Cybersecurity News of the Week, July 28, 2024

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Corner

These three stories – each in its own way – demonstrate the cybercrime challenge small businesses face in preparing for – and trying to prevent – the trauma of disruption.

The first is a PBS story about the lingering impact of the CrowdStrike debacle on smaller businesses. Large enterprise companies have IT and security staff to manage the disruption. Because of costs and the pervasive cybersecurity skills gap outlined in the World Economic Forum report (see Section 3), smaller businesses are too often forced to fix these problems on their own or by reaching out to their IT service providers / MSPs. Either way, the result is a disruption to normal operations, a disruption in their ability to serve customers and clients, a disruption in their growth plans, and added costs that take money away from the other parts of the business.

Adding to this challenge, smaller businesses have more trouble getting the cyber-insurance they need than do larger enterprises. Making the point, Warren Buffett’s Berkshire Hathaway advised insurance agents to only sell cyber policies if they absolutely had to do so to satisfy a client, and to expect losses. Big insurance companies don’t have to satisfy their small business clients. They don’t make enough revenue from most small businesses to take the risk.

And the third story – important in its own right as a major security challenge that speaks to the need for regulations requiring Security By Design – is also important in that its impact will be felt by smaller businesses much more than larger enterprise clients with deeper pockets.

All three stories, together with the work required to keep business computers patched and updated (See Section 4 below), illustrate a significant resource and financial hit on smaller businesses that they are ill-prepared to absorb.

  • Many small businesses struggle to resume normal operations days after global tech outage: NEW YORK (AP) — An owner of a consumer insights research firm couldn’t pay her employees, make Friday’s deadline to sign a contract for a new business or send key research to a key client. A psychiatrist, who runs a virtual mental health practice in Maryland, saw his business hobbled as some of his virtual assistants and therapists couldn’t either make phone calls or log on to their computers. And a restaurant owner in New York City was worried about how he was going to pay his vendors and his workers. … The problem appeared to divide those affected into haves and have-nots. Major customers of Microsoft and CrowdStrike are getting IT support to resolve the issues, but many smaller businesses whose Windows PCs may have received the problematic update are still struggling.
  • CrowdStrike losses may be biggest test yet of cybersecurity insurance risk warning from Warren Buffett: Warren Buffett and Berkshire Hathaway’s top insurance executive warned this year about the potential for massive losses from cyber insurance policies— in fact, it advised insurance agents to only sell cyber policies if they absolutely had to do so to satisfy a client, and to expect losses. … The CrowdStrike-caused global IT outage will be a key test for cyber insurance underwriters, with Fitch Ratings expressing confidence that losses will not exceed $10 billion. … Other cyber policy experts say it is still early to assess the volume of claims that insurers are going to see and say it could be “a very bad situation for insurers.”
  • Secure Boot is completely broken on 200+ models from 5 big device makers: Keys were labeled “DO NOT TRUST.” Nearly 500 device models use them anyway. … In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS, the firmware that loaded the operating system each time a computer booted up. From there, it could remain immune to detection and removal and could load even before the OS and security apps did. … On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro.

From SecureTheVillage

  • Smaller business? Nonprofit? Take your security to the next level. Apply Now! If you’re a small business or nonprofit in the greater Los Angeles area, apply NOW for LA Cybersecure. Protect your organization with our innovative team-based learn-by-doing program with coaching and guidance that costs less than two cups of coffee a week.
  • IT Service Provider / MSP? Take your client’s security to the next level. Apply Now!  If you’re an IT service provider in the greater Los Angeles area, apply NOW for LA Cybersecure. With our innovative team-based learn-by-doing program, you’ll have both that “seat at the table” and the peace of mind that you’re providing your clients with the IT security management they need.
  • The LA Cybersecure Program is funded in part by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.
  • Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription! 
  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basic controls and download our free updated 13-step guide.
  • Please Support SecureTheVillage: We need your help if we’re to build a world of CyberGuardians™. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village.™

