Cybersecurity News of the Week, August 21, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

#CyberSurveillance stories lead the news this week.

  • We’re Suing DHS to Uncover Its Use of Social Media Surveillance Tools: Our FOIA lawsuit is essential to ensure accountability and safeguard against discriminatory and invasive online monitoring by the Department of Homeland Security. … The Brennan Center sued the Department of Homeland Security on Thursday to force the government to hand over records on its use of various social media surveillance tools. The agency has refused to comply with a Freedom of Information Act request seeking documents about products from three companies: ShadowDragon, Logically Inc., and Voyager Labs. Brennan Center for Justice, August 18, 2022
  • LexisNexis illegally collected and sold people’s personal data, lawsuit alleges: Data broker LexisNexis Risk Solutions allegedly violated Illinois law by collecting and combining extensive personal information and selling it to third parties including federal immigration authorities, according to a lawsuit filed Tuesday by immigration advocates. … The result is “a grave threat to civil liberties,” the activists and two immigration advocacy groups argued. The lawsuit asks a Cook County judge to prevent the data broker from selling personal information without consent. CBS News, August 16, 2022
  • British judge rules dissident can sue Saudi Arabia for Pegasus hacking: A British judge has ruled that a case against the kingdom of Saudi Arabia brought by a dissident satirist who was targeted with spyware can proceed, a decision that has been hailed as precedent-setting and one that could allow other hacking victims in Britain to sue foreign governments who order such attacks. The Guardian, August 19, 2022

Election Security Webinar

SecureTheVillage presents a community webinar on election security. September 28, 11:00 am – 12:30 pm PDT Register now!!! Sponsorships available!!!

  • What Every Citizen Needs to Know About Cybersecurity of the 2022 Election: In this community webinar we’ll cover the “election system” – what it is and how it’s intended to work; threats to our election and what we’re doing about them; the extent of local discretion; and how we can all manage the expected deluge of mis/dis-information. … Panelists include Kim Wyman, Senior Election Security Advisor, Cybersecurity and Infrastructure Security Agency (CISA); Kathy Boockvar, Vice President of Election Operations & Support, Center for Internet Security; Adam Powell III, Executive Director, Election Cybersecurity Initiative, USC Annenberg Center on Communication Leadership and Policy, University of Southern California. Dr. Stan Stahl, SecureTheVillage President and founder, will moderate.

Security Nonprofit of the Week … Be A Champion. Support Cybersecurity Awareness Month.

Kudos this week to the National Cybersecurity Alliance, a non-profit organization on a mission to create a more secure, interconnected world. The Alliance is an advocate for the safe use of technology, educating everyone on how we can protect ourselves, our families, and our organizations from cybercrime. They create strong partnerships between governments and corporations to amplify their message and to foster a greater “digital” good, encouraging everyone to do their part to prevent digital wrongdoing of any kind. As they say, the real solution to cybercrime isn’t technology, it’s all of us doing our part. With Cybersecurity Awareness Month coming soon, SecureTheVillage encourages cybersecurity and data care professionals to sign up as a Champion: https://staysafeonline.org/programs/cybersecurity-champion/

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: Join Julie Morris and me as we riff on the metaphor of the “Blind Men and the Elephant” and how it applies to #DataCare, #Cybersecurity, #InformationSecurity, and #Privacy. … It’s #Operations. It’s #IT. It’s #Leadership and #BoardGovernance. It’s #Legal. It’s #Compliance. It’s #InformationRiskManagement. It’s #LawEnforcement. It’s #CybersecurityWorkforce. It’s #Education. It’s #NationalSecurity … Yes. It’s all of these things and more. Another illustration that #ItTakesAVillage.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

#UpdateNow. All three of these updates patch vulnerabilities that are being actively exploited.

  • You Need to Download Apple’s 15.6.1 Updates. Here’s How: Apple released back-to-back updates for iOS and Safari this week, both numbered 15.6.1. The iOS update was released on Wednesday and the Safari update was released Thursday, and both address security vulnerabilities. Apple wrote that it’s aware these vulnerabilities may have been exploited so people should update their iOS and Safari as soon as they can. CNET, August 20, 2022
  • Google Patches Chrome’s Fifth Zero-Day of the Year: Google has patched the fifth actively exploited zero-day vulnerability discovered in Chrome this year as one in a series of fixes included in a stable channel update released Wednesday. Threatpost, August 18, 2022
  • Update: Zoom pushes another Mac update to fix critical security flaw: Before you log into Zoom to start your next video call, you should take a few minutes before you join to update your app. Zoom recently released a security patch for a major hole that could let a hacker take over your whole machine. Macworld, August 18, 2022

#Don’tTrust. #AlwaysVerify. It’s a jungle out there.

