the near future: the latest about the next few months.
IAITAM 2021 Forecast: Remote Work is Here to Stay, Time to Consider Ditching “Disposal Boxes” & Snitch Software to Surge (IAITAM) Organization That Warned Throughout 2020 That Companies Were Ill Prepared for Work-From-Home Device Management, Security Issues Looks Ahead to New Year
Ransomware attacks a pressing threat to world in 2021 (Taiwan News) Cybersecurity firm FireEye sounds alarm on increasingly sophisticated malware campaigns
Eye-Opening Password Predictions: Remote Work Will Increase Risk for Data Breaches (KnowBe4) What can we predict about 2021 password security based on Ponemon Institute's past State of Password and Authentication Security Behaviors Reports?
Cybersecurity, Communication Lead 2021 Top Five Technology Trends (PR Newswire) Information technology (IT) underwent a major change in 2020 as organizations were forced to quickly adopt strategies to handle new...
Cybersecurity stocks will see further acceleration in 2021 as more companies ramp up protection following the SolarWinds hack, says Wedbush (Business Insider) Wedbush's Dan Ives anticipates sees a 20% 'seismic increase' in cyber spending next year that will lift cybersecurity stocks.
Cybersecurity To Remain Hot In The New Year (Crunchbase News) Despite a pandemic that raged around the globe for the better part of the year, the cybersecurity market retained investor interest in 2020 and many in the sector expect next year to be no different
Revisited After a Decade: The Optimist's Cybercrime Predictions for 2011 (SecurityWeek) A decade later, Iran Aharoni analyzes his cybercrime predictions made in 2011 over the entire decade.
Cyber Attacks, Threats, and Vulnerabilities
Treasury Department’s Senior Leaders Were Targeted by Hacking (New York Times) The disclosure was the first acknowledgment of a specific intrusion in the vast cyberattack. At the White House, national security leaders met to assess how to deal with the situation.
NSA, CISA Warn of Attacks on Federated Authentication (Dark Reading) While incident responders focus on attacks using SolarWinds Orion, government cyber defenders highlight other methods likely being used as well.
SolarWinds is the perfect storm attack on the US (TheHill) Federal agencies need a new approach to address the perfect storm of cyberattacks on our software supply chain.
Hacked Networks Will Need to be Burned 'Down to the Ground' (SecurityWeek) Experts say it’s going to take months to kick elite hackers widely believed to be Russian out of U.S. government networks, after a complex supply chain attack allowed access to thousands of organizations.
The fallout from the SolarWinds hack that infiltrated the US Treasury and Homeland Security will get worse before it gets better (Business Insider) Attackers were able to gain access for a long time without being detected — and determining exactly what's been compromised will take even more time.
VMware, Cisco Reveal Impact of SolarWinds Incident (SecurityWeek) VMware and Cisco have shared information on the impact of the SolarWinds incident on their systems, and VMware has responded to reports that one of its products was exploited in the attack.
Partial lists of organizations infected with Sunburst malware released online (ZDNet) As security researchers dig through forensic evidence in the aftermath of the SolarWinds supply chain attack, victim names are slowly starting to surface.
Russian cyber attack may have reached Kent State (Record-Courier) Kent State University may have computers infected by Russian malware in an attack through popular server software from SolarWinds Corp.
Russia has allegedly hit the US with an unprecedented malware attack: Here's what you need to know (CNET) Blamed on Russia, the hack infiltrated federal agencies and private companies. More targets keep emerging.
Continuous Eruption: Further Analysis of the SolarWinds Supply Chain Incident (DomainTools) Multiple entities disclosed a supply chain attack via SolarWinds Orion network monitoring software on 13 December 2020. DomainTools provided initial analysis of network infrastructure and implications on 14 December. Since then, multiple entities have released reports including additional malware analysis, Command and Control (C2) identification, and details on the possible scope of the incident.
SolarWinds Adviser Warned of Lax Security Years Before Hack (Bloomberg) Cybersecurity researchers also cite several security lapses. Texas company’s software targeted by suspected Russian hackers.
SolarWinds Orion Security Breach: Cyberattack Timeline and Hacking Incident Details (ChannelE2E) How the SolarWinds Orion security breach occurred, and a timeline of events involving FireEye, Microsoft, the National Security Council (NSC) & more.
Urgent Case for Cyber-Attack Prevention (v. Detect) in OT/ICS Networks (Mission Secure) The FireEye-SolarWinds hacks illuminate one key takeaway: the urgent case for cyber-attack prevention (not just detection) in industrial OT/ICS networks
CyberMDX Research Team Discovers Vulnerability in Dell Wyse Thin Clients (Cyber MDX) This page covers two vulnerabilities discovered by CyberMDX and published by Dell on the 21st of December 2020 as CVE-2020-29491 and CVE-2020-29492. The vulnerabilities affect Dell Wyse Thin client devices and once exploited allow attackers to, among other things, remotely run malicious code and access arbitrary files on affected devices.
