New Jersey last week officially passed Bill S-52, which amends its previous data breach notification law. Governor Phil Murphy signed the bipartisan legislation into law on May 10, after the bill sailed through the state’s General Assembly and Senate last February. The new law expands the definition of what constitutes personal information that, if exposed in…
A recent malware campaign targeting investment companies and diplomatic agencies has shed light on some of the newest practices and tools of reputed North Korean APT group ScarCruft. While investigating this campaign, researchers from Kaspersky Lab observed a tool for harvesting Bluetooth device data and were able to analyze the group’s multistage binary infection procedure.…
The Department of Homeland Security’s U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued a directive that now gives federal agencies a 15-day deadline to remediate critical-level vulnerabilities that are detected on their internet-accessible systems by CISA’s Cyber Hygiene scanning service. Binding Operational Directive 19-02 supersedes BOD 15-01, which when enacted in 2015 gave…
Twenty-four financial organizations from countries comprising the Group of Seven (G7) nations will reportedly simulate a major cross-border cyberattack on the financial sector next month. The exercise will present a scenario in which malware infects a technical component that is commonly used in the financial sector, according to a Reuters report citing Nathalie Aufauvre, director…
The FBI and Department Homeland Security have jointly issued a new Malware Analysis Report (MAR) warning of the dangers of ELECTRICFISH, a tunneling tool used for traffic funneling and data exfiltration by the North Korea government hacking group Hidden Cobra. ELECTRICFISH is attributed to North Korea. The 32-bit Windows executable file is a command-line utility…
The DHS recently issued a warning against the use of common and or easily guessed passwords after several government agencies have been targeted by “password spray” attacks. In these attacks brute force login attacks, attempt to break into accounts using these simple passwords with the goal of stealing sensitive information and unlike social engineering, these…
Google on Wednesday announced an upcoming, privacy-friendly feature that will automatically delete user location history and web and app activity data after a specified period of time. The new controls will be rolled out in the coming weeks, Google revealed in a blog post authored by David Monsees, “Search” product manager, and Marlo McGriff, “Maps”…
A misconfiguration in the search tool on the city of Columbia, S.C. website had a security flaw that could have exposed database and SMPT server passwords. Independent Researcher Arif Khan discovered the flaw in the fall and began trying to contact the city to disclose, tweeting in November, “Hi @CityofColumbia, A security issue has been detected…
The Washington state legislature went one-for-two this month in its attempt to pass major data breach and privacy regulations. Yesterday, lawmakers unanimously passed HB 1071, which firms up and expands requirements for public breach notifications, but the state apparently has failed to approve a sweeping new state privacy law, SB 5367, after the House declined…
Municipalities took a beating this week with at least four reporting being shut down from new ransomware attacks or struggling to recover from an older incident. Augusta, Maine; Imperial County, Calif.; Stuart, Fla.; and Greenville, N.C. were all in different stages of recovering from ransomware attacks over the last seven days. Augusta City Center operations…
