Cybersecurity News of the Week, April 16, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

This week’s top stories concern the rollout of the Biden administration’s National Cybersecurity Strategy. As we expected, we’re beginning to see the push from the top for improved cybersecurity management by the private sector. The HBR article outlines this, while FedScoop’s piece describes the initial steps of a rollout program.

What Business Needs to Know About the New U.S. Cybersecurity Strategy

  • On March 2, 2023, the Biden administration released its long-awaited National Cybersecurity Strategy. In light of cyberattacks targeting American infrastructure, business, and governmental agencies, the document elevates cybersecurity as a critical component of the United States’ economic prosperity and national security.
  • It also intimates a fundamental dilemma, which is that the private sector — with key stakeholders consisting of software firms, small- and medium-sized businesses, broadband providers, and utility companies — holds the key to the public good of cybersecurity:
  • The strategy notes “Continued disruptions of critical infrastructure and thefts of personal data make clear that market forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience.”
  • Voluntary progress toward better cyber hygiene on the part of the private sector is no longer enough. Instead, the new strategy promises to support new regulatory frameworks that will shift liability and create incentives for private firms to defend against critical vulnerabilities. From <https://hbr.org/2023/04/what-business-needs-to-know-about-the-new-u-s-cybersecurity-strategy>

New rule could impose CMMC-like cyber requirements for civilian agency contractors

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz; your answers will help you and guide us to improve community safety.


Cybersecurity Nonprofit of the Week … Cyber Readiness Institute

Our kudos this week to the Cyber Readiness Institute (CRI) and the great work they do helping our medium-size and smaller organizations manage their information security challenges. CRI’s Cyber Readiness Program helps organizations protect their data, employees, vendors, and customers. This free, online program is designed to help small and medium-sized enterprises become more secure against today’s most common cyber vulnerabilities. Their free Cyber Leader Certification Program is a personal professional credential for those who have completed the Cyber Readiness Program. Both are highly recommended. Like SecureTheVillage, the Cyber Readiness Institute is a fellow member of Nonprofit Cyber. Dr. Stahl is a proud member of CRI’s Small Business Advisory Council.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

Private information isn’t private: (Video) (Podcast): Last week’s news brought another story that our private health information is far less private than we might think. … Join Stan and Julie as they riff on how the use of third-party tracking code on hospital websites ends up with our personal health information in the databases of Alphabet, Meta, and an unknown number of data brokers who buy and sell our extremely sensitive private information for their profit. We the people have neither privacy nor transparency. … As always, Stan and Julie provide actionable tips and thoughtful wisdom in an engaging conversation on the complexities of cybersecurity and privacy.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.

Update now. Update often. Update forever.

Microsoft (& Apple) Patch Tuesday, April 2023 Edition

  • Microsoft today released software updates to plug 100 security holes in its Windows operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, Apple has released a set of important updates addressing two zero-day vulnerabilities that are being used to attack iPhones, iPads and Macs.
  • On April 7, Apple issued emergency security updates to fix two weaknesses that are being actively exploited, including CVE-2023-28206, which can be exploited by apps to seize control over a device. CVE-2023-28205 can be used by a malicious or hacked website to install code. From <https://krebsonsecurity.com/2023/04/microsoft-apple-patch-tuesday-april-2023-edition/>

Google Chrome emergency update fixes first zero-day of 2023

The Wall Street Journal has a good primer on personal cyber insurance.

What Is Personal Cyber Insurance—and Should You Buy It?

  • Before you do, make sure you know the answers to these common questions.
  • When deciding about cyber insurance, consider your specific risks. For example, those who invest online could consider it more.
  • With cybercrime spreading, insurers are offering a new kind of product to meet the threat: policies that protect individuals, as opposed to businesses.
  • Here are answers to questions consumers may have about personal cyber insurance. From <https://www.wsj.com/articles/cyber-liability-insurance-coverage-8afc4fdd>

Section 3 – Cybersecurity News for the Cyber-Concerned.

ChatGPT and AI systems continue in the news with four stories this week. First up is the huge impact AI is having on cybercrime.

Report finds generative AI is lowering the barrier of entry to cybercrime

  • A new report from threat intelligence firm Cybersixgill Ltd. details worrisome current trends in cybercrime, including a falling barrier to entry driven by generative artificial intelligence services such as OpenAI LP’s ChatGPT.
  • The State of the Cybercrime Underground report was based on an analysis of Cybersixgill’s collected intelligence from the clear, deep and dark web in 2022.
  • The key finding in the report relates to how generative AI is lowering the barrier to entry into cybercrime by enabling threat actors to quickly write malicious code and perform other “pre-ransomware” preparatory activities. Added to the mix, initial access brokers, or IABs, and as-a-service offerings are also contributing to lowering the barriers to entry into cybercrime. From <https://siliconangle.com/2023/04/12/report-finds-generative-ai-lowering-barrier-entry-cybercrime/>

‘I didn’t give permission’: Do AI’s backers care about data law breaches?

  • Regulators around the world are cracking down on content being hoovered up by ChatGPT, Stable Diffusion and others.
  • The virtual libraries behind this breathtaking technology are vast – and there are concerns they are operating in breach of personal data and copyright laws.
  • The enormous datasets used to train the latest generation of these AI systems, like those behind ChatGPT and Stable Diffusion, are likely to contain billions of images scraped from the internet, millions of pirated ebooks, the entire proceedings of 16 years of the European parliament and the whole of English-language Wikipedia. From <https://www.theguardian.com/technology/2023/apr/10/i-didnt-give-permission-do-ais-backers-care-about-data-law-breaches>

Biden Administration Weighs Possible Rules for AI Tools Like ChatGPT

  • Fears grow over the potential use of artificial intelligence to commit crimes and spread falsehoods. The Biden administration has begun examining whether checks need to be placed on artificial-intelligence tools such as ChatGPT, amid growing concerns that the technology could be used to discriminate or spread harmful information.
  • In a first step toward potential regulation, the Commerce Department on Tuesday put out a formal public request for comment on what it called accountability measures, including whether potentially risky new AI models should go through a certification process before they are released. From <https://www.wsj.com/articles/biden-administration-weighs-possible-rules-for-ai-tools-like-chatgpt-46f8257b>

Finally, a realistic roadmap for getting AI companies in check

  • In a new report, the AI Now Institute — a research center studying the social implications of artificial intelligence — offers a roadmap that specifies exactly which steps policymakers can take.
  • The big argument is that if we want to curb AI harms, we need to curb the concentration of power in Big Tech.
  • “A handful of private actors have accrued power and resources that rival nation-states while developing and evangelizing artificial intelligence as critical social infrastructure,” the report notes.
  • One of the absurdities of the current situation is that when AI systems produce harm, it falls to researchers, investigative journalists, and the public to document the harms and push for change. But that means society is always carrying a heavy burden and scrambling to play catch-up after the fact.
  • The report’s top recommendation is to create policies that place the burden on the companies themselves to demonstrate that they’re not doing harm. Just as a drugmaker has to prove to the FDA that a new medication is safe enough to go to market, tech companies should have to prove that their AI systems are safe before they’re released. From <https://www.vox.com/future-perfect/2023/4/12/23677917/ai-artificial-intelligence-regulation-big-tech-microsoft-openai>

Following up last week’s story from the Electronic Frontier Foundation, here’s one from the Register on the UN Cybercrime Treaty being drafted. As of now, it’s a resounding “no.”

Russia-pushed UN Cybercrime Treaty may rewrite global law. It’s … not great

  • Special report: United Nations negotiators convened this week in Vienna, Austria, to formulate a draft cybercrime treaty, and civil society groups are worried.
  • The UN Cybercrime Treaty, to the extent it gets adopted, is expected to define global norms for lawful surveillance and legal processes available to investigate and prosecute cybercriminals.
  • What has emerged so far contemplates more than 30 new cybercrime offenses, with few concessions to free speech or human rights. From <https://www.theregister.com/2023/04/14/un_cybercrime_treaty/>

The Department of Justice had a good week. The “Cookie Monster” story is an update from last week.

The U.S. Cracked a $3.4 Billion Crypto Heist—and Bitcoin’s Anonymity

  • Federal authorities are making arrests and seizing funds with the help of new tools to identify criminals through cryptocurrency transactions.
  • James Zhong appeared to have pulled off the perfect crime.
  • In December 2012, he stumbled upon a software bug while withdrawing money from his account on Silk Road, an online marketplace used to hide criminal dealings behind the seemingly bulletproof anonymity of blockchain transactions and the dark web. From <https://www.wsj.com/articles/bitcoin-blockchain-hacking-arrests-93a4cb29>

Nigerian man extradited to US over alleged $6 million BEC scam

How ‘Operation Cookie Monster’ took down a major dark web marketplace

  • Genesis Market, one of the world’s largest illicit online marketplaces, was shut down this month in a police operation that involved over a dozen international law enforcement agencies.
  • Dubbed “Operation Cookie Monster,” the crackdown resulted in the seizure of hundreds of thousands of stolen identities and online access credentials that were for sale on the platform.
  • The operation, which also led to over 100 arrests worldwide, was headed by the US FBI and the Dutch National Police and served a major blow to global cybercrime efforts, according to officials and experts. From <https://www.weforum.org/agenda/2023/04/how-operation-cookie-monster-took-down-a-major-dark-web-marketplace/>

This week in cybercrime.

Hackers claim vast access to Western Digital systems

  • One of the hackers claimed to have stolen customer data and said they are asking for a ‘minim 8 figures’ as a ransom
  • The hackers who breached data storage giant Western Digital claim to have stolen around 10 terabytes of data from the company, including reams of customer information. The extortionists are pushing the company to negotiate a ransom — of a “minimum 8 figures” — in exchange for not publishing the stolen data. From <https://techcrunch.com/2023/04/13/hackers-claim-vast-access-to-western-digital-systems/>

Cyberattack causing treatment delays at Canadian hospital

  • A cyberattack on a hospital in Ontario, Canada, is causing delays to scheduled and non-urgent care.
  • Cornwall Community Hospital — a healthcare facility serving the residents of Cornwall and several other counties — said it discovered a “network issue” on Tuesday that was later revealed to be a cyberattack. From <https://therecord.media/canadian-hospital-treatment-delays-cyberattack-ontario>

Crypto platform Bitrue has $23 million stolen in cyberattack

  • Singapore-based cryptocurrency trading platform Bitrue said Friday that $23 million was stolen from one of its own digital wallets.
  • The affected wallet was “hot,” meaning it was accessible through the open internet, Bitrue said.
  • “Please note that the affected hot wallet only contained less than 5% of Bitrue’s overall funds. The rest of our wallets continue to remain secure and have not been compromised,” the company said in a statement. From <https://therecord.media/bitrue-23million-stolen-cryptocurrency>

As expected, Montana has moved forward with banning TikTok. It’s unlikely to be successful and, as the second story illustrates, will likely have the unintended consequence of weakening personal cybersecurity.

Montana becomes 1st state to approve a full ban of TikTok

  • Montana lawmakers on Friday passed a bill to ban TikTok over the app’s suspected connections to the Chinese government.
  • Montana has become the first state to approve a bill that would ban TikTok over the possibility that the Chinese government could request Americans’ data from the wildly popular video-streaming app. The GOP-controlled Montana House of Representatives sent the bill on Friday to Republican Gov. Greg Gianforte, who can now sign the measure into law.
  • The bill makes it illegal to download TikTok in the state, with penalties of up to $10,000 a day for any entity, such as Apple and Google’s app stores or TikTok itself, that makes the popular video-streaming app available.
  • If enacted, the ban in the state would not start until January 2024.
  • A federal court challenge from TikTok is expected well before then, likely teeing up a legal brawl that supporters of the law in Montana say could eventually wind up in front of the U.S. Supreme Court. From <https://www.npr.org/2023/04/14/1170204627/montana-becomes-1st-state-to-approve-a-full-ban-of-tiktok>

Banning TikTok Could Weaken Personal Cybersecurity

  • TikTok restrictions could lead to individuals engaging in risky digital behavior to circumvent mobile app bans, potentially exposing their networks and data to bad actors, an expert warns.
  • There has been little discussion of whether TikTok could be banned, and there has been almost no discussion of the effects on cybersecurity that a TikTok ban could cause, including encouraging users to sidestep built-in security mechanisms to bypass a ban and access the app. From <https://www.govexec.com/technology/2023/04/banning-tiktok-could-weaken-personal-cybersecurity/385191/>

One of the things the IRS can do with its larger budget is strengthen its ability to protect the private information of American taxpayers.

Taxpayer data at risk due to cybersecurity deficiencies at IRS, report warns

Section 4 – Managing Information Security and Privacy in Your Organization.

An interesting analysis of the cybersecurity expectations of our small and medium-sized organizations. A caveat: in more than 20 years of providing information security management services to SMBs, I have always found them to overestimate their cybersecurity controls.

What are the cybersecurity concerns of SMBs by sector?

  • Some sectors have high confidence in their in-house cybersecurity expertise, while others prefer to enlist the support of an external provider to keep their systems and data secured.
  • While threat detections continue to rise, the widening cybersecurity skills gap is leaving businesses exposed. It is an issue particularly felt by SMBs forced to rein in their spending due to the current economic climate.
  • We recently surveyed over 700 SMBs across a variety of sectors to ascertain their ability to detect and respond to the latest cyber threats. The differences are stark. While some sectors have high confidence in their in-house cybersecurity skills, others prefer to significantly outsource cybersecurity to an external expert to ensure they are protected. From <https://www.welivesecurity.com/2023/04/12/what-are-cybersecurity-concerns-smbs-sector/>

The next article speaks to the extreme cybersecurity workforce shortage.

If businesses are to get a grip on their cybersecurity, they need to close the gender gap
