A weekly aggregation of important cybersecurity and privacy news helping you navigate the new world of cybersecurity and privacy.
This week’s lead story is from our friends at Wirecutter. They’ve compiled a list of seven key things everyone should do to help stay safe online. Add SecureTheVillage’s top-recommendation to freeze your credit and you’ve got a solid list of basic steps everyone can take. Please take a few minutes each day this week and implement any of the seven steps that you’ve not yet done. And make sure to freeze your credit.
- Every Step to Simple Online Security: Online security is for everyone. Information about your life is spread across dozens, even hundreds, of services—where you shop, communicate, share information, and store files. Losing control of your digital identity can have real consequences, including embarrassing losses of privacy, devastating financial blows, and risks to personal safety. And whether it’s fair or not, the onus is on you to protect yourself. Although the task can seem overwhelming, just a few simple steps are enough to drastically reduce your risks online. NYT Wirecutter, April 1, 2022
If you still need convincing that cyber crime is a serious national challenge, these next two stories may help. Both are based on the 2021 Internet Crime Report, released recently by the FBI.
The first of these stories—an overview of the FBI report—identifies the most commonly reported cyber crimes as Business Email Compromise (a form of online bank fraud), Investment schemes, romance scams, personal data breaches, and real estate scams.
- FBI: Cybercrime reports saw ‘unprecedented’ rise last year, costing nearly $7B: An FBI center that collects cybercrime complaints said Wednesday that it received 847,376 of them last year, with estimated potential losses totaling $6.9 billion — a 64% increase from 2020. Cyber Scoop, March 23, 2022
The second story on the FBI’s report takes a deep dive on the subject of Business Email Compromise. It tells the story of Sherry Williams, executive director of nonprofit One Treasure Island. The nonprofit lost $650,000 when thieves hacked the email account of the nonprofit’s bookkeeper, then inserted themselves into a long email thread, sent messages asking to change the wire payment instructions for a grant recipient, and made off with $650,000.
- Accounts deceivable: Email scam costliest type of cybercrime: A shopping spree in Beverly Hills, a luxury vacation in Mexico, a bank account that jumped from $299.77 to $1.4 million overnight. AP News, April 9, 2022
SecureTheVillage strongly recommends that NO bank wires be made without person-to-person confirmation that the wiring instructions are correct. Don’t trust. Verify.
The Front Page
Other front page cybersecurity and privacy stories.
Our next story documents Russia’s continued use of social media, both to sow disinformation and for espionage.
- Russian-backed hackers spreading disinformation on Facebook: A new Facebook report found that government-affiliated hackers from Russia and Belarus attempted to use the social media platform for cyber espionage and disinformation campaigns targeting Ukrainians. The Hill, April 7, 2022
On the flip side, Anonymous is hard at work disclosing private information stolen from Russian companies. The following story is likely the tip of an emerging iceberg. Stay tuned as more of this information gets leaked, translated, and put into context.
- Hacking group claim it has leaked more than 900,000 emails from Russian state media: A group of hackers connected with Anonymous have claimed they have leaked close to one million emails from Russia’s largest state media corporation. The leaked emails reportedly cover more 20 years of communication. Independent, April 7, 2022
Meanwhile the US and European governments have also been active on the cyber front, working to deny the fruits of cybercrime to Putin and his thugs.
