CyberJudicata Weekly Debrief (2/17–21)
This week's Weekly Debrief covers a lot of interesting topics spanning cyber and privacy, including the MGM breach, a DHS warning to industry following a pipeline ransomware incident, commentary on malware's new age, CCPA, and wearable privacy tech.
"The amount of time hackers spend inside the networks of compromised organisations before being uncovered has massively declined across Europe -- and GDPR is a key reason for the drop. Analysis of cyberattacks by researchers at cybersecurity company FireEye reveals that the median dwell time from the start of an intrusion to it being identified has fallen from 177 days last year to 54 days now -- a 70% decrease."
"A hacking forum this week published details of more than 10.6 million guests who stayed at MGM Resorts, the result of a breach due to unauthorized access to a cloud server that occurred at the famous Las Vegas hotel and casino last summer. The incident—revealed in a published report on ZDNet Wednesday–once again highlights the importance of securing data stored on the cloud as well as the ripple effect breaches can have for companies and victims even long after they’ve occurred."
"The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) earlier today issued a warning to all industries operating critical infrastructures about a new ransomware threat that if left unaddressed could have severe consequences. The advisory comes in response to a cyberattack targeting an unnamed natural gas compression facility that employed spear-phishing to deliver ransomware to the company's internal network, encrypting critical data and knocking servers out of operation for almost two days."
"A proposed class-action lawsuit has been filed against New Jersey's largest hospital health network over a ransomware attack that happened in December. Threat actors infected the computer systems of Hackensack Meridian Health, causing a system-wide shutdown on December 2. The attack disrupted services at 17 urgent care centers, hospitals, and nursing homes operated by the network."
"Ransomware, a type of malware that holds data for ransom, has been around for years. In 1991, a biologist spread PC Cyborg, the first ransomware, by sending floppy disks via surface mail to other AIDS researchers, for instance. In the mid '00s Archiveus was the first ransomware to use encryption, though it's long ago been defeated and you can find its password on its Wikipedia page. In the early 2010s, a series of "police" ransomware packages appeared, so called because they purported to be warnings from law enforcement about the victims' illicit activities and demanded payment of "fines"; they began to exploit the new generation of anonymous payment services to better harvest payments without getting caught."
"With the launch of the latest version of Edge, a new browser race has kicked off, and one of its main focuses is privacy. Some browsers boast a wide range of privacy tools, while others provide only some types of protection. The differences could be worth choosing (or dropping) a browser over."
"On January 1, the California Consumer Privacy Act (CCPA) went into effect, and it could have big ramifications for any netizen in the United States—even if you don't live in California. That's because this new privacy act in California means other states will be unable to completely skirt the rules."
"Privacy has never been fashionable in this country. The Europeans and Canadians seem to care so much about it, and, as well documented in my earlier Heydatadata posts this month, Americans by the millions are sending their DNA to private companies or weight loss factories without any concern at all."
. . .