Pete Recommends Weekly Highlights on Cyber security Issues July 5, 2020

Subject: Report Reveals Credit Card Skimmers Hiding In Image Metadata
Source: Gizmodo
https://gizmodo.com/credit-card-skimmers-can-hide-in-an-icons-metadata-1844181377

The latest trick, uncovered by the security firm Malwarebytes, is sneaking credit card-skimming malware into the metadata of a given image file, which can then be loaded onto the webpage of a hacked ecommerce store with the shopper none the wiser—that is, until they notice someone else using their credit card. The malware in question here, Magecart, has been caught in more than a few credit card-skimming schemes before now , but this is the first time that it’s been caught hiding behind a site’s favicon — another name for those little icons that can show up in the address bar of a given site.

filed under: https://gizmodo.com/tag/scams
RSS: https://gizmodo.com/tag/scams/rss


Subject: Feds to oversee grid supply chain effort
Source: FCW
https://fcw.com/articles/2020/06/26/rockwell-ceser-grid-supply-chain.aspx

The Department of Energy’s cybersecurity agency is set to begin the process of prequalifying vendors of bulk power equipment for the U.S. electric grid.

The agency’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) is about to kick off an effort to help prequalify the future acquisition of industrial control system equipment that runs energy critical infrastructure, including bulk power grids, according to Nicholas Andersen, deputy assistant secretary for Infrastructure Security and Energy Restoration.

On May 1, President Donald Trump issued an executive order that would prohibit buying or installing bulk-power system electric equipment that comes from certain “foreign adversary” countries deemed a risk. The order said “unrestricted foreign supply of bulk-power system electric equipment constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”

…The order has caused a lot of anxiety in the bulk power sector. Power providers, he said, “are afraid of ‘rip and replace'” in regards to their current equipment. “There is no ‘rip and replace,’ authority within the executive order,” he said. “It’s not anticipated to be part of the plan. It’s really future-facing, not necessarily focused exclusively what’s in place now.”


Subject: Industry Calls on Government to Invest Billions for Developing Secure 5G Networks
Source: Nextgov
https://www.nextgov.com/emerging-tech/2020/06/industry-calls-government-invest-billions-developing-secure-5g-networks/166490/

Responding to a request for comment from the National Telecommunications and Information Administration, information and communications technology companies outlined ways for the U.S. government to massively invest in the development of fifth-generation networks.

One suggestion is for the U.S. to change rules governing the Export-Import Bank to allow its support for products that are manufactured and deployed overseas. U.S. efforts to secure the country’s telecommunications networks have largely focused on removing the Chinese company Huawei—the globe’s leading provider of 5G equipment—from the ecosystem. Huawei refutes claims it would use its connection to spy on behalf of the Chinese government or compromise critical infrastructure, as U.S. officials fear.

Apart from the security implications, there’s a lot at stake. A Qualcomm estimate puts the economic output 5G will enable by 2035 at $13.2 trillion. In February, Attorney General William Barr said: …“through ownership of a controlling stake, either directly or through a consortium of American and allied companies” the U.S. needs to back a “horse” and actively support Finnish company Nokia or Swedish company Ericsson, two of Huawei’s few competitors. The Information Technology Industry Council, a trade association representing the largest tech companies in the world, including Ericsson, advises against this. ITI instead supports investment in the development of technology and standards for virtualizing network functions performed by physical equipment. This gives operators the ability to mix and match components of a network by using open-source software instead of relying on a single supplier. A fund dedicated to making the idea a reality is outlined in the annual Intelligence Authorization Act, which recently passed committee.

filed under https://www.nextgov.com/emerging-tech/
BONUS(*) RSS: https://www.nextgov.com/rss/emerging-tech/
(*) I had to interpolate the main RSS feed


Subject: Bill introduced to establish National Cyber Director
Source: Homeland Preparedness News
https://homelandprepnews.com/stories/51525-bill-introduced-to-establish-national-cyber-director/

Lawmakers have introduced a measure creating a National Cyber Director position within the White House, who would serve as the president’s principal advisor on cybersecurity issues. The position would be backed with additional statutory authority to review cybersecurity budgets and coordinate national incident response.

