30 Countries Convene to Address Cybersecurity
US talks global cybersecurity without a key player: Russia
Amid an epidemic of ransomware attacks, the U.S. is discussing cybersecurity strategy this week with 30 countries while leaving out one key player: Russia.

The country that, unwittingly or not, hosts many of the criminal syndicates behind ransomware attacks was not invited to a two-day meeting starting Wednesday to develop new strategies to counter the threat.

White House national security adviser Jake Sullivan called it a gathering of "like-minded" governments in agreement on the urgency of the need to protect citizens and businesses from ransomware. "No one country, no one group can solve this problem," he said in opening remarks.

The virtual discussions will focus in part on efforts to disrupt and prosecute ransomware networks like the one that attacked a major U.S. pipeline company in May, a senior administration official said. The attack on Colonial Pipeline, which led to gas shortages along the East Coast, was attributed to a Russia-based gang of cybercriminals.

The exclusion of a country so closely tied to the global ransomware phenomena reflects the overall poor relations between Moscow and Washington. Despite that, the U.S. has used a "dedicated channel" to address cybersecurity with Russia. apnews.com

Is Your IT Department Prepared?
Ransomware attacks preparedness lagging, despite organizations being aware of the risks
Hornetsecurity released the results of a global study of IT professionals on their preparedness for ransomware attacks. Survey data showed that although companies are increasingly aware of the risks ransomware poses, many organizations lack proper protection and prevention measures.

The state of preparedness for ransomware attacks

1 in every 5 companies falls victim to ransomware attacks - Twenty-one percent of respondents indicated that their organization has suffered a ransomware attack, confirming that it remains one of the most prolific forms of cybercrime. In addition to system downtime, ransomware attacks can be costly. Attacks often require ransom payments, lengthy data recovery efforts, and long-term damage to companies' reputations.

Half of respondents indicated that their management team delegates cyber preparedness to its IT department - Although 86.9% of respondents indicated that their senior leadership team is aware of ransomware risks, nearly half reported that preparation and prevention measures are delegated to the company's IT department.

Because of the significant risks ransomware attacks pose, cyber protection and prevention policies should be company-wide priorities and not relegated to the IT department.

Nearly 1 in 10 companies forced to pay ransom to recover data after ransomware attack - More than 9% of survey participants reported that their company had paid a ransom to recover its data. Conversely, over 90% of respondents indicated that although they were attacked, they were able to recover data from backups; however, many of those that were able to avoid ransom payment still reported losing files during the data recovery process.

15.2% of companies do not protect backups from ransomware - More than 15% of respondents indicated that their companies do not perform regular data backups. Regular backups are recommended to protect data from hardware failures and other operational risks, but they are also imperative to a comprehensive IT security strategy. Most ransomware attacks can be thwarted if the organization's data has recently been backed up.

Nearly 30% of companies fail to provide end-user training on ransomware attacks prevention - End users are one of the biggest threats to any organization. The majority of security breaches result from employees falling victim to successful phishing attacks. As a result, companies should hold regular training on cyberattack trends and warning signs so they are aware of threats and able to avoid putting sensitive data at risk. helpnetsecurity.com

Supply Chain Cybersecurity Breaches
Worldwide supply chains vulnerable as businesses lack visibility into suppliers
BlueVoyant released the findings of its second annual global survey into third-party cyber risk management. The study reveals that 97% of firms surveyed have been negatively impacted by a cybersecurity breach that occurred in their supply chain.

93% admitted that they have suffered a direct cybersecurity breach because of weaknesses in their supply chain and the average number of breaches experienced in the last 12 months grew from 2.7 in 2020 to 3.7 in 2021 - a 37% year-over-year increase.

Companies still not prioritizing their vulnerable supply chains

● Only 13% of companies said that third-party cyber risk was NOT a priority, a drop compared to last year when 22% of companies said that supply chain and third-party cyber risk was not on their radar.

● The frequency with which companies assess their vendors has fallen year-on-year: 47% audited or reported on vendor security no more than twice per year, compared to 32% in 2020.

● 38% of respondents said that they had no way of knowing when or if an issue arises with a third-party supplier's cybersecurity, compared to 29% last year.

● 91% say that budget for third party cyber risk management is increasing in 2021, compared to 81% who said this in 2020.

Commenting on the research findings Adam Bixler, Global Head of Third-Party Cyber Risk Management, BlueVoyant, said: "Even though we are seeing rising awareness around the issue, breaches and the resulting negative impact are still staggeringly high, while the prevalence of continuous monitoring remains concerningly low. Third-party cyber risk can only become a strategic priority through clear and frequent briefings to the senior executive team and the Board. helpnetsecurity.com

Gaps in the Federal Government's Cybersecurity Threat Response
Is the government's response to cybersecurity threats enough for your organization?
With this year's attacks against Colonial Pipeline and Kaseya, ransomware and its impact on infrastructure have been pushed to the forefront of American political consciousness. These cyber attacks brought pain to the public, driving a response from the White House.

The response was followed more recently by memoranda from NIST and the Office of Management and Budget (OMB) clarifying definitions, procedures, and timeframes for the national security effort. Cybersecurity teams must not mistake following this plan for comprehensive protection from risk; there is a significant threat not addressed by the Government's response.

Here's why: the OMB directs government organizations to focus on standalone systems that are connected to critical infrastructure or sensitive information but neglects a key area - the web applications that the private sector has depended on to conduct business for years. Web applications are often deeply integrated and widely accessed within companies, defying the neatly defined security borders of the standalone systems targeted by the OMB. Neglecting web application security therefore neglects a significant area of cyber risk for companies.

Forrester concludes that web applications are the most used attack vector for breaches, but breaches don't usually originate with novel attacks. Data breaches typically originate with well-understood vulnerabilities (and corresponding exploits) that organizations have failed to address. Some breaches are a result of simple accidents or negligence, such as exposed databases. It's clear, then, that in addition to securing the systems specified by the OMB, companies need to secure their web applications and web assets through comprehensive discovery and continuous scanning for vulnerabilities. helpnetsecurity.com

Cybersecurity Training Is Broken - It's Time To Consider Human Risk Management

Microsoft Fixes Zero-Day Flaw in Win32 Driver
 

RH-ISAC's Security Awareness Symposium

Tue, October 26 | 10:00 AM EST

The Security Awareness Symposium is a one-day, online event that is designed to provide security awareness training to employees within all departments of retail, hospitality, and travel organizations. The event celebrates the RH-ISAC's commitment to Cybersecurity Awareness Month and provides both members and non-members an opportunity to provide education and training to their employees.

Click here to register and learn more

Amazon's 'Imitation Game'
Amazon copied products and rigged search results to promote its own brands, documents show

A trove of internal Amazon documents reveals how the e-commerce giant ran a systematic campaign of creating knockoff goods and manipulating search results to boost its own product lines

Amazon.com Inc has been repeatedly accused of knocking off products it sells on its website and of exploiting its vast trove of internal data to promote its own merchandise at the expense of other sellers. The company has denied the accusations.

But thousands of pages of internal Amazon documents examined by Reuters - including emails, strategy papers and business plans - show the company ran a systematic campaign of creating knockoffs and manipulating search results to boost its own product lines in India, one of the company's largest growth markets.

The documents reveal how Amazon's private-brands team in India secretly exploited internal data from Amazon.in to copy products sold by other companies, and then offered them on its platform. The employees also stoked sales of Amazon private-brand products by rigging Amazon's search results so that the company's products would appear, as one 2016 strategy report for India put it, "in the first 2 or three ... search results" when customers were shopping on Amazon.in.

Among the victims of the strategy: a popular shirt brand in India, John Miller, which is owned by a company whose chief executive is Kishore Biyani, known as the country's "retail king." Amazon decided to "follow the measurements of" John Miller shirts down to the neck circumference and sleeve length, the document states.

The internal documents also show that Amazon employees studied proprietary data about other brands on Amazon.in, including detailed information about customer returns. The aim: to identify and target goods - described as "reference" or "benchmark" products - and "replicate" them. As part of that effort, the 2016 internal report laid out Amazon's strategy for a brand the company originally created for the Indian market called "Solimo." The Solimo strategy, it said, was simple: "use information from Amazon.in to develop products and then leverage the Amazon.in platform to market these products to our customers." reuters.com

Weaning Yourself Off of Amazon
What it's really like to quit Amazon
Hundreds of thousands of Americans work at Amazon fulfillment centers-facing injury rates 80% higher than the rest of the industry, as well as COVID-19 outbreaks and death-so the rest of us can get products delivered quickly. Recent reporting has exposed how Amazon has reshaped the American economy, largely for the worse, building its business on grueling working conditions, accelerating climate change, exacerbating social inequality, and destroying small businesses.

And yet, Amazon keeps getting more powerful. The pandemic created the perfect storm for a year of explosive growth, as consumers were afraid to leave their homes and needed daily necessities shipped to their doorstep. In 2020, Amazon generated $386 billion in revenue, up 38% from the year before, and founder Jeff Bezos saw his personal fortune grow by $75 billion. "To be clear: We made Amazon," says Lauren Bitar, a retail analyst at RetailNext. "Amazon did not just come out of the ether as a villain. Consumers wanted convenience and low prices, and Amazon made it happen for us."

I had been wanting to detangle myself from Amazon for a long time. And judging from the many blogs offering advice about how to stop using the platform, I wasn't alone. A CNBC poll found that 59% of people say Amazon is bad for small business, and it's not uncommon for residents to protest when Amazon opens a new warehouse (or proposes a new headquarters). Meanwhile, lawmakers like Bernie Sanders and Elizabeth Warren have used their platform to call out the company's poor treatment of workers and its failure to pay its fair share in taxes. But so far, none of this has made a dent in Amazon's growth.

I wasn't sure I'd be able to wean myself off a service that felt so integral to my life. But in March, after long conversations with my editors about Amazon's negative effect on workers and the planet, I decided to see what it would take to cut the cord. And for the past six months, far from feeling deprived, my new shopping habits have made me feel more fulfilled and empowered. fastcompany.com

Nine Steps Every Entrepreneur Can Take To Scale Up Their E-Commerce Business

DOJ: Florida Man Pleads Guilty to Payment Processing Fraud Scheme
A Florida man pleaded guilty today in the U.S. District Court for the District of Massachusetts to conspiracy to commit wire fraud in connection with a scheme to deceive banks and credit card companies into processing credit and debit card payments on behalf of merchants involved in prohibited and high-risk businesses, including online gambling, debt collection, payday lending, and prescription drugs.

According to court documents and statements made during the plea proceeding, Thomas Wells, 74, of Martin County, fraudulently represented that his merchant clients were engaged in the sale of low-risk retail goods to obtain debit and credit card payment processing for those clients from banks and credit card companies. Wells, through his company Priority Payout, introduced merchant clients seeking payment processing to Allied Wallet Inc., a payment processing company that served as an intermediary between merchants seeking to accept debit and credit cards and financial institutions that were members of the global electronic payment networks run by credit card companies such as Visa, Mastercard, American Express, and Discover. Wells' clients included merchants engaged in prohibited or high-risk transactions and merchants that had already been terminated from card payment processing networks such as Visa and Mastercard for fraud, chargeback, or other compliance concerns. Wells accomplished this with his co-conspirators by, among other means, creating shell companies, designing fake websites that purported to sell low-risk retail goods, and using industry-standard codes that miscategorized the true nature of the transactions. Wells admitted that he earned approximately $700,000 from the scheme. Wells faces a maximum penalty of 20 years in prison, a $250,000 fine, three years' supervised release, restitution, and forfeiture.  justice.gov

Troy IL : Game shop owner says he lost $100k in rare trading cards to bi-state burglar
A Troy businessman says $100,000 worth of collectible trading cards were stolen from his game store as part of what other store owners believe was part of a bi-state crime spree Sunday night. Sam Bozarth, who co-owns Realms of Gaming with David McGonagall, said the front door of their store at 300 Edwardsville Road was smashed in at around 3 a.m. Monday morning by a lone individual. Bozarth said the man cleaned out the store's display cases where valuable cards were kept and snatched other sealed Magic: The Gathering products. ksdk.com

Albuquerque, NM: Shoplifter hits Target stores 20+ times, taking thousands in goods
Police are looking for the crook responsible for a string of shoplifting cases across the metro, stealing thousands in merchandise from area Target stores. Putting a laser focus on shoplifters, Albuquerque Police are teaming up with big-box stores to curb crime. One of those crooks has a taste for Target. Police say 28-year-old Gabriel Quintana - who already boasts a lengthy criminal history - is striking Albuquerque-area Target stores, often striking the same store days in a row or hitting multiple stores in one day. From pricey items like big-screen TVs and gaming gear to smaller ones like cleaning products and donuts, criminal complaints detail how he racks up each item at the checkout, then continues out the door without paying. From June through September - spawning at least three criminal cases - court records report he struck the Lomas Target at least 17 times, stealing more than $16,000 in goods. They also show he hit the Paseo and I-25 Target three times with more than $1,800 in merch, the Coors and Paseo Target three times with more than $2,700 taken in items, and the Montgomery Target once, taking $550 worth of stuff. krqe.com

Calcasieu Parish, LA: Three arrested for alleged theft from Lake Charles store, prior thefts
Three people were arrested Wedensday, accused of stealing more than $4,600 dollars from a store in Lake Charles. The Calcasieu Parish Sheriff's Office says that on October 6 at around 5:00 p.m. Calcasieu Parish Sheriff's Office deputies were dispatched to a store on Derek Drive in Lake Charles in reference to a theft. When deputies arrived they say they made contact with three suspects, 26, 25, and a 16 year old juvenile, all of Beaumont, Texas. According to deputies, an investigation revealed the suspects entered the store two separate times that day and stole approximately $4,600 worth of merchandise. They found that earlier the same day the suspects stole approximately $2,000 worth of merchandise from the same store in Beaumont, Texas. Deputies also find that Robinson and Bean were also allegedly responsible for stealing over $1,000 worth of merchandise from the same store on Derek Drive on September 9. katc.com

Huntsville, AL: Jewelry Store thief wanted in $250,000 Grab & Run