Roller coaster
@semayuce


I read, watch, listen, learn, try-fail-try-succeed, teach, share, and create for security each day. I want to share my week's highlights via this newsletter, hoping they might trigger an action to create a more secure, diverse and inclusive world.

The security journey is never an easy one - every day is a roller coaster ride.

News that caught my eye last week


Leak of California gun owners’ private data far wider than originally reported - The California department of justice admitted it had exposed the personal information of as many as hundreds of thousands of gun owners in the state, in a controversial data breach that appears to be of a far broader scale than the agency first reported.

Cyberattack Shuts Down Unemployment Services Across US - The incident risks stopping tens of thousands of Americans from claiming their unemployment benefits on time.

Hacker gang broke into Silicon Valley chipmaker AMD because of workers’ terrible passwords - A Silicon Valley tech powerhouse has reportedly faced a data breach, in part, due to employees’ purported use of terrible passwords like, er, “password” and “123456.”

Microsoft finds Raspberry Robin worm in hundreds of Windows networks - Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organisations from various industry sectors. The malware, dubbed Raspberry Robin, spreads via infected USB devices.

Zero-Day ‘Follina’ Bug Lays Microsoft Office Open to Attack - A zero-day vulnerability in Microsoft Office allows adversaries to run malicious code on targeted systems via a flaw in a remote Word template feature.

Users of biggest NFT marketplace warned over phishing after data leak - OpenSea, where traders exchange the crypto assets, told customers and newsletter subscribers not to open emails and files “sent by strangers” after revealing the breach. It said its email database had been passed to an unnamed “unauthorised external party” by an employee at a firm used by OpenSea to send automated emails. “We recently learned that an employee of Customer.io, our email delivery vendor, misused their employee access to download and share email addresses – provided by OpenSea users and subscribers to our newsletter – with an unauthorised external party,” said OpenSea.

Shutdown Leaves Macmillan Unable to Handle Book Orders - Macmillan Publishers US once again said that due to a “security incident, which involves the encryption of certain files on our network” the publisher will close its virtual and physical offices through June 28. On Monday, the company first reported the incident, noting that to prevent further damage to its network, it took all of its systems offline.

Wiltshire Farm Foods hit by 'cyber attack' - A large ready meal food company has been hit by a cyber attack. Apetitio is based in Trowbridge and owns Wiltshire Farm Foods which supplies thousands of people across the West, including several hospitals. The firm said it could not call customers as they did not have access to their phone numbers.

Canadian admits to hacking spree with Russian cyber-gang - An ex-Canadian government IT worker has admitted to being a high-level hacker with a Russian cyber-crime group. When he was arrested, police discovered he was in possession of $27m (£22.2m) in Bitcoin.

A Fintech Horror Story: How one company prioritises cyber security - A password link that didn't expire leads to the discovery of exposed personal information at a payments service.

Let's put our thinking hats on...


A REUTERS SPECIAL REPORT: How mercenary hackers sway litigation battles - A trove of thousands of email records uncovered by Reuters reveals Indian cyber mercenaries hacking parties involved in lawsuits around the world – showing how hired spies have become the secret weapon of litigants seeking an edge.

Is Your New Car a Threat to National Security? - Could putting sensor-packed Chinese cars on Western roads be a privacy issue?

Standards, frameworks, legislation, regulation and more


MITRE ATT&CK mappings for Google Cloud security capabilities have just been published - Google Cloud users can now evaluate the effectiveness of native security controls against specific ATT&CK techniques.

What is the EU’s Digital Operational Resilience Act (DORA)? - Although DORA mostly affects the financial sector, these regulations - which aim to boost cyber resilience - will have huge knock-on effects on IT roles and tech companies.

TikTok Tells US Senators It’s Working on Data-Sharing Practices - TikTok Inc., in a letter to nine US senators who accused it of monitoring US citizens, said it is working to meet concerns over its data-sharing practices.

What Business Leaders Need To Know About NATO’s New Cyber Initiative - A new initiative announced by NATO at its summit this week in Madrid has important implications for business leaders who are concerned about cyberattacks. The multinational organization said it will launch a rapid response force that will ramp up collaborations with military and civilian organizations to help meet cyber threats.

Statistics, reports, surveys, benchmarks and more


API Security Losses Total Billions, But It's Complicated - US companies face a combined $12 billion to $23 billion in losses in 2022 from compromises linked to Web application programming interfaces (APIs), which have proliferated with the increased adoption of cloud services and DevOps-style development methodologies, according to an analysis of breach data.

The 7th Annual SANS 2022 Security Awareness Report: Managing Human Risk is now available for download - https://go.sans.org/lp-wp-2022-sans-security-awareness-report

Careers, Women in Security, Inclusion & Diversity and more


Cybersecurity leaders are anticipating mass resignations within the year - The growing threat of attacks combined with industry skill gaps is leading to sky-high burnout rates among cybersecurity professionals.

How security leaders can help their teams avoid burnout - In this blog post, Maria (CEO of Azeria Labs) talks about the industry’s growing interest in Arm assembly and how to help security professionals avoid burnout.

Study of 500,000 students indicates stereotypes associating men with talent are stronger in more developed countries - Despite the strides women have taken in modern society, sexist stereotypes still linger and can have monumental, detrimental effects. A study published in Social Sciences seeks to investigate the relationship between stereotypes that men are smarter and more talented than women and gender gaps.

Interesting stories of the week


HackerOne disclosed on HackerOne - ".. we discovered a then-employee had improperly accessed security reports for personal gain. The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties."

This co-worker does not exist: FBI warns of deepfakes interviewing for tech jobs - The FBI has warned of an uptick in cases where “deepfakes” and stolen personal information are being used to apply for jobs in the U.S. — including faking video interviews.

China lured graduate jobseekers into digital espionage - FT investigation reveals student translators were targeted by front company for Beijing-backed hacking group APT40.

Canada’s national police force admits use of spyware to hack phones - Canada’s national police force has described for the first time how it uses spyware to infiltrate mobile devices and collect data, including by remotely turning on the camera and microphone of a suspect’s phone or laptop.

Kids are earning pocket money selling malware on Discord! - A group of minors has been spotted building, advertising and selling various malware and ransomware strains on Discord, earning pocket money for themselves in the process.

Google made a rookie error and forgot to renew a domain name - Google seemingly let its South African domain name expire on the 1st of July. Google.co.za was unavailable for several hours as a result.

Upcoming events

Thank you for reading this newsletter

Sources for visual materials: Adobe Stock, Unsplash (and yes, you are right, I am deliberately selecting visual material with women. If I cannot find one that includes women at that time, I choose an object/text version instead)

Ayca Akinciturk

Management Team Assistant at Justitieel Complex Schiphol - IND Schiphol

2 years

Dear Sema. Thank you for keeping us posted with all of this important news and updates on a regular basis. As a level 6 Security Management student, I am indeed benefiting from this crucially important source of information so much. Thank you a million for sharing this at your valuable knowledge platform.