Vietnam Government Suffers Supply-Chain Attack: All you need to know (TheDigitalHacker) Only a few weeks after the supply chain assault on Able Desktop applications, another similar attack occurred on the website of the Vietnam Government
Email Address of Instagram Users Exposed via Facebook Business Suite (SecurityWeek) A researcher earned over $13,000 from Facebook for a flaw that exposed the email address and birth date of Instagram users via the Facebook Business Suite.
Blog: Dark web indexing service QUO (Digital Shadows) Understand Quo a smart dark web indexing service.
Important! Security Incident Update (EXMO Info Hub) Attention! We detected suspicious withdrawal activity on December 21st, 2020. All withdrawals are temporarily suspended.
Flavors designer Symrise halts production after Clop ransomware attack (BleepingComputer) Flavor and fragrance developer Symrise has suffered a Clop ransomware attack where the attackers allegedly stole 500 GB of unencrypted files and encrypted close to 1,000 devices.
How U.K. Racing Team McLaren Almost Got Phished
(Wall Street Journal) On a Grand Prix race weekend, McLaren’s CEO received an email requesting payment with a click-through link. But the supplier wasn’t real, nor was the link.
Bulletin (SB20-356) Vulnerability Summary for the Week of December 14, 2020 (CISA) The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week.
Google Explains YouTube, Gmail, Cloud Service Outage (SecurityWeek) Google said one of its automated tools used to manage the quota of various resources allocated for services contained a bug that caused error in authentication results, leading to the service outage.
Huntsville City Schools issues cyber attack update on Monday (WAFF) Huntsville City Schools will host a media briefing this afternoon regarding the cyber attack.
Baltimore County principals, teachers feel ‘disrespected’ by communication gaps following ransomware attack (Baltimore Sun) The Teachers Association of Baltimore County and the Council of Administrative and Supervisory Employees said their members have “had enough” and demanded more information from Baltimore County school officials in the wake of the catastrophic ransomware attack.
Cyber Trends
Privacy And Cybersecurity Developments That Shaped 2020 (Law360) The past year has delivered big changes in the privacy and cybersecurity world, from the COVID-19 pandemic spurring a spike in ransomware attacks to an uptick in data collection questions to voters in California backing changes to enhance the state's landmark privacy law.
Insurance fraud trends in 2020: Much the same, yet completely new (BAE Systems) Discover the best practices insurance leaders can take to counter the evolving, evasive world of financial services fraud as we begin a new decade.
Amateur hackers are poking holes in Israel’s image as a cyber superpower (CTECH) Personal details of one of the country’s leading cyber professionals were exposed in the latest Iranian-linked breach of IAI’s Elta Systems
Just 8% of Firms Offer Regular Security Training (Infosecurity Magazine) Just 8% of Firms Offer Regular Security Training. Remote workers exposed as businesses prioritize other things
Infrascale Survey Reveals that SMB and Mid-Market Business Executives Feel More Competitive With the Aid of Managed Service Providers (Infrascale) Research from Infrascale, a cloud-based data protection company that provides industry-leading cloud backup and disaster recovery solutions, indicates that most SMB and mid-market business executives (68%) believe working with a managed service provider (MSP) helps them stay ahead of their competition.
Marketplace
Wall Street Scrambles to Find Security Plays Amid Unfolding SolarWinds Hack (Barron's) Analysts issued a flurry of notes, upping price targets, adjusting recommendations and aggressively bidding up shares of SolarWinds itself.
Some Very Good News: VGS Raises $60M Series C (Very Good Security) VGS is delighted to announce that we have raised $60M in Series C financing led by Vertex Ventures US with participation from existing investors Andreessen Horowitz (a16z) and Goldman Sachs Growth (GS Growth).
OneTrust raises $300 million to automate data governance and compliance (VentureBeat) Data compliance startup OneTrust has raised $300 million, at a $5.1 billion valuation, for product development and global expansion.
OneLogin Expands Its C-Suite with Key Executive Hires (News Break) OneLogin, a global leader in identity and access management (IAM), announced the appointment of two new members to its leadership team, strengthened at the end of a landmark year for OneLogin which saw it named a leader in the 2020 Gartner Magic Quadrant for Access Management. Damon Dean, appointed as...
Google Cloud Nabs Former Cisco Security Leader Jeff Reed (CRN) Jeff Reed, Cisco's former SVP and GM of cloud and network security for Cisco Security is now vice president of product for Google Anthos.
