Cyber News Roundup: Give the Gift of Encryption and Two-Factor Authentication

Editor’s Note: This is your cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive ongoing updates here.

‘Tis the season for shopping. Alas, ‘tis the season for cybercriminals. In his Dark Reading article, Jai Vijayan writes that criminals have begun ramping up their efforts to divert dollars their way via malicious domains, coupons, gift card scams, and counterfeit goods. “Domain-based attacks top the list of threat that retailers face this shopping season,” writes Vijayan. Brand impersonation is another big issue, often used to promote phishing campaigns to direct users to sites that download malware, according to Ashlee Benge, a threat researcher at ZeroFox.

As we are headed into the holiday shopping blitz, it’s not all baubles and glitz. Major retailer, Macy’s, has already experienced a data breach, exposing customer credit card information. According to the TechRepublic article, hackers injected malicious card-skimming code into Macy’s website, resulting in criminals accessing thousands of customer names, credit card information, and addresses. Criminals may have used the information themselves or sold it on the dark web, according to the article. “These types of attacks, called Magecart, are becoming increasingly common as more people open small online businesses and fail to encrypt their sites while recording customer information,” writes reporter Jonathan Greig.

What’s the one thing that retailers can do? Encrypt. Says Charity Wright, cyber threat intelligence advisor, “So many retailers don’t have their point-of-sale processors encrypted and they’re storing credit card data unencrypted, which we can guarantee is the source of most of these breaches.” The article cites experts’ tips for retailers to protect themselves from data breaches:

1. Widespread encryption
2. Have an SSL certificate installed to protect consumers
3. Do frequent audits of their security systems, websites, content management systems, and software
4. Establish policies and procedures to verify that Internet-facing infrastructure is securely configured
5. Restrict third-party vendors’ access to sensitive data

Retailers, banks, even Disney

If it’s not retailers, it’s banks. In the CSO article, “How a bank got hacked (a study in how not to secure your networks), reporter J.M. Porup covers the vigilante hacker Phineas Phisher and the intrusion of Cayman National Bank. The article is a study in how vulnerable our financial institutions are to attackers. Phisher boasts, “Give a person an exploit and they’ll have access for a day, teach them to phish and they’ll have access the rest of their lives.” The heist involved hacking tools – off-the-shelf penetration testing tools, in fact – phishing, malware, and a malicious email. It turns out that Phisher was in the bank’s networks for five months, without being discovered.

Just as soon as Disney Plus, the new streaming service, was rolled out, hackers were busy hacking. Thousands of Disney Plus accounts were hacked and sold online for as little as $3, reports Washington Post. “It’s no surprise that cybercriminals jump on the same bandwagon as everyone else when there’s a big consumer launch,” says Niels Schweisshelm, technical program manager at HackerOne. The article states that other streaming services including Amazon Prime, Hulu, and Netflix have faced similar struggles with hackers. “One thing Disney+ could do to help users would be to roll out support for multi-factor authentication, a simple solution that would prevent attacks relying on password reuse,” states Catalin Cimpanu in his ZDNet article.

Cyber Oregon in the news

In Cyber Oregon-related news, the Oregon State University Security Club (OSUSEC) completed in the U.S. Department of Energy (DOE)’s CyberForce Competition. The team, which includes Zander Work, placed first regionally for the third time in a row — and sixth nationwide.

In other news, Peggy Miller, CEO of PacStar, a cybersecurity pioneer with the company’s advanced communications solutions for the U.S. Department of Defense and a Cyber Oregon sponsor, wins Gold Stevie Award for Executive of the Year. News release here.

Cyber Oregon partner news of interest and a special shoutout to Charlie Kawasaki, Oregon Cybersecurity Advisory Council leader, who is the first inventor of this new cybersecurity patent: PacStar Awarded Patent for IQ-Core Crypto Manager Encryption Management and Setup Software