Curated news for professionals, and the general public, about topics that are helpful for them to know, and that can help to prevent security incidents and privacy breaches not only at work, but also away from work!
US Senators Are Concerned About Amazon Storing Palm Signatures in the Cloud. How exactly is Amazon ensuring our biometric data never leaks?
August 13, 2021
Fake Covid Vaccination Cards Are on the Rise in the U.S., Europe – WSJ
August 7, 2021
Hospitals try to stamp down COVID-19 misinformation as it grows globally: 6 things to know
August 24th, 2021
Microsoft catches hackers using Morse Code to help cover their tracks.
August 12
Peterborough, N.H. Loses $2.3 Million To Cyber Criminals. “Town officials say the theft came in two parts. First, thieves posed as local school district staff, using forged documents and email accounts to access a million-dollar transfer from the town to the district. The town says it then notified the U.S. Secret Service and a cyber security consulting firm through its liability coverage. Several weeks later, thieves used the same approach to steal a payment intended for contractors working on the Main Street Bridge project.”
August 23, 2021
https://www.nhpr.org/nh-news/2021-08-23/peterborough-nh-loses-2-3-million-to-cyber-criminals
Attack on AWS S3 via SSRF. “This article is based on a true incident that happened with Capital One, where almost 106 million customer accounts were breached. Paige Thompson was accused of the following incident. We are going to understand how the attack happened and where the vulnerability resides so that you can find and report similar in your next voyage to safely secure the firms.”
August 24, 2021
https://sagartiwari1220.medium.com/attack-on-aws-s3-via-ssrf-c047c3a7edde
Cyber Attacks on IoT Devices Are Growing at Alarming Rates [Encryption Digest 64]
August 6, 2021
Can A.I. Outwit Your Buying Habits? In a bid to fight inflation, more firms are turning to computerized pricing. Will it affect customer loyalty?
August 26, 2021
https://www.kornferry.com/insights/this-week-in-leadership/can-ai-outwit-your-buying-habits?
Software supply chains and security - will the Software Bill of Materials approach work?
August 3, 2021
Software supply chains and security - will the Software Bill of Materials approach work?
August 3, 2021
August 5, 2021
The BOM Episode! DBOMs! SBOMs! And...Supply Chain Cybersecurity! With special guest Chris Blask, inventor of the Digital Bill of Materials (DBOMs).
Data Security & Privacy with the Privacy Professor
August 7, 2021
Sensitive government data could be another casualty of Afghan pullout. “The vast majority of classified information that lived on U.S. embassy computers was almost certainly flown out of Afghanistan or destroyed. A lot of government's highly sensitive data is also housed in computer clouds rather than on hard drives and protected with multiple security controls. But reams of unclassified but sensitive material will probably remain in the country, both in digital forms and on paper.”
August 17, 2021
German Marshall Fund Study on Facebook Interactions. “Sites that gather and present information irresponsibly (according to the news-rating service NewsGuard) accounted for a record-high one-fifth of Facebook interactions with U.S.-based sites in the second quarter of 2021, while engagement with articles from outlets that repeatedly publish false content plummeted on Twitter and Facebook. This occurred amidst an overall decline in engagement with all types of sites. After all-time highs in engagement with both types of deceptive news outlets in 2020, sites that publish false content have seen their engagement drop at much higher rates than U.S.-based sites in general, likely as a result of account takedowns and changes in policies around COVID-19 misinformation and content moderation.”
Aug 23, 2021
Reddit User Agreement, Privacy Policy, and Premium and Virtual Goods Agreement were updated.
They will take effect “after September 12.”
https://www.redditinc.com/policies/user-agreement
https://www.redditinc.com/policies/privacy-policy
https://www.redditinc.com/policies/premium-and-virtual-goods-agreement
US, Singapore Sign Cybersecurity Agreements. Nations Agree to Collaborate on Information Sharing, Training
August 23, 2021
https://www.bankinfosecurity.com/us-singapore-sign-cybersecurity-agreements-a-17349?
Russian Disinformation Targets Vaccines and the Biden Administration. A new campaign appears to be spreading falsehoods about the potential for forced inoculations against Covid-19.
