Why Reporting Security Bugs Can Be Fraught With Tension

Jeremy Kirk • October 20, 2021

Reporting security vulnerabilities to organizations with no disclosure policies can be fraught with tension. In the worst conflicts, security researchers could face lawsuits or even prosecution. Experts say laws should provide a safe harbor for responsible security research.

Business Continuity Management / Disaster Recovery

Ransomware: No Decline in Victims Posted to Data Leak Sites

Latest

3rd Party Risk Management

Ransomware Warning: Are Businesses Stepping Up?

Anna Delaney • October 22, 2021

The latest edition of the ISMG Security Report features an analysis of whether businesses are stepping up their ransomware defenses in response to several warnings released by the U.S. and U.K. governments highlighting the threat posed to infrastructure. Also featured are the Thingiverse data breach and airline fraud...

Cyberwarfare / Nation-State Attacks

US Cracks Down on Sale of Offensive Cybersecurity Tools

Mihir Bagwe • October 21, 2021

The U.S. Bureau of Industry and Security has issued an interim final rule to curb and control the export, reexport, or in-country transfer of certain offensive cyber tools that are used in surveillance of private citizens and other malicious activities that undermine the nation's security.

3rd Party Risk Management

House Passes Bills on Both Supply Chain, Telecom Security

Dan Gunderman • October 21, 2021

In a busy congressional day for cybersecurity legislation, the U.S. House of Representatives passed several bills on Wednesday, targeting both software supply chain and telecommunication system security. One observer describes them as "a win-win for the government and U.S. citizens."

Breach Notification

Lyceum Group Targets Two Tunisia-Based Entities

Prajeet Nair • October 21, 2021

Researchers at Kaspersky report that Lyceum group, known for targeting organizations in the energy and telecommunications sectors across the Middle East, has attacked two entities in Tunisia with an updated malware arsenal.

3rd Party Risk Management

Dental Alliance Reports Vendor Breach Affecting 170,000

Marianne Kolbasuk McGee • October 21, 2021

The Professional Dental Alliance is notifying more than 170,000 individuals in about a dozen states of a phishing breach involving an affiliated vendor that provides nonclinical management services to dental practices owned by PDA. Why is breach notification so complicated?

3rd Party Risk Management

Ransomware: Average Ransom Payment Stays Steady at $140,000

Mathew J. Schwartz • October 21, 2021

When a business, government agency or other organization hit by ransomware opted to pay a ransom to its attacker in Q3, the average payment was $140,000, reports ransomware incident response firm Coveware. It says the attack landscape has seen some notable shifts since the Colonial Pipeline attack.

Leadership & Executive Communication

Diversity, Equity and Inclusion Challenges in Cybersecurity

Rashmi Ramesh • October 21, 2021

In a report published earlier this week, (ISC)² - the international non-profit association that certifies cybersecurity professionals - says minority security practitioners, including people of color and women, are underrepresented in the field and offers practical steps to address the issues.

Cybercrime

4 Bulletproof Hosting Provider Admins Getting Sentenced

Mathew J. Schwartz • October 21, 2021

Four extradited Eastern European men have pleaded guilty in U.S. court to one count of conspiring to serve as administrators of a bulletproof hosting service that facilitated online attacks using the Zeus, SpyEye and Citadel Trojans and the Blackhole exploit kit, says the U.S. Department of Justice.

Blockchain & Cryptocurrency

TeamTNT Deploys Malicious Docker Image on Docker Hub

Prajeet Nair • October 21, 2021

Researchers at Uptycs Threat Research have uncovered a campaign in which the cloud-focused cryptojacking group TeamTNT is deploying malicious container images hosted on Docker Hub with an embedded script to download testing tools used for banner grabbing and port scanning.

3rd Party Risk Management

CISA Leader Backs 24-Hour Timeline for Incident Reporting

Dan Gunderman • October 20, 2021

A top leader of the U.S. Cybersecurity and Infrastructure Security Agency has voiced support for a 24-hour timeline for cyber incident reporting involving critical infrastructure, signaling a push by the Biden administration to implement a rapid mechanism for federal response.

3rd Party Risk Management

Ransomware Soap Opera Continues With REvil’s Latest Outage

Mathew J. Schwartz • October 20, 2021

Is there any bigger cybercrime soap opera than the life and times of ransomware operators? Take the REvil, aka Sodinokibi, ransomware-as-a-service operation, which feels like it's disappeared and reappeared more times than the secret, identical twin of the protagonist in your favorite melodrama.

Blockchain & Cryptocurrency

New York Tells 2 Cryptocurrency Firms to Cease and Desist

Dan Gunderman • October 19, 2021

New York State AG Letitia James served cease and desist letters to two cryptocurrency lending platforms that her office says engage in "unregistered and unlawful activities." Three other platforms were told by the OAG to "immediately provide information about their activities and products."