Newsletter

open source and cybersecurity news

November 21, 2023

It's 5:05, November 21, 2023. Time for your cybersecurity and open source headlines.

In this Episode:

Marcel Brown:  November 21st, 1877. Thomas Edison announces his invention of the phonograph, a way to record and play back sound. As often happens with many great inventors, Edison stumbled upon this particular invention while working on a way to record telephone communication at his lab in Menlo Park, New Jersey.

Edwin Kwan: Security researchers have uncovered a malware campaign to steal sensitive information from Android smartphone users in India. Researchers say that the campaign is using social media platforms like WhatsApp and Telegram to lure users into installing a malicious app by impersonating legitimate organizations such as banks, government services, and utilities.

Katy Craig: In light of the recent SEC charges against SolarWinds’ Chief Information Security Officer, or CISO, Timothy G. Brown, there’s a compelling argument for holding company officers accountable for neglecting cybersecurity and failing to report known risks. The charges against Brown for not disclosing significant cybersecurity vulnerabilities before and during the 2020 SUNBURST cyberattack underline a crucial point: CISOs, like CFOs, must prioritize transparency and honesty in reporting risks.

Ian Garrett: We can learn a lot about the state of the cybersecurity industry through the type of mergers and acquisitions, or M&A, that occur. 2023 has been a cautious yet significant year for mergers and acquisitions in the cybersecurity sector. Despite fears of a recession, rising interest rates, and conservative spending trends, the relentless pace of cyberattacks has maintained steady M&A activity.


The Stories Behind the Cybersecurity Headlines


Edwin Kwan
Malicious Android Banking Apps Targeting Users in India

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Security researchers have uncovered a malware campaign to steal sensitive information from Android smartphone users in India.

This is Edwin Kwan from Sydney, Australia.

Microsoft threat intelligence researchers say that the campaign is using social media platforms like WhatsApp and Telegram to lure users into installing a malicious app by impersonating legitimate organizations such as banks, government services, and utilities.

The malicious app is presented as a banking app, and the attackers would induce a sense of urgency in the users, such as claiming that their bank accounts will be blocked unless they update their permanent account number, which is issued by the Indian Income Tax Department, on the app that they are sharing via social media.

The campaign’s goal is to steal banking information, card payment information, account credentials, and other personal data. Upon installing the app, the user is urged to enter that information, which would then be sent to the attacker’s server.

This is another reminder to only download apps from trusted sources such as Google Play, and to also check the legitimacy of the app developers, scrutinize the reviews, and review the permissions requested by the app.

Resources
– Microsoft: https://www.microsoft.com/en-us/security/blog/2023/11/20/social-engineering-attacks-lure-indian-users-to-install-android-banking-trojans/
– Hacker News: https://thehackernews.com/2023/11/malicious-apps-disguised-as-banks-and.html


Katy Craig
SEC Sues SolarWinds: Part II

Katy Craig, Contributing Journalist, It's 5:05 Podcast

In light of the recent SEC charges against SolarWinds’ Chief Information Security Officer, or CISO, Timothy G. Brown, there’s a compelling argument for holding company officers accountable for neglecting cybersecurity and failing to report known risks. This case is a watershed moment, signaling the need for a stricter enforcement of corporate responsibility in cybersecurity.

This is Katy Craig in San Diego, California.

The charges against Brown for not disclosing significant cybersecurity vulnerabilities before and during the 2020 SUNBURST cyberattack underline a crucial point: CISOs, like CFOs, must prioritize transparency and honesty in reporting risks. This expectation is not just ethical, but integral to investor trust and the broader security of digital infrastructure.

This SolarWinds incident should serve as a stark reminder to corporate executives. Neglecting cybersecurity and omitting critical information can have severe consequences, not just for the company and its stakeholders, but also personally for the executives involved. It’s a call for a culture shift in how cybersecurity is treated at the highest levels of corporate governance.

This scenario also underscores the importance of federal whistleblower protections. These protections are vital for encouraging and safeguarding employees who come forward to report unethical practices, including cybersecurity negligence. Whistleblowers play a crucial role in exposing hidden risks and preventing potential disasters, and their actions should be supported and protected under federal law.

Finally, the SEC’s action against Brown isn’t just about one company or one executive. It’s about setting a precedent that emphasizes the importance of executive accountability and cybersecurity. This case could lead to more stringent regulations and expectations for corporate officers, ensuring that cybersecurity is treated with the seriousness it deserves at the executive level.

This is Katy Craig. Stay safe out there.

Resources
– NY Times: https://www.nytimes.com/2023/11/18/business/dealbook/solarwinds-sec-lawsuit.html
– SEC: https://www.sec.gov/news/press-release/2023-227


Ian Garrett
M&A Deals that Look into the Future of the Cybersecurity Industry

Ian Garrett, Contributing Journalist, It's 5:05 Podcast

We can learn a lot about the state of the cybersecurity industry through the type of mergers and acquisitions, or M&A, that occur. 2023 has been a year marked by economic uncertainty paired with an escalation in complexity of cyber threats. Through all this, we’ve seen some interesting M&A activity that could be a look into the future of the cybersecurity industry.

Hey folks, this is Ian Garrett in Arlington, Virginia.

2023 has been a cautious yet significant year for mergers and acquisitions in the cybersecurity sector. Despite fears of a recession, rising interest rates, and conservative spending trends, the relentless pace of cyberattacks has maintained steady M&A activity.

Early in the year, the tech sector experienced instability and mass layoffs, fueled by the prolonged war in Ukraine and global economic pressures. However, the urgency to fortify against cyber threats has not waned. A significant 65% of organizations plan to increase cybersecurity spending this year, underscoring the sector’s resilience and growth potential amid broader market volatility.

Some of the many key deals this year that have shaped the cybersecurity landscape include the following:

– Palo Alto Networks’ acquisition of Talon Cyber Security, integrating Talon’s Enterprise Browser Platform with Palo Alto’s Prisma SASE for enhanced security across devices.

– Proofpoint’s agreement to acquire Tessian, bolstering its email protection capabilities with Tessian’s advanced AI.

– Snyk’s acquisition of Reviewpad, a move that enhanced Snyk’s code vulnerability scanning platform.

– Quintus’s intent to acquire a stake in World Health Energy Holdings, leveraging their threat screening technology.

These transactions reflect a strategic focus on enhancing security capabilities and expanding market reach. For instance, Palo Alto Networks and Proofpoint are bolstering their portfolios with solutions addressing specific cybersecurity challenges, such as secure browsing technology and advanced email threat protection. Snyk’s acquisition of Reviewpad aligns with the growing emphasis on securing software development processes.

The overall market analysis indicates a cautious yet opportunistic approach among cybersecurity firms. The demand for innovative solutions remains high, driven by emerging security risks like those posed by advanced AI technologies. Companies are balancing the need to expand and strengthen their cybersecurity offerings with the economic realities of a potentially receding market.

This balancing act is evident in the careful selection of acquisitions focusing on strategic value rather than sheer volume of transactions.

Resources
– CSO Online: https://www.csoonline.com/article/574521/top-cybersecurity-manda-deals-for-2023.html


Marcel Brown
This Day, November 21, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown bringing you some technology history for November 21st.

November 21st, 1877. Thomas Edison announces his invention of the phonograph, a way to record and play back sound. As often happens with many great inventors, Edison stumbled upon this particular invention while working on a way to record telephone communication at his lab in Menlo Park, New Jersey.

While experimenting with a stylus on a tinfoil cylinder, he was surprised when he was successfully able to play back the short song he had recorded, Mary Had a Little Lamb. Public demonstrations of the phonograph made Edison world-famous, and he was dubbed “the Wizard of Menlo Park.” Edison set aside his invention in the next year to work on the light bulb, and it wasn’t until nine years later that he resumed work on improving the phonograph, eventually releasing the Edison Disc Phonograph in 1912, competing with a number of other disc players in the early recording industry.

November 21st, 1969. A little less than a month after the first test message was sent, the first permanent link on the ARPANet is established between UCLA and the Stanford Research Institute. As the ARPANet was the foundation of the modern internet, this connection can now be considered the very first link of what we now know as the internet.

That’s your technology history for today. For more, tune in tomorrow and visit my website, thisdayintechhistory.com.

Resources
https://thisdayintechhistory.com/11/21
