A Review of the Best News of the Week on Cybersecurity Management & Strategy

U.S. Targets Russian ‘Evil Corp’ Hacker Group With Sanctions, Indictments (WSJ, Dec 06 2019)
The Trump administration placed a $5 million bounty on the leader of a Russian hacker group called Evil Corp for his alleged work for Moscow’s intelligence agency, part of what U.S. officials say is a broader reprisal for a Kremlin-directed cyber offensive against the U.S.

The fall and rise of a spyware empire (MIT Technology Review, Dec 02 2019)
Human rights abuse and a decimated reputation killed Hacking Team. The new owners want to rebuild.

2020 U.S. census plagued by hacking threats, cost overruns (Reuters, Dec 05 2019)
The Pega-built website was hacked from IP addresses in Russia during 2018 testing of census systems, according to two security sources with direct knowledge of the incident. One of the sources said an intruder bypassed a “firewall” and accessed parts of the system that should have been restricted to census developers.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

US tightens rules on drone use in policy update (Naked Security – Sophos, Nov 29 2019)
When it comes to managing drones (Unmanned Aircraft Systems, or UAS) the US Department of Justice wants Americans to know it’s on the case.

NYPD avoids data disaster after close shave with ransomware (SC Magazine, Nov 27 2019)
The New York Police Department reportedly had a close call with ransomware after its LiveScan fingerprint-tracking system was infected and spread a malicious program to 23 machines. Fortunately, the ransomware did not execute.

DHS Mandates Federal Agencies to Run Vulnerability Disclosure Policy (Schneier on Security, Nov 27 2019)
“The DHS is requiring all federal agencies to develop a vulnerability disclosure policy. The goal is that people who discover vulnerabilities in government systems have a mechanism for reporting them to someone who might actually do something about it. The devil is in the details, of course, but this is a welcome development.”

US Hospitals Fined $2.175M for “Refusal to Properly Report” Data Breach (Infosecurity Magazine, Dec 02 2019)
Sentara Hospitals left with hefty fine after refusal to correctly report breach

Putin signs law making Russian apps mandatory on smartphones, computers (NBC News, Dec 03 2019)
Russia has introduced tougher internet laws in recent years including requiring messaging services to share encryption keys.

Inside Mastercard’s Push for Continuous Security (SecurityWeek, Dec 03 2019)
The Verizon 2019 Payment Security Report, published in November 2019, points out that while PCI DSS conformance at the time of an audit is increasing, PCI sustainability between audits is declining. Verizon notes that in its own forensic breach investigations, no single relevant company was PCI compliant at the time of the breach.

New crypto-cracking record reached, with less help than usual from Moore’s Law (Ars Technica, Dec 03 2019)
795-bit factoring and discrete logarithms achieved using more efficient algorithms.

RSA-240 Factored (Schneier on Security, Dec 03 2019)
“We are pleased to announce the factorization of RSA-240, from RSA’s challenge list, and the computation of a discrete logarithm of the same size (795 bits)”

Insight into NIS Directive sectoral incident response capabilities (Help Net Security, Dec 02 2019)
An analysis of current operational incident response (IR) set-up within the NIS Directive sectors has been released by ENISA. The EU’s NIS Directive (Directive on security of network and information systems) was the first piece of EU-wide cybersecurity legislation.

United States Post Office Faces Cybersecurity Challenges (Infosecurity Magazine, Nov 29 2019)
Report lists narcotics and cybersecurity as challenges faced by modern postal service

Googlers Fired for Breaking Security Policy (Infosecurity Magazine, Nov 28 2019)
Supporters say sacking was motivated by their union activity

What Security Leaders Can Learn from Marketing (Dark Reading, Dec 03 2019)
Employees can no longer be pawns who must be protected all the time. They must become partners in the battle against threats.

RSA Conference 2020 unveils keynote line-up with world-class experts (Help Net Security, Dec 03 2019)
Acclaimed speakers include Mary Barra, Chair and Chief Executive Officer of General Motors Company, Tracy Edwards MBE, Round-the-World Sailor, Author and Social Activist, Kara Swisher, Co-founder and Editor-at-Large of Recode, and Dr. Peggy Whitson, Record-Breaking Astronaut, as well as dozens of prominent cybersecurity experts and innovators.

What’s in a Botnet? Researchers Spy on Geost Operators (Dark Reading, Dec 04 2019)
The investigation of a major Android banking botnet yields insights about how cybercriminals structure and run an illicit business.

McAfee Labs 2020 Threats Predictions Report (McAfee Blogs, Dec 05 2019)
With 2019’s headlines of ransomware, malware, and RDP attacks almost behind us, we shift our focus to the cybercrime threats ahead. Cybercriminals are

The U.N. passed a Russia-backed cybercrime resolution. That’s not good news for Internet freedom. (Washington Post, Dec 05 2019)
Moscow is becoming far more skilled in advancing its agenda at the U.N.

American SMBs Fear Cyber-Attacks from Foreign Countries (Infosecurity Magazine, Dec 03 2019)
Small and medium-sized businesses in the US feel at risk from foreign cyber-attackers