Cybersecurity News of the Week, August 14, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

Our lead story this week is a follow-up to last week’s story about correctable – but not yet corrected – critical flaws in our 911 system. These flaws were corrected by the manufacturer in 2019 but, according to Brian Kreb’s story, there are still lots of 911 systems that have not updated their equipment. Since the nation’s 911 systems are connected to each other, this creates a system risk where an attack on a vulnerable 911 system anywhere in the country could seriously impact the availability of 911 service in Los Angeles (or wherever you’re reading this from). As readers know, I’m no chicken little, but this is incredibly serious.

  • Sounding the Alarm on Emergency Alert System Flaws: The Department of Homeland Security (DHS) is urging states and localities to beef up security around proprietary devices that connect to the Emergency Alert System — a national public warning system used to deliver important emergency information, such as severe weather and AMBER alerts. The DHS warning came in advance of a workshop to be held this weekend at the DEFCON security conference in Las Vegas, where a security researcher is slated to demonstrate multiple weaknesses in the nationwide alert system. KrebsOnSecurity, August 12, 2022

The FTC is considering writing new regulations on commercial surveillance and is asking the public for input. Here’s your chance to tell the FTC how you feel about all the data big tech collects and what you think needs to be done.

  • FTC weighs sweeping new rules on ‘commercial surveillance’ and Big Data: Washington (CNN Business)The Federal Trade Commission is considering whether to write sweeping new regulations that could restrict how businesses collect and use consumer data, hinting at a possible crackdown on commercial algorithms and a sprawling economy powered by the personal information of millions of Americans. … On Thursday, the FTC announced it is accepting public input on whether to draft new data privacy rules, a prelude to a possible rulemaking action. CNN, August 11, 2022

Election Security Webinar

SecureTheVillage presents community webinar on election security. September 28, 11:00 am – 12:30 pm PDT Register now!!! Sponsorships available

  • What Every Citizen Needs to Know About Cybersecurity of the 2022 Election: In this community webinar we’ll cover the “election system” – what it is and how it’s intended to work; threats to our election and what we’re doing about them; the extent of local discretion; and how we can all manage the expected deluge of mis/dis-information. … Panelists include Kim Wyman, Senior Election Security Advisor, Cybersecurity and Infrastructure Security Agency (CISA); Kathy Bookvar, Vice President of Election Operations & Support, Center for Internet Security;  Adam Powell III, Executive Director, Election Cybersecurity Initiative, USC Annenberg Center on Communication Leadership and Policy, University of Southern California. Dr. Stan Stahl, SecureTheVillage President and founder will moderate.

Cyber Humor

Security Nonprofit of the Week 

Our kudos this week to the Cybercrime Support Network, a nonprofit that helps individuals and small businesses impacted by cybercrime. As a leading voice for cybercrime victims, Cybercrime Support Network is dedicated to serving those affected by the ever growing impact of cybercrime before, during, and after. Founded in 2017, Cybercrime Support Network (CSN) connects victims to resources, increases cybercrime and online fraud reporting, and decreases revictimization. Since November 2018, CSN has provided help to over 1,000,000 individuals and small businesses via and Kudos to the Cybercrime Support Network for all they do to keep us safe and secure.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: Julie and I riff on this week’s privacy story of a woman and her daughter arrested in Nebraska on evidence provided by Facebook under court order.  Listen as Julie and I discuss the privacy challenges represented by this arrest and how it’s a driver to increased interest that ordinary people are showing in data care. See also the stories below for the fall-out we’re already seeing from the use of Facebook data in the arrest.

Roe v Wade: Critical Implications for Our Personal Privacy

Our recent community webinar on the privacy implications of Roe V Wade is now available for viewing on the SecureTheVillage website. In addition to the webinar, we include numerous privacy recommendations.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

A woman and her daughter have been arrested in Nebraska on evidence provided by Facebook under court order. As shown by Facebook’s response, the arrest is adding to people’s concerns about privacy and pushing the technology companies to provide higher levels of privacy … except of course for all the information they collect about us that they use to sell us to their advertisers.

  • This Is the Data Facebook Gave Police to Prosecute a Teenager for Abortion: Motherboard has obtained court documents that show Facebook gave police a teenager’s private chats about her abortion. Cops then used those chats to seize her phone and computer. … A 17-year-old girl and her mother have been charged with a series of felonies and misdemeanors after an apparent medication abortion at home in Nebraska. The state’s case relies on evidence from the teenager’s private Facebook messages, obtained directly from Facebook by court order, which show the mother and daughter allegedly bought medication to induce abortion online, and then disposed of the body of the fetus. Motherboard, August 9, 2022
  • Online privacy in a post-Roe world: The case of a Nebraska woman charged with helping her teenage daughter end her pregnancy after investigators obtained Facebook messages between the two has raised fresh concerns about data privacy in the post-Roe world. Los Angeles, Times, August 11, 2022
  • Facebook rolls out new privacy test for messages after facing backlash for handing over chats to Nebraska police of girl accused of having an illegal abortion: Facebook announced Thursday that it would test end-to-end encryption as the default setting in Messenger. … This comes after Facebook faced backlash for turning over chats to Nebraska cops investigating an alleged illegal abortion. … End-to-end encryption is a way to securely communicate so that Facebook can no longer see people’s messages. Insider, August 11, 2022

For things you can do to better protect your privacy, see the privacy recommendations on our recent Privacy Implications of Roe V Wade community webinar.

Data Care means both managing your privacy and managing your security. The next two stories are on the security-side of data care. It’s time for your monthly Windows update. Check your computers and confirm it’s been done. Also remember to check our Weekend Patch and Update Report for available updates for other common programs. If you’re reading this on email, the Report is at the bottom, after the news. It’s also available on LinkedIn, Twitter, and our website.

  • Microsoft Patch Tuesday, August 2022 Edition: Microsoft today released updates to fix a record 141 security vulnerabilities in its Windows operating systems and related software. Once again, Microsoft is patching a zero-day vulnerability in the Microsoft Support Diagnostics Tool (MSDT), a service built into Windows. Redmond also addressed multiple flaws in Exchange Server — including one that was disclosed publicly prior to today — and it is urging organizations that use Exchange for email to update as soon as possible and to enable additional protections. KrebsOnSecurity, August 9, 2022

And always always always always always be careful of those emails, texts, and voicemails. Are they real? Don’t Trust. Always Verify.

  • I’m a security reporter and got fooled by a blatant phish: Think you’re too smart to be fooled by a phisher? Think again. … There has been a recent flurry of phishing attacks so surgically precise and well-executed that they’ve managed to fool some of the most aware people working in the cybersecurity industry. On Monday, Tuesday, and Wednesday, two-factor authentication provider Twilio, content delivery network Cloudflare, and network equipment maker Cisco said phishers in possession of phone numbers belonging to employees and employee family members had tricked their employees into revealing their credentials. The phishers gained access to internal systems of Twilio and Cisco. Cloudflare’s hardware-based 2FA keys prevented the phishers from accessing its systems. Ars technica, August 11, 2022

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity and privacy stories to keep you informed.

Key patient services of the UK NHS (National Health Service) are unavailable as a key vendor is hit with a serious ransomware attack. Services in Northern Ireland are also unavailable as NI has disconnected the vendor from its health system as a precaution.

  • NHS ransomware attack: what happened and how bad is it?: A ransomware attack on a software supplier has hit the NHS across the UK and there are fears that patient data may have been the target. … Advanced, the UK company hit by the attack last week, said it was working with government agencies, including the National Cyber Security Centre and the Information Commissioner’s Office, in the aftermath of the incident. … Details such as the identity of the attacker(s) and the scale of the damage have yet to emerge, but here is a guide to what we know so far and how ransomware gangs operate. The Guardian, August 11, 2022
  • Fears for patient data after ransomware attack on NHS software supplier: Attack being investigated for potential data theft as experts warn criminals could use stolen details as leverage. … Patient data could have been stolen in a cyber-attack on an NHS software supplier, experts have warned, as an internal memo reveals the incident has badly disrupted the functioning of several key health services. … Areas of the health service affected include the 111 telephone advice service, GP surgeries and some specialist mental health trusts. The Guardian, August 11, 2022
  • Cyber-attack targets IT firm used by Northern Ireland’s health service: NI health officials have shut down the health system’s access to an IT company’s services after the firm was affected by a cyber-attack. … The Department of Health said “contingency measures” are in place after the ransomware attack on Advanced. … The firm provides digital services like patient check-in. BBC News, August 11, 2022

Be careful out there. This week’s breaches and breach attempts include several technology and cybersecurity companies. A reminder that no one is immune.

