A Review of the Best News of the Week on Cybersecurity Management & Strategy
U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack (Krebs on Security, Feb 10 2020)
“The U.S. Justice Department today unsealed indictments against four Chinese officers of the People’s Liberation Army (PLA) accused of perpetrating the 2017 hack against consumer credit bureau Equifax that led to the theft of personal data on nearly 150 million Americans. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.”
The CIA secretly bought a company that sold encryption devices across the world. Then its spies sat back and listened. (Washington Post, Feb 11 2020)
U.S. and German intelligence agencies partnered on a scheme to dupe dozens of nations into buying rigged encryption systems — taking their money and stealing their secrets.
Half of cybercrime losses in 2019 were the result of BEC scams (Help Net Security, Feb 12 2020)
Business email compromise (BEC) and email account compromise (EAC) scams are still the most lucrative schemes for cybercriminals: the FBI’s Internet Crime Complaint Center (IC3) has calculated that, in 2019, the average monetary loss per BEC/EAC scam complaint reached $75,000.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
These 20 ‘Hackers’ Helped Shape The Cybersecurity Landscape Forever (Forbes, Feb 10 2020)
“I asked cybersecurity experts to name the hackers who have had the biggest impact, good or bad, across the years. This is the result.”
Huawei Hit With New US Charges of Trade Secrets Theft (SecurityWeek, Feb 13 2020)
Chinese tech giant Huawei was hit Thursday with fresh US criminal charges alleging a “decades-long” effort to steal trade secrets from American companies.
Dangerous Domain Corp.com Goes Up for Sale (Krebs on Security, Feb 08 2020)
“corp.com. It is sensitive because years of testing shows whoever wields it would have access to an unending stream of passwords, email and other proprietary data belonging to hundreds of thousands of systems at major companies around the globe.”
Security in 2020: Revisited (Schneier on Security, Feb 07 2020)
“Ten years ago, I wrote an essay: “Security in 2020.” Well, it’s finally 2020. I think I did pretty well. Here’s what I said back then…”
In 2019, a total of 7,098 reported breaches exposed 15.1 billion records (Help Net Security, Feb 11 2020)
In 2019 the total number of records exposed increased by 284% compared to 2018, according to Risk Based Security.
Meet the Guy Selling Wireless Tech to Steal Luxury Cars in Seconds (VICE, Feb 11 2020)
The keyfob sees this low frequency, and goes through the normal challenge response it would as if it was physically next to the car.
DoD to Require Cybersecurity Certification From Defense Contractors (Bleeping Computer, Feb 10 2020)
The United States Department of Defense (DoD) announced that defense contractors will have to meet a basic level of cybersecurity standards when replying to a government acquisition program’s request for proposals by 2026. The Cybersecurity Maturity Model Certification (CMMC) framework version 1.0 was released on January 31 and it is “a unified cybersecurity standard for future DoD acquisitions.”
The future of DNS security: From extremes to a new equilibrium (Help Net Security, Feb 10 2020)
In anticipation of his keynote at HITB Security Conference 2020 in Amsterdam, we talked to internet pioneer Dr. Paul Vixie, Farsight Security Chairman and CEO. Dr. Vixie was inducted into the Internet Hall of Fame in 2014 for work related to DNS and anti-spam technologies.
A tail of two ransomware attacks (SC Media, Feb 07 2020)
The Allegheny Intermediate Unit school system was able to fend off a recent ransomware attack using backup files; meanwhile, the University of Maastricht just disclosed that it paid 30 bitcoins to regain control of its encrypted computer network.
Iran Says Foils Cyberattack Targeting Internet Providers (SecurityWeek, Feb 10 2020)
Iran repelled a cyberattack on Saturday that disrupted the country’s internet services for an hour, a telecommunications ministry official said.
OWASP SAMM version 2: Analyze and improve organizational security posture (Help Net Security, Feb 12 2020)
The OWASP SAMM (Software Assurance Maturity Model) is a community-led open-sourced framework that allows teams and developers to assess, formulate, and implement strategies for better security which can be easily integrated into an existing organizational Software Development Lifecycle (SDLC).
US Bank Slammed for “Vague and Deceptive” Breach Disclosure (Infosecurity Magazine, Feb 12 2020)
Fifth Third Bank has been criticized for writing a cryptic data breach notification letter to its customers.
Report Finds Cybersecurity Issues with US 2020 Census (Infosecurity Magazine, Feb 13 2020)
The US Census Bureau has not fixed cybersecurity weaknesses, according to a Government Accountability Office report.
Healthcare Ransomware Damage Passes $157M Since 2016 (Dark Reading, Feb 11 2020)
Researchers found the total cost far exceeded the amount of ransom paid to attackers.
Great Britain at Odds over Police Use of Facial Recognition Technology (Infosecurity Magazine, Feb 12 2020)
There is no consensus over police use of live facial recognition technology in Great Britain.
What’s It Like for a New CISO? (Lenny Zeltser, Feb 13 2020)
“As of this writing, I’ve spent six months in the role of Chief Information Security Officer (CISO) at Axonius, a rapidly growing technology company. Though I’ve held a variety of leadership positions over the years, working in this capacity and setting is new for me. I’ve been capturing aspects of my journey in talks and articles so that others might learn from my experiences.”
A US Data Protection Agency (Schneier on Security, Feb 13 2020)
The United States is one of the few democracies without some formal data protection agency, and we need one. Senator Gillibrand just proposed creating one.