- How Russia’s Invasion Triggered a US Crackdown on Its Hackers: The Biden White House is using “all of the levers of national power” to counter—or preempt—cyberattacks by Russia’s most dangerous hacker groups. … Since Russia launched its full-blown invasion of Ukraine in late February, a wave of predictable cyberattacks has accompanied that offensive, striking everything from Ukrainian government agencies to satellite networks, with mixed results. Less expected, however, was the cyber counteroffensive from the US government—not in the form of retaliatory hacking, but in a broad collection of aggressive legal and policy moves designed to call out the Kremlin’s most brazen cyberattack groups, box them in, and even directly disrupt their hacking capabilities. Wired, April 8, 2022
- U.S. Says It Secretly Removed Malware Worldwide, Pre-empting Russian Cyberattacks: The operation is the latest effort by the Biden administration to thwart actions by Russia by making them public before Moscow can strike. … The United States said on Wednesday that it had secretly removed malware from computer networks around the world in recent weeks, a step to pre-empt Russian cyberattacks and send a message to President Vladimir V. Putin of Russia. New York Times, April 6, 2022
- World’s biggest darknet marketplace, Russia-linked Hydra Market, seized and shut down, DOJ says: Hydra Market, the world’s largest and oldest darknet marketplace of illegal items and services, was seized and shut down by German authorities in coordination with U.S. law enforcement. … The U.S. Department of Justice also announced criminal charges against one of Hydra Market’s alleged operators. … German Federal Criminal Police seized cryptocurrency wallets containing $25 million in bitcoin from the marketplace, the DOJ said. CNBC, April 5, 2022
Our final stories on this week’s Front Page both deal with privacy.
The first documents how miscreants are using Apple Air Tags to stalk women. This is a serious problem that is only going to get worse until and unless we the people do something about it.
- Police Records Show Women Are Being Stalked With Apple AirTags Across the Country: Motherboard obtained reports of stalking, harassment, and abuse using Airtags, targeting victims of intimate partner violence. Vice, April 6, 2022
And this next story should dispel any naïve notions you might have about not being tracked online. The methods and the details may change but the tracking continues. There’s just too much money and influence involved for it to be anything else.
- You’re Still Being Tracked on the Internet, Just in a Different Way: Apple and Google are pushing privacy changes, but a shift in digital tracking is giving some platforms a bigger advertising advantage. New York Times, April 6, 2022
Security Nonprofit of the Week
Our kudos this week to the Cybercrime Support Network, a nonprofit that helps individuals and small businesses impacted by cybercrime. As a leading voice for cybercrime victims, Cybercrime Support Network is dedicated to serving those affected by the ever growing impact of cybercrime before, during, and after.
Founded in 2017, Cybercrime Support Network (CSN) connects victims to resources, increases cybercrime and online fraud reporting, and decreases revictimization. Since November 2018, CSN has provided help to over 1,000,000 individuals and small businesses via FightCybercrime.org and ScamSpotter.org. Kudos to the Cybercrime Support Network for all they do to keep us safe and secure.
Cyber Live with Dr. Stan Stahl – Live on LinkedIn
Live on Cyber with Dr. Stan Stahl: Julie Morris and I didn’t get a chance to record last week so the link is to our recording on March 30. Online bank fraud. Ransomware. Extortion. Your personal social media breached. Often the personal consequence of a lack of cybersecurity isn’t real – until it is. Let’s explore what can happen if we don’t have measures in place. SecureTheVillage, March 30, 2022
Register Now. Invitation to Sponsor.
SecureTheVillage presents Nicole Perlroth, Award-winning Cybersecurity Journalist and New York Times Bestselling Author. A Virtual Learning Opportunity By & For Leaders in Cybersecurity. May 4, 11:00AM Pacific. Registration now open. Sponsorships still available.
Section 2 – Personal Security and Privacy
Important stories for protecting yourself and your family.
Let’s be careful out there.
Our first story details the rise of a new kind of malicious text . My sister called me last week that she’d received this text. It asked her to enter credit card information. Fortunately she’s my sister so she knew enough to forward the text to #7726 and delete it.
- Did You Receive a Text Message From Yourself? You’re Not Alone: Text spam is on the rise. The latest version involves scammers sending messages to you seemingly from your own phone number. Here’s what to do. New York Times, April 6, 2022
These next two stories illustrate again how you’re being threatened by the programs you use.
