This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.
Stan’s Corner
In a continuation of last week’s story of National Public Data’s horrific data leak, the news this week is that they negligently stored their own passwords where anyone who cared to look could find them!
And SolarWinds – another cybersecurity poster child – stored the password for accessing its Web Help Desk in the program itself. This is worse than leaving your keys in the car. When you leave your keys in the car, you only hurt yourself. When you leave a default password in your application, you hurt everyone using your application.
We need to make Security by Default the law of the land. It’s not reasonable to expect smaller businesses and nonprofits, families and individuals, to take care of themselves when the technology companies can build security into their products. Why should a person ever have to even think about patching? Why should a person have to enable encryption? Or remove default passwords? The technology companies need to build default security into the products they sell. If it takes regulations to do it, so be it.
And we need Privacy by Default as well. Who gave Google permission to put my house online so cybercriminals can case it, looking for security cameras and other defenses? (See the story in Section 2.) The default needs to be to blur the house.
- National Public Data Published Its Own Passwords: New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.
- Hardcoded Credential Vulnerability Found in SolarWinds Web Help Desk: SolarWinds has issued patches to address a new security flaw in its Web Help Desk (WHD) software that could allow remote unauthenticated users to gain unauthorized access to susceptible instances. … “The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing [a] remote unauthenticated user to access internal functionality and modify data,” the company said in a new advisory released today.
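The two stories above share one root cause: a credential shipped inside the product itself. The following is an added example (not code from the newsletter, SolarWinds, or NPD) that puts the vulnerable pattern beside a hardened one that refuses to start without a deploy-time secret, and adds a small defender-side scanner that flags hard-coded credential assignments in source or configuration text. All names, the `HELPDESK_ADMIN_PASSWORD` variable, and the sample configuration lines are constructed for illustration.

```python
"""Hard-coded credential: vulnerable pattern, hardened pattern, and a scanner.

Added example, not from the newsletter or any vendor. Every identifier and
sample line here is constructed for illustration.
"""
import os
import re
from typing import Optional

# --- Vulnerable pattern: the credential lives in the program itself. ---
# Anyone who can read the repository, the shipped binary, or a packaged config
# file now holds the password for every installation.
HELPDESK_ADMIN_PASSWORD = "Welcome123!"  # constructed example of what NOT to do


def connect_vulnerable() -> dict:
    """Returns connection settings that embed a baked-in, shared password."""
    return {"user": "admin", "password": HELPDESK_ADMIN_PASSWORD}


# --- Hardened pattern: the credential is supplied at deploy time. ---
# Fail closed when it is missing; never fall back to a default value.
class MissingSecret(RuntimeError):
    """Raised when a required secret is absent from the environment."""


def load_secret(name: str, env: Optional[dict] = None) -> str:
    """Reads a secret from the environment (or an injected mapping for tests)."""
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise MissingSecret(f"{name} is not set; refusing to start with a default")
    return value


def connect_hardened(env: Optional[dict] = None) -> dict:
    """Returns connection settings whose password is never stored in code."""
    return {"user": "admin", "password": load_secret("HELPDESK_ADMIN_PASSWORD", env)}


# --- Defender check: scan text for hard-coded credential assignments. ---
# Matches "<key> = '<value>'" / "<key>: '<value>'" where the key ends in a
# credential-like word and the value is a quoted literal of 4+ characters.
CRED_RE = re.compile(
    r'(?i)\b([a-z0-9_.-]*(?:pass(?:word)?|pwd|secret|api[_-]?key|token))'
    r'\s*[:=]\s*["\']([^"\']{4,})["\']'
)
# Values that are clearly placeholders or references, not real secrets.
PLACEHOLDER_RE = re.compile(r'(?i)^(\$\{.*\}|<.*>|changeme|x{3,}|\*+)$')


def find_hardcoded_credentials(text: str) -> list:
    """Returns (line_number, key, value) for each suspected literal credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = CRED_RE.search(line)
        if match and not PLACEHOLDER_RE.match(match.group(2)):
            findings.append((lineno, match.group(1), match.group(2)))
    return findings


# Constructed sample configuration; not taken from any real product.
SAMPLE_CONFIG = """\
# constructed sample, not a real product's config
db.host = "localhost"
db.password = "s3cretPass"
api_key: "example-api-key-0001"
smtp_password = "${SMTP_PASSWORD}"
token = os.environ["TOKEN"]
"""

if __name__ == "__main__":
    for lineno, key, value in find_hardcoded_credentials(SAMPLE_CONFIG):
        print(f"line {lineno}: literal credential in '{key}' (value starts {value[:3]}...)")
    try:
        connect_hardened({})
    except MissingSecret as exc:
        print(f"hardened connector refused to start: {exc}")
```

The scanner is deliberately simple: it catches the "password in the program" pattern that both stories describe, while skipping `${VAR}`-style references and obvious placeholders so that a correctly externalized secret does not trip it. Running it in CI over source and packaged configuration is the cheap, default-on check that Security by Default would make routine.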
From SecureTheVillage
- Upcoming Events
- Cybersecurity is a Forest Fire and All I Have is a Garden Hose. Managing Emerging Threats without Burning Out. Dr. Stahl leads a panel discussion at the AITP-LA meeting. August 29. 6:00 – 9:00PM. Accenture in DTLA
- A Reasonable Approach to Reasonable Security. Save the Date. October 22, 2024. SecureTheVillage’s 5th Annual Reasonable Security Summit.
- Smaller business? Nonprofit? Take your security to the next level. Apply Now! If you’re a small business or nonprofit in the greater Los Angeles area, apply NOW for LA Cybersecure. Protect your organization with our innovative team-based learn-by-doing program with coaching and guidance that costs less than two cups of coffee a week.
- IT Service Provider / MSP? Take your client’s security to the next level. Apply Now! If you’re an IT service provider in the greater Los Angeles area, apply NOW for LA Cybersecure. With our innovative team-based learn-by-doing program, you’ll have both that “seat at the table” and the peace of mind that you’re providing your clients with the IT security management they need. … The LA Cybersecure Program is funded in part by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.
- Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription!
- How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basic controls and download our free updated 13-step guide.
- Please Support SecureTheVillage: We need your help if we’re to build a world of CyberGuardians™. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village.™
Cybersecurity Nonprofit of the Week … The Institute for Security and Technology.
Kudos this week to The Institute for Security and Technology and their Ransomware Task Force (RTF). The Task Force aims to equip businesses, organizations, and governments of all sizes to prepare for ransomware attacks, effectively respond, and quickly recover. The Task Force has published the Cyber Incident Reporting Framework and the Blueprint for Ransomware Defense representing a set of foundational and actionable safeguards derived from the Center for Internet Security’s Critical Security Controls. Like SecureTheVillage, the Institute is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits.
Cyber Humor
Section 2: Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.
Two stories this week demonstrate the importance of always being suspicious. Don’t trust. Verify.
- Don’t trust Google for customer service numbers. It might be a scam: Google keeps highlighting impostors when you’re looking for banks, airlines or local businesses — and the toll can be devastating. … Scams just keep popping up when you Google. … On Monday, I found what appeared to be impostors of customer service for Delta and Coinbase, the cryptocurrency company, in the “People also ask” section high up in Google. … This fits a persistent pattern of bad guys finding ways to trick Google into showing scammers’ numbers for airlines, hotels, local repair companies, banks or other businesses. … The toll can be devastating when people are duped by these bogus business numbers. Fortune recently reported on a man who called what a Google listing said was Coinbase customer support, and instead it was an impostor who Fortune said tricked the man and stole $100,000.
- Cybercriminals Exploit Popular Software Searches to Spread FakeBat Malware: Cybersecurity researchers have uncovered a surge in malware infections stemming from malvertising campaigns distributing a loader called FakeBat. … “These attacks are opportunistic in nature, targeting users seeking popular business software,” the Mandiant Managed Defense team said in a technical report.
A new danger. And an easy fix. Blur your home on Google Maps.
- People are now blurring their homes on Google Maps to deter potential burglars: RIVERSIDE, Calif. (KABC) — With burglaries, break-ins and home invasion robberies on the rise in Southern California, experts say there is yet another tool at homeowners’ disposal to protect property. … Some residents are now “blurring” out their homes in the street-view function on Google Maps. … “I’ve never even heard of that, and I think it’s a great idea,” said Ofc. Ryan Railsback with the Riverside Police Department. “Criminals are coming up with new and innovative ways to do their job, so we need to be up on how to do ours.”
Elder fraud continues to grow. Please warn your family and friends.
- Map Shows States Where Elder Fraud is On The Rise: Elder fraud is on the rise in several U.S. states, a recent report has found, with the average amount of money stolen last year through scams of Americans over 60 totaling more than $36,000. … According to All About Cookies – an organization that aims to educate on online privacy and digital security – this was an increase of three percent. The 10 states that saw the largest increase in elder fraud between 2022 and 2023 were Arizona, Utah, Rhode Island, Kansas, North Carolina, Texas, Washington, Oregon, Mississippi, and Oklahoma. … “One thing we noticed when evaluating that report is that scammers seem to be getting better at picking out the most valuable targets. For identity theft, that means devoting scam efforts to cities in states where people make more money than the rest of the country on average and pulling away from cities in lower-income states,” Josh Koebert, researcher and study author at All About Cookies, told Newsweek.
Section 3: Cybersecurity and Privacy News for the Cyber-Concerned.
With fewer than 80 days to the next election, America’s enemies are hard at work.
- Iran Is to Blame for Hacking Into Trump’s Campaign, Intelligence Officials Say: American intelligence agencies said on Monday that Iran was responsible for hacking into former President Donald J. Trump’s campaign and trying to breach the Biden-Harris campaign. … “Iran seeks to stoke discord and undermine confidence in our democratic institutions,” intelligence officials wrote in a joint statement from the F.B.I., the Office of the Director of National Intelligence and the Cybersecurity and Infrastructure Security Agency.
- Meta takes down more accounts tied to Iranian hackers targeting the U.S. election: Meta says Iranian-linked hackers posed as tech support on the WhatsApp messaging app to target people affiliated with the administrations of President Joe Biden and former President Donald Trump, in the latest evidence of Iran’s attempts to influence the 2024 presidential election. … The parent company of Facebook, Instagram and WhatsApp said on Friday it has blocked a small cluster of WhatsApp accounts linked to a group of hackers affiliated with Iran’s Islamic Revolutionary Guard Corps. The same group has also attempted email phishing attacks targeting people connected with Trump, Biden, and Vice President Kamala Harris, Microsoft and Google have said in recent weeks.
Meanwhile North Korea continues to attack our cyber-world.
- Windows 0-day was exploited by North Korea to install advanced rootkit: A Windows zero-day vulnerability recently patched by Microsoft was exploited by hackers working on behalf of the North Korean government so they could install custom malware that’s exceptionally stealthy and advanced, researchers reported Monday. … “The vulnerability allowed attackers to bypass normal security restrictions and access sensitive system areas that most users and administrators can’t reach,” Gen researchers reported. “This type of attack is both sophisticated and resourceful, potentially costing several hundred thousand dollars on the black market. This is concerning because it targets individuals in sensitive fields, such as those working in cryptocurrency engineering or aerospace to get access to their employer’s networks and steal cryptocurrencies to fund attackers’ operations.”
Arresting one Russian cybercriminal is like killing one cockroach. How many are still out there?
- Russian laundering millions for Lazarus hackers arrested in Argentina: The federal police in Argentina (PFA) have arrested a 29-year-old Russian national in Buenos Aires on charges of money laundering related to cryptocurrency proceeds belonging to the North Korean Lazarus hackers. … The San Isidro Specialized Fiscal Unit in Cybercrime Investigations (UFEIC) collaborated with blockchain analysis firm TRM Labs to identify and locate the individual despite his use of a complex network of transactions spanning multiple blockchains to obfuscate the source of the assets. … The man accepted large amounts of stolen cryptocurrency from multiple actors, including the Lazarus group, distributors of child abuse content, and financiers of terrorism. The suspect laundered the funds through crypto exchanges and tumblers, and then converted the assets into fiat money.
Meanwhile, the SEC and DOJ have been active taking on organizations that fail to implement reasonable security.
- Financial firm fined $850k for violating SEC cyber rules: A financial services firm has agreed to pay a $850,000 penalty over charges from the Securities and Exchange Commission over the mishandling of two cybersecurity incidents. … The SEC said in a statement that it had charged Equiniti Trust Company with failing to secure customer assets after more than $6.6 million was stolen in two separate cyberattacks in 2022 and 2023.
- DOJ sues Georgia Tech over allegedly failing to meet cyber requirements for DOD contracts: The Justice Department is suing the Georgia Institute of Technology and an affiliate company, claiming they failed to meet the cybersecurity standards required for obtaining Pentagon contracts. … The U.S. government had earlier joined a whistleblower suit brought by current and former members of Georgia Tech’s cybersecurity team and on Thursday the DOJ filed an additional motion to sue on behalf of the Defense Department, the Air Force and the Defense Advanced Research Projects Agency. … In advancing the suit, the DOJ makes use of the False Claims Act — a Civil War-era law aimed at combatting shady contractors — which has been used for cyber cases since 2022 under its Civil Cyber-Fraud Initiative.
In a complete change of pace, here’s a story by MIT on saving our past as we leap into the future.
- The race to save our online lives from a digital dark age: We’re making more data than ever. What can—and should—we save for future generations? And will they be able to understand it? … There is a photo of my daughter that I love. She is sitting, smiling, in our old back garden, chubby hands grabbing at the cool grass. It was taken in 2013, when she was almost one, on an aging Samsung digital camera. I originally stored it on a laptop before transferring it to a chunky external hard drive. … A few years later, I uploaded it to Google Photos. When I search for the word “grass,” Google’s algorithm pulls it up. It always makes me smile. … I pay Google £1.79 a month to keep my memories safe. That’s a lot of trust I’m putting in a company that’s existed for only 26 years. But the hassle it removes seems worth it. There’s just so much stuff nowadays. The admin required to keep it updated and stored safely is just too onerous. … One day in the maybe-not-so-distant future, YouTube won’t exist and its videos may be lost forever. Facebook—and your uncle’s holiday posts—will vanish. There is precedent for this. MySpace, the first largish-scale social network, deleted every photo, video, and audio file uploaded to it before 2016, seemingly inadvertently. Entire tranches of Usenet newsgroups, home to some of the internet’s earliest conversations, have gone offline forever and vanished from history. And in June this year, more than 20 years of music journalism disappeared when the MTV News archives were taken offline. … For many archivists, alarm bells are ringing.
This week in cybercrime. A sad story of a failed bank and lives destroyed.
- Cryptocurrency ‘pig butchering’ scam wrecks Kansas bank, sends ex-CEO to prison for 24 years: The former CEO of a small Kansas bank was sentenced to more than 24 years in prison for looting the bank of $47 million — which he sent to cryptocurrency wallets controlled by scammers who had duped him in a “pig butchering” scheme that appealed to his greed, federal prosecutors said. … The massive embezzlement by then-CEO Shan Hanes in a series of wire transfers over just eight weeks last year led to the collapse and FDIC takeover of Heartland Tri-State Bank in Elkhart, one of only five U.S. banks that failed in 2023. … Hanes, 53, also swindled funds from a local church and investment club — and a daughter’s college savings account — to transfer money, purportedly to buy cryptocurrency as the scammers insisted they needed more funds to unlock the supposed returns on his investments, according to records from U.S. District Court in Wichita, Kansas.
- Halliburton shuts down systems after cyberattack: Oil drilling and fracking giant Halliburton said it has shut down some of its internal systems following a cyberattack earlier this week. … In a brief statement filed with government regulators on Thursday, Halliburton said it became aware of unauthorized access to its systems on Wednesday and responded by “proactively taking certain systems offline.” The company said it is “working to identify any effects of the incident.”
- Connecticut-based nonprofit pays $1 million ransom after cyberattack: A Connecticut-based nonprofit has paid $1 million in ransom after a cyberattack that happened in mid-May. … The National Association for Amateur Radio (ARRL) said their system’s network was compromised by threat actors who used information they purchased on the dark web on May 15. … ARRL called the incident a “highly coordinated and executed attack” and “an act of organized crime.” The FBI categorized the attack as “unique,” the nonprofit says, because of the sophistication of the cyberattack.
- Progress made to restore Flint services after cyber attack: Flint, MI — Officials are still working to restore city services after a cyber attack this month. … Flint City Administrator Clyde Edwards issued a statement saying there has been some progress restoring internal processes. … Flint officials discovered City Hall had been compromised sometime in the early hours of August 14, saying there was “an internal network and internet outage caused by a criminal ransomware attack.” At that time the FBI and Michigan’s Attorney General’s Office were involved in the investigation. … In addition to billing systems being impacted, Flint City Council committee meetings were canceled on August 21 and phone systems were not operational. Emergency services, including Genesee County 9-1-1, Flint Police and Fire Departments, were not impacted. … There is still no clear date for full restoration, but city officials did urge residents to protect their information as staff work to find out if resident information was leaked.
- Columbus officials warn victims, witnesses after ransomware leak of prosecutor files: City leaders in Columbus warned victims and witnesses of crimes to stay alert about potential threats after a ransomware gang published information stolen from the local prosecutors office on the dark web. … During a press conference on Saturday, Columbus Mayor Andrew Ginther and City Attorney Zach Klein confirmed that the data of city residents, customers and employees was exposed by ransomware hackers. They noted the particular danger facing people who may have information in files stolen from the prosecutor’s database. … Klein said that while some of the information leaked is publicly available, he acknowledged that there are “probably people that are out there that are maybe trying to escape an abuser, that are trying to escape a situation that could be violent for them.”
- Crypto Whale Loses $55 Million In Massive Hack: In a massive security breach, a crypto whale has reportedly lost $55.47 million in DAI due to a sophisticated phishing attack. The incident, detailed by blockchain analytics firm Lookonchain and cyber security firm Certik, involves the unauthorized transfer of ownership of a Maker vault containing substantial DAI holdings to a malicious entity.
Section 4: Securing the Technology.
As the world moves to quantum, it’s the smaller organizations that will be left behind.
- Breakthrough quantum algorithm can break advanced data encryption: The widely-used RSA encryption system relies on the difficulty of factoring extremely large numbers, a task that classical computers cannot accomplish in a reasonable timeframe. … Researchers at MIT have achieved a breakthrough in quantum computing. … They have developed a novel algorithm that can enable quantum machines to quickly break the encryption methods that currently protect our digital world. … It also underscores the critical importance of developing new, quantum-resistant encryption methods as quantum factoring is a process capable of rendering widely-used encryption systems like RSA ineffective.
- CISOs urged to prepare now for post-quantum cryptography: Three NIST-approved encryption algorithms set the stage for establishing PQC strategies, which — despite quantum computing’s infancy — CISOs should begin launching given the attack techniques and challenges involved. … After eight years of review and development, the US National Institute of Standards and Technology (NIST) has chosen three encryption algorithms as the basis for its post-quantum cryptography (PQC). … The three new algorithms collectively cover general encryption — used to protect information exchanged across a public network — and digital signatures.