August 5, 2021
Homeland Security warns of potential conspiracy theory-fueled violence in August.
August 9, 2021
Facebook pulls down fake accounts that spread COVID-19 vaccine disinformation. The social network says the operation was based in Russia and posted about the AstraZeneca and Pfizer COVID-19 vaccines.
August 10, 2021
Enhanced Drug Distribution Security at the Package Level Under the Drug Supply Chain Security Act; Draft Guidance for Industry; Availability; Extension of Comment Period. A Notice by the Food and Drug Administration. FDA is extending the comment period for the notice of availability published on June 4, 2021 (86 FR 30053).
August 3, 2021
Industry, FDA Advance Drug Supply-Chain Security Plan
August 4, 2021
https://www.dcatvci.org/7262-industry-fda-advance-drug-supply-chain-security-plan
John Deere privacy notice. No date on the notice.
???
U.S. FTC says Facebook misused privacy decree to shut down ad research.
August 5, 2021
https://finance.yahoo.com/news/u-ftc-says-facebook-misused-011828449.html
WhatsApp privacy policy: The controversy so for alarming the need of data protection law in India
August 9, 2021
Uber asked contractor to allow video surveillance in employee homes, bedrooms. Employee contract lets company install video cameras in personal spaces.
August 9, 2021
Accenture report shows volume of cyber-intrusion activity globally jumped 125%. The security company found that 54% of all ransomware or extortion victims were companies with annual revenues between $1 billion and $9.9 billion.
August 4, 2021
https://www.zdnet.com/article/volume-of-cyber-intrusion-activity-globally-jumped-125-accenture/
Accenture says Lockbit ransomware attack caused 'no impact'. The IT giant was listed on Lockbit's leak website, and the group said the data came from an "insider", but there was 'no impact' on operations or clients.
August 11, 2021
Ransomware: These four rising gangs could be your next major cybersecurity threat. Cybersecurity researchers at Palo Alto Networks detail four extortion groups that have gained traction in recent months, as the threat of ransomware continues to plague businesses.
August 25, 2021
Kaseya ransomware attack sets off race to hack service providers -researchers
August 3, 2021
A Silicon Valley VC firm with $1.8B in assets was hit by ransomware
August 3, 2021
https://techcrunch.com/2021/08/03/atv-venture-capital-ransomware/
Ransomware is a growing threat: US companies and infrastructure providers need to be ready
August 4, 2021
August 4, 2021
https://www.cnn.com/2021/08/04/politics/neuberger-ransomware-blackmatter/index.html
Joplin: City computer shutdown was ransomware attack
August 5, 2021
Joplin, Missouri, says cybersecurity incident was due to ransomware. Small and mid-sized city government agencies being increasingly targeted.
August 5, 2021
https://www.koamnewsnow.com/joplin-says-cybersecurity-incident-was-due-to-ransomware/
U.S. Taps Amazon, Google, Microsoft, Others to Help Fight Ransomware, Cyber Threats. Creation of Joint Cyber Defense Collaborative follows high-profile cyberattacks on U.S. infrastructure
August 5, 2021
CISA launches new initiative to combat ransomware
August 5, 2021
https://fcw.com/articles/2021/08/05/cisa-jcdc-ransomware-cyber.aspx?m=1
August 6, 2021
https://www.cutimes.com/2021/08/06/7-steps-to-prevent-ransomware/?slreturn=20210707153755
Ransomware payments surge by 82%. Latest Unit 42 figures confirm the ransomware crisis continues to intensify, with the rise of quadruple extortion
August 9, 2021
https://www.strategic-risk-europe.com/home/ransomware-payments-surge-by-82/1438419.article
Hackers reportedly threaten to leak data from Gigabyte ransomware attack. They reportedly claim to have 112GB of AMD, Intel, and other documents.
August 9, 2021
Big Tech Is Coming to Small-Town America, But There's a Catch. "The drive in these big tech companies is to get the workers off their books and have someone [contracted] managing, hiring and firing them."
August 4, 2021
Cyber Security and the Digital Supply Chain!
August 1, 2021
https://supplychaingamechanger.com/cyber-security-and-the-digital-supply-chain/
5 Key Questions When Evaluating Software Supply Chain Security. Knowing what to ask a potential supplier can minimize risks associated with third-party software vulnerabilities and breaches.
August 2, 2021
DOD’s Supply Chain Security Should be Strategic Priority, Congressional Task Force Says
August 2, 2021
Five Developments in ICT Supply Chain Security in July
August 3, 2021
https://www.rstreet.org/2021/08/03/five-developments-in-ict-supply-chain-security-in-july/
Supply chain attacks are getting worse, and you are not ready for them. EU cybersecurity think tank looks at 24 recent supply chain attacks, and warns that defences against them are not good enough.
August 3, 2021
https://www.zdnet.com/article/supply-chain-attacks-are-getting-worse-and-you-are-not-ready-for-them/
Supply Chain Security: “The Government is Not Going to Fix This”
August 4, 2021
https://duo.com/decipher/supply-chain-security-the-government-is-not-going-to-fix-this
Supply Chain Security – Not As Easy As it Looks
August 6, 2021
https://securityboulevard.com/2021/08/supply-chain-security-not-as-easy-as-it-looks/
11 Tactics to Prevent Supply Chain Attacks (Highly Effective)
August 7, 2021
https://www.upguard.com/blog/how-to-prevent-supply-chain-attacks
200 Cybersecurity Influencers On Twitter Making a Difference in 2021. Our CEO, Rebecca Herold, is on the list! From Perimeter 81. “We’ve compiled the largest list of cybersecurity influencers on Twitter to date. 200 amazing and inspiring people that are making the interconnected world a safer place. The list includes hackers, journalists, founders, service providers, and industry thought leaders from all across the globe.”
August 2, 2021
https://www.perimeter81.com/blog/people-in-cyber/200-cybersecurity-influencers-twitter?
Crypto mining scams targeting tens of thousands of victims using hundreds of android apps. “Lookout, Inc. announced the discovery of major crypto mining scams using hundreds of Android apps.”
July 7, 2021
Google requires app developers to use 2FA — boosting Android security. “Google is introducing two new measures to improve security on the Play Store, requiring Android app developers to use two-factor authentication (2FA) and additional identification requirements.”
July 7, 2021
https://www.laptopmag.com/news/google-requires-app-developers-to-use-2fa-boosting-android-security
Reduce open source software risks in your supply chain
July 12, 2021
https://securityboulevard.com/2021/07/reduce-open-source-software-risks-in-your-supply-chain/
Ring beefs up security for its video devices and apps. End-to-end video encryption is finally getting a full rollout, along with a handful of other security measures.
July 13, 2021
https://www.cnet.com/home/security/ring-beefs-up-security-for-its-video-devices-and-apps/
Apps Built Better: Why DevSecOps is Your Security Team’s Silver Bullet. Phil Richards, vice president and CSO at Ivanti, explains how organizations can design DevOps processes and systems to thwart cyberattacks.
July 14, 2021
https://threatpost.com/apps-built-better-devsecops-security-silver-bullet/167793/
The Android apps on your phone each have 39 security vulnerabilities on average. And it's not just games, but important stuff like banking and payment apps.
July 20, 2021
10 Tech Experts Share Their Selections For Security-Forward Messaging Apps.
July 20, 2021
Securing UX in Open Banking Apps. “Customer consent is the basis of building trust between a business and a user. The open banking industry won’t be able to reach its predicted size of $43.15 billion by 2026 if customers don’t believe the platforms are trustworthy.”
July 22, 2021
https://securityboulevard.com/2021/07/securing-ux-in-open-banking-apps/
The Physicality Of Data And The Road To Personal Data Ownership.
July 2, 2021.
The Privacy Risks of Your Fitness Tracker
July 12, 2021
https://vpnoverview.com/privacy/devices/privacy-risks-fitness-tracker/
HIPAA: Controlling Access to ePHI: For Whose Eyes Only? Summer 2021 Cybersecurity Newsletter
July 14, 2021
https://www.hhs.gov/sites/default/files/controlling-access-ephi-newsletter.pdf
50-State Survey of Health Care Information Privacy Laws. From Seyfarth Law Firm.
July 2021.
