security officials forced to resign by White House (ABC17NEWS) Two senior Department of Homeland Security officials have been forced to resign by the White House, according to sources familiar with the resignations. Among them was a top official in DHS’s cyber arm, who resigned amid a national security shakeup by the Trump administration. Bryan Ware served as assistant director for cybersecurity at DHS’ Cybersecurity
Litigation, Investigation, and Law Enforcement
Election Security Experts Contradict Trump’s Voting Claims (New York Times) In a public letter, 59 top specialists called the president’s fraud assertions “unsubstantiated” and “technically incoherent.”
Scientists say no credible evidence of computer fraud in the 2020 election outcome, but policymakers must work with experts to improve confidence (Matt Blaze) We are specialists in election security, having studied the security of voting machines, voting systems, and technology used for government elections for decades.
Portugal: Cyberattack on Brazilian electoral court was from Portugal (Macau Business) International, MNA | The Brazilian Federal Police identified Portugal as the origin of a cyberattack on the computer system of the Brazilian Supreme Electoral Court
Austria Privacy NGO Takes on Apple Over 'Tracking Code' (SecurityWeek) An Austrian online privacy group is filing complaints over Apple's use of a so-called IDFA ("identifier for advertisers") which NOYB says are used on phones "without user's knowledge or consent".
Apple hit with two privacy complaints in Europe over its mobile tracking tool for advertisers (CNBC) Austrian privacy activist Max Schrems' non-profit group Noyb alleges Apple's use of a tracking code on iPhones breaches European law.
Privacy advocates call for European probe into Palantir (ComputerWeekly) Dutch group SOMI is trying to raise awareness of Palantir’s data privacy practices and how it works with European government agencies.
NSA Spied On Denmark As It Chose Its Future Fighter Aircraft: Report (The Drive) The allegations suggest that European fighter manufacturers were also among the U.S. intelligence agency’s targets.
Hemmelige rapporter: USA spionerede mod danske ministerier og forsvarsindustri (DR) Finansministeriet, Udenrigsministeriet og forsvarsvirksomheden Terma var mål for amerikansk spionage, siger kilder.
STEPHEN ADKINS, on behalf of himself and those similarly situated, Plaintiffs, v. FACEBOOK, INC., Defendant. (United States District Court, Northern District of California) In this data-breach class action, plaintiffs move for preliminary approval of a class settlement agreement. The proposal appearing non-collusive and within the realm of approvable, the motion is GRANTED.
H&M hit with €35.3m fine for GDPR employee breach (Lexology) How did H&M’s internal data collection processes land it with the second largest fine in data breach history…
Losses In $6M Phishing Suit Were Indirect, Insurers Argue (Law360) Two insurance companies have asked a Texas federal court to throw out RealPage Inc.'s suit accusing them of wrongfully denying coverage on the software firm's claims of $6 million in losses due to a phishing scheme, arguing they're not liable because the losses were indirect.