  • PayPal Phishing Scam Uses Invoices Sent Via PayPal: Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer. KrebsOnSecurity, August 18, 2022

More bad news for TikTok. If you must use TikTok, be careful what you type. Never type your passwords into TikTok.

This seems to be the week for data breach settlements. Check to see if any of this money might belong to you.

  • Capital One $190 Million Data Breach Settlement: Are You Eligible for a Payment?: Affected customers could collect up to $25,000, according to a preliminary settlement. … Here’s what you need to know about the Capital One data breach settlement, including how to find out if you’re eligible for a payout, how much money you could receive and the deadline for filing a claim. CNET, August 17, 2022
  • Humana, Cotiviti data breach class action settlement: Humana and Cotiviti agreed to a class action settlement to resolve claims they jeopardized consumer data in a 2020 data breach. … The settlement benefits consumers who received notification from Humana that their personal and health information was compromised in a data breach occurring between Oct. 12 and Dec. 16, 2020. Top Class Actions, August 17, 2022
  • Apple’s $14.8 Million iCloud Storage Settlement: Here’s How to Find Out if You’re Owed Money: Apple was accused of not telling iCloud Plus subscribers that it used third-party servers. The settlement received final approval on Aug. 4. … A $14.8 million class-action settlement stemming from accusations that Apple surreptitiously stored iCloud subscribers’ data on third-party servers received final approval in early August. If you paid for an iCloud Plus subscription in 2015 or 2016, you might be owed part of the settlement. CNET, August 18, 2022

Dare we hope that the scourge of auto-warranty robocalls may be at an end? I suggest you not get your hopes too high as it’s likely only a matter of time until another “feature” of our technology will be exploited by the spammers to once again deliver robocalls by the millions.

  • A monumental case looks to crack open the world of auto-warranty robocalls: No sentence in the English language may be more infuriating than the following 12 words: “We have been trying to reach you about your car’s extended warranty.” … If you’ve picked up the phone in response to an unknown caller anytime in the last several years, chances are you’ve encountered this incessant and irritating automated message. But according to state and federal officials, just two men may be responsible for an overwhelming share of the billions of auto-warranty spam calls that have hit US phones. … Now, a new lawsuit in Ohio is trying to cut them off at their source, following a years-long effort across the public and private sectors to turn the tide on the scourge of robocalls once and for all. CNN Business, August 18, 2022

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity and privacy stories to keep you informed.

The week in cybercrime.

  • LockBit claims ransomware attack on security giant Entrust: The LockBit ransomware gang has claimed responsibility for the June cyberattack on digital security giant Entrust. Bleeping Computer, August 18, 2022
  • Mailchimp admits to being hijacked: The email service provider has suffered a security breach, compromising more than 200 accounts including some belonging to cloud and VPN provider DigitalOcean. … Mailchimp said the attack – which apparently occurred earlier this month – targeted its customers in the cryptocurrency industry, forcing it to suspend accounts it suspects of having been hijacked by black-hat hackers, pending further investigation. It claims the action was necessary to protect client data. Cybernews, August 18, 2022
  • Confused cyber criminals have hacked a water company in a bizarre case of mistaken identity: A company which provides 1.6 million people with drinking water says it has been targeted by cyber criminals — who appear to mistakenly believe they’ve tapped into a different water supplier. ZDNet, August 16, 2022

Be careful out there as cybercriminals continue to weaken 2FA/MFA. It’s still necessary but nowhere near sufficient.

  • Hackers are finding ways around multi-factor authentication. Here’s what to watch for: MFA provides a significant barrier against cyber attacks – but isn’t infallible. … Using MFA protects against the vast majority of attempted account takeovers, but recently there’s been a surge in cyber attacks which aim to dodge past multi-factor authentication security. According to Microsoft, in just one campaign 10,000 organisations have been targeted in this way during the last year. ZDNet, August 18, 2022

The FTC is now embroiled in a lawsuit affecting its ability to protect seemingly private health information. Stay tuned as this may be a harbinger of the FTC’s strategy for handling health-related data.

  • FTC is sued after threatening to sue firm allegedly revealing abortion clinic visits: A lawsuit against the agency shows how it might defend health data after the Supreme Court left states free to outlaw abortion. … The Federal Trade Commission is threatening to sue an adtech company it alleges reveals people’s visits to sensitive locations, including women’s reproductive health clinics, according to a lawsuit against the agency filed by Kochava, the adtech company. The Washington Post, August 18, 2022

Apple finds itself in the middle of a security debate over the way iOS handles VPNs. Bottom Line: If, like me, you sometimes use a VPN on your Apple devices, turn on the VPN before opening any applications you want to go through the VPN. If, for example, you want Chrome to use your VPN tunnel, shut Chrome down, turn on and connect your VPN, then re-open Chrome.

  • iPhone VPN app security debate continues, as Apple says it’s fixed, and ProtonVPN says not: A debate about whether iPhone VPN app security is flawed continues today, with Apple insisting it has offered a fix since 2019, while ProtonVPN says that it’s only a partial solution. … The controversy began when a well-known security researcher said that iOS virtual private network (VPN) apps are broken, due to a flaw that he claims Apple has known about for at least two and a half years. This backed a previous report by ProtonVPN. 9to5Mac, August 19, 2022

Google reported this week that it has blocked the largest ever DDoS attack. For those new to information security, “DDoS” stands for “Distributed Denial of Service.” In a DDoS attack, the cybercriminal bombards the target network with service requests, overwhelming its ability to process all the requests. Imagine the impact on your favorite restaurant if 1,000 people all showed up at the same time wanting dinner … or if 1,000,000 people were all trying to make reservations on the restaurant’s web site at the same time. It would be chaos.

Our Nation faces a severe cybersecurity talent shortage. This story shows the shortage — made worse by current DoD policies — may be severely impacting the DoD’s Cyber Command.

  • Cyber Command’s rotation ‘problem’ exacerbates talent shortage amid growing digital threat: U.S. Cyber Command lost yet another seasoned leader earlier this month. … Lt. Gen. Charles “Tuna” Moore, second in command behind Gen. Paul Nakasone, retired after serving roughly five years at Cyber Command. By all accounts, he was an effective, impressive figure, having completed a Harvard Kennedy School cybersecurity program in 2019 and advancing through the ranks to help oversee the military’s primary digital warfare unit at an increasingly critical time for cyber defenses. … But even for a talented military service member in his 50s, working inside a part of the military that White House officials, Pentagon leaders and lawmakers say is dangerously understaffed, longstanding policies and a military staffing system make it nearly impossible to remain. … There is “no seat for him,” sources said, pointing out that Moore is just the latest example in a long line of forced retirements where top generals who aren’t promoted “reach the end of the line.” Cyberscoop, August 18, 2022

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in securing their organizations and protecting privacy.

Another piece in the ongoing dialogue around helping our users stay safe.

  • People Ignore Fear-Based Security Rules: Let’s Protect Them Anyway: Cybersecurity solutions that require everyone to change their behavior just don’t work. Instead, we should work to reduce the harm done to and by those who won’t give up risky behaviors. … Leading cybersecurity efforts for your company, your family, or even yourself can be a thankless task. You offer truly excellent advice, and nobody follows it. No matter how often you clarify the need to create strong, unique passwords, some folks just won’t use a password manager. And you can warn against clicking shady links until you’re blue in the face…but people still click. … Kyle Tobener, VP and head of security at security startup Copado, challenged Black Hat conference attendees to change their thinking. Assume that you can’t prevent the risky behaviors, and work instead on minimizing the negative consequences, he argued.

The Ransomware Task Force at the Institute for Security and Technology (IST) has published its Blueprint for Ransomware Defense: An Action Plan for Ransomware Mitigation, Response, and Recovery for Small- and Medium-sized Enterprises. Download it from IST’s website.

  • Ransomware attacks are hitting small businesses. These are experts’ top defense tips: WASHINGTON — Over recent years, cybercriminals have targeted governments and small businesses alike in massive digital heists — making hundreds of millions of dollars in 2021 alone in exchange for unlocking victims’ systems. As the attacks got more high profile, peaking after Colonial Pipeline’s shutdown last spring led to fuel shortages across the East Coast, the need for solutions became more desperate. … In 2021, U.S. government officials, academics, and members of think-tanks and the private sector formed the Ransomware Task Force. Its latest report was published in early August with the help of the Center for Internet Security. The report is designed to give small and medium-sized businesses a checklist of steps to prepare for, defend against, and recover from ransomware attacks, using data about attacks and what strategies have worked in the past. NPR, August 12, 2022

#UpdateNow: The Cybersecurity and Infrastructure Security Agency (CISA) has added 7 vulnerabilities to its list of known exploited bugs.

  • CISA Adds Seven Known Exploited Vulnerabilities to Catalog: CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates. CISA, August 18, 2022

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.