A quick Saturday digest of cybersecurity news articles from other sources.
[WordPress Security] Large Scale Attack Campaign Targets Database Credentials
The Wordfence Threat Intelligence Team just published details of an attack harvesting database credentials, targeting over 1 million WordPress sites. For 24 hours, attacks from this campaign accounted for 75% of all exploit attempts on plugins and themes across all of WordPress.
Both the free and paid versions of Wordfence protect you from this attack campaign.
The Wordfence blog has full details…
Regards, Ram Gall – Senior QA Engineer
Apple and Google launch COVID-19 contact tracing API
Also read Bruce Schneier’s article Global Surveillance in the Wake of COVID-19
Is this the kind of power we want to give the government? Contact tracing can be used to keep track of your friends and travels for purposes that have nothing to do with disease control. Apple and Google have released the first phase of their contact tracing framework, intended to help identify people at risk from coronavirus.
Ransomware Group Now Demands $42 Million Not to Release Donald Trump’s Files
OUCH! BBC News was one of the many major media outlets that reported on May 12 that a media and entertainment law firm used by A-list stars including Rod Stewart, Robert De Niro, Sir Elton John, Lady Gaga, and apparently Donald Trump has been hacked.
The website for the New York law firm Grubman Shire Meiselas & Sacks is down, and the hackers claim to have 756 gigabytes of data, including contracts and personal emails. News of the hack surfaced May 9 on Variety.com. The law firm said in a press statement: “We can confirm that we’ve been victimized by a cyber-attack. We have notified our clients and our staff. We have hired the world’s experts who specialize in this area, and we are working around the clock to address these matters.”
Fox News reports:
Also at the KnowBe4 blog with links:
CISA, IRS, USSS, and Treasury Release Joint Alert on Scams Related to Coronavirus Economic Impact Payments
Original release date: May 21, 2020
The Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of the Treasury, Internal Revenue Service (IRS), and United States Secret Service (USSS) have released a Joint Alert with mitigations to help Americans avoid scams related to coronavirus economic impact payments—particularly attempts to steal payments, personal and financial information, and disrupt payment efforts.
CISA encourages consumers to review the Joint Alert, Avoid Scams Related to Economic Payments, COVID-19, and www.cisa.gov/coronavirus for more information.
State Unemployment Systems Looted by Nigerian Hackers, Secret Service Warns
At the start of COVID-19, much of cybersecurity focused on a rise in attacks against the healthcare industry. Now another significant cybercrime target is emerging: state unemployment benefit systems. Hackers are taking advantage of the unprecedented rise in unemployed Americans and the expanded benefits available. “This is a gut punch,” said Suzi LeVine, Commissioner of Washington’s Employment Security Department. Washington State is the epicenter of the attacks, and the federal government has revealed evidence of similar attacks in Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, and Wyoming. An alert issued by the U.S. Secret Service indicates that the scheme is coming from a well-organized Nigerian fraud ring…
Hacktivist Launches Attack on COVID-19 Unemployment Snitch Site
Unemployment is a particularly touchy subject surrounding COVID-19. The Ohio unemployment insurance website, and particularly the site’s “fraud reporting” form, was a perfect example of these tensions. The fraud form was supposed to prevent employees who refused to work from receiving unemployment benefits during a global pandemic. So one hacker decided to advocate for labor rights by doing exactly…
CISA, DOE, and UK’s NCSC Issue Guidance on Protecting Industrial Control Systems
Original release date: May 22, 2020
The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Energy (DOE), and the UK’s National Cyber Security Centre (NCSC) have released Cybersecurity Best Practices for Industrial Control Systems, an infographic providing recommended cybersecurity practices for industrial control systems (ICS). The two-page infographic summarizes common ICS risk considerations, short- and long-term cybersecurity event impacts, best practices to defend ICS processes, and highlights NCSC’s product on Secure Design Principles and Operational Technology. CISA, DOE, and NCSC encourage users to review Cybersecurity Best Practices for Industrial Control Systems. For more in-depth information, visit CISA’s ICS Recommended Practices webpage and DOE’s Cybersecurity Capability Maturity Model (C2M2) Program webpage. For information on CISA Assessments, visit https://www.cisa.gov/cyber-resource-hub.
Firefox to tell you if sites are shortening your passwords
Mozilla is addressing a longstanding password problem: Firefox will alert users when the password they enter exceeds the maximum length a site allows, so they know the site is shortening it rather than storing it as typed.
Microsoft Releases Security Advisory for Windows DNS Servers
Original release date: May 20, 2020
Microsoft has released a security advisory that addresses a vulnerability affecting Windows DNS Servers. An attacker could exploit this vulnerability to cause a denial-of-service condition. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft Advisory ADV200009 for more information and to apply the necessary mitigation or workaround.
Getting started with Firefox Lockwise
I am a big proponent of password managers, and recommend them to everyone. Not everybody is comfortable using full-fledged products such as LastPass. I do run across clients saving their passwords in their browser, though. If you are a Firefox user, check out Lockwise. Firefox Lockwise syncs passwords from the browser so that you can use them to easily sign in to your apps on Android and iOS. This article helps you get started quickly.
Signal secure messaging can now identify you without a phone number
I am a big fan and a user of the encrypted SMS service Signal. Signal is a US-registered non-profit organisation that was founded entirely around making and supporting the messaging app. Signal decoupled its secure messaging service from your phone number – a bit.
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com