RSS feed: https://homelandprepnews.com/rss


Subject: What is a credit bureau?
Source: Reviewed Credit Cards
https://www.reviewed.com/credit-cards/features/what-is-a-credit-bureau

…But credit bureaus are just one type of consumer reporting agency, also called “specialty agencies.” There are dozens of specialty agencies that collect specific types of information about consumers. For example, some track information that’s used for employment and tenant screening, while others look at your utility accounts and insurance claims history. The Consumer Financial Protection Bureau (CFPB) created a list of consumer reporting companies with details about information they collect and how to request your own reports. Here are a few:

  • National Consumer Telecom & Utilities Exchange may have information about
    your utility accounts, such as when you set up an account and made payments.
  • ChexSystems has information on consumer checking and savings accounts.
  • C.L.U.E., or the Comprehensive Loss Underwriting Exchange, collects insurance
    policy and claims information. Insurance companies can use this information when
    setting your premiums.
  • Who reports information to credit bureaus? Rent payments aren’t automatically reported to credit bureaus. But within the past few years, the credit industry started incorporating alternative data, like rent information, into credit reports and credit scores.

Services like RentTrack report rent payments to the credit bureaus, or your landlord can report them directly to Experian RentBureau. Certain credit scores include this information in your score calculations, so consistently paying on time may help boost your credit.


Subject: Beware Of Scammers Using Fake Coronavirus Antibody Tests To Steal Personal Information, Pittsburgh FBI Says
Source: CBS Pittsburgh
https://pittsburgh.cbslocal.com/2020/06/30/fbi-warns-of-fake-coronavirus-antibody-test/

PITTSBURGH (KDKA) — Scammers have found another way to run schemes on people during the
coronavirus pandemic. According to the FBI, scammers are selling fake and or unapproved COVID-19 antibody tests, which can potentially provide phony or faulty results. Supervisory Special Agent Matt Solomon with the Pittsburgh FBI said they haven’t seen the bogus tests in this area, but they are on the lookout. Solomon said if the scheme is done right, the fake tests can look identical to the ones found at the doctor’s office, with results as fake as a sugar pill, leaving people with no legitimate answer as to whether or not they have coronavirus.

But money isn’t all scammers are after. “Fraudsters are also after your personal information. That could be date of birth, name, address, social security information, as well as your personal health information,” said Solomon. Scammers selling the tests may also ask for Medicare and health insurance information, which can be sold for profit or used in other schemes, according to the FBI.


Subject: Key questions about enforcement of California’s privacy law
Source: Business Insider
https://www.businessinsider.com/enforcement-ccpa-california-privacy-law-2020-6

  • Enforcement of California’s privacy law begins today, and many questions linger about how the state will handle it.
  • The law calls for fines against companies that fail to protect consumers’ data, but it’s not clear where the attorney general will focus enforcement.
  • The attorney general has said of offenders “I will descend on them and make an example of them.”
  • Experts say companies need to show they’re making an effort to comply, and pay particular attention to the rules around selling data and data breaches.

Attorney Miriam Wugmeister of the law firm Morrison & Foerster ‘s pre-eminent Global Privacy and Data Security Group, says, “The big question is, where is the attorney general going to focus his attention? It’s likely to be the key provision on companies not selling consumer data, and the ability for people to exercise their individual rights. That’s what we have to wait and see.”

Like Europe’s stringent General Data Protection Regulation, the CCPA provides for sanctions against companies that leak, fail to protect, or mishandle consumer’s personal information, such as their addresses, Social Security numbers, credit information, and other data. The law also allows consumers to demand access to the data a company has extracted and stored about them.


Subject: Companies are paying IBM hackers to target their own remote employees
Source: Business Insider
https://www.businessinsider.com/ibm-cybersecurity-remote-companies-paying-hackers-target-employees-2020-7

  • Cybersecurity is a major challenge for companies with remote workers – and companies are addressing the issue in different ways.
  • Seventy percent of IT pros worry remote workers will expose their companies to hackers, and half of workers admit breaking rules.
  • IBM hires out a team of elite hackers to test remote employees’ defenses.
  • Other experts suggest holding emotional discussions about being hacked or using the subtle power of peer-shaming.
  • The hacking team has tested companies’ employees for years in the office. Now the team is trying the same ploys on remote workers, one of many unusual ways companies are seeking to address security vulnerabilities as remote work continues into the summer and perhaps beyond.

More than 70% of IT professionals surveyed by Black Hat security events worry that quarantined workers breaking company policy could expose enterprise systems and data. And nearly half of remote employees polled by email security firm Tessian cite “not being watched by IT” as a reason for not following safe data practices.

Posted in: Business Research, Competitive Intelligence, Cybercrime, Cybersecurity, E-Commerce, Economy, Encryption, Energy, Health, Healthcare, KM, Legal Research, Technology Trends