Stay in the know with “The week in cybersecurity news,” a weekly report on all the industry headlines released every Friday. Sign up to get the report in your inbox every week.

Customer sues AT&T over SIM hijacking in $23.8 million cryptotheft

Entrepreneur and cryptocurrency investor Michael Terpin is suing AT&T for negligence and fraud over a SIM hijacking, which led him to lose $23.8 million in cryptocurrency.

Terpin claims he was a victim of a SIM swap fraud, in which his AT&T phone number was transferred to a different SIM card without his authorization. With access to his phone number, attackers were able to hack his digital accounts and steal the cryptocurrency. SIM card fraud is a growing threat in the US.

The entrepreneur is suing AT&T for $23.8 million plus $200 million in punitive damages. The story is worth following as it sets the tone for the civil liability companies can face when security breaches lead to cryptocurrency theft.

Read the full story at The Verge.

Study: Only 5% of enterprises have mature vulnerability assessment strategies

According to a study of 2,100 organizations across 66 countries, only 5% of enterprises have mature vulnerability assessment strategies.

The study found that one third of enterprises conduct few vulnerability assessments, with many organizations having more work to do to protect themselves in the event of a cyberattack.

Read the full story at TechRepublic.

Cryptocurrency scammers stole $2.3 million in Q2

According to a report from Kaspersky Lab, malicious actors earned more than $2.3 million from cryptocurrency scams during the second quarter of 2018.

The attackers gained the funds by getting victims to send their coins to fake ICOs and token distributions. Websites mirroring popular cryptocurrency service companies were also used to lure victims into providing their login details for use in theft.

Read the full story at Coindesk.

Survey: 59% of UK companies have faced cryptomining attacks

According to a survey of UK organizations by Citrix, 59% of organizations reported having found cryptomining malware on their networks, with 30% of companies facing cryptojacking attacks in just the last month.

When an organization is hit by a cryptojacking attack, computers on the network are infected with malware that steals the devices’ processing power for mining cryptocurrency. Often this malware goes unnoticed on infected networks, allowing the attackers to earn cryptocurrency without detection for long periods of time.

The survey results suggest that cryptomining malware attacks are rising in popularity globally. Read the full story at ZDNet.

Threat Alert: (Unused) fax machines can lead to a network breach

A story in Fortune this week highlighted work from Check Point Research which found that faxes can be used to breach an organization’s network.

The article said researchers were able to gain access to every computer connected to an HP all-in-one printer (with fax capabilities) by sending “a fax of malicious code disguised as an image file to the printer.” In an organization where faxes are no longer monitored, this means an attack could occur without detection.

The research highlights the risk of keeping infrequently-used and unmonitored technology connected to an organization’s network.

HP has fixed the flaw now, but researchers say a similar vulnerability could exist in other brands of all-in-one printers. Read the full story here.

Flaw found in most secure element of Intel chips

Researchers have found a vulnerability in the Software Guard Extension (SGX) feature of Intel chips.

According to the Wired story, a vulnerability called Foreshadow can be exploited to penetrate the defenses of an Intel processor’s SGX feature, which creates “secure enclaves” in the chips where code can run that the computer’s operating system can’t access or change. It essentially means that this safe haven for a computer’s most sensitive data could be penetrated.

The researchers, which presented their findings at the Usenix security conference on Thursday, stressed that carrying out this attack would be difficult and expensive when compared to traditional hacking techniques likes phishing and malware.

Work is in place to mitigate the Foreshadow vulnerability. Intel says improvements for its chip architecture will hit the market at the end of the year.

Read the full story at Wired.

What to do when a CEO refuses cybersecurity best practices

SearchSecurity this week addressed how an IT leader can handle a CEO’s refusal to accept cybersecurity measures applied to the rest of the organization.

Steps to take when a CEO refuses cybersecurity best practices:

The cybersecurity professional should:

1) educate the CEO on the risks and liabilities associated with the measures they don’t want to take. If the CEO still refuses the security suggestions, then
2) document the executive’s acceptance of business risk. If the CEO refuses to document the increased risk, the article advises
3) reconsidering current employment.

According to the story, some laws and regulations makes the CEO personally responsible if an organization is negligent in securing critical information and assets.

Read the full story here.

Election security: An 11-year-old can hack Florida’s election system, DHS hosts cybersecurity exercise, and more

Last weekend an 11-year-old successfully hacked into a replica of a website used by the Florida Secretary of State to report election results.

The hack, which took place at the DefCon conference, took only 10 minutes.

“These websites are so easy to hack, we couldn’t give them to adult hackers — they’d be laughed off stage,” said Jack Braun, a former White House liaison for the Department of Homeland Security.

The Florida Department of State claimed that the replica website used in the demonstration likely didn’t have any security measures in place, unlike in a real-life scenario. Read the full story in USA Today.

According to a statement from the Department of Homeland Security, the DHS hosted a 3-day exercise to identify “best practices and areas for improvement in cyber incident planning, preparedness, identification, response, and recovery” as it relates to elections.

The exercise, “Tabletop the Vote 2018: DHS,” included federal partners, state and local election officials, as well as private companies. The scenario covered:

  • News and social media influence campaigns,

  • Spearphishing campaigns targeting election personnel,

  • Denial of service attacks on board of election websites and apps, and

  • Malware impact on voting machines and election software.

At the same time, the FBI has investigated sustained cyberattacks on an election campaign for Dr. Hans Keirstead, who had been running against Dana Rohrabacher, a pro-Russia Republican congressman in California. According to the story, attacks had taken place over the course of a year.

Keirstead ultimately finished third in the June primary. His campaign manager said this: “It is clear from speaking with campaign professionals around the country that the sustained attacks the Keirstead for Congress campaign faced were not unique, but have become the new normal for political campaigns in 2018.” Read the full story here.

In other news:

Facebook announced it recently shut down 32 pages aimed at sowing discord among Americans.

CyberScoop gave grades of “A” for website security to 55% of House candidates and 81% of Senate candidates running in the midterm election.

Last Friday the House introduced a bill called Secure Elections Act, which would allow state and local authorities to apply for federal funding for strengthening the security of their election systems.