A newsletter on cybersecurity news, resources and much more. Curated and written by Dominique West. Don’t miss out , subscribe below!
The short version:
Celebrating National Cybersecurity Awareness Month
Latest news in cybersecurity
Tech Events happening around the world
Cybersecurity Job Postings
We are almost halfway through October, which means we are in full swing of National Cybersecurity Month. If you aren't familiar - held every October, National Cybersecurity Awareness Month (NCSAM) is a collaborative effort between government and industry to ensure everyone has the resources they need to stay safe and secure online while increasing the resilience of the Nation against cyber threats.
If you’ve been following me for awhile you know I love this month because all I do is evangelize about security awareness. If you are interested in learning more about NCSAM, I did a blog post and podcast episode explaining this worldwide initiative. There are 4 sub themes for this month and I plan to release an episode each week coinciding with each of the following themes, so be sure to follow along and share with your family and colleagues on how we can all be more security aware and own our protection. Last Thursday I released an episode on week one’s theme: If you connect it, protect it. The episode breaks down the Internet of Things (IoT), how this technology has affected our lives and some simple tips you can do today to keep yourself protected. You can listen to that by clicking here. The next one comes out this Thursday and will be about educating users in the workforce about best practices and the threats organizations are currently facing.
Latest News in Cybersecurity
The latest happening in cybersecurity and technology. Click the title link to read more about the article topic.
Robinhood Users Lose Money Due to Possible Password Reuse Attack: This past Friday was the close of yet another rocky market for the financial industry but also a really scary one for some investors who use the Robinhood investment app. Full disclaimer, the issues I am about to describe are not due to a security breach of Robinhood systems but because of a compromise that happened outside of the platform. In a press statement by the company, "a limited number of customers appear to have had their Robinhood account targeted by cyber criminals because of their personal email account (that which is associated with their Robinhood account) being compromised outside of Robinhood" The company is actively working with the impacted users but it can definitely be accurately speculated that cyber criminals were able figure out the password of the victims emails and used it to probably do a password reset on the Robinhood app. Once successful, the cyber criminals were then able to do what they please in the victim’s Robinhood accounts, including initiating sell offs of stocks and draining their accounts. Why is this important? It emphasizes the risk of not having extra verification protocols placed on your accounts. While MFA doesn't need to be activated on every account you sign up for, simply because your use experience will diminish and lets be honest the average user isn't going to do it, but at the very minimum, strong passwords and MFA should be enabled on all your high risk accounts. By high risk i mean you financial accounts, so your bank, credit cards, and trade accounts such as this story. You should also put MFA on account that have a lot of data on you - so social media, your email accounts, things that store information you wouldn't want to be altered or leaked. Email account compromise is a really big payoff for cyber criminals because our emails are treasure troves of information. If you use one email account for everything, an attacker can do espionage and figure out how to further make your life hell for their profit gain. So let’s not allow them the opportunity to do that. Go do a inventory check of all of your high risk accounts and make sure they have strong passwords and MFA enabled.
