California Cyber News

Original article posted on datadriveninvestor.com

Avoid Being Tricked By The Automated Army Of Hackers

Part I: Identifying the Problem

“Phishing” is the practice of fooling unsuspecting people into voluntarily giving away their most sensitive data—user names, passwords, social security number, birth dates, and more—by disguising their communication requests to look authentic. Given how easy it is to digitally copy a corporation’s official communication template, this problem is actually far worse than you could ever imagine. Hackers leverage the power of computers to automate sending phishing scams. Hundreds of millions of phishing emails are sent every day for pennies and only a small percent need to work for the system to be rewarded. And rewarded it has been.

  • In 2016, 85 percent of all organizations had suffered phishing attacks and 30% of all phishing emails were opened.
  • In 2017, fake invoicing emails sky-rocketed, CEO fraud emails total $5 billion in losses, and phishing emails that targeted people filing their W-2 forms increased 870%.
  • In 2018, fake invoices become the #1 disguise for distributing malware, Dropbox phishing scams surge and DocuSign lures are the most effective.

Original article posted on informationweek.com

Cybersecurity is more painful to manage as technology architectures become more complex. Simplify your approach by avoiding these major security mistakes.

Effective cybersecurity is becoming a tougher problem as organizations embrace more types of devices and hardware. Protecting organizations requires more than tools, which companies tend to learn the hard way. Granted, as the technology stack changes, new cybersecurity tools become necessary. However, the problem has become so complex that no organization can afford all the tools, all the people, and all of the other resources it would need to protect itself against everything.

“You need to take a risk-based approach to security,” said Garrett Bekker, principal analyst, Information Security at 451 Research. “You have to figure out what is an acceptable level of risk, which is easier said than done.”

Bay Area Cyber Camps

Over the past three months, Irvin Lemus logged more than 7,000 miles and 70 hours on the road. He wasn’t taking a summer vacation road trip — he was checking in on more than 1,000 students who participated in 29 cyber camps throughout the Bay Area.

The 28 Bay Region community colleges voted overwhelmingly to support the summer CyberCamp program over the past two summers. Strong Workforce Program Regional Funding was dedicated to this effort. 

Lemus is the cybersecurity instructor at Cabrillo College and the Bay Area Cyber Competitions Regional Coordinator for the Western Academy Support and Training Center. In that role, he’s built the Bay Area Cyber Competitions program from the ground up and said he does not plan to stop any time soon.

The state wants to add every city and county government to its automated threat feed program in the next three to four years.

The California Cybersecurity Integration Center alerted its partners to the Thomas Fire along Interstate 5, before the largest wildfire in the state’s modern history was phoned in last December.

Someone had taken to Twitter to first report the blaze, and Cal-CSIC’s media scrapers—which plug into its automated threat feed—noticed.

Cal-CSIC, pronounced “cal-sick,” was created by Gov. Jerry Brown’s executive order in August 2015 to prioritize cyber threats to public sector agencies and expand into the private sector.

Study documents growing need for qualified cybersecurity workers in the marketplace.

Sacramento, Calif. – Today, the Governor’s Office of Business and Economic Development (GO-Biz), in conjunction with the Governor’s Office of Planning and Research (OPR), released the results of a California Cybersecurity Labor Market Analysis and Statewide Survey. This document details the findings of a study done by the California Community Colleges Centers of Excellence for Labor Market Research and demonstrates that there is much work to be done in order to adequately prepare Californians for the demands of the digital and cyber economy.

Conducted as part of the California Advanced Supply Chain Analysis & Diversification Effort (CASCADE) initiative funded by the U.S. Department of Defense, the study gathered information about workforce needs in California and the scope of training being provided by educational providers across the state. It found an alarming gap in the supply of qualified cybersecurity workers prepared to fill the 35,000 cybersecurity-related annual job openings that exist in California.

GenCyber Camp Brings Technology to Underserved Groups

Carrie Raleigh didn’t know the first thing about cybersecurity when she started working for the Girl Scouts of San Gorgonio Council. And, who could blame her? It’s a far cry from the things traditionally associated with the scouting program.

Over the past three years, Raleigh and colleague Knea Hawley brought the GenCyber program under the Girl Scouts umbrella and opened the doors for even more young women to learn about cybersecurity.

“I’ve learned so much and it’s been an amazing journey. Now it’s one of those things I talk about all the time,” Raleigh said. “It’s been so eye opening to me realizing the potential in the field for these girls. We can connect them with the training they need for this large opportunity in front of them.”

GenCyber is a nationwide program with camps in nearly all 50 states. The San Bernardino camps were held June 18-22 at CSU San Bernardino. The program was funded by a National Science Foundation grant received by CSUSB that made it free to all attendees. CSUSB has invited the Girl Scouts of San Gorgonio Council to participate in their GenCyber camp since 2015.

Beyond learning the basics of cybersecurity, girls had the opportunity to meet with industry professionals from Google, Facebook and Bank of America just to name a few. While it took a lot of coordination from the GenCyber planning team, Raleigh said it was worth it for the students and the employers.

CompTIA Infrastructure

Original article posted on CompTIA

Stackable certifications demonstrate that you’ve earned multiple CompTIA certifications and have the knowledge and experience needed to grow your IT career. They validate the skills of various IT roles and show a deeper mastery, opening up more job opportunities for you. Stackable certifications require active CE certifications. Good-for-life certification holders may earn these stackable certifications by re-certifying and validating that their skills are up to date.

CompTIA certifications align with IT infrastructure and cybersecurity career paths, with each added certification representing a deepening of your expertise. Core certifications, like CompTIA A+, lay the groundwork for the specialized pathway certifications, and additional professional certifications cover necessary IT skills like project management. For more information visit CompTIA IT Certifications.

For the first time, DOJ describes how it will respond to influence plots like Russia’s interference in the 2016 presidential race.

Original article posted on Politico.com by ERIC GELLER 07/19/2018 08:57 PM EDT

“That policy reflects an effort to articulate neutral principles so that when the issue that the government confronted in 2016 arises again — as it surely will — there will be a framework to address it,” said Deputy Attorney General Rod Rosenstein.

The Justice Department on Thursday issued a wide-ranging report (Cyber Digital Task Force) describing the cyber threats facing the United States and the department’s tactics for investigating, disrupting and deterring those risks.

Most significantly, the report contains the first public description of how the DOJ will assess and respond to foreign influence operations like Russia’s 2016 election meddling.

Original article posted on ThreatPost.com

Two vulnerabilities were discovered on Dongguan Diqee-branded vacuum cleaners, Thursday.

Researchers have uncovered vulnerabilities in a connected vacuum cleaner lineup that could allow attackers to eavesdrop, perform video surveillance and steal private data from victims.

Two vulnerabilities were discovered in Dongguan Diqee 360 vacuum cleaners, which tout Wi-Fi capabilities, a webcam with night vision, and smartphone-controlled navigation controls. These would allow control over the device as well as the ability to intercept data on a home Wi-Fi network.

“Like any other IoT device, these robot vacuum cleaners could be marshaled into a botnet for DDoS attacks, but that’s not even the worst-case scenario, at least for owners,” Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, said on Thursday.

The first member of the Proton malware family?

Original article on SecureList By Mikhail Kuzin, Sergey Zelensky on July 20, 2018. 10:00 am

An interesting aspect of studying a particular piece of malware is tracing its evolution and observing how the creators gradually add new monetization or entrenchment techniques. Also of interest are developmental prototypes that have had limited distribution or not even occurred in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto.

The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.

Girl Scouts unveils 30 new STEM-related badges, including space exploration and cybersecurity

Original article posted on theverge.com

Girl Scouts of the USA announced today that it will introduce a slew of new badges that address what it called “some of society’s most pressing needs” by homing in on STEM and technology-related issues and advocacy for girls.

The 30 badges will be available exclusively for girls between the ages of five and 18 for efforts and advocacy in cybersecurity, robotics, computer science, space exploration, and the environment. The badges will be earned when girls learn how to code or design robots, take action to protect the environment, or learn how to spot crimes being committed online. The new offerings are among a number of badges the organization has introduced over the past years to boost interest and participation in fields where women are traditionally underrepresented.

In November of last year, the Girl Scouts announced that it would integrate STEM-related programs into its organization to help reduce the gender gap in those fields in the future.

Original article posted on WeGoBusiness

California’s new law on consumer privacy that is scheduled to come into effect on 1st January 2020 is not compliant with the provisions of the GDPR. This is despite the fact that the law is being viewed as the US’s most aggressive and strongest step in the sphere of privacy protection.

AB-375 vs GDPR

The new law stipulates that from 1st January 2020 onwards, companies will need to inform California state residents what information they are collecting about state residents and also how they propose to use it in the future.

The law will also allow people to direct such companies to stop selling or delete such private information. However, neither will the statute prevent businesses from collecting information about people nor give California residents the choice to legally order a company to acquire their information.

A new report from Positive Technologies details the top threats facing businesses in a variety of sectors.

Original article posted on techrepublic.com

On Tuesday, Positive Technologies released a report revealing an increase in the number of cyber incidents occurring between Q1 2017 and Q1 2018. According to the report, analysts identified a 32% jump in unique cyber incidents.

While a general growth of cybersecurity issues could be considered typical, the report found that several other cybersecurity-related concerns have also increased over the year.

Hackers, according to the report, have an increased interest in personal data such as account credentials. Data theft also makes up a large share of the total cybersecurity threatscape: 13% more than the 2017 average.

In an age where businesses falling victim to cyberattacks is a daily occurrence, it’s essential that firms have proactive incident response teams that can help to lessen the threat to reputation.

Original article on itproportal.com

We live and do business in a world fraught with cyber risks. Every day, companies and consumers are targeted with attacks of varying sophistication, and it has become increasingly apparent that everyone is considered fair game. Organisations of all sizes and industries are falling victim, and the cyber risk is quickly becoming one of the most prevalent threats.

When disruptions do occur from cyberattacks or other data incidents they not only have a direct financial impact, but an ongoing effect on reputation. For example, Carphone Warehouse fell victim to a cyberattack in 2015, which resulted in the compromising of data belonging to more than three million customers and 1,000 employees. While it suffered financial losses from the remedial costs, which included a £400,000 fine from the Information Commissioner’s Office (ICO), it also led to consumers questioning whether their data was truly secure with the retailer and if it was simply safer to shop elsewhere. That loss in consumer confidence is incredibly difficult to claw back, particularly at a time when grievances can be aired on social media and be shared hundreds or thousands of times.

Article originally posted on https://apnews.com/

SACRAMENTO, Calif. (AP) — Journalists, researchers and political campaigns that receive voter data must tell California officials if it may have been stolen under a new law Gov. Jerry Brown announced he signed Monday.

It requires people and organizations that have California voter registration data to report security breaches affecting the storage of that information, which can include names, birth dates and addresses.

Counties and the secretary of state’s office provide voter registration information to people and organizations who agree to use the data only for journalistic, scholarly, political or government purposes.

The new law directs the secretary of state to develop guidelines for how such information should be securely stored.