Almost Two-Thirds Of Firms Are Not In Full Compliance With Privacy Laws.
July 21, 2021
July 30 2021
July 4, 2021
Up to 1500 businesses affected by Kaseya supply chain ransomware attack
July 6, 2021
Bill targets supply chain security training
July 6, 2021
https://homelandprepnews.com/stories/70904-bill-targets-supply-chain-security-training/
REvil Ransomware Gang Launches Major Supply Chain Attack Through Kaseya
July 7, 2021
https://securityintelligence.com/posts/revil-ransomware-kaseya-supply-chain-attack/
Making cities naturally safe from supply chain shocks
July 7, 2021
https://news.nau.edu/nature-supply-chain-shocks/#.YQVyAI5Kg6Y
Non-profit Global Business Alliance launches supply chain subsidiary
July 13, 2021
Senate Panel Approves K-12 Cyber Protection, Supply Chain Security Bills
July 14, 2021
Homeland Security orders pipeline operators to beef up cybersecurity to protect fuel supply chain
July 20, 2021
House E&C Approves Cyber, Supply Chain Bills
July 22, 2021
https://www.meritalk.com/articles/house-ec-approves-cyber-supply-chain-bills/
House task force pushes Pentagon to wean itself off Chinese sources
July 22, 2021
Lack of cyber in Australian supply chain resilience plan has IBM concerned. The federal government on Thursday received the Productivity Commission's final report on vulnerable supply chains, which the likes of IBM hope will contain more focus on 'cyber' than its interim report did.
July 22, 2021
https://www.zdnet.com/article/cyber-is-lacking-in-australias-supply-chain-resilience-plan/
DOD’s Supply Chain Security Should be Strategic Priority, Congressional Task Force Says
July 23, 2021
Supply Chain Security Market worth $1,227 million by 2026
July 23, 2021
GitHub boosts supply chain security for Go modules. Go is now one of the most popular programming languages on the platform.
July 23, 2021
https://www.zdnet.com/article/github-boosts-supply-chain-security-for-go-modules/
2021 breaches illustrate cybersecurity as an urgent critical infrastructure priority
July 29, 2021
Why Supply Chain Security Affects Organizations Everywhere?
July 29, 2021
https://techbullion.com/why-supply-chain-security-affects-organizations-everywhere/
July 30, 2021
https://finance.yahoo.com/news/global-supply-chain-security-market-165200192.html
Regulations.gov: Make a difference. Submit your comments and let your voice be heard.
https://www.wired.com/story/voila-cartoonify-face-privacy-security
https://www.washingtonpost.com/technology/2021/07/15/contacts-sharing-privacy/
Researchers try different approaches to solve problem of amplifying negative stereotypes.
https://arstechnica.com/science/2021/06/the-efforts-to-make-text-based-ai-less-racist-and-terrible
https://www.bbc.com/news/technology-57122120
https://www.statnews.com/2021/06/21/algorithm-bias-playbook-hospitals/
A majority worries that the evolution of artificial intelligence by 2030 will continue to be primarily focused on optimizing profits and social control. They also cite the difficulty of achieving consensus about ethics. Many who expect progress say it is not likely within the next decade. Still, a portion celebrate coming AI breakthroughs that will improve life
https://www.pewresearch.org/internet/2021/06/16/experts-doubt-ethical-ai-design-will-be-broadly-adopted-as-the-norm-within-the-next-decade/?mod=djemAIPro
Researchers have discovered that even sophisticated AI technology designed to create synthetic content can leave ’fingerprints’
June 16, 2021
https://www.wsj.com/articles/facebook-michigan-state-develop-deepfake-detection-technique-11623859200?st=da6t6chng3syvyd&reflink=desktopwebshare_permalink
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/you-might-want-to-audit-your-laps-permissions/ba-p/2280785
https://itspmagazinepodcast.com/episodes/safe-to-drink-cyber-attacks-and-the-water-supply-what-you-need-to-know-a-conversation-with-bryson-bort-your-everyday-cyber-with-limor-kessem-and-diana-kelley-nakjfYAi
"If you could imagine a community center run by two old guys who are plumbers, that's your average water plant," one cybersecurity consultant said.
https://www.nbcnews.com/tech/security/50000-security-disasters-waiting-happen-problem-americas-water-supplie-rcna1206
https://katu.com/news/local/school-districts-say-cyber-security-attacks-are-a-growing-risk
https://beta-ctvnews-ca.cdn.ampproject.org/c/s/beta.ctvnews.ca/local/toronto/2021/6/15/1_5471742.html
Hospitals and other covered entities are striking a growing number of agreements to use de-identified patient data for research or to develop AI tools. But they should carefully weigh the risks of sharing this data, experts said.
Jun 17, 2021
https://medcitynews.com/2021/06/researchers-flag-privacy-risks-with-de-identified-health-data/?rf=1
Unique IDs linked to phones are supposed to be anonymous. But there’s an entire industry that links them to real people and their address.
https://www.vice.com/en/article/epnmvz/industry-unmasks-at-scale-maid-to-pii
https://www.theladders.com/career-advice/billions-of-emails-and-passwords-appear-in-largest-data-leak-ever-consumers-should-change-passwords
Over 1 billion search records were accidentally posted online in a CVS Health data breach in late March, as reported by an independent cybersecurity researcher.
https://healthitsecurity.com/news/cvs-health-faces-data-breach1b-search-records-exposed
https://www.rsaconference.com/library/blog/supply-chain-security-awareness-part-3-how-to-fend-off-supply-chain-risks
https://www.ntia.doc.gov/files/ntia/publications/isa_bps_wg_-_2021.06.06.pdf
In a 4-3 decision, the court ruled a police search of garbage left outside of homes for collection is an “unreasonable and thus unconstitutional seizure and search” unless a judge had approved a warrant. "
Consider that, generally in many/most US locations, items put into trash is considered public property and others can, and do, take items from it.
See actual court decision here: https://www.iowacourts.gov/courtcases/8892/embed/SupremeCourtOpinion
https://www.washingtonpost.com/politics/2021/06/16/cybersecurity-202-justice-department-is-racking-up-wins-despite-encryption-concerns/
The agency spent years running a secure phone network for criminals. So much for “going dark.”
https://www.wired.com/story/fbi-anom-phone-network-encryption-debate/
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/06/information-commissioner-s-opinion-live-facial-recognition-technology/
https://www.bbc.com/news/technology-57504717
ID.me's says unemployment fraud is costing taxpayers $400 billion, but his own company is denying claims because of problems with its tech, users say.
https://www.vice.com/en/article/5dbywn/facial-recognition-failures-are-locking-people-out-of-unemployment-systems
The measure would make private use of the technology illegal but would not apply to police. It awaits the mayor's signature.
https://www.wired.com/story/baltimore-ban-facial-recognition-everyone-but-cops
The bill, which only has Democratic support, would bar federal agencies from using the technology without approval from Congress
June 16, 2021
https://www.wsj.com/articles/lawmakers-re-introduce-bill-that-would-ban-facial-recognition-technology-11623854310?reflink=desktopwebshare_permalink
“Press the cone icon on the screen of the Taylor C602 digital ice cream machine, he explains, then tap the buttons that show a snowflake and a milkshake to set the digits on the screen to 5, then 2, then 3, then 1. After that precise series of no fewer than 16 button presses, a menu magically unlocks. Only with this cheat code can you access the machine’s vital signs: everything from the viscosity setting for its milk and sugar ingredients to the temperature of the glycol flowing through its heating element to the meanings of its many sphinxlike error messages.
“No one at McDonald’s or Taylor will explain why there’s a secret, undisclosed menu," O’Sullivan wrote in one of the first, cryptic text messages I received from him earlier this year.””
https://www.wired.com/story/they-hacked-mcdonalds-ice-cream-makers-started-cold-war
https://www.beckershospitalreview.com/cybersecurity/hacker-removes-files-from-new-mexico-hospital-s-computers-exposes-69-000-patients-info.html
Experts Say Odd Case Offers Forewarning to Others
https://www.govinfosecurity.com/security-firm-coo-charged-in-attack-on-medical-center-a-16866
June 16, 2021
https://www.wsj.com/articles/smart-tires-hit-the-road-11623875808?st=vac7e9w3wsnd95j&reflink=desktopwebshare_permalink
https://www.nbcnews.com/news/amp/ncna1270941
https://www.washingtonpost.com/politics/2021/06/16/technology-202-amy-klobuchar-gets-personal-smart-speakers/
Smart thermostats can be remotely adjusted during periods of high energy demand.
https://www.dailydot.com/debug/texas-remote-controlled-smart-thermostats
https://www.marketwatch.com/story/amazon-may-face-425-million-fine-over-alleged-eu-privacy-violations-report-11623339505
Bills Address Criminal Penalties, School District Protection and More
June 21, 2021
https://www.bankinfosecurity.com/lawmakers-unveil-cybersecurity-legislation-a-16918
SEC: Executives Left in Dark About Vulnerability in File-Sharing System
June 21, 2021
https://www.databreachtoday.com/first-american-financials-sec-breach-settlement-488000-a-16912
https://www.reuters.com/lifestyle/sports/german-firms-air-taxi-aims-be-operational-paris-2024-olympics-2021-06-21
https://www.npr.org/2021/06/12/1002908327/5-ways-for-seniors-to-protect-themselves-from-online-misinformation
https://www.technologyreview.com/2021/06/30/1026338/gen-z-online-misinformation/
https://mitsloan.mit.edu/press/technology-companies-testing-anti-misinformation-accuracy-prompts-developed-mit-research-team
https://theconversation.com/punitive-laws-are-failing-to-curb-misinformation-in-africa-time-for-a-rethink-162961
https://www.scmagazine.com/home/security-news/ransomware/c-suites-adapt-to-ransomware-as-a-cost-of-doing-business/
https://venturebeat.com/2021/06/16/cybereason-80-of-orgs-that-paid-the-ransom-were-hit-again/
https://arstechnica.com/information-technology/2021/06/ukraine-arrests-ransomware-gang-in-global-cybercriminal-crackdown/?amp=1
The trend toward self-driving and electric vehicles will add hundreds of millions of lines of code to cars. Can the auto industry cope?
https://spectrum.ieee.org/cars-that-think/transportation/advanced-cars/software-eating-car
June 18, 2021
https://www.techrepublic.com/article/microsofts-new-security-tool-will-discover-firmware-vulnerabilities-and-more-in-pcs-and-iot-devices/
Flaws in a firmware security tool affect as many as 30 million desktops, laptops, and tablets.
https://www.wired.com/story/dell-firmware-vulnerabilities/
https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
https://www.securitymagazine.com/articles/95444-firmware-security-requires-firm-supply-chain-agreements
https://www.cdc.gov/coronavirus/2019-ncov/variants/variant-surveillance.html
Vicious cycle of monitoring and overwork is fuelling productivity — and a backlash
JUNE 15 2021
https://www.ft.com/content/b74b6ad6-3b8d-4cd8-9dd6-3b49754aa1c7
https://www.amnesty.org/en/latest/news/2021/06/scale-new-york-police-facial-recognition-revealed/
https://www.secureworldexpo.com/industry-news/ohio-decides-to-air-gap-votes
https://spectrum.ieee.org/consumer-electronics/audiovideo/skin-displays-will-give-wearables-their-independence
In a 4-3 decision, the court ruled a police search of garbage left outside of homes for collection is an “unreasonable and thus unconstitutional seizure and search” unless a judge had approved a warrant. "
Consider that, generally in many/most US locations, items put into trash is considered public property and others can, and do, take items from it. This is a significant issue that information assurance practitioners must consider: How w work from home employees and contractors dispose of items that are business related.
See actual court decision here: https://www.iowacourts.gov/courtcases/8892/embed/SupremeCourtOpinion
https://www.scmagazine.com/home/security-news/researchers-offer-advice-on-how-to-block-wfh-employees-from-downloading-pirated-software/
https://www.cityam.com/deloitte-tells-staff-they-can-work-from-home-forever/
HHS Proposal Aims to Improve Patient Record Matching, But What Are the Risks? - June 17, 2021
https://www.govinfosecurity.com/standardizing-patient-addresses-privacy-security-issues-a-16894
https://edps.europa.eu/_en