  • Ransomware Attack Costs Hanes brands $100 Million in Lost Sales: The attack prevented the apparel company from fulfilling orders during a three-week period in Q2. … It’s clear ransomware attacks can force victims to pay up, but they can also crater a company’s earnings potential. Case in point: apparel maker Hanesbrands estimates it lost $100 million in sales last quarter after suffering a ransomware attack. … Hanesbrands originally reported the attack in late May. But on Thursday, the company revealed in an earnings statement(Opens in a new window) that the incident prevented it from fulfilling product orders for three weeks during Q2. This derailed its ability to purchase new supplies, ship orders, and process payments for brands including Hanes, Champion, and Playtex. PC Magazine, August, 12, 2022
  • Twilio: 125 customers affected by data breach, no passwords stolen: Cloud communications giant Twilio, the owner of the highly popular two-factor authentication (2FA) provider Authy, says that it has so far identified 125 customers who had their data accessed during a security breach discovered last week. … The company added the attackers behind this incident weren’t able to gain access to the affected clients’ authentication information. Bleeping Computer, August 12, 2022
  • Cisco Confirms Network Breach Via Hacked Employee Google Account: Networking giant says attackers gained initial access to an employee’s VPN client via a compromised Google account. … Cisco Systems revealed details of a May hack by the Yanluowang ransomware group that leveraged a compromised employee’s Google account. … The networking giant is calling the attack a “potential compromise” in a Wednesday post by the company’s own Cisco Talos threat research arm. Threatpost, August 11, 2022
  • Twitter admits breach that exposed phone numbers, email addresses: Twitter said Friday that a security flaw in its system allowed a hacker to collect the phone number and email address information associated with some user accounts. … Twitter said the security flaw was on its system for six months before it was discovered in January 2022, potentially exposing the information tied to pseudonymous accounts — some of which may have belonged to whistleblowers, human rights activists and other dissidents. … The flaw in Twitter’s systems allowed hackers with access to submit an email address or phone number and see if it was associated with an existing account. … Twitter patched the flaw in January, but Friday’s announcement acknowledges that at least one hacker took advantage of the flaw before then. Axios, August, 5, 2022
  • Automotive supplier breached by 3 ransomware gangs in 2 weeks: An automotive supplier had its systems breached and files encrypted by three different ransomware gangs over two weeks in May, two of the attacks happening within just two hours. … The attacks followed an initial breach of the company’s systems by a likely initial access broker (IAB) in December 2021, who exploited a firewall misconfiguration to breach the domain controller server using a Remote Desktop Protocol (RDP) connection. Bleeping Computer, August 10, 2022
  • Cloudflare Foils SMS Phishing Attack With Security Keys: Cloudflare is warning the culprits have targeted multiple companies, including Twillo, which reported a breach from the SMS phishing scheme. … Internet infrastructure provider Cloudflare says it stopped a phishing scheme from compromising the company’s network, thanks to the hardware-based security keys it issued to all employees.  According to Cloudflare, the attempted hack was likely part of the same SMS phishing scheme that breached Twilio, which the company publicly disclosed(Opens in a new window) on Monday. PC Magazine, August, 9, 2022

On the positive side several leading technology companies have formed an alliance to cooperate on a common framework for cyber-alerts. The result will be increased security for all of us as these companies will be better able to electronically share cybersecurity data. Think of it like Electronic Health Records that lets all doctors use the same codes for the same situations. This lets everyone know what everyone’s finding. It will take some time for this system to get up and running but it has the opportunity to make an enormous difference in the country’s cyber-preparedness.

  • Tech, Cyber Companies Launch Security Standard to Monitor Hacking Attempts: Amazon’s AWS, Splunk, IBM and others cooperate on format for cyber alerts. … A group of 18 tech and cyber companies said Wednesday they are building a common data standard for sharing cybersecurity information. They aim to fix a problem for corporate security chiefs who say that cyber products often don’t integrate, making it hard to fully assess hacking threats. … Amazon. com Inc.’s AWS cloud business, cybersecurity company Splunk Inc. and International Business Machines Corp.’s security unit, among others, launched the Open Cybersecurity Schema Framework, or OCSF, Wednesday at the Black Hat USA cybersecurity conference in Las Vegas. … Products and services that support the OCSF specifications would be able to collate and standardize alerts from different cyber monitoring tools, network loggers and other software, to simplify and speed up the interpretation of that data, said Patrick Coughlin, Splunk’s group vice president of the security market. “Folks expect us to figure this out. They’re saying, ‘We’re tired of complaining about the same challenges.’” … Other companies involved in the initiative are CrowdStrike Holdings Inc., Rapid7 Inc., Palo Alto Networks Inc., Cloudflare Inc., DTEX Systems Inc., IronNet Inc., JupiterOne Inc., Okta Inc., Salesforce Inc., Securonix Inc., Sumo Logic Inc., Tanium Inc., Zscaler Inc. and Trend Micro Inc. WSJ Pro Cybersecurity, August 10, 2022

The government continues its work, both warning organizations of new attacks by the Zeppelin ransomware gang and offering large rewards to those who help bring down the Russian Conti gang.