- Beloved VLC Media Player Exploited By Chinese Hackers In Long Running Malware Campaign: There is a strong possibility that if you’re reading this website, you are familiar with VLC Media Player. The popular application, which bundles important codecs along with the player rather than relying on the OS to provide them, is the video player of choice for millions of people who became tired of fussing with “codec packs” and older versions of Windows’ poor video playback support. Hot Hardware, April 6, 2022
- Thousands of Android users downloaded this password-stealing malware disguised as anti-virus from Google Play: Users looking to protect their smartphone from hackers found their devices infected with Sharkbot malware. … Six phony anti-virus apps have been removed from the Google Play app store because instead of protecting users from cyber criminals, they were actually being used to deliver malware to steal passwords, bank details and other personal information from Android users. ZD Net, April 7, 2022
Section 3 – General Cybersecurity and Privacy Stories
Cybersecurity and privacy stories for those wanting a deeper look.
This Week in Cyber Crime.
- Over 8 million Cash App users possibly affected by data breach from a former employee: Over 8 million users of the mobile payment app Cash App could be affected by a data breach after a former employee of the company downloaded reports containing the personal information of U.S. users. USA Today, April 6, 2022
- Hackers breached Mailchimp to phish cryptocurrency wallets: Users of the Trezor hardware wallet were sent sophisticated phishing emails after the hack, with other crypto mailing lists potentially affected … Mailchimp, the veteran email marketing platform, has confirmed that hackers used an internal tool to steal data from more than 100 of its clients — with the data being used to mount phishing attacks on the users of cryptocurrency services. The Verge, April 4, 2022
- Snap-on discloses data breach claimed by Conti ransomware gang: American automotive tools manufacturer Snap-on announced a data breach exposing associate and franchisee data after the Conti ransomware gang began leaking the company’s data in March. Bleeping Computer, April 8, 2022
- Ransomware Gang Leaks Files Stolen From Industrial Giant Parker Hannifin: A notorious cybercrime group has leaked several gigabytes of files allegedly stolen from US industrial components giant Parker Hannifin. Security Week, April 5, 2022
The week also features two stories of nation-state surveillance. The first of these is a new story about NSO Group’s Pegasus spyware being found on the phones of four human rights defenders, all Jordanian women. Nicole Perlroth, SecureTheVillage’s guest at our May 4 learning event, tells the early story of the NSO Group in her best-seller This is How They Tell Me the World Ends. The second story, also from the middle-East, is the story of a new cyber attack by Hamas targeted towards “high-ranking Israeli officials.”
- Spyware Pegasus found on hacked mobile phones of four human rights defenders: Inclusion of several Jordanian women among targets ‘merits special attention’ … The controversial commercial spyware program Pegasus has been found on hacked mobile phones belonging to four human rights defenders in Jordan, according to a report released today by Dublin-based human rights organisation Front Line Defenders (FLD) and Canadian digital forensics experts Citizen Lab. The Irish Times, April 5, 2022
- Hamas-linked cyber-spies ‘target high-ranking Israelis’: Sensitive info swiped from Windows and Android devices, according to report. … A prolific Middle East team with links to Hamas is said to be using malware and infrastructure to target high-ranking Israeli officials and steal sensitive data from Windows and Android devices. The Register, April 6, 2022
One of the cybersecurity challenges we face is the lack of effective regulations to ensure that companies properly manage the cybersecurity vulnerabilities in their products. There’s a well-defined protocol for companies to use in alerting customers and others of discovered flaws and of breaches, but their implementation is left up to the companies. These next two stories illustrate the dangers of a failure to communicate. Both companies are security vendors which makes these breaches of protocol even more significant.
- The Okta Mess Is Even Worse Than It Appears: On March 1, 2022, Okta, the cloud-based identity management company, was going great guns. Okta’s fiscal year 2022 revenue had just come in and it totaled $1.30 billion and had grown 56% year-over-year. Its customers included FedEx, Moody’s, T-Mobile, JetBlue, and ITV and it was Federal Risk and Authorization Management Program (FedRAMP) approved. What could go wrong? Three weeks later we found out. Steven J. Vaughan-Nichols, Newstack, March 29, 2022
- WatchGuard failed to explicitly disclose critical flaw exploited by Russian hackers: Security vendor WatchGuard quietly fixed a critical vulnerability in a line of its firewall devices and didn’t explicitly disclose the flaw for at least seven months, following revelations hackers from Russia’s military apparatus exploited the flaw en masse to assemble a giant botnet. Ars technica, April 6, 2022
This next story illustrates a cybersecurity problem we continue to see, the virtual equivalent of leaving boxes of sensitive information sitting unprotected on the sidewalk. All too often IT staff will fail to properly configure the technology they’re using with the result that information is available to anyone who stumbles across it … or goes looking for it. It may not be a cyber crime but the impact is still real. IT staff need to double check their security configurations. Measure twice. Cut once. Don’t trust. Verify.
- Fox Data Leak Exposes Employee Details Among 13 Million Documents: The personal details of Fox employees could have been accessed by an easily exposed database containing millions of records, according to a report. … A configuration error meant that a huge trove of nearly 13 million content management records at the network could be accessed in an open and non-password protected database, according to Website Planet, a U.K.-based website consultancy. Newsweek, April 7, 2022
More good news from the Justice Department as it continues to aggressively go after the cybercrime underground.
- US Seizes $34M in Crypto Tied to Hacked HBO, Netflix, Uber Account Data Sold on Dark Web: The Justice Department calls it “one of the largest cryptocurrency forfeiture actions ever filed by the United States.” … US authorities in Florida seized approximately $34 million in cryptocurrency, which was allegedly used to launder proceeds from the illicit sale on the dark web of hacked account information from popular online offerings such as HBO, Netflix and Uber, the US Department of Justice said Monday. The “South Florida resident” involved in the sales wasn’t identified by the DOJ, and the press release didn’t specify whether the agency is pursuing an indictment.
- FIN7 hacking group ‘pen tester’ sentenced to 5 years in prison: Denys Larmak, a “pen tester” for the FIN7 financially-motivated hacking group, was sentenced on Thursday to 5 years in prison for breaching victims’ networks and stealing credit card information for roughly two years, between November 2016 and November 2018. Bleeping Computer, April 7, 2022
The good news in this story is that the courts may have another opportunity to add to the emerging cybersecurity case law on “reasonable security?” Given that there is no perfect security, how much security must a company implement before it’s responsible for damages in the event of a breach (or other cyber loss) that impacts others?
- Shopify facing another lawsuit from crypto holders over Ledger data breach: The e-commerce giant is in the hot seat again for its alleged role in making the hacked Ledger user data available to malicious actors. … Global e-commerce platform Shopify and hardware wallet maker Ledger face a major legal hurdle as a group of Ledger users have filed a class-action lawsuit for its part in failing to prevent a massive data breach in 2020. Cointelegraph, April 5, 2022
Section 4 – Securing the Organization
Stories to support executives and top management in securing their organizations.
An analysis by law firm BakerHostetler illustrates that in cybersecurity like in life “a stitch in time saves 9.”
- Broader investment in cybersecurity beginning to pay dividends: Improved defenses give organizations more room to negotiate but won’t protect from lawsuits, says law firm. … An increased willingness on the part of enterprises to invest in cybersecurity may finally be starting to make a difference, according to US law giant BakerHostetler. The Register, April 7, 2022
Just in case it isn’t already abundantly clear, here’s another voice saying that cybersecurity is not a compliance problem. Cybersecurity is an engineering and technology management challenge. It is a management / leadership imperative. And it requires hitting the cultural challenges head on. One thing cybersecurity is not is a compliance problem.
- The US Navy had cybersecurity wrong. Expect change.: The U.S. Navy has framed cybersecurity incorrectly for years and is now chipping away at a new approach that better suits the contemporary environment, the service’s chief information officer said Tuesday. Defense News, April 5, 2022