Products, Services, and Solutions
Cybereason and Oracle Team Up for Security at Scale from the Endpoint to the Cloud (Cybereason) Cybereason has entered a strategic partnership with Oracle to protect global enterprises against advanced cybersecurity threats at every endpoint and across the enterprise.
StrikeForce Unveils SafeVchat Delivering Video Conferencing Platform (AiThority) StrikeForce Technologies, Inc., a U.S. based company, announced the controlled rollout of SafeVchat, the first video conferencing platform
BlackBerry CEO: Cyber Suite to Support Microsoft, IBM, VMware UEM (MSSP Alert) BlackBerry CEO John Chen: Cyber Suite gaining UEM integrations with Microsoft Endpoint Manager, VMware Workspace ONE, IBM MaaS360 & more.
IBM Leverages Cloud To Push The Encryption Envelope (The Next Platform) The rapid adoption by enterprises of hybrid cloud and multicloud environments along with the rise of the Internet of Things, a much more remote workforce
Point3 Security’s ESCALATE Platform Wins 2020 CyberSecured Award (BusinessWire) Point3 Security’s ESCALATE Platform Wins 2020 CyberSecured Award; Award-winning Platform Helps Companies Assess Job Candidates' Cybersecurity Skills
Technologies, Techniques, and Standards
6 board of directors security concerns every CISO should be prepared to address (CSO Online) The COVID pandemic and spike in cybercriminal activity has raised interest in security among corporate boards. These are the concerns and questions CISOs say they are now hearing from them.
Cyber Experts Race to Secure Networks Following Broad Cyber Attack on U.S. (Insurance Journal) Russian hackers who broke into U.S. government agencies also spied on less high-profile organizations, including groups in Britain, a U.S. internet
Why Security As A Service Makes Common Sense... (ComputerWeekly) Let us go back in time to 2019 – a time when we could actually attend IT events in a physical way. There I am, on the top level of a stand, having a coffee and scanning the hall, seeing “me too” ...
Marine Corps builds tactical cyber force to help with growing threats (Defense News) MARFORCYBER is sharing its offensive and defensive expertise with the fleet to build a more holistic cyber force.
Legislation, Policy, and Regulation
Ahead of first anniversary of Soleimani’s death, Iran still eyeing retaliation against the United States (Washington Post) Nearly a year after the U.S. airstrike that killed a revered Iranian military leader, a senior American general said that Tehran is still considering retaliatory steps, raising the possibility of renewed confrontation with Iran in the Trump administration’s final days.
Facebook child abuse detection hit by new EU rules (BBC News) A new ban on the scanning of private messages is hampering child protection efforts online.
Liberals won’t commit to date for 5G, Huawei review (thestar.com) Ottawa first expected to make a call about Huawei’s participation in Canada’s 5G networks before the 2019 election. Fourteen months later, the Liberal...
Attorney General Barr breaks with Trump, says SolarWinds hack ‘certainly appears to be the Russians’ (CNBC) By singling out Russia, Barr sided with Secretary of State Mike Pompeo and the rest of the national security establishment but contradicted Trump.
Sen. King: American Credibility Has Failed in Cyberspace (Barron's) The SolarWinds hack makes it obvious: No one in Moscow is afraid they’ll get hit back.
SolarWinds incident should be a catalyst to rethink federal cybersecurity (Federal News Network) Current and former federal cyber experts say lawmakers and the White House should focus on how federal cybersecurity needs to change.
We Have a National Cybersecurity Emergency -- Here's How We Can Respond (Dark Reading) Let's prioritize bipartisan strategic actions that can ensure our national security and strengthen the economy. Here are five ideas for how to do that.
Can Biden whack Russia for its latest big hack? (POLITICO) Retaliation is the easy part. Calibrating the entire U.S. response will be far more delicate task.
How Should the U.S. Respond to Russia’s Cyberattack? (Slate Magazine) The rules of cyberwarfare are still pretty fuzzy.
Trump's bizarre defense of Russian hacks becomes dangerous - comment (The Jerusalem Post) Trump has declared that “everything is under control” when all experts have said that the damage may take months or years to calculate.
Trump’s acting Pentagon chief unlikely to advance plan for splitting NSA, Cyber Command leadership (Washington Post) Some lawmakers suspected that the Trump administration was seeking to install a political loyalist atop the National Security Agency.
Lawmakers throw cold water on splitting Cyber Command from NSA (CyberScoop) DOD officials have suggested the NSA and Cyber Command split, a bipartisan group of lawmakers says the DOD hasn't met standards to do so yet.
Ending the “Dual-Hat” Arrangement for NSA and Cyber Command? (Lawfare) Are big changes afoot at Cyber Command? What are the relevant legal constraints?
FCC affirms ZTE poses U.S. national security threat (ETTelecom) The Federal Communications Commission (FCC) said on Tuesday it had rejected a petition from ZTE Corp asking the agency to reconsider its decision desi..
Commerce Department Will Publish the First Military End User List Naming More Than 100 Chinese and Russian Companies (U.S. Department of Commerce) The Bureau of Industry and Security (BIS) will amend the Export Administration Regulations (EAR) by adding a new ‘Military End User’ (MEU) List, as well as the first tranche of 103 entities, which includes 58 Chinese and 45 Russian companies. The U.S.
What's Next For Cybersecurity Maturity Model Certification (Law360) Companies in the defense supply chain should have confidence their efforts to comply with interim U.S. Department of Defense cybersecurity certification rules won't be for naught in 2021, while those expecting relief from program requirements may be disappointed, because dramatic changes under the Biden administration are unlikely, say attorneys at Rogers Joseph.
Congress (Once Again) Sells Out To Hollywood: Sneaks CASE Act And Felony Streaming Bill Into Government Funding Omnibus (Techdirt.) As we warned about earlier this month, it appears that Congress has in fact put two very controversial copyright provisions into the government funding "omnibus" bill that will be voted on later today. As you may have heard, last night...
CPRA explained: New California privacy law ramps up restrictions on data use (CSO Online) The California Privacy Rights Act (CPRA) is a new law that toughens some data security requirements, brings California more in line with Europe's General Data Protection Regulation, and creates a new state agency—the California Privacy Protection Agency.
Litigation, Investigation, and Law Enforcement
Microsoft, Google, Cisco, Dell join legal battle against hacking company NSO (Reuters) Tech giants including Microsoft and Google on Monday joined Facebook's legal battle against hacking company NSO, filing an amicus brief in federal court that warned that the Israeli firm's tools were "powerful, and dangerous."
Justices Should Narrow CFAA Scope In Van Buren (Law360) In Van Buren v. U.S., the U.S. Supreme Court should consider a narrower definition for the Computer Fraud and Abuse Act's phrase "exceeds authorized access," because the statute section is so broad that it leaves room for theoretically absurd results, says Anthony Volini at DePaul University College of Law.
"If it Hadn't Been for the Prompt Work of the Medics": FSB Officer Inadvertently Confesses Murder Plot to Navalny (bellingcat) Bellingcat and its partners reported that Russia’s Federal Security Service (FSB) was implicated in the near-fatal nerve-agent poisoning of Alexey Navalny on 20 August 2020. The report identified eight clandestine operatives with medical and chemical/biological warfare expertise working under the guise of the FSB’s Criminalistics Institute who had tailed Alexey Navalny on more than 30 …
WSJ News Exclusive | Google, Facebook Agreed to Team Up Against Possible Antitrust Action, Draft Lawsuit Says (Wall Street Journal) Facebook and Google agreed to “cooperate and assist one another” if they ever faced an investigation into their pact to work together in online advertising, according to an unredacted version of a lawsuit filed by 10 states against Google last week.
Zoom Says It’s Being Probed by SEC, Two U.S. Attorneys Offices (Bloomberg) Company says data security, privacy actions under review. Videoconferencing firm’s contacts with China spur scrutiny.
A Little Gloom for the Zoom Boom: FTC Settlement for Unfair and Deceptive Security Practices (JD Supra) Zoom Out: An Overview - The COVID-19 pandemic has prompted an unprecedented uptick in remote work and the need to stay connected from...
FTC Rips Bannon's 'Bluster' In Avoiding Data Harvest Hearing (Law360) Allowing former White House adviser Steve Bannon to continue turning to "bluster" in his bid to avoid testifying about his role in the Cambridge Analytica data-harvesting scandal is not in the public interest, the U.S. Federal Trade Commission said Friday.
Exclusive: Delhi Police has the tools to extract data from smartphones, including iPhones (Medianama) Delhi Police has the tools to extract data from locked smartphones, including iPhones but their effectiveness remains under question.
Google Says Consent Sinks App Users' Data Privacy Suit (Law360) Google is urging a California federal judge to toss a putative class action accusing the tech giant of secretly tracking consumers' browsing activity on third-party mobile apps, arguing that users were clearly aware of and consented to app developers sharing their information with Google.
Privacy watchdog releases damning report into massive Desjardins data breach (Finextra Research) A data breach at Desjardins – the largest ever in the Canadian financial services sector – was caused by a series of gaps in administrative and technological safeguards, according to an investigation by the Office of the Privacy Commissioner of Canada (OPC).
Experian Insists $18M Legal Liabilities Covered By Insurance (Law360) Experian has denied that its policy with two insurers includes an exclusion that should block the consumer reporting giant's High Court attempts to recoup more than $18 million in legal fees.