  • FBI, CISA warn over ransomware gang that can make million dollar demands: Zeppelin is a well organized ransomware actor that spends two weeks mapping a network – before infecting it with multiple instances of malware. … The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released details of the tactics of a ransomware group called Zeppelin which has been targeting large organizations in the US and Europe with huge ransom demands. ZD Net, August 12, 2022
  • U.S. Government Offers $10 Million Reward for Information on Conti Ransomware Gang: The U.S. State Department on Thursday announced a $10 million reward for information related to five individuals associated with the Conti ransomware group. … The reward offer is also notable for the fact that it marks the first time the face of a Conti associate, known as “Target,” has been unmasked. The four other alleged members have been referred to as “Tramp,” “Dandis,” “Professor,” and “Reshaev.” The Hacker News, August, 12, 2022

Meanwhile the insurance markets continue their struggle to close the cyber-insurance gap. The answer, as we’ve often pointed out lies in organizations improving the quality of their information security management programs. See, for example, the SecureTheVillage Information Security Management ResourceKit.

  • Higher risks and premiums are creating critical gap in cyber insurance: Most organizations don’t have the financial resources necessary to address ransomware and other cyberattacks, BlackBerry says. … Black Hat Many organizations are increasingly unprepared to deal with the skyrocketing costs of a ransomware attacks, at a time when the number of incidents and the payments demanded by cybercriminals are rising rapidly. The Register, August 11, 2022

If you’re a cybercriminal. It appears you have several new dark web marketplaces on which to buy and sell everything from drugs and hitmen to illegitimate computer access.

  • New dark web markets claim association with criminal cartels: Several new marketplaces have appeared on the dark web, claiming to be the dedicated online portals for notorious criminal cartels from Mexico. … Those markets offer drugs and hitman services just like they would in the real world and attempt to add legitimacy to their listed goods by alleging to be backed by “experienced” actors in their respective fields. … The emergence of these markets was spotted by DarkOwl analysts, who identified a trend, shifting from large markets that drew law enforcement attention to smaller, less publicized sites. Bleeping Computer, August 10, 2022

If you’re not yet familiar with the concept of “bug bounties,” this story is for you.

  • Starlink Got Hacked And SpaceX’s Response Was Incredible: Who would have thought that all it would take to hack Starlink, SpaceX’s worldwide internet service, would be a $25 modchip? Lennert Wouters, a security researcher from Belgium, was able to hack into Starlink’s network as well as its communication links and explore the entire system freely. While that sounds pretty scary, he didn’t do it maliciously. Before he ever talked about the hack in public, he made sure to report it to Starlink in full, and SpaceX’s response to the hack was nothing short of incredible. Slash Gear, August 12, 2022

And, last but not least, here’s the latest in our ongoing coverage of the challenge governments are facing following exposure of their surveillance practices.

  • A Greek Scandal Reverberates as Eavesdropping Expands in Europe: Revelations that the cellphone of a top opposition politician was tapped have shaken the government and stoked concerns over just how widespread such surveillance is. … In a tense and highly confidential meeting in the senate chamber of the Greek Parliament, the prime minister’s smooth, handpicked spy chief politely evaded the questions of opposition lawmakers. They were demanding to know if he had surveilled a rival politician and a financial journalist investigating powerful business interests close to the prime minister. … But the inquiries mostly went nowhere. The New York Times, August 12, 2022

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in securing their organizations and protecting  privacy.

This one’s a bit technical but good reading for the CISO, CIO, CTO crowd.

  • The Truth About False Positives in Security:  As weird as it might sound, seeing a few false positives reported by a security scanner is probably a good sign and certainly better than seeing none. Let’s explain why. The Hacker News, August 9, 2022

This one also is for the techies. CISA’s US-CERT current activity page needs to be reviewed every week.

  • US-CERT Current Activity Page: The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT. CISA.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge