Cybersecurity News of the Week, August 28, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

Our top stories this week surround the Twitter whistleblower disclosure that surfaced a few days ago. The disclosure, filed by former Twitter head of security Peiter “Mudge” Zatko, alleged that Twitter executives have misled regulators and even the company’s own board about its shortcomings. Mudge asserts that when it came to security issues, “deliberate ignorance” was the norm. Mudge’s story is important for at least three reasons.

First, if Twitter’s information security controls are as weak as Mudge claims, then what does that mean for Twitter’s ability to manage the fake computer programs (spam bots) which spew out mis- and dis-information? This is vital as we approach the 2022 mid-terms.

Second is what the Twitter allegations might say about the general state of America’s information security defenses. In discussions I’ve had with many information security professionals, from government, large companies, and smaller ones, there’s a general sense that a lack of concern and “deliberate ignorance” is all too frequently the norm for executives and boards. The general consensus is that we are far too reactive, seeking to lock the barn door only after the horse has been stolen … and then only locking the door through which the horse was stolen, leaving the others still unlocked.

And third is the question of whether Mudge was right to file a whistleblower complaint. When security researchers (white-hat hackers) find a vulnerability in a computer program the norm (developed in part by Mudge) is to privately notify the company so they can fix it and issue an upgrade. (Our free Weekend Patch and Update Report lists the weekly updates for common programs). If, after a reasonable amount of time, a company hasn’t issued an update, the norm is to go public, both to warn users of the vulnerability and to increase the pressure on the company to update their program. Mudge says he was acting in the same manner after his repeated attempts to work from the inside at Twitter went nowhere.

  • Former security chief claims Twitter buried ‘egregious deficiencies’: In an explosive whistleblower complaint obtained by The Washington Post, former Twitter security chief Peiter ‘Mudge’ Zatko alleges the company misled regulators about lax security and spam. The Washington Post, August 23, 2022
  • Twitter’s Ex-Security Head Files Whistleblower Complaint on Spam, Privacy Issues: Former executive Peiter Zatko makes sweeping claims about the social-networking platform. Wall Street Journal, August 23, 2022
  • The Twitter whistleblower needs you to trust him: In Nov. 2020, Zatko, the hacker known as “Mudge,” was hired as Twitter’s security lead, with a global remit to fix gaping vulnerabilities in one of the world’s most important communications platforms. But 14 months later, he was fired. Six months after that, he filed a sweeping whistle-blower complaint that paints a damning portrait of a company in crisis. Time, August 25, 2022
  • How Twitter has been shaken by a whistleblower’s allegations: In the days since it was first reported that former Twitter head of security Peiter “Mudge” Zatko had filed an explosive whistleblower disclosure, the company has had to confront renewed scrutiny from lawmakers, a dip in its stock price and added uncertainty in its high-stakes legal battle with billionaire Elon Musk. CNN Business, August 27, 2022

Election Security Webinar

Our democracy depends on getting the mid-term elections right. This means — first and foremost — getting cybersecurity right. … Find out what’s really going on from three of the nation’s leading experts in election cybersecurity as SecureTheVillage presents a community webinar on election security. September 28, 11:00 am – 12:30 pm PDT Register now!!! Sponsorships available!!!

  • What Every Citizen Needs to Know: 2022 Election Cybersecurity: Our democracy depends on getting the mid-term elections right. This means — first and foremost — getting cybersecurity right … Everything from protecting sensitive voter identities, registered voter lists, and voting machines; coming to grips with social media; and ensuring confidence in the outcomes. … Find out what’s really going on from three of the nation’s leading experts in election cybersecurity. How vulnerable are our election systems? How is cybersecurity managed in the 50 states? How do we navigate the coming flood of both mis-information and dis-information? How much confidence can we have in the outcome? Panelists include Kim Wyman, Senior Election Security Advisor, Cybersecurity and Infrastructure Security Agency (CISA); Kathy Boockvar, Vice President of Election Operations & Support, Center for Internet Security; Adam Powell III, Executive Director, Election Cybersecurity Initiative, USC Annenberg Center on Communication Leadership and Policy, University of Southern California. Dr. Stan Stahl, SecureTheVillage President and founder, will moderate.

