Roller Coaster
I am reading, watching, listening, learning, trying - failing - trying - succeeding, teaching, sharing and creating for security every day. I want to share my week's highlights via this newsletter, hoping they might trigger an action to create a secure, diverse and inclusive world.
The security journey is never an easy one - every day is a roller coaster ride.
News that caught my eye last week
In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.
A location data firm is selling information related to visits to clinics that provide abortions including Planned Parenthood facilities, showing where groups of people visiting the locations came from, how long they stayed there, and where they then went afterwards, according to sets of the data purchased by Motherboard for just over $160.
A yearslong malicious cyber operation spearheaded by the notorious Chinese state actor APT 41 has siphoned off an estimated trillions of dollars' worth of intellectual property from approximately 30 multinational companies within the manufacturing, energy and pharmaceutical sectors.
A newly discovered and uncommonly stealthy Advanced Persistent Threat (APT) group is breaching corporate networks to steal Exchange (on-premise and online) emails from employees involved in corporate transactions such as mergers and acquisitions.
The U.S. Department of Justice (DoJ) has announced the conviction of a California resident on multiple counts relating to a phishing operation that caused $23.5 million in damages to the U.S. Department of Defense (DoD). The fraudster managed to divert to his personal bank account DoD funds destined for a jet fuel supplier.
The department has issued its first sanctions against a Bitcoin mixer, Blender.io, for allegedly and "indiscriminately" helping North Korea launder over $20.5 million in crypto from the $620 million Axie Infinity heist and other crimes.
Let's put our thinking hats on...
Log4Shell, Microsoft Exchange and several patchable flaws top the list of 2021’s most commonly exploited vulnerabilities. The lesson may be a well-worn one: patch systems promptly or work with partners that can.
A lot has happened in response to the Colonial Pipeline cyberattack a year ago today that created a crisis for the company and the country.
For most of us, passwords are the most visible security control we deal with on a regular basis, but we are not very good at it.
Standards, frameworks, legislation, regulation and more
NIST recently released Responding to and Recovering from a Cyber Attack: Cyber security for the Manufacturing Sector, as manufacturers rely on ICS to monitor and control the processes that produce goods for public consumption.
The publication’s revisions form part of NIST’s response to an Executive Order regarding cyber security. The revised publication provides guidance on identifying, assessing and responding to cyber security risks throughout the supply chain at all levels of an organisation.
Since its creation in 2017, the unit has brought more than 80 enforcement actions related to fraudulent and unregistered crypto asset offerings and platforms, resulting in monetary relief totaling more than $2 billion.
The United Kingdom government on Friday outlined the powers it’s planning for its Digital Markets Unit, a regulator set up last year to take on the dominance of tech giants. It didn’t specify when the rules would take effect, saying only that legislation would come “in due course.”
Statistics, reports, surveys, benchmarks and more
Cybercrime is becoming ever bolder. In 2021, Eurojust handled 398 cases covering areas like ransomware, AI & encryption.
The FBI says business email compromise (BEC) and email account compromise (EAC) losses have surpassed $43 billion globally. These losses, which the FBI calls “exposed losses,” include both actual and attempted loss reported between June 2016 and December 2021. In their new report, the IC3 said it received close to 20,000 BEC complaints last year, with estimated adjusted losses of roughly $2.4 billion.
Careers, Women in Security, Inclusion & Diversity and more
The Department of Culture, Media and Sport has released its 2022 "Cyber Security Skills in the UK Labour Market" report. This research into the UK cyber security labour market explores the nature and extent of cyber security skills gaps (people lacking appropriate skills) and skills shortages (a lack of people available to work in cyber security job roles).
This article looks at what has worked, what isn’t working, and whether we can learn from what other countries are doing about gender pay gap reporting.
Interesting stories of the week
Unknown threat actors have been discovered targeting graphic designers and artists with infostealer trojans, security researchers have revealed. Artists from popular sites such as DeviantArt and Pixiv have been getting multiple messages claiming to offer potentially lucrative job roles. However, the job offer is just a disguise, as the sender’s true goal is to distribute an information-stealing trojan with a “good chance” of not being spotted by antivirus solutions.
Hackers are using fake emergency data requests to threaten security researchers online. A hacker has used a fraudulent emergency data request (EDR), a type of subpoena deployed by US law enforcement agencies, to obtain information from Twitter about cybersecurity analysts, before threatening the researchers and their families.
The attack came after the FBI warned that ransomware gangs have been targeting farming groups during the planting and harvesting seasons.
The creator of the most recognisable NFTs available is again in the news for the wrong reasons. Bored Ape Yacht Club creator Yuga Labs recently made its Otherdeed collection available for purchase. Some users were charged thousands in transaction fees, others were scammed for far more.
Upcoming events
Thank you for reading this newsletter
Sources for visuals: Adobe Stock, Unsplash (and yes, you are right, I am deliberately selecting visual material with women. If I cannot find one that includes women at that time, I choose an object/text version instead.)