Fitbit Applications Can Possibly Steal Personal Data: If you are a Fitbit watch wearer, please be weary about the types of apps you download onto your device as a security research created a proof of concept that shows how Fitbit allows any application to access user data and send that data to any server. Let me explain how. So API, also known as application programming interfaces, are a set of tools that takes data and information and makes it universally accessible. So for example if you've ever ordered food, a waiter or waitress would take your order, communicates it to the kitchen and return with your order. API are the same concept - API makes a call to a server or database, executes the request and returns a response. APIs are a handy tool for app developers and are used basically everywhere, you the user just don’t know it. So in the case of Fitbit, the allow app developers to built widgets and applications for users to install on their Fitbit watch or device. These applications are designed to enhance your usability experience. Unfortunately, if API building doesn't have proper checks and balances, an attacker could take advantage of this nifty tool set and get access to a plethora of data - such as gender, age, height, heart rate, weight and even calendar information. And that's exactly what happened - the security researcher built a fake malicious app to test this out and was able to successfully publish the application to be downloaded in the fitbit gallery (a place thats similar to like the apple store). While a small set of information, it is yet another example of privacy and security flaws built into the everyday hardware and software we consumers bring into our lives. Why is this important? Well, the calendar information is what’s most notable here - now I am not sure about you but I am pretty detailed when it comes to calendar invites. Simply because it’s easy for me to keep track of things in one place and I like to make sure the other calendar guests know what is happening. Now while I would never place super sensitive information in a calendar invite, I know that there are users out there who do. And this calendar information can contain things like personal identifiable information such as name, address, numbers and more or something more serious like a link to a sensitive document with social security numbers. Luckily, Fitbit was responsive to the security researcher who informed them of this flaw and vowed to make the necessary changes to mitigate future breaches. As of this recording there is no definite time frame on when they plan to do so or create a more stringent application review program so in the meantime, be careful about what you download onto you fit-bit and smart fit devices.
Watchdog Blows Whistle on Lack on Cybersecurity Awareness and Governance for FAA: A government watchdog agency has recently reported that Federal Regulators have not taken adequate steps to protect airline computer systems from hackers.In a detailed report last Friday, the agency called the Government Accountability Office, stated that the Federal Aviation Administration has not developed a cybersecurity training program or tested airline computer systems for resiliency against attacks. Without this, they believe the FAA may not be able to ensure sufficient oversight to guard against the evolving cybersecurity risk. While the aircraft manufacturers have built in safeguards and there have thankfully been no report of successful hacker attacks, the auditors noted that the ever-growing use of technology and increasingly complex systems have created “new opportunities for persons with malicious intentions to target commercial transport airplanes.” The data in focus here is the ones automatically transmitted to air traffic controllers, airline maintenance crews and others on the ground, such as data to track planes, data that tells pilots about weather ahead and more. Why is this important? Cybersecurity is a growing risk for every single industry out there. It is evident the need for redesigning and enacting independent cybersecurity testing on new airplanes is of vital importance and the aviation industry has our lives at stake. They need a 0 fail rate and unfortunately we know from previous stories and experience that cyber attackers are willing to compromise anything. Hopefully this new report will invite massive change in Cybersecurity programs for the aviation industry as well as open up job opportunities for those interested in that line of work.
Upcoming Events in Cybersecurity
Did you know Security in Color has a one-view event calendar? Click here to see a month’s view of events and click the event to add to your own Google Calendar. If you see something you are interested in below, click the register here link.
How To Become A Pentester AMA (Part 2). October 14, 8 pm EST. Register here.
Self Care for Security Leaders. October 15, 6 pm EST. Register here.
Cybersecurity Best Practices Seminar. October 16, 7 pm EST. Register here.
VIRTUAL THREAT DEFENSE CHALLENGE. October 17, 11 am EST. Register here.
Cybersecurity Job Postings
I know everyone is trying to secure the bag, so here are some recent job postings for cybersecurity.
Title: Security Analyst - Compliance Operations. Company: Datadog Location: NYC/Remote. Apply here. (Note: If interested in this job, please contact me so I can refer you directly)
Title: Security Analyst Company: Varonis Location: New York, NY. Apply here.
Title: Information Security Analyst (GRC) Company: Intercontinental Exchange Location: Atlanta, GA. Apply here.
Title: Cyber Security Engineer Company: PINPOINT Resource Group Location: Atlanta, GA/Remote. Apply here.
Title: Application Security Engineer Company: Greylock Location: San Francisco, CA/Remote. Apply here.
Thats a wrap for this weeks newsletter. Thanks for being a subscriber. I am forever grateful for your support. See you next time!
Contact Us & Support Info
If you have something you’d like to be featured in the newsletter? Email me at firstname.lastname@example.org
Ready to take your cybersecurity career to the next level, schedule a call.