A Review of the Best News of the Week on Cybersecurity Management & Strategy

Illegal Content and the Blockchain (Schneier on Security, Mar 17 2021)
“This openness is also a vulnerability, one that opens the door to asymmetric threats and small-time malicious actors. Anyone can put information in the one and only Bitcoin blockchain. Again, that’s how the system works.”

Foreign Meddling Flooded the 2020 Election—but Not Hackers (Wired, Mar 16 2021)
A new ODNI report shows how extensive Russian and Iranian influence operations were, but it doesn’t mention a single hack-and-leak incident.

Despite Hacks, US Not Seeking Widened Domestic Surveillance (SecurityWeek, Mar 13 2021)
The Biden administration is not planning to step up government surveillance of the U.S. internet even as state-backed foreign hackers and cybercriminals increasingly use it to evade detection, a senior administration official said Friday.

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

US Moves Closer to Retaliation Over Hacking as Cyber Woes Grow (SecurityWeek, Mar 12 2021)
A senior US official said Friday the Biden administration is close to a decision on retaliation for state-sponsored hacking as fears grew over the fallout from the latest of two major cyberattacks.

Ransomware attack forces college to tell students to stay at home (Graham Cluley, Mar 16 2021)
A UK college says it has closed its campus buildings for one week, and advised students that all lessons and lectures will be taking place online, following a ransomware attack.

On the Insecurity of ES&S Voting Machines’ Hash Code (Schneier on Security, Mar 16 2021)
“Andrew Appel and Susan Greenhalgh have a blog post on the insecurity of ES&S’s software authentication system:

It turns out that ES&S has bugs in their hash-code checker: if the “reference hashcode” is completely missing, then it’ll say “yes, boss, everything is fine” instead of reporting an error. It’s simultaneously shocking and unsurprising that ES&S’s hashcode checker could contain such a blunder and that it would go unnoticed by the U.S. Election Assistance Commission’s federal certification process. It’s unsurprising because testing naturally tends to focus on “does the system work right when used as intended?” Using the system in unintended ways (which is what hackers would do) is not something anyone will notice.”

Buffalo Public Schools Cancel Classes Due to Ransomware (Dark Reading, Mar 15 2021)
The FBI is investigating the March 12 attack that disrupted the school system’s phased reopening this week.

Fintech Giant Fiserv Used Unclaimed Domain (Krebs on Security, Mar 17 2021)
If you sell Web-based software for a living and ship code that references an unregistered domain name, you are asking for trouble. But when the same mistake is made by a Fortune 500 company, the results can range from costly to disastrous. Here’s the story of one such goof committed by Fiserv [NASDAQ:FISV], a $6 billion firm…

Facebook’s ‘Red Team X’ Hunts Bugs Outside the Social Network (Wired, Mar 18 2021)
The internal hacking team has spent the last year looking for vulnerabilities in the products the company uses, which could in turn make the whole internet safer.

How to Choose the Right Cybersecurity Framework (Dark Reading, Mar 15 2021)
Cybersecurity frameworks can help reduce your risk of supply chain attacks and increase your competitive advantage.

The Cybersecurity 202: Democrats’ new infrastructure bill highlights cybersecurity concerns (Wsahington Post, Mar 12 2021)
The House’s new $312 billion infrastructure bill, as part of that push, aims to secure the country’s most critical infrastructure – and increase the cybersecurity of essential services, including hospitals, broadband and the electric grid.

The dangers of misusing instant messaging and business collaboration tools (Help Net Security, Mar 17 2021)
71% of office workers globally – including 68% in the US – admitted to sharing sensitive and business-critical company data using instant messaging (IM) and business collaboration tools, Veritas Technologies research reveals.

Why is financial cyber risk quantification important? (Help Net Security, Mar 17 2021)
Cyber incidents are a major risk facing organizations and companies of all sizes and industries. These risks have only increased in the past year, with much of the workforce continuing to work from home due to the COVID-19 pandemic.

Russia Threatens to Block Twitter in a Month (SecurityWeek, Mar 16 2021)
Russian authorities said Tuesday they would block Twitter in a month if it doesn’t take steps to remove banned content, a move that escalates the Russian government’s drawn-out standoff with social media platforms that have played a major role in amplifying dissent in Russia.

Microsoft Probes Clue That Hackers Cracked Taiwan Research (IT Pro, Mar 12 2021)
Microsoft Corp. is investigating whether hackers who attacked its email system exploited the findings of Taiwanese researchers who were the first to alert the software company to the vulnerabilities.

Russian Man Pleads Guilty in Thwarted Tesla Hack (Dark Reading, Mar 19 2021)
Egor Kriuchkov will be sentenced in May on conspiracy charge

FBI: Business Email Compromise Cost $1.8B in 2020 (Dark Reading, Mar 18 2021)
The Internet Crime Complaint Center received a record 791,790 complaints last year, with reported losses exceeding $4.1 billion.

3 in 4 companies have experienced account takeover attacks in the last year (Help Net Security, Mar 19 2021)
The COVID-19 pandemic has accelerated cloud migration and digital transformation amongst 88% of companies and that 71% of Microsoft Office 365 deployments have suffered an account takeover of a legitimate user’s account, not once, but on average seven times in the last year, Vectra reveals.

Average Ransom Payment Surged 171% in 2020 (Infosecurity Magazine, Mar 18 2021)
Report claims incident response costs could ruin some firms

White House forms public-private task force to tackle Microsoft Exchange hack (SC Media, Mar 17 2021)
The Unified Coordination Group established by the National Security Council includes officials from the FBI, the Cybersecurity and Infrastructure Security Agency at DHS, the Office of the Director of National Intelligence and the NSA, as well as private sector companies with specific insights to this incident.”