BuzzSec

The International Committee of the Red Cross has just published a report: " The Potential Human Cost of Cyber-Operations ." It's the result of an "ICRC Expert Meeting" from last year, but was published this week. Here's a shorter blog post if you don't want to read the whole thing. And commentary by one of the authors. from Schneier on Security https://www.schneier.com/blog/archives/2019/05/the_human_cost_.html

This is a really interesting find . As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here . from Schneier on Security https://www.schneier.com/blog/archives/2019/05/friday_squid_bl_678.html

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xxi/43

“Statistics suggest the average human being falls for a social engineering attack about four times — with training — before they become ‘inoculated’ against that type of attack,” “ Helpful people are a real target,” said David Trepp, IT assurance partner at BPM, a Top 100 Firm in California that also provides pen testing and other security services. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/it-only-takes-three-seconds

New York regulators are investigating a weakness that exposed 885 million mortgage records at First American Financial Corp. [NYSE:FAF] as the first test of the state’s strict new cybersecurity regulation. That measure, which went into effect in March 2019 and is considered among the toughest in the nation, requires financial companies to regularly audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful. On May 24, KrebsOnSecurity broke the news that First American had just fixed a weakness in its Web site that exposed approximately 885 million documents — many of them with Social Security and bank account numbers — going back at least 16 years. No authentication was needed to access the digitized records. On May 29, The New York Times reported that the inquiry by New York’s Department of Financial Services is likely to be followed by other investigations from regulators and law enforcement. First American s

Firing employees for failing phishing tests can be extremely counterproductive and can damage an organization’s overall security posture. That, at any rate, is what two security experts told Brian Krebs recently, and we agree with them.  from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/policy-template-should-failing-phishing-tests-be-a-fireable-offense

Attackers are posing as Office 365 support in emails that warn users about an “unusual volume of file deletion” on their accounts, BleepingComputer has found. The emails claim that a medium-severity alert was triggered by fifteen file deletions within five minutes. If victims click on the link to view the alert’s details, they’ll be taken to a spoofed Microsoft login page. The attackers will then collect their credentials before forwarding them to the legitimate Microsoft login portal. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/delete-notification-as-office-365-phishbait

Citrix last month confirmed the FBI’s suspicions that hackers had used a technique known as “password spraying” to compromise the company’s networks before stealing a massive amount of sensitive information. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/a-case-of-password-spraying

Social engineering attacks using impersonation tactics increased by 67% over the past twelve months, according to Mimecast’s annual State of Email Security report. Mimecast surveyed more than a thousand organizations around the world and found that 94% of them had been targeted by phishing attacks in the past year. More than half of the organizations said these attacks were increasing, and 41% observed a rise in internal malicious emails due to compromised accounts. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/impersonation-phishing-attacks-up-67-in-last-12-months

Original release date: May 30, 2019 Apple has released AirPort Base Station Firmware Update 7.91 to address vulnerabilities in AirPort Extreme and AirPort Time Capsule wireless routers. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Information Security Agency (CISA) encourages users and administrators to review the Apple security page for AirPort Base Station Firmware Update 7.9.1 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy. from US-CERT: The United States Computer Emergency Readiness Team https://www.us-cert.gov/ncas/current-activity/2019/05/30/Apple-Releases-Security-Updates-AirPort-Extreme-AirPort-Time

Canadian government regulators are using the country’s powerful new anti-spam law to pursue hefty fines of up to a million dollars against Canadian citizens suspected of helping to spread malicious software. In March 2019, the Canadian Radio-television and Telecommunications Commission (CRTC) — Canada’s equivalent of the U.S. Federal Communications Commission (FCC), executed a search warrant in tandem with the Royal Canadian Mounted Police (RCMP) at the home of a Toronto software developer behind the Orcus RAT , a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. The CRTC was flexing relatively new administrative muscles gained from the passage of Canada’s Anti-Spam Legislation (CASL), which covers far more than just junk email. Section 7 of CASL deals with the alteration of transmission data, including botnet activity. Section 8 involves the surreptitious installation of computer programs on computers or network

Original release date: May 30, 2019 As the 2019 hurricane season approaches, the Cybersecurity and Infrastructure Security Agency (CISA) warns users to remain vigilant for malicious cyber activity targeting disaster victims and potential donors. Fraudulent emails commonly appear after major natural disasters and often contain links or attachments that direct users to malicious websites. Users should exercise caution in handling any email with a hurricane-related subject line, attachments, or hyperlinks. In addition, users should be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events. To avoid becoming victims of malicious activity, users and administrators should review the following resources and take preventative measures: Staying Alert to Disaster-related Scams Before Giving to a Charity Staying Safe on Social Networking Sites Avoiding Social Engineering and Phishing Attacks If you believe you have been a victim of cybercrime, 

Download slides: http://bit.ly/2MavEMt In this webcast we walk through the step-by-step defenses to stop the attackers in every step of the way we showed in Attack Tactics Part 5!!! Originally recorded as a live webcast on May 16th, 2019Presented by: John Strand, Jordan Drysdale, Kent Ickler Join the BHIS Blog Mailing List – get notified when […] The post Podcast: Attack Tactics 6! Return of the Blue Team appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/podcast-attack-tactics-6-return-of-the-blue-team/

The term "fake news" has lost much of its meaning, but it describes a real and dangerous Internet trend. Because it's hard for many people to differentiate a real news site from a fraudulent one, they can be hoodwinked by fictitious news stories pretending to be real. The result is that otherwise reasonable people believe lies. The trends fostering fake news are more general, though, and we need to start thinking about how it could affect different areas of our lives. In particular, I worry about how it will affect academia. In addition to fake news, I worry about fake research. An example of this seems to have happened recently in the cryptography field. SIMON is a block cipher designed by the National Security Agency (NSA) and made public in 2013. It's a general design optimized for hardware implementation, with a variety of block sizes and key lengths. Academic cryptanalysts have been trying to break the cipher since then, with some pretty good results , altho

Recently I wrote a blog post for Netskope, my employer, discussing the implications of cloud services in the cyber kill from HACKMAGEDDON https://www.hackmageddon.com/2019/05/30/the-cyber-kill-chain/

We're extremely pleased to have won UK's prestigious Network Computing Security Training And Consultancy Provider Of The Year. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/knowbe4-is-uks-security-training-and-consultancy-provider-of-the-year

Security awareness, by its very nature, relies on communication. And that communication, in turn, relies on clarity so that it can be fully understood and applied by the learner. To be effective, your security awareness communications must get the following three components right: from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/why-knowbe4-is-the-only-true-global-security-awareness-training-vendor

There are plenty of different roles and responsibilities a financial institution has to consider; however, one of the more difficult roles to address is that of the Information Security Officer (ISO). Even though all financial institutions have been expected to assign the role of ISO for nearly two decades, many organizations are seemingly still working to flesh out the specific responsibilities that an Information Security Officer should handle.   from SBS CyberSecurity https://sbscyber.com/resources/building-out-the-core-responsibilities-of-an-iso

Would your average Internet user would be any more vigilant against phishing scams if he or she faced the real possibility of losing their job after falling for one too many of these emails? Recently, I met someone at a conference who said his employer had in fact terminated employees for such repeated infractions. As this was the first time I’d ever heard of an organization actually doing this, I asked some phishing experts what they thought (spoiler alert: they’re not fans of this particular teaching approach). John LaCour is founder and chief technology officer of PhishLabs , a Charleston, S.C. based firm that helps companies educate and test employees on how not to fall for phishing scams. The company’s training courses offer customers a way to track how many employees open the phishing email tests and how many fall for the lure. LaCour says enacting punitive measures for employees who repeatedly fall for phishing tests is counterproductive. “We’ve heard from some of our client

Original release date: May 29, 2019 The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released a Cybersecurity Spotlight on the 2019 Verizon Data Breach Report to raise awareness of data breach incidents and provide recommended best practices for election officials. The report—produced annually by the Verizon Threat Research Advisory Center (VTRAC)—provides analysis on data breach trends affecting a variety of sectors, including public administration, healthcare, and education. The Cybersecurity and Infrastructure Security Agency (CISA) encourages election officials to review MS-ISAC’s Cybersecurity Spotlight and Verizon’s 2019 Data Brach Investigations Report for more information and recommendations. This product is provided subject to this Notification and this Privacy & Use policy. from US-CERT: The United States Computer Emergency Readiness Team https://www.us-cert.gov/ncas/current-activity/2019/05/29/MS-ISAC-Highlights-Verizon-Data-Breach-Repo

The easiest way to avoid falling for scams and other social engineering attacks is to have an understanding of the tactics employed by attackers, according to Roger A. Grimes, writing in CSO. Grimes outlines some of the most common scams and points out the warning signs that are usually present in these schemes. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/red-flags-warn-of-social-engineering

Really interesting talk by former Facebook CISO Alex Stamos about the problems inherent in content moderation by social media platforms. Well worth watching. from Schneier on Security https://www.schneier.com/blog/archives/2019/05/alex_stamos_on.html

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xxi/42

We have recently blogged about KrebsOnSecurity's story on compromised Canadian business email addresses. Here is some updated background on threats to Canadian organizations. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/phishing-canadian-targets

Download slides: http://bit.ly/2MavEMt In this webcast we walk through the step-by-step defenses to stop the attackers in every step of the way we showed in Attack Tactics Part 5!!! Timecode links take you to YouTube: 2:53 Introduction, password spray toolkit, account lockout, honey accounts, canary tokens, and two factor authorization 12:00 PCI #fixthefuture , two […] The post Webcast: Attack Tactics 6! Return of the Blue Team appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/webcast-attack-tactics-6-return-of-the-blue-team/

Krebs on Security is reporting a massive data leak by the real estate title insurance company First American Financial Corp. "The title insurance agency collects all kinds of documents from both the buyer and seller, including Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you're a small business. You give them all kinds of private information and you expect that to stay private." Shoval shared a document link he'd been given by First American from a recent transaction, which referenced a record number that was nine digits long and dated April 2019. Modifying the document number in his link by numbers in either direction yielded other peoples' records before or after the same date and time, indicating the document numbers may have been issued sequentially. The earliest document number available on the site -- 000000075 -- referenced a real estate transaction from 2003. From there, the dates on the docum

After the statistics of April, and those of the first quarter of this troubled 2019, it's time to publish the first timeline of May, covering the main cyber events occurred between May 1st and 15th. In this timeline I have collected a total of 73 events (including 4, that took place in April), so despite the average level remains high, the trend is slightly decreasing compared to the previous two timelines. from HACKMAGEDDON https://www.hackmageddon.com/2019/05/28/1-15-may-2019-cyber-attacks-timeline/

  from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/cyberheistnews-vol-9-23-heads-up-scary-phishing-attack-uses-legal-threats-from-law-firm

Dean Dunham at The Mirror in the UK reported: "Social media is often disgruntled customers first port of call when they want to make a complaint about goods or services these days, but after hearing Andrea’s story this week I would urge caution when doing this. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/a-single-tweet-saw-one-womans-bank-account-entirely-wiped-out

    In The Wild - CyberSecurity Newsletter Welcome to the 120 th  issue of In The Wild, SBS’ weekly CyberSecurity newsletter. The objective of this newsletter is to share threat intelligence, news articles that are relevant, new and updated guidance, and other information you may find helpful. Below, you will find some of the latest-and-greatest news stories, articles, videos, and links from the past week in cybersecurity. Some of the following have been shared by consultants, others by the SBS Institute, and others yet simply been found in the far corners of the Internet. We hope you find the following stories relevant, interesting, and – most of all – useful. Enjoy. Reporting Critical Information Security Areas Upstream SBS Educational Resources One of the most critical aspects of any Information Security Program is communication and sharing information. This is especially true with Executives and Board of Directors, who need to be educated and in