Cybersecurity News of the Week, April 9, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

This week’s top of the news is another story showing that our private health information is far less protected than we might think. In a new study conducted at the University of Pennsylvania, researchers found that hospitals’ widespread use of third-party tracking code lets companies not subject to HIPAA’s privacy protections observe people’s browsing behavior across hospital websites. By including third-party tracking code on their websites, hospitals are facilitating patient profiling. As a result, companies like Alphabet, Meta, and others have access to our health information; advertisers target ads based on health information they have no right to; and hospitals face increased legal exposure.

Save the Date when SecureTheVillage will explore the data broker invasion on our upcoming webinar Invasion of the Body & Mind (Data) Snatchers. May 25, 11:00 am – 12:30 pm PT. Registration opens soon.

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basics. Please take our short quiz as your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

  • Los Angeles Cybersecurity Workforce Coalition: The monthly meeting of the workforce coalition, Tue, May 2, 1:00 pm – 2:00 pm PT
  • Save the Date. Invasion of the Body & Mind (Data) Snatchers: What you need to know. What you need to do. May 25, 11:00 am – 12:30 pm PT. Registration opens soon.

Cyber Humor

Cybersecurity Nonprofit of the Week … Sightline Security

Our kudos this week to Sightline Security, a nonprofit that helps nonprofits secure and protect their critical information. Sightline’s mission is to equip, empower, and support nonprofits to navigate and embed cybersecurity into their organizations with confidence. Kudos to Sightline Security for their cyber support to the vital under-served nonprofit community. Like SecureTheVillage, Sightline Security is a fellow-member of Nonprofit Cyber. SecureTheVillage is proud to have Sightline Security founder and President Kelley Misata on our Board.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

Danger and Opportunity: (Video) (Podcast): John F. Kennedy said that a crisis represents both danger and opportunity. And so it is with the rush to embed large language models into everything. What a great opportunity for Stan and Julie to riff on the complex challenges of the cyber-incunabula. … immense cybersecurity implications … immense implications to society and democracy … a Chatbot that writes an opinion piece recommending that the way to solve the problem of homelessness is to shoot unhoused people!!! … There’s much to talk about and lots to explore. As always, Stan and Julie provide actionable tips and thoughtful wisdom in a fun conversation on the complexities of cybersecurity and privacy.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.

The security and privacy implications of Chatbot continue in the news. This makes it more important than ever to keep Ben Franklin’s wisdom in mind: Distrust and caution are the parents of security.

  • Novel social engineering attacks soar 135% amid uptake of generative AI: Researchers from Darktrace have seen a 135% increase in novel social engineering attack emails in the first two months of 2023. … The cyber security firm said the email attacks targeted thousands of its customers in January and February 2023, an increase which it said matches the adoption rate of ChatGPT. IT Pro, April 3, 2023
  • Cybercrime: be careful what you tell your chatbot helper…: Most people are aware of the privacy risks posed by search engines such as Google, but experts think chatbots could be even more data-hungry. Their conversational nature can catch people off guard and encourage them to give away more information than they would have entered into a search engine. “The human-like style can be disarming to users,” warns Ali Vaziri, a legal director in the data and privacy team at law firm Lewis Silkin. The Guardian, April 9, 2023

Companies spy on us to be able to sell to us. Is this what we the people want? Save the Date of SecureTheVillage’s webinar exploring the data broker invasion Invasion of the Body & Mind (Data) Snatchers. May 25, 11:00 am – 12:30 pm PT. Registration opens soon.

  • If It’s Advertised to You Online, You Probably Shouldn’t Buy It. Here’s Why: If you saw a Facebook ad recently for Jeremy’s Razors, which bills itself as a “woke-free” razor for men, you may well be a father of school-age children who likes Ultimate Fighting, Hershey’s chocolate, hunting or Johnny Cash. This is according to Facebook’s ad library, which describes the audiences to whom marketers target their advertisements. … Isn’t it time that we considered a future that didn’t involve companies spying on us? The New York Times, April 6, 2023

Section 3 – Cybersecurity News for the Cyber-Concerned.

We have three stories in the national cybersecurity news this week. The Electronic Frontier Foundation is concerned that a new proposed U.N. Cybercrime Treaty will provide cover for autocratic governments to stifle free speech and dissent. The U.S. Government continues to play on the edges of banning potentially dangerous applications like TikTok.

  • Decoding the U.N. Cybercrime Treaty: Negotiations for a proposed U.N. Cybercrime Treaty commenced in 2017 but began to take shape in 2022—and there’s a lot at stake. The draft treaty has the potential to rewrite criminal laws around the world, possibly adding over 30 criminal offenses and new expansive police powers for both domestic and international criminal investigations. … Rather than focusing on core cybercrimes like network intrusion and computing system interference, the draft treaty’s emphasis on content-related crimes could likely result in overly broad and easily abused laws that stifle free expression and association rights of people around the world. Electronic Frontier Foundation, April 7, 2023
  • Biden Administration Weighs Action Against Russian Cybersecurity Firm: President Biden’s Commerce Department is weighing an enforcement action under its online-security rules against Kaspersky Lab, a Russian cybersecurity company that has long faced accusations of posing a threat to the U.S., according to people familiar with the matter. … The action—if it materializes—could become a test case for the Commerce Department’s growing role in policing threats online, according to some of the people, who said the U.S. might deploy the same online-security rules against Chinese-controlled technologies, possibly including TikTok. The Wall Street Journal, April 7, 2023
  • Leaders Say TikTok Is Potential Cybersecurity Risk to U.S.: TikTok is a “potential threat vector” to the United States, said John F. Plumb, assistant secretary of defense for space policy and principal cyber advisor to the secretary of defense. U.S. Department of Defense News, April 6, 2023

Small businesses are on notice that the U.S. Justice Department’s new Civil-Cyber Fraud Initiative will take action against small businesses failing to implement reasonable information security practices.

