A Review of the Best News of the Week on Cybersecurity Management & Strategy

Supreme Court narrows interpretation of CFAA, to the relief of ethical hackers (SC Media, Jun 03 2021)
Individuals do not exceed authorized computer access if they obtain data to which they are entitled for improper reasons, 6-3 majority rules.

Chinese Actors Reportedly Breached America’s Largest Transport Network (Infosecurity Magazine, Jun 04 2021)
The attack compromised three computer systems belonging to New York’s Metropolitan Transporation Authority’s (MTA).

US seizes $2.3 million Colonial Pipeline paid to ransomware attackers (Ars Technica, Jun 07 2021)
Funds seized after Justice Department IDs Bitcoin wallet and obtains its private key.

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

How Can I Test the Security of My Home-Office Employees’ Routers? (Dark Reading, Jun 07 2021)
From the most accurate to the most practical, here are a few ways to ensure both employees and organizations are protected from risk.

White House urges private sector to enhance their ransomware defenses (Help Net Security, Jun 04 2021)
In light of the ransomware attacks hitting high-profile targets such as the Colonial Pipeline and JBS, the White House has issued an open letter to private sector companies, urging them to do their part to stymie the threat.

Fujifilm confirms ransomware attack on systems in Japan (SC Media, Jun 04 2021)
In a statement today, the company also said that the impact of the unauthorized access was confined to a specific network in Japan and that they had started to bring network, servers and computers confirmed as safe back into operation.

Ransomware Hit Another Pipeline Firm—and 70GB of Data Leaked (Wired, Jun 07 2021)
LineStar Integrity Services was hacked around the same time as Colonial Pipeline, but radical transparency activists have brought the attack to light.

Colonial Pipeline CEO: Ransomware Attack Started via Pilfered ‘Legacy’ VPN Account (Dark Reading, Jun 08 2021)
No multifactor authentication was attached to the stolen VPN password used by the attackers, Colonial Pipeline president & CEO Joseph Blount told a Senate committee today.

Meat Company JBS Confirms it Paid $11M Ransom in Cyberattack (SecurityWeek, Jun 09 2021)
The world’s largest meat processing company says it paid the equivalent of $11 million to hackers who broken into its computer system late last month.

Security and Human Behavior (SHB) 2021 (Schneier on Security, Jun 04 2021)
“Today is the second day of the fourteenth Workshop on Security and Human Behavior. The University of Cambridge is the host, but we’re all on Zoom.

SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, and myself.”

Latvian Woman Charged for Role In Crafting Trickbot Malware (Dark Reading, Jun 07 2021)
Alla Witte and her associates are accused of using Trickbot to infect tens of millions of computers around the world, the Justice Department reports.

Guidance to help cyber threat intelligence analysts apply MITRE ATT&CK (Help Net Security, Jun 07 2021)
CISA has partnered with the Homeland Security Systems Engineering and Development Institute (HSSEDI), which worked with the MITRE ATT&CK team, to issue guidance to help cyber threat intelligence analysts make better use of MITRE ATT&CK.

DHS chooses companies to run civilian agency vulnerability disclosure programs (SC Media, Jun 08 2021)
The Department of Homeland Security announced Tuesday that it will partner with vulnerability disclosure platform Bugcrowd and government technology, environmental and safety services contractor EnDyna to provide a civilian agency vulnerability disclosure program platform.

NYC’s 1,000-Lawyer Law Department Targeted by Cyberattack (SecurityWeek, Jun 08 2021)
New York City’s law department was been hit with a cyberattack that forced officials to take the 1,000-lawyer agency offline, but Mayor Bill de Blasio said he believes no data was compromised in the hack.

Hackers Force Iowa College to Cancel Classes for Four Days (VICE, Jun 09 2021)
A “cyberattack” is disrupting classes at the Des Moines Area Community College, where the school has cancelled in-person classes for four days and counting.

Information Flows and Democracy (Schneier on Security, Jun 09 2021)
“Henry Farrell and I published a paper on fixing American democracy: “Rechanneling Beliefs: How Information Flows Hinder or Help Democracy.”

It’s much easier for democratic stability to break down than most people realize, but this doesn’t mean we must despair over the future. It’s possible, though very difficult, to back away from our current situation towards one of greater democratic stability.”

54% of all employees reuse passwords across multiple work accounts (Help Net Security, Jun 10 2021)
Yubico released the results of a study into current attitudes and adaptability to at-home corporate cybersecurity, employee training, and support in the current global hybrid working era.

Dawn Cappelli: ‘A CISO needs to bring business value to the company’ (SC Media, Jun 10 2021)
Dawn Cappelli, CISO at Rockwell Automation, says security leaders need to balance passion for the mission with deep understanding of the business environment.

Colonial CEO touts corporate cyber transparency, defends his own (SC Media, Jun 09 2021)
The hearing touched on the internal and external debates that face most executives during a crippling cyberattack: How fast should a company act, and what decisions should be made internally versus in consultation with external advisers or the federal government.

‘We Have to Run a Good Company’: How the FBI Sold Its Encryption Honeypot (VICE, Jun 09 2021)
The FBI had to run its Anom encrypted phone company just like any other, a former Department of Justice official who worked on the case told Motherboard.