Cybersecurity News of the Week, December 10, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

This week’s Top of the News along with our Live on Cyber podcast follows on the heels of a story last week that Iranian attacks on water districts were succeeding because, as CISA said, “These compromised devices were publicly exposed to the internet with default passwords.”

Are you running Microsoft Outlook? Keep it patched!

Do you develop critical software? Keep it updated.

As these stories illustrate, too many of us do a lousy job on security basics, on essential cyber hygiene, on data care.

Companies go out of business. Employees lose their jobs. Consumers are hurt. The economy is weakened.

We are heading into 2024. What might have been acceptable behavior in 2004 or even 2014 is no longer acceptable. We know how to do better. And we must do better.

  • Top White House cyber aide says recent Iran hack on water system is call to tighten cybersecurity: Deputy national security adviser Anne Neuberger said recent cyber attacks by Iranian hackers on U.S. water authorities — as well as a separate spate of ransomware attacks on the health care industry — should be seen as a call to action by utilities and industry to tighten cybersecurity. … Anne Neuberger said in an interview on Friday that the attacks offered a fresh warning that American companies and operators of critical infrastructure “are facing persistent and capable cyber attacks from hostile countries and criminals” that are not going away. … “Some pretty basic practices would have made a big difference there,” said Neuberger, who serves as a top adviser to President Joe Biden on cyber and emerging technology issues. “We need to be locking our digital doors. There are significant criminal threats, as well as capable countries — but particularly criminal threats — that are costing our economy a lot.”
  • More evidence of Russian intelligence exploiting old Outlook flaw: Cybersecurity researchers have discovered another campaign in which hackers associated with Russia’s military intelligence are exploiting a vulnerability in Microsoft software to target critical entities, including those in NATO member countries. … According to a report by Palo Alto Networks’ Unit 42, the Russian threat actor known as Fancy Bear or APT28 breached Microsoft Outlook over the past two years to spy on at least 30 organizations within 14 nations “that are likely of strategic intelligence value to the Russian government and its military.” … Tracked as CVE-2023-23397, the flaw in Outlook allows hackers to gain unauthorized access to email accounts within Microsoft Exchange servers. Microsoft patched the flaw in the spring.
  • Dangerous vulnerability in fleet management software seemingly ignored by vendor: Researchers say Digital Communications Technologies has not addressed a bug impacting its Syrus4 IoT gateway, leaving open the possibility for vehicle fleets to be shut down. … A major vulnerability has gone ignored by the vendor for months, one that could allow hackers to manipulate a fleet of vehicles at once — including the possibility of shutting down the vehicles — according to researchers that discovered the vulnerability. … As the auto sector has evolved beyond a simple mode of transportation into “computers on wheels,” vulnerabilities in the software that controls multi-ton steel giants have become an increasingly urgent topic for security researchers.

Small and Midsize Organizations. Take your security to the next level. Apply Now! If you’re a small business, nonprofit, or IT / MSP in the greater Los Angeles area, apply NOW for LA Cybersecure, a pilot program with coaching and guidance that costs less than two cups of coffee a week. The LA Cybersecure Pilot Program is funded by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.

Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription!

How Hackable Are You? Take our test. Find out how hackable you are and download our free updated 13-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short test, as your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

Please Support SecureTheVillage.

  • We need your help if we’re to build a world of CyberGuardians. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village™

Cyber Humor

Cybersecurity Nonprofit of the Week … The CyberPeace Institute

Kudos this week to the CyberPeace Institute, an independent and neutral nongovernmental organization whose mission is to ensure the rights of people to security, dignity and equity in cyberspace. The CyberPeace Institute is home to the Humanitarian Cybersecurity Center (HCC). The HCC provides expert support and practical free cyber assistance to non-governmental organizations (NGOs), tailored to their needs and located anywhere in the world. Through its Cyber Attacks in Times of Conflict Platform #Ukraine, the CyberPeace Institute is tracking cyberattacks and operations targeting critical infrastructure and civilian objects in Ukraine. The CyberPeace Institute is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

There’s No Excuse for Missing the Basics. (Video) (Podcast): When Iran can look up your password on Google… “Think your default password is harmless? Think again,” warns Julie Michelle Morris. … In this episode of #LiveOnCyber, Stan Stahl, PhD unpacks jaw-dropping cyber blunders – starting with the water districts that got hacked when they failed to change a default password on an Internet-facing device – tiny oversights that lead to serious breaches, and must-do security tips for businesses flying solo on tech. … Subscribe to Live on Cyber with Stan Stahl, PhD and Julie Michelle Morris, your weekly 15-min update on the latest in information security and privacy affecting our businesses and the communities we live in!

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.

Here’s another illustration of the ability of AI to get ahead of our ability to control it. Kudos to Francesca Mani for having the courage to do something about deepfake porn. And kudos to the lawmakers who are taking up her fight.

  • ‘Nudify’ Apps That Use AI to ‘Undress’ Women in Photos Are Soaring in Popularity: Apps that use artificial intelligence to undress women are part of a worrying trend of non-consensual pornography being developed and distributed because of advances in artificial intelligence. … Apps and websites that use artificial intelligence to undress women in photos are soaring in popularity, according to researchers. … In September alone, 24 million people visited undressing websites, the social network analysis company Graphika found.
  • A high school’s deepfake porn scandal is pushing US lawmakers into action: On October 20, Francesca Mani was called to the counselor’s office at her New Jersey high school. A 14-year-old sophomore and a competitive fencer, Francesca wasn’t one for getting in trouble. That day, a rumor had been circulating the halls: over the summer, boys in the school had used artificial intelligence to create sexually explicit and even pornographic photos of some of their classmates. She learned that she was one of more than 30 girls who may have been victimized. (In an email, the school claimed “far fewer” than 30 students were affected.) … Francesca didn’t see the photo of herself that day. And she still doesn’t intend to. Instead, she’s put all her energy into ensuring that no one else is targeted this way. … Within 24 hours of learning about the photos, Francesca was writing letters to four area lawmakers, sharing her story and asking them to take action. Three of them quickly responded: US Representative Joe Morelle of New York, US Representative Tom Kean Jr. of New Jersey, and New Jersey state senator Jon Bramnick. In the past few weeks, her advocacy has already fueled new legislative momentum to regulate nonconsensual deepfake pornography in the US. … “I just realized that day [that] I need to speak out, because I really think this isn’t okay,” Francesca told me in a phone call this week. “This is such a new technology that people don’t really know about and don’t really know how to protect themselves against.” Over the past few weeks, in addition to celebrating her 15th birthday, Francesca has also launched a new website that offers resources to other victims of deepfake pornography.

Android users: Update Now!!

Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.

Related to our above stories on deepfake porn is the need to protect our children on the web. Parents look to Congress for support.

  • Parents Voicing Ever Stronger Concerns About Risks to Children’s Safety Online, From Social Media to Artificial Intelligence to Strangers, New Study Finds: Parents are more and more concerned about risks to their children’s safety on the internet – and they believe technology companies and the government aren’t doing enough to protect children, according to the latest study from the New York Society for the Prevention of Cruelty to Children (NYSPCC), one of the foremost child protection agencies in the world. … Eighty-two percent of parents with children under age 18 have concerns about the potential risks to children interacting with strangers online through popular websites and apps, including 38% who are “extremely” concerned – a jump of 10 percentage points since just last year. … What’s more, almost all parents (89%) are concerned about the potential negative effects social media may have on children’s development. Also top of mind for parents is a new worry: artificial intelligence. In fact, 77% of parents are concerned about AI presenting more internet safety risks to children.
  • 200 groups push Senate to vote on Kids Online Safety Act in 2024: In a letter obtained by NBC News, the American Psychological Association and other groups encouraged Majority Leader Chuck Schumer to introduce the bill in January. … More than 200 organizations sent a letter Wednesday urging Senate Majority Leader Chuck Schumer to schedule a vote on the Kids Online Safety Act first thing in January when Congress reconvenes. … The bipartisan bill, known as KOSA, which was originally introduced in February 2022 and was then reintroduced this May, seeks to create liability, or a “duty of care,” for apps and online platforms that recommend content to minors that can negatively affect their mental health. The measures in the bill could affect social media sites like Facebook or messaging apps like Discord. If platforms do not adequately shield children from certain types of content, the bill would open the door for lawsuits against the platforms.

AI is a major threat to the 2024 election. Its use in deepfakes and purposeful misinformation will have the effect of lowering the trust we have in the election.

  • Deepfakes emerge as a top security threat ahead of the 2024 US election: As the US enters a critical election year, AI-generated threats, particularly deepfakes, are emerging as a top security issue, with no reliable tools yet in place to combat them. … While official sources say the 2020 elections in the US occurred without significant voting malfeasance, despite “unfounded claims and opportunities for misinformation,” the prospects for what might happen next year are cloudy and uncertain. In November, connectivity cloud company Cloudflare issued a report identifying what it saw as the cyberattack trends for various groups in the elections space that could threaten trusted, secure, and reliable elections in the US. … “One of the key pillars of democracy is trust, so ensuring that the Internet is secure, reliable, and accessible for the public and those working in the election space is critical to any free and fair election,” Grant Bourzikas, CSO at Cloudflare, tells CSO. … “When it comes to top threats, we will continue to see governments and nation-state-backed actors trying to undermine and control the flow of information and dissemination of false or misleading information that casts doubt in public opinion or perception through internet shutdowns, restricted social media sites during elections, and imposed blocking of websites that report on results.”

It’s no surprise that everyone wants our information. Or that we’re providing it. With too little transparency and too few controls. Kudos to Senators Wyden and Markey for working the problem, albeit way too slowly. And kudos to Bruce Schneier for a somber essay on the dystopian future that awaits if we don’t act to prevent it. As he writes, “We could prohibit mass spying. We could pass strong data-privacy rules. But we haven’t done anything to limit mass surveillance. Why would spying be any different?”

  • Senate Democrat says foreign governments spying on smartphone users through push notifications: Sen. Ron Wyden (D-Ore.) warned Wednesday that foreign governments could be using push notifications to spy on smartphone users. … Wyden said in a letter to Attorney General Merrick Garland that his office received a tip last year that foreign governments were asking Apple and Google for their records of smartphone push notifications. When contacted by Wyden’s office on the subject, Apple and Google said they were not permitted under government policy to release such information, the senator said. … Wyden is demanding in the letter that the Justice Department lift any restrictions barring Apple and Google from discussing the legal asks they receive from other governments. He argued users should be aware when governments ask for information about their data.
  • Automakers’ data privacy practices “are unacceptable,” says US senator: OEMs collect too much personal data and share it too freely, says Senator Markey. … US Senator Edward Markey (D-Mass.) is one of the more technologically engaged of our elected lawmakers. And like many technologically engaged Ars Technica readers, he does not like what he sees in terms of automakers’ approach to data privacy. On Friday, Sen. Markey wrote to 14 car companies with a variety of questions about data privacy policies, urging them to do better. … The Mozilla Foundation published a scathing report on the subject of data privacy and automakers. The problems were widespread—most automakers collect too much personal data and are too eager to sell or share it with third parties, the foundation found. … Markey noted the Mozilla Foundation report in his letters, which were sent to BMW, Ford, General Motors, Honda, Hyundai, Kia, Mazda, Mercedes-Benz, Nissan, Stellantis, Subaru, Tesla, Toyota, and Volkswagen. The senator is concerned about the large amounts of data that modern cars can collect, including the troubling potential to use biometric data (like the rate a driver blinks and breathes, as well as their pulse) to infer mood or mental health.
  • The Internet Enabled Mass Surveillance. A.I. Will Enable Mass Spying: Spying has always been limited by the need for human labor. A.I. is going to change that. … Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did. … Before the internet, putting someone under surveillance was expensive and time-consuming. You had to manually follow someone around, noting where they went, whom they talked to, what they purchased, what they did, and what they read. That world is forever gone.

The E.U. has agreed on a sweeping new law to regulate artificial intelligence, setting a new global benchmark.

  • E.U. Agrees on Landmark Artificial Intelligence Rules: The agreement over the A.I. Act solidifies one of the world’s first comprehensive attempts to limit the use of artificial intelligence. … European Union policymakers agreed on Friday to a sweeping new law to regulate artificial intelligence, one of the world’s first comprehensive attempts to limit the use of a rapidly evolving technology that has wide-ranging societal and economic implications. … The law, called the A.I. Act, sets a new global benchmark for countries seeking to harness the potential benefits of the technology, while trying to protect against its possible risks, like automating jobs, spreading misinformation online and endangering national security. The law still needs to go through a few final steps for approval, but the political agreement means its key outlines have been set.

In the wake of the loss of personal details of 6.9 million of its users, 23andMe has changed its terms of service.

This week in cybercrime.

  • Henry Schein ransom saga now in third month, hackers show no mercy: The ALPHV/BlackCat ransom gang says it will encrypt Henry Schein’s network systems for the third time – the latest payback move for stalling negotiations from a crushing October ransomware attack. … Henry Schein, a global leader in healthcare technology and product distribution, is still struggling to restore business operations since it announced the ransomware attack on its company website on October 15th. … As negotiations continue to move further south, the Russian-linked ransomware operators have called out the healthcare solutions giant – once again – for lack of “professionalism.”
  • HTC Global Services confirms cyberattack after data leaked online: IT services and business consulting company HTC Global Services has confirmed that they suffered a cyberattack after the ALPHV ransomware gang began leaking screenshots of stolen data. … HTC Global Services is a managed service provider offering technology and business services to the healthcare, automotive, manufacturing, and financial industries.
  • Ransomware group posts stolen Tri-City Medical Center documents to dark web: Information, which includes patient names, is listed as “proof” that a larger post is imminent. … Though Tri-City Medical Center got its operations back up and running 17 days ago, ransomware extortion efforts appear to be ongoing against the Oceanside hospital.

Section 4 – Managing Information Security and Privacy in Your Organization.

Website administrators, IT departments, IT service providers. You are under attack. Let’s be careful out there.

  • Fake WordPress security advisory pushes backdoor plugin: WordPress administrators are being emailed fake WordPress security advisories for a fictitious vulnerability tracked as CVE-2023-45124 to infect sites with a malicious plugin. … The campaign has been caught and reported by WordPress security experts at Wordfence and PatchStack, who published alerts on their sites to raise awareness.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge