A quick Saturday digest of cybersecurity news articles from other sources.
Next week, WyzGuys Cybersecurity Blog is having its own Scam Week, and will be focusing on scams we see happening to our clients all the time. A couple are listed below.
Coronavirus warning spreads computer virus
There’s an attachment that you are “strongly recommended to read” on account of coronavirus infections in your area. Don’t open it!
Defending Against COVID-19 Cyber Scams
Original release date: March 6, 2020
The Cybersecurity and Infrastructure Security Agency (CISA) warns individuals to remain vigilant for scams related to Coronavirus Disease 2019 (COVID-19). Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.
CISA encourages individuals to remain vigilant and take the following precautions.
- Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
- Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
- Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
- Review CISA Insights on Risk Management for COVID-19 for more information.
Social Security Administration Designates March 5 as National ‘Slam the Scam’ Day
Original release date: March 4, 2020
In association with the Federal Trade Commission’s National Consumer Protection Week, the Social Security Administration (SSA) has designated March 5 as National “Slam the Scam” Day to educate Americans about telephone scammers impersonating government employees. These scammers aim to gain potential victims’ trust and steal their money and personally identifiable information.
The Cybersecurity and Infrastructure Security Agency (CISA) reminds consumers:
- Government agencies will never call or text you unsolicited and demand immediate payment to avoid arrest or other legal action;
- Government agencies will never ask you to pay fines or fees with retail gift cards, prepaid debit cards, wire transfers, internet currency, or by mailing cash; and
- If you receive these calls or texts, hang up or ignore them, and talk to friends and family to make sure they do the same.
CISA encourages all Americans to visit the SSA’s Slam the Scam webpage, review CISA’s Tip on Avoiding Social Engineering and Phishing Attacks, and participate in the online events scheduled throughout the day.
Google purges 600 Android apps for “disruptive” pop-up ads
These apps plunk ads in front of us when we’re trying to do something else, often leading to inadvertent ad clicks and much cursing.
Malware and HTTPS – a growing love affair
HTTPS web encryption – blessing or curse? A new SophosLabs report looks at how much the crooks love TLS.
Courts: Bank's $2 Million in Losses From a BEC Attack Aren't Covered by Cyberinsurance
Last weekend we reported on the BEC email account hijacking aspects of this case. This report is about the cyber-insurance company that refuses to pay the bank's claim. The bank failed to follow its own procedures for wire transfers, omitting the important step of calling the customer to confirm. The court sided with the insurance firm, and the bank has to absorb the $2 million loss on its own. If you have cyber-insurance, make sure you read both the coverages and the exclusions. In an unrelated case, an insurance company refused a claim from big pharma company Merck because the NotPetya attack has been revealed to be a cyberwar attack by the Russian GRU. The policy excludes payment for loss due to an act of war.
ICISI Democratizes Cyber-Physical™
ICISI bridges the [cyber] security gaps critical infrastructure is facing. Our primary mission is to act as a “bridge-builder” to inspire and revolutionize imaginative solutions that protect the world’s most critical assets from cyber threats.
The International Critical Infrastructure Security Institute (ICISI) is a 501(c)(6) research and workforce development organization that specializes in cybersecurity and the protection of critical infrastructure from cyber-based threats. By providing access to state of the art labs, ICISI grants access to technologies and training that would otherwise be only accessible by the larger laboratories. “ICISI Democratizes Cyber-Physical”™ for all levels of expertise. We provide the environment, training, and staff to push boundaries and innovate new security technologies.
A US Data Protection Agency
[2020.02.13] The United States is one of the few democracies without some formal data protection agency, and we need one. Senator Gillibrand just proposed creating one.
Suspect who refused to decrypt hard drives released after four years
The US Court of Appeals ruled that he couldn’t continue to be held for refusing to give up his passcodes.
FBI: Cybercrime tore a $3.5b hole in victims’ pockets last year
The FBI's Internet Crime Report shows that business email compromise is the biggest money-maker for cybercriminals. See FBI's 2019 Internet Crime Report.
Hoping To Combat ISP Snooping, Mozilla Enables Encrypted DNS
from the encrypt-ALL-the-things! dept
Historically, like much of the internet, DNS hasn’t been all that secure. That’s why Mozilla last year announced it would begin testing something called “DNS over HTTPS,” a significant security upgrade to DNS that encrypts and obscures your domain requests, making it more difficult (though not impossible) to see which websites a user is visiting. Obviously, this puts a bit of a wrinkle in… (full story)
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com