Cybersecurity Nonprofit of the Week … Cyber Readiness Institute

Our kudos this week to the Cyber Readiness Institute (CRI) and the great work they do helping our medium-size and smaller organizations manage their information security challenges. CRI’s Cyber Readiness Program helps organizations protect their data, employees, vendors, and customers. This free, online program is designed to help small and medium-sized enterprises become more secure against today’s most common cyber vulnerabilities. Their free Cyber Leader Certification Program is a personal professional credential for those who have completed the Cyber Readiness Program. Both are highly recommended. The Cyber Readiness Institute plays a major role in LA Cybersecure. Like SecureTheVillage, the Cyber Readiness Institute is a fellow-member of Nonprofit Cyber. Dr. Stahl is a proud member of CRI’s Small Business Advisory Council.

Section 2: Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

Another illustration of the importance of always being suspicious.

  • Google Ads spread Mac malware disguised as popular browser: Be careful before clicking on those sponsored search results. … Google Ads are mostly harmless, but if you see one promoting a particular web browser, avoid clicking. … Security researchers have discovered new malware for Mac devices that steals passwords, cryptocurrency wallets and other sensitive data. … It masquerades as Arc, a new browser that recently gained popularity due to its unconventional user experience.

A report from think-tank R Street illustrates the complex challenges we face as we implement age-verification laws. As H. L. Mencken said, “For every complex problem there is an answer that is clear, simple, and wrong.”

  • 25 percent of kids will face identity theft before turning 18. Age-verification laws will make this worse: Children are prime targets for identity theft. They can’t access credit and don’t check their credit reports, which gives bad actors more time to harm their victims before anyone notices something is amiss. While lawmakers are proposing and enacting social media age-verification laws, this will increase fraud risks by mandating that minors surrender their Social Security numbers and other sensitive information. … A full 25 percent of minors will become victims of “identity fraud or theft” before they turn 18, according to Michael Bruemmer, Experian’s Vice President of Consumer Protection.

Section 3: Cybersecurity and Privacy News for the Cyber-Concerned.

The Senate continues to shine its spotlight on Zelle’s low reimbursement rate. It would seem clear that it’s in everyone’s interest to do a more effective job of warning people about Zelle fraud and other kinds of cyber scams. If you’re a bank wanting to lower the incidence of fraud among your customers, email us at info@SecureTheVillage.org and we’ll send you information on our educational programs.

  • Senator: Top Banks Only Reimburse 38% of Unauthorized Claims: During a hearing Tuesday, U.S. Sen. Richard Blumenthal, D-Conn., revealed that Bank of America, JPMorgan Chase and Wells Fargo only reimbursed 38% of unauthorized Zelle transaction claims – leaving consumers on the hook for $100 million in fraud losses. The banks disputed the committee’s findings.

A thoughtful interview with the Kansas Secretary of State about how the states are preparing for the 2024 election.

  • US election security official warns of ‘significant misinformation’ following Trump assassination attempt, Biden exit: The top group of U.S. election chiefs last week unveiled a new leadership roster ahead of the 2024 presidential race. Kansas Secretary of State Scott Schwab, who recently led the National Association of Secretaries of State, was named co-chair of the organization’s cybersecurity committee when election executives gathered for their summer meeting in Puerto Rico. The panel serves as a conduit for election officials to trade ideas and best practices on how to protect their networks, and data, against foreign and domestic malicious actors. “We don’t know those ideas are out there because we’re just so spread across the continent,” according to Schwab. First elected secretary of state in 2018, Schwab spoke with Recorded Future News about how digital security has changed since the last presidential race, the current threat landscape and how ransomware has hit his state particularly hard. This conversation has been edited for length and clarity.

An excellent piece by the World Economic Forum on the opportunity to meet the cybersecurity skills gap through increased collaboration. Illustrating the point, SecureTheVillage is working with IT service providers / MSPs and cybersecurity educators to build a pipeline in the Los Angeles region.

  • Why closing the cyber skills gap requires a collaborative approach: There is a global skills shortage of nearly 4 million cybersecurity experts, with this deficit set to grow amid an increase in demand for cyber professionals. … At the same time, almost 90% of organizations experienced a breach in the last year, which they can partially attribute to a lack of cybersecurity skills. … The World Economic Forum’s Strategic Cybersecurity Framework outlines why public-private collaboration is key to closing the cyber skills gap.

The next two stories demonstrate what we’re up against as we battle nation-state adversaries. Our enemies are ruthless and they are creative.

  • How Russia-Linked Malware Cut Heat to 600 Ukrainian Buildings in Deep Winter: The code, the first of its kind, was used to sabotage a heating utility in Lviv at the coldest point in the year—what appears to be yet another innovation in Russia’s torment of Ukrainian civilians. … As Russia has tested every form of attack on Ukraine’s civilians over the past decade, both digital and physical, it’s often used winter as one of its weapons—launching cyberattacks on electric utilities to trigger December blackouts and ruthlessly bombing heating infrastructure. Now it appears Russia-based hackers last January tried yet another approach to leave Ukrainians in the cold: a specimen of malicious software that, for the first time, allowed hackers to reach directly into a Ukrainian heating utility, switching off heat and hot water to hundreds of buildings in the midst of a winter freeze.
  • KnowBe4 Hires Fake North Korean IT Worker, Catches New Employee Planting Malware:  … Florida security awareness training firm KnowBe4 on Tuesday said a North Korean operative posing as a software engineer slipped past its hiring background checks and spent the first 25 minutes on the job attempting to plant malware on a company workstation. … KnowBe4 chief executive Stu Sjouwerman: “We sent them their Mac workstation, and the moment it was received, it immediately started to load malware.”

Another illustration – as if it’s needed – of profits over privacy. One more illustration of America’s need for GDPR-style laws. It must be made clear as a matter of law that we own our information and that it can’t be sold or transferred or used (or any of the thousands of other synonyms that lawyers know how to write) without our explicit approval. The default must be Opt-Out.

  • Automakers Sold Driver Data for Pennies, Senators Say: Ron Wyden and Edward Markey urged the F.T.C. to investigate how car companies handled the data from millions of car owners. … If you drive a car made by General Motors and it has an internet connection, your car’s movements and exact location are being collected and shared anonymously with a data broker. … This practice, disclosed in a letter sent by Senators Ron Wyden of Oregon and Edward J. Markey of Massachusetts to the Federal Trade Commission on Friday, is yet another way in which automakers are tracking drivers, often without their knowledge.

This week in cybercrime.

  • Columbus reports cyber incident as multiple cities recover from ransomware attacks: The city of Columbus, Ohio said it is working to restore its systems after a cybersecurity incident forced the government to sever internet connectivity.  … City officials did not respond to requests for comment but released a statement this week explaining that while its 911 and employee payroll systems remain operational, several resident-facing IT services are dealing with outages that “may take time to restore.” … Columbus, the capital of Ohio and home to nearly 1 million residents, is one of several cities to report cybersecurity incidents or ransomware attacks over the last week. 
  • Jefferson Co. Clerk: Russians behind cyberattack, other offices will help out: JEFFERSON COUNTY, Ky. — A cyberattack is still impacting the Jefferson County Clerk’s Office days later, and now surrounding branches are stepping up to help. … According to Clerk Bobbie Holsclaw, Russians are behind an attack on their systems and the FBI is involved, but no personal information was compromised.
  • FBCS data breach impact now reaches 4.2 million people: Debt collection agency Financial Business and Consumer Solutions (FBCS) has again increased the number of people impacted by a February data breach, now saying it affects 4.2 million people in the US. … FBCS is a US debt collection agency that collects unpaid debts from consumer credit, healthcare, commercial, auto loans and leases, student loans, and utilities.
  • Sibanye says US operation recovering from cyberattack impact: Multinational mining and metals processing group Sibanye-Stillwater confirmed on July 25 that the Columbus metallurgical complex at its US platinum group metals operations has experienced some short-term operational delays as a result of the cybersecurity attack earlier this month.

Section 4: Securing the Technology.

Capturing the essence of the update challenge IT faces is this quote from Minnesota Secretary of State Steve Simon (see our Section 3 story about election security): “Cybersecurity is like running a marathon that you have to win every day and the race never ends.” We all need to be grateful for the work IT does in keeping their organizations safe.