  • DOJ Cybercrime Watchdog’s First Settlement Signals Crackdown on Small Businesses: The U.S. Justice Department’s new Civil-Cyber Fraud Initiative announced its first settlement last month in a novel action that brought false claims allegations over infosec failures against, notably, a sole proprietor. The case, which resulted in a nearly $300,000 penalty for the Florida-based web hosting company Jelly Bean Communications Design and its one full-time employee, suggests that the federal government’s clampdown on cybersecurity lapses and misdeeds will spare no offenders, irrespective of size. Security Boulevard, April 7, 2023

In the never-ending game of whack-a-cyber-mole, the FBI shuts down one cybercrime marketplace and another surfaces. Meanwhile, the cybercrime industry continues to evolve like other business ecosystems, as criminal organizations contend with fierce competition to claim a bigger stake in this highly lucrative market.

  • FBI Seizes Bot Shop ‘Genesis Market’ Amid Arrests Targeting Operators, Suppliers: Several domain names tied to Genesis Market, a bustling cybercrime store that sold access to passwords and other data stolen from millions of computers infected with malicious software, were seized by the Federal Bureau of Investigation (FBI) today. The domain seizures coincided with more than a hundred arrests in the United States and abroad targeting those who allegedly operated the service, as well as suppliers who continuously fed Genesis Market with freshly-stolen data. Krebs on Security, April 4, 2023
  • Styx Marketplace Provides Hub for Financial Cybercrime: An emerging, illicit marketplace proves that financial cybercrime is still on the rise, with a need for countries to collectively put safeguards in place. DARK Reading, April 6, 2023
  • Unpacking the Structure of Modern Cybercrime Organizations: We examine three differently sized criminal groups to know how they compare to similarly sized legitimate businesses in terms of how they are organized. We also discuss how threat researchers can use their knowledge of the size and structure of a target criminal organization to aid their investigation. … The last 20 years have seen the cyberthreat landscape transform markedly: From an era of cyberattacks with damaging payloads, the cybercrime space has evolved to one where malicious actors have organized themselves into groups, mainly driven by financial gain. … Consequently, organizations now contend with a new breed of cybercriminals fiercely competing among themselves to claim a bigger stake in a highly lucrative market. Given present circumstances, malicious actors have organized themselves in ways that show a remarkable resemblance to legitimate corporations. Our research findings show that as revenues and membership of cybercriminal groups expand, their organizational structure becomes more complex because new tiers in the hierarchy inevitably arise in the process. Trend Business, April 3, 2023

In another illustration of the abject failure to properly build security into our products, researchers at a recent Pwn2Own conference were able to mess with Tesla.

  • Hackers could remotely turn off lights, honk, mess with Tesla’s infotainment system: Thanks to three vulnerabilities chained together, malicious hackers could remotely hack into a Tesla, turn off the lights, honk the horn, open the trunk, activate the windshield wipers and mess with the infotainment system, according to security researchers. … The researchers, who work for security firm Synacktiv, found the vulnerabilities and showcased them at the Pwn2Own conference in Vancouver last week. TechCrunch, March 28, 2023

This week in cybercrime. Continued fallout from Oakland, CA ransomware attack. A new targeted second stage of the 3CX breach.

  • Group behind Oakland, Calif., ransomware posts second, bigger data dump: It’s the second time hackers have leaked data stolen from the city, and now police officers are demanding compensation. … The ransomware gang linked to a February attack on the City of Oakland, California, published a second trove of stolen municipal data this week, releasing about 600 gigabytes of files, potentially exposing sensitive information on thousands of city employees. Statescoop, April 5, 2023
  • 3CX Breach Widens as Cyberattackers Drop Second-Stage Backdoor: The threat actor — believed to be North Korea’s Lazarus Group — that recently compromised 3CX’s VoIP desktop application to distribute information-stealing software to the company’s customers has also dropped a second-stage backdoor on systems belonging to a small number of them. DARK Reading, April 3, 2023
  • SanDisk maker announces ongoing cyberattack after data stolen by hackers: Data storage giant Western Digital said hackers have gained access to its systems and company data in an ongoing cyberattack that began last week. … In a statement released Monday morning, the company said its IT team initially discovered the network security incident on March 26. The hackers have been able to steal data, the statement said, but Western Digital is still determining how much was taken. The Record, April 3, 2023
  • Royal Dutch Football Association says hackers stole employee data: The governing body for soccer in the Netherlands said Tuesday that hackers were able to steal the personal information of its employees during a cyberattack. The Record, April 5, 2023
  • Criminal records office yanks web portal offline amid ‘cyber security incident’: ACRO, the UK’s criminal records office, is combing over a “cyber security incident” that forced it to pull its customer portal offline. … As the name implies, the government agency manages people’s criminal record information, running checks as needed on individuals for any convictions, cautions, or ongoing prosecutions. It doesn’t just work with British police and businesses: it exchanges this data with other countries. The Register, April 6, 2023

Section 4 – Managing Information Security and Privacy in Your Organization.

New research from NIST, the National Institute of Standards and Technology, confirms that in cybersecurity as in life, one catches more flies with honey than vinegar.

  • Is Your Cybersecurity Strategy Falling Victim to These 6 Common Pitfalls?: NIST research reveals misconceptions that can affect security professionals — and offers solutions. … Here’s a pop quiz for cybersecurity pros: Does your security team consider your organization’s employees to be your allies or your enemies? Do they think employees are the weakest link in the security chain? Let’s put that last one more broadly and bluntly: Does your team assume users are clueless? NIST, March 20, 2023

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge