August is here … wait what? It seems like just yesterday we were quarantining in March, and now we’re … well, we’re still quarantining in August. Time shows no sign of slowing down despite all our “normal” lives seemingly coming to a halt.
However, despite our lives seemingly being on standby, the world of cybersecurity is just as fast-moving as ever before. All of this just goes to show that we’ve got a great installment of Byte Sized News for you this week. This week’s installment of news is focused heavily on the United States. Top stories of the week include the highest and lowest cybersecurity breaches by state, a cyber-bounty placed on those who have sabotaged U.S. elections, and a warning from the NSA about tracking via smartphones.
As always, this series isn’t intended to provide readers with details on every story and topic but rather to fill busy professionals in on the most compelling developments in the field.
Without further ado, let’s get to this week’s top news stories!
The first article this week is from InfoSecurity Magazine and focuses on a group of researchers under the name Comparitech who looked into the history of data breaches in the U.S. over the past 15 years. A major conclusion they drew is that North Dakota has suffered fewer data breaches over the past 15 years than any other state. North Dakota, known as the Peace Garden State, suffered only 19 breaches from 2005-2020, affecting a total of 440,698 records. At the other extreme, California was named as the state with the most data breaches over the same time period. The Sunshine State experienced 1,777 data breaches with a total reach of over 5.6 billion records. California was far and away the worst state for breaches. New York came in second place with less than half the number of breaches compared with California (863 vs. 1,777). Overall, the researchers determined that 12,098 data breaches have occurred in the country since 2005, with more than 11.1 billion records exposed in total. Breaking the research down further by year, they found that 2017 was the worst year for breaches, with 1,683 taking place. However, the highest year for total records exposed was actually 2016, with 4.6 billion records exposed during that time. You can view more of the statistics by navigating to the link below.
The next article comes from HelpNet Security. This article focuses on an important statistic: 42% of organizations are taking disciplinary action against staff who make cybersecurity errors. This statistic was calculated by a team of researchers led by Dr. John Blythe, Head of Behavioral Science at CybSafe. This team conducted a survey of cybersecurity awareness professionals and a lab study that was designed to mimic the real-world outcomes when employees click on phishing emails. While the headline of the story is that over 40% of organizations punish these individuals, there are plenty of other interesting statistics to dissect:
Dr. Blythe discussed many of the research findings. “People fall for phishing attacks and other cybersecurity mistakes because they’re human and because they have been trained to click links. Bad habits are difficult to shake, especially when today’s phishing attacks can be highly convincing,” Blythe stated. In addition, Blythe believes that disciplining employees is a questionable-at-best decision. “Formally punishing staff for making cybersecurity slips is, in the vast majority of instances, a problematic approach. It’s unfair and diminishes productivity. It can cause heightened levels of resentment, stress, and skepticism about cybersecurity. It may also trigger legal challenges. And people are much less likely to report quickly, if at all, when they are frightened of being punished for doing so.”
Moving on to our next article of the week, we have an interesting one from Threatpost. This article details a cyber-bounty of sorts that the United States has put out to acquire information on election meddlers. Rather than focusing this search on the past, the government hopes that information gained from this bounty will help avoid interference in the upcoming Presidential Election in November. The U.S. Department of State’s Rewards for Justice (RFJ) program, which is overseen by the Diplomatic Security Service, will pay for information that can identify or locate someone working with or for a foreign government “for the purpose of interfering with U.S. elections through certain illegal cyber activities,” according to a press release posted on the department’s website. The department is encouraging anyone with information on foreign interference in U.S. elections to contact them via their website or to contact a U.S. Regional Security Officer at the nearest U.S. embassy or consulate. This bounty is being put out in response to recent election breach attempts that have already been uncovered. For example, Google identified two separate phishing campaigns targeting staffers of both President Trump and Democratic candidate Joe Biden by advanced persistent threat (APT) groups. Google reported that a China-linked APT group targeted Biden’s campaign staff, while an Iran-linked APT targeted Trump’s.
Our second-to-last article also comes from Threatpost and covers the “agency known for its own questionable surveillance activity.” That’s right, the NSA is warning the public about the ability of smartphones to track our locations without our knowledge. The agency advised smartphone users to take a look at their settings. Many mobile device users know that turning off first-party features like Find My Phone, Wi-Fi, and Bluetooth can help mitigate tracking. However, the NSA wants to bring attention to third-party applications that are able to track your location with little to no consent necessary. The NSA released an advisory PDF this week to inform users of the many ways that mobile devices, by design, give up personal information. This personal information has informed attackers on how to accurately target individuals through stalkerware, spyware, socially engineered phishing schemes, and much more. This article is an interesting read, as the NSA had its reputation trashed primarily by whistleblower Edward Snowden. Snowden shared details on the NSA’s questionable tactics, including the collection of surveillance on U.S. citizens by accessing telephone and computer activity. Against that backdrop, the agency appears to have taken a 180-degree turn through education, trying to help people help themselves.
Our last article of the week is also from Threatpost and details Emotet’s return after a five-month hiatus. However, this return is not without its fair share of pests. One of these pests has been identified as a “mysterious vigilante,” akin to a virtual Batman. Researchers are saying that this vigilante is fighting threat actors behind the malware’s comeback by replacing malicious Emotet payloads with an overload of GIFs and memes. “Emotet was finding default username and password WordPress installs and hosting its payload there. What our vigilante hero is doing is they’re going around finding those WordPress installs where the Emotet payload has been hosted,” Sherrod DeGrippo, senior director of threat research and detection for Proofpoint, told Threatpost in an interview during Black Hat USA 2020.
The interview between Threatpost’s Lindsey O’Donnell-Welch and Proofpoint’s Sherrod DeGrippo is absolutely worth the watch.