If you use Office 365, think about this: about 40% of organizations are not doing enough to protect Office 365 data!

Darkreading.com reported that “Based on responses from more than 1,000 IT professionals, business executives, and backup administrators, Barracuda found that 40% of IT organizations surveyed don’t use third-party backup tools to protect Office 365 data.” The March 28, 2019 article entitled “40% of Organizations Not Doing Enough to Protect Office 365 Data” included these comments according to the Barracuda study:

…deleted emails are not backed up on Office 365 in the traditional sense. Rather, they are kept in the recycle bin for a maximum of 93 days before they’re deleted forever.

For SharePoint and OneDrive, deleted information gets retained for a maximum of 14 days by Microsoft, and individuals must open a support ticket to retrieve it.

SharePoint and OneDrive are unable to retrieve single items/files; they must restore an entire instance.

It’s unlikely that such short retention policies meet most compliance requirements.

What are you doing to protect Office 365 data?

$100M+ guilty plea for Spearphishing (BEC – Business Email Compromise)!

The Department of Justice reported that “a Lithuanian citizen, pled guilty today to wire fraud arising out of his orchestration of a fraudulent business email compromise scheme that induced two U.S.-based Internet companies (the “Victim Companies”) to wire a total of over $100 million to bank accounts he controlled.”  The March 20, 2019 press release entitled “Lithuanian Man Pleads Guilty To Wire Fraud For Theft Of Over $100 Million In Fraudulent Business Email Compromise Scheme” included these details about what the defendant Evaldas Rimasauskas admitted:

….he devised a blatant scheme to fleece U.S. companies out of $100 million, and then siphoned those funds to bank accounts around the globe.  Rimasauskas thought he could hide behind a computer screen halfway across the world while he conducted his fraudulent scheme, but as he has learned, the arms of American justice are long, and he now faces significant time in a U.S. prison.

As I blogged earlier this month in “Only 47% companies train employees to recognize spear phishing!”, until there is more training, spear-phishing will continue to be a great business!

The Indictment included these allegations:

From 2013 through 2015, RIMASAUSKAS orchestrated a fraudulent scheme designed to deceive the Victim Companies, including a multinational technology company and a multinational online social media company, into wiring funds to bank accounts controlled by RIMASAUSKAS.  Specifically, RIMASAUSKAS registered and incorporated a company in Latvia (“Company-2”) that bore the same name as an Asian-based computer hardware manufacturer (“Company-1”), and opened, maintained, and controlled various accounts at banks located in Latvia and Cyprus in the name of Company-2.  Thereafter, fraudulent phishing emails were sent to employees and agents of the Victim Companies, which regularly conducted multimillion-dollar transactions with Company-1, directing that money the Victim Companies owed Company-1 for legitimate goods and services be sent to Company-2’s bank accounts in Latvia and Cyprus, which were controlled by RIMASAUSKAS.  These emails purported to be from employees and agents of Company-1, and were sent from email accounts that were designed to create the false appearance that they were sent by employees and agents of Company-1, but in truth and in fact, were neither sent nor authorized by Company-1.  This scheme succeeded in deceiving the Victim Companies into complying with the fraudulent wiring instructions.

After the Victim Companies wired funds intended for Company-1 to Company-2’s bank accounts in Latvia and Cyprus, RIMASAUSKAS caused the stolen funds to be quickly wired into different bank accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.  RIMASAUSKAS also caused forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.

Through these false and deceptive representations over the course of the scheme, RIMASAUSKAS caused the Victim Companies to transfer a total of over $100 million in U.S. currency from the Victim Companies’ bank accounts to Company-2’s bank accounts.

What do you think?

Don’t we need Federal Privacy Laws for IoT?

Darkreading.com reported “For the third time in as many years, lawmakers have introduced a bill that would require Internet of Things (IoT) products sold by federal contractors and vendors to abide by government guidelines to ensure a baseline of cybersecurity.”  The March 18, 2019 article entitled “New IoT Security Bill: Third Time’s the Charm?” included these comments about the proposed law called “Internet of Things Cybersecurity Improvement Act of 2019”, which would require the “National Institute of Standards and Technology (NIST) to develop security guidelines for IoT devices sold to the US government”:

…tasks NIST with creating requirements for federal agencies that consider the secure development, identity management, patching and configuration management of IoT devices. In addition, NIST is also tasked with developing recommendations on the management and use of IoT devices by March 31, 2020.

What do you think?

15 Easy Steps to Vanish (including only carrying cash)!

The New York Times reported that a Bitcoin security person “had long been obsessed with the value of privacy, and he set out to learn how thoroughly a person can escape the all-seeing eyes of corporate America and the government. But he wanted to do it without giving up internet access and moving to a shack in the woods.”  The March 12, 2019 article entitled “How a Bitcoin Evangelist Made Himself Vanish, in 15 (Not So Easy) Steps” included these comments about #3 to “Carry cash”:

The most anonymous way to buy things, of course, is to simply use cash…. enough to handle most daily transactions.

Here are details on #8 to “Create a V.P.N. for home internet use”:

In order to shield his internet address and his location, he turned his home internet router into a virtual private network, or V.P.N., that made all his internet traffic appear to come from different internet addresses in different places.

All 15 Easy Steps:

  1. Create a new corporate identity.
  2. Set up new bank accounts and payment cards.
  3. Carry cash.
  4. Get a new phone number.
  5. Stop using the phone for directions.
  6. Move.
  7. Make up a fake name for casual interactions.
  8. Create a V.P.N. for home internet use.
  9. Buy a boring car.
  10. Buy a decoy house to fool the D.M.V.
  11. Set up a private mailbox and remailing service.
  12. Master the art of disguise.
  13. Work remotely.
  14. Encrypt devices when traveling remotely.
  15. Hire private investigators to check your work.

Does this give you any ideas?

Privacy Concerns: Should facial recognition that tracks your buying habits in stores be regulated?

eMarketer.com reported that “more than 60% of respondents thought the technology was ‘creepy’” when it was used for “tracking buying habits, and alerting sales people to shoppers’ preferences and previous purchases as soon as they enter stores.” The March 7, 2019 article entitled “Facial Recognition Brings Opportunity … and Privacy Concerns” included these comments:

Regulators and advocacy groups have also voiced opposition.

Lawmakers haven’t needed encouragement to begin regulating the technology; in February, San Francisco became the first US city to impose a ban on the use of facial recognition by government agencies.

Washington state Sen. Reuven Carlyle proposed a bill to require companies that make facial recognition tech to obtain consumer consent, and notify those consumers when they walk into a store or access a website where it’s in use.

What do you think?