Two election stories this week illustrate some of the election challenges the Nation faces. We’ll be discussing these and other challenges with our expert panel.

  • CISA, Election Partners Hold Annual Exercise to Test Election Security: The Cybersecurity and Infrastructure Security Agency (CISA), along with the U.S. Election Assistance Commission, National Association of Secretaries of State (NASS), and the National Association of State Election Directors (NASED), held an annual election security exercise last week to test Election Day plans. … The fifth annual Tabletop the Vote exercise took place August 17 to 19, bringing together Federal, state, local, and private sector partners. The three-day event included a range of hypothetical scenarios affecting election operations, allowing participants to share best practices around “cyber and physical incident planning, preparedness, identification, response, and recovery.” MeriTalk, August 22, 2022
  • How U.S. Cyber Command, NSA Are Defending Midterm Elections: One Team, One Fight: With 75 days until the midterm elections, the Defense Department is fully engaged to defend the U.S. electoral system from foreign interference and foreign influence alongside interagency partners. … “This is an enduring, no-fail mission for U.S. Cyber Command and the National Security Agency, who bring unique insights and actions to the whole-of-government effort,” U.S. Army Gen. Paul M. Nakasone, commander of Cybercom and Director of NSA/Chief of the Central Security Service, said. DOD News, Cyber National Mission Force and National Security Agency, Aug. 25, 2022

Cyber Humor

Security Nonprofit of the Week … The Institute for Security and Technology

Kudos this week to The Institute for Security and Technology and its Ransomware Task Force (RTF). The Task Force aims to equip businesses, organizations, and governments of all sizes to prepare for ransomware attacks, effectively respond, and quickly recover. In April 2021, the Task Force brought together 60+ experts to publish ‘Combating Ransomware, A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force’ with 48 recommendations for a unified, aggressive, comprehensive, public-private anti-ransomware campaign. This month, the Task Force published the ‘Blueprint for Ransomware Defense’, representing a set of foundational and actionable safeguards derived from the Center for Internet Security’s Critical Security Controls. The Blueprint is designed for small- and medium-sized enterprises (SMEs) and includes a list of tools and resources. The Institute is a fellow member of Nonprofit Cyber, the first-of-its-kind coalition of global nonprofit organizations to enhance joint action to improve cybersecurity.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: Join Julie and me as we riff on keeping software up to date, one of the most important DataCare activities. We discuss why this is so vitally important for individuals as well as organizations, and also provide guidance on how to stay up to date.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

#NeverTrust. #AlwaysVerify. I hate posting these kinds of stories. But they are a significant part of the news. And, while stories like the next one break your heart, perhaps they will keep others from falling victim. And the third story is a story of hope.

  • Elderly couple loses nearly $700K in online scam: A local family said scammers were able to steal their life savings through a fake Amazon purchase and bank wire transfers. … POWAY, Calif. (KGTV) — A local family said scammers were able to steal their life savings through a fake Amazon purchase and bank wire transfers. … William and Ave Bortz have been married for more than 55 years. “I’m looking forward to the next 55,” Ave Bortz said. … They were hoping to live out their golden years on the money they saved over the years and the profit from a recent home sale. Unfortunately, that is no longer the case. 10 News, San Diego, August 25, 2022
  • Woman Scammed Out Of $1,000 After ‘Lost Children’ Asked To Use Her Phone To Call Their Mom: Laura Grasso, a resident of the Upper East Side, was scammed out of $1,000 after helping two “lost” children who came to her for assistance. … While enjoying a day in Central Park last month, the two young scammers approached her, insisting they were lost and asked to borrow her phone to call their mom. Yahoo!news, August 22, 2022
  • Near-victim of phishing scam shares story to warn others: WICHITA, Kan. (KWCH) – With scammers constantly seeking opportunities to steal personal information and money, a Wichita man shared a recent experience with hopes of keeping others from becoming victims. While the scammers walked away without getting the man’s money, they did gain access to his computer and bank account. … After the phishing attempt, the man, Larry, and his wife had to set up a new bank account, reset all of their direct deposits and get their computer cleared of malware. … An email that caught Larry’s eye claimed to be from Best Buy’s Geek Squad. The message said he was being charged for separate virus protection. … “I was trying to cancel because virus protection for three years, $349, is quite a bit,” Larry said. … So, he called the phone number given in the email and that directed him to another number to call. … “(They) had my name, my address, where I banked, knew that I was with the Geek Squad,” Larry said. “They knew I had total tech support and knew I had an automatic payment coming out.” … He said they gained access to his computer and bank account and began to demand that he send money. Larry said he refused and hung up. … “I deleted the email, I deleted everything right then and shut everything off and got my little rear to the bank.” KWCH12, Wichita, KS, August 25, 2022
  • Hackers Are Breaking Into and Emptying Cash App Accounts: Multiple users of the hugely popular Cash App have reported hackers stealing their funds, and fraudsters are selling access to accounts on the dark web. … Hackers are breaking into unsuspecting victims’ Cash App accounts, a massively popular payment app, and stealing hundreds of dollars, according to victims Motherboard spoke to. In one person’s case, they said, Cash App has not reimbursed them for the stolen funds. Vice, August 24, 2022

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity and privacy stories to keep you informed.

The stories below — combined with the Twitter whistleblower story and the stories of individuals being scammed — don’t bode well. As more organizations and people are being victimized by cybercrime and as major insurance providers are excluding classes of cyber-claims, one hopes we’re coming to an inflection point in our data care, cybersecurity, and privacy defenses where we’ll begin to see an all-of-America push to get in front of the cybercrime tsunami.

  • 77% of security leaders fear we’re in perpetual cyberwar from now on: A survey of cybersecurity decision makers found 77 percent think the world is now in a perpetual state of cyberwarfare. … In addition, 82 percent believe geopolitics and cybersecurity are “intrinsically linked,” and two-thirds of polled organizations reported changing their security posture in response to the Russian invasion of Ukraine. The Register, August 27, 2022
  • Lloyd’s to Exclude Catastrophic Nation-Backed Cyberattacks From Insurance Coverage: Lloyd’s of London Ltd. will require its insurer groups globally to exclude catastrophic state-backed hacks from stand-alone cyber insurance policies starting next year. … Lloyd’s is a marketplace where roughly 75 syndicates of underwriters congregate to provide insurance coverage for businesses, organizations and individuals. As of March 31, when coverage begins or is renewed, syndicates must exclude state-backed cyberattacks from policies that protect against physical and digital damage caused by hacks, Underwriting Director Tony Chaudhry said in a bulletin dated Aug. 16. WSJPro Cybersecurity, August 18, 2022
  • The number of companies caught up in recent hacks keeps growing: 2FA provider Authy, password manager LastPass, and DoorDash all experienced breaches. … In recent weeks, security provider Twilio revealed it was breached by well-resourced phishers, who used their access to steal data from 163 of its customers. Security firm Group-IB, meanwhile, said that the same phishers who hit Twilio breached at least 136 companies in similar advanced attacks. Ars Technica, August 26, 2022
  • Before Portland lost $1.4 million in cyber breach, city treasurer raised red flag: Hackers used city email to trick employees into transferring money … This spring, cybercriminals made off with $1.4 million in taxpayer money — the single biggest theft of funds in the city of Portland’s history. … According to an email exchange obtained by OPB, the loss could have been easily avoided. The records show the city’s treasury flagged the $1.4 million wire transfer as potentially fraudulent before the money left Portland’s coffers. … But housing bureau officials paid it anyway. At this point, cybersecurity experts say, there’s little chance the city claws it back. Oregon Public Broadcasting, August 22, 2022
  • Hackers may have breached medical billing records of nearly 1 million CNY patients: Syracuse, N.Y. — The medical billing records of nearly 1 million Central New York patients may have been obtained by hackers. … Practice Resources LLC, a company that provides billing services for dozens of hospitals and medical providers, said hackers may have obtained names, home addresses, dates of treatment and internal account numbers of more than 924,000 patients. August 26, 2022
  • French hospital hit by $10M ransomware attack, sends patients elsewhere: The Center Hospitalier Sud Francilien (CHSF), a 1000-bed hospital located 28km from the center of Paris, suffered a cyberattack on Sunday, which has resulted in the medical center referring patients to other establishments and postponing appointments for surgeries. Bleeping Computer, August 23, 2022

Help on the privacy side may be on the horizon as a House committee continues work on national privacy policy. A major challenge is whether such legislation will be a floor or a ceiling. As a California resident, I don’t want to see any of my California privacy rights watered down by Federal legislation written in part by lobbyists for corporations who want to get out from under the California Privacy Rights Act (CPRA).

National cybersecurity is in the news with two stories this week.

  • NATO investigates hacker sale of missile firm data: NATO is assessing the impact of a data breach of classified military documents being sold by a hacker group online. … The data includes blueprints of weapons being used by Nato allies in the Ukraine war. … Criminal hackers are selling the dossiers after stealing data linked to a major European weapons maker. BBC News, August 26, 2022
  • US and Israeli agencies use new agreement to defend against cyberattacks: Washington (CNN) The US and Israeli governments have shared key details of unrelated cyberattacks on their infrastructure — one from suspected pro-Russia hackers and the other from possible Iranian hackers — as part of heightened efforts in recent months to bolster cyber defense between the two allies, a senior US Treasury official told CNN. CNN, August 25, 2022

On the misinformation front, Google reports on interesting research that may help people better handle misinformation.

  • Google Finds ‘Inoculating’ People Against Misinformation Helps Blunt Its Power: British researchers and a team from Google found that teaching people how to spot misinformation made people more skeptical of it. … In the fight against online misinformation, falsehoods have key advantages: They crop up fast and spread at the speed of electrons, and there is a lag period before fact checkers can debunk them. … So researchers at Google, the University of Cambridge and the University of Bristol tested a different approach that tries to undermine misinformation before people see it. They call it “pre-bunking.” The New York Times, August 24, 2022

We have three legal stories this week, including the first-ever settlement under the California Consumer Privacy Act (CCPA).

  • Cosmetics retailer Sephora to pay $1.2 million under sweeping California privacy law: SAN FRANCISCO — California has its first significant settlement under the state’s sweeping online privacy law, and it’s not with a tech company. … California Attorney General Rob Bonta said Wednesday that the state had reached a settlement with Sephora in which the cosmetics retailer will pay $1.2 million and agree to an injunction for selling customers’ data without telling them. NBC News, August 24, 2022
  • Oracle’s ‘surveillance machine’ targeted in US privacy class action: Enterprise giant Oracle is facing a fresh privacy class action claim in the U.S. … The suit, which was filed Friday as a 66-page complaint in the Northern District of California, alleges the tech giant’s “worldwide surveillance machine” has amassed detailed dossiers on some five billion people, accusing the company and its adtech and advertising subsidiaries of violating the privacy of the majority of the people on Earth. TechCrunch, August 22, 2022
  • Facebook agrees to settle Cambridge Analytica data privacy lawsuit: The four-year-old case alleged that the company had violated consumer privacy laws by sharing users’ personal data with third parties. … Meta’s Facebook has in principle agreed to settle a lawsuit in the San Francisco federal court seeking damages for letting third parties, including Cambridge Analytica, access the private data of users, a court filing showed. … The financial terms were not disclosed in the filing on Friday that asked the judge to put the class-action suit on hold for 60 days until the lawyers for both plaintiffs and Facebook finalize a written settlement. The Guardian, August 26, 2022

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in securing their organizations and protecting privacy.

We should all continue to be grateful for the people of CISA and the work they do to provide assistance to those organizations for which “deliberate ignorance” is not the order of the day.

  • CISA Adds Ten Known Exploited Vulnerabilities to Catalog: CISA has added ten new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates. CISA, August 25, 2022

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge