Cybersecurity News of the Week, December 11, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basics. Please take our short quiz as your answers will help you and guide us to improve community safety.

Our Top-of-the-News this week is a speech by DHS Secretary Mayorkas where he said “Ubiquitous cutting-edge technologies, economic and political instability, and our globalized economy have erased borders and increasingly bring threats and challenges directly into our communities — to our schools, hospitals, small businesses, local governments, and critical infrastructure.” We see the truth of Mayorkas’ warning every week in ransomware attacks, business email compromise and online bank fraud, scam attacks on our seniors, national security thefts, and other cybercrimes.

  • DHS secretary says US faces ‘a new kind of warfare’: Secretary of Homeland Security Alejandro Mayorkas said national security and homeland security are now more interconnected than ever before, largely driven by the fact that U.S. adversaries can execute attacks “with a keystroke.” … In a speech Monday, Mayorkas said that global interconnectedness and the willingness of nations to unleash digital attacks that have international ramifications has brought the national security threat “directly to our communities.” … He pointed to several well-known cyberattacks that had global reach such as the NotPetya attack in 2017, and the Russian cyberattack against the U.S. satellite company Viasat at the start of the Ukraine war, saying that “our homeland security has converged with our national security.” … “The world today is more interconnected than at any time in DHS’s 20-year history,” Mayorkas said at an event hosted by the Center for Strategic and International Studies. … His remarks come amid growing reports of nation-state hackers hitting federal and private organizations alike. On Monday, the Secret Service pointed the finger to the Chinese-linked hackers APT41 for stealing at least $20 million in COVID relief benefits from multiple states, NBC News reported. Cyberscoop, December 5, 2022

Cyber Humor

Security Nonprofit of the Week … Global Cyber Alliance (GCA)

This week’s security nonprofit is the Global Cyber Alliance (GCA). GCA builds practical, measurable solutions and  easy to use tools, and they work with partners to accelerate adoption around the world. GCA recently partnered with the Public Interest Registry  to develop an explainer video on cybersecurity risks to mission-based/non-profit organization and how to use the cybersecurity toolkit for those organizations to address those risks. The video is embedded in the mission-based organization toolkit. GCA was one of the founders of Nonprofit Cyber, the first-of-its-kind coalition of global nonprofit organizations to enhance joint action to improve cybersecurity. SecureTheVillage is a proud member of Nonprofit Cyber.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

The Oxford Dictionaries’  2022 word of the year “Goblin mode” got me thinking about  how to characterize “cybersecurity mode.” Perhaps the metaphor is Cyber-bear mode, characterized by behavior which is unapologetically protective, aware, cautious, careful, and aggressively defensive, the way a mama-bear aggressively protects her cubs.

Let’s be careful out there. Never trust. Always verify.  Protect yourself. Protect others. Share these stories.

  • Lakes area retired couple scammed out of ‘life savings’: A retired couple in lakes country hope to pay heat and housing bills after a scammer drained their retirement account. Now, they have a message for others on how quickly life can change…. Ron and Sharon Knutson were so excited about retirement after years of working, but it all changed last month, when they got an email saying there were fraudulent PayPal charges on their debit card. … “(H)e said it was on a Visa debit card. Well, that’s our bank card,” Ron Knutson said. … Everything seemed and looked legitimate, but when they called the number on the back of their debit card, they came to believe their phone had also been hacked. WDAY, December 7, 2022
  • New Gift Card Scam Uses Barcode Stickers to Steal Your Cash: Scammers cover up real gift card barcodes with custom codes, allowing them to quietly load your cash onto their cards at checkout. … Scammers have come up with a new, hard-to-detect way to earn money from physical gift cards during the holidays. … As CTVNews reports, shoppers in Canada are being warned to check the barcode on gift cards before purchasing them as they may have a fake barcode on the back. The scam was discovered by former police officer Nichelle Laus, who attempted to purchase a $50 Winners gift card back in October, but it showed up as an Esso gas gift card when scanned. PC Magazine, December 9, 2022
  • Do not fall for this dangerous Amazon shopping scam: Like a dog spotting a squirrel, I can’t help but notice when a fresh text pops up on my iPhone. The little gray notification catches my eye and I’m instantly pulled away from the task at hand. Plus, this one looked important. It was, but only because it helped me identify a very dangerous and pernicious, Amazon shopping scam. Tech Radar, December 6, 2022
  • Don’t Return the Money Someone ‘Accidentally’ Sends You on Venmo: Being kind and understanding could cost you with this scam. … Venmo is an easy way to send money back and forth to friends, family, and the guy who runs the office fantasy football league. But what if you received a Venmo notification that says you’d received money from someone you don’t know and that you weren’t expecting? Chances are, it’s not an accident or a stroke of luck: It’s a scam. Lifehacker, December 9, 2022

Freezing your credit may be the most important thing you (and your aging parents) can do to best protect against identity theft. Do that and these additional eight. Then take our How Hackable Are You? test and see how well protected you (and your aging parents) are.

  • Eight Questions to Ask Your Aging Parents (and Yourself) to Keep Their Phones Safe From Hackers: People over 60 lose a lot of money to phone scams. Some simple steps can make them more secure. … Scammers have a lot of opportunities to bilk people during the holiday season. How do you make sure they aren’t tricking someone you love—particularly someone who is especially vulnerable to scams? … While swindlers will target people of all ages, older Americans have become the favored mark. Adults 60 and over lose the most money to fraud each year, and phone scams do the most financial damage, according to a Federal Trade Commission report released in October 2022. … So, it is vital to make sure your older family members know how to keep their phones safe. The best way to start is by looking in the mirror. Figure out what security steps you take—or should take—with your own phone and how you could protect yourself better, and then help your relatives tighten up their defenses. Remember, age might make some people more susceptible to these risks, but anybody can miss key security strategies. And no criminals will check your age before they hack you. The Wall Street Journal, December 6, 2022

Another reminder to use two-factor authentication (2FA / MFA). With 2FA, cybercriminals need more than your password to hack your Facebook account.

  • Coloradans are having their Facebook accounts hacked, and then getting banned for life: Many Coloradans lost access to their connections with their personal friends and memories — even their living — after hackers get into their Facebook accounts and post harmful content…. It’s an on-going issue that Denver7 continues to hear from Coloradans: becoming permanently locked out their Facebook accounts after hackers break in and post harmful content such as child sexual abuse material. … Many have lost access to their connections with their personal friends and memories. Some, in addition to that, have lost access to the way they make their livings. Denver7, December 8, 2022

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity, and privacy stories to keep you informed.

Lots of cybercrime to cover this week.

  • Hackers linked to Chinese government stole millions in Covid benefits, Secret Service says: The theft of state unemployment funds is the first pandemic fraud tied to foreign, state-sponsored cybercriminals that the U.S. government has acknowledged publicly. … Hackers linked to the Chinese government stole at least $20 million in U.S. Covid relief benefits, including Small Business Administration loans and unemployment insurance funds in over a dozen states, according to the Secret Service. … The theft of taxpayer funds by the Chengdu-based hacking group known as APT41 is the first instance of pandemic fraud tied to foreign, state-sponsored cybercriminals that the U.S. government has acknowledged publicly, but may just be the tip of the iceberg, according to U.S. law enforcement officials and cybersecurity experts. NBC News, December 5, 2022
  • Amnesty International Canada says it was hacked by Beijing: TORONTO — The Canadian branch of Amnesty International said Monday it was the target of a cyberattack sponsored by China. … The human rights organization said it first detected the breach Oct. 5 and hired forensic investigators and cybersecurity experts to investigate. … Ketty Nivyabandi, Secretary General of Amnesty International Canada, said the searches in their systems were specifically and solely related to China and Hong Kong, as well as a few prominent Chinese activists. The hack left the organization offline for nearly three weeks. The Washington Post, December 6, 2022
  • Little Rock School Board authorizes settlement on cyber attack; agreement to cost district at least $250,000: The Little Rock School Board on Monday authorized Superintendent Jermall Wright to enter into a settlement agreement to end as favorably as possible the current cyber attack on the 21,000-student school system’s data networks. … The terms of that agreement will cost the capital city school system more than  a quarter of a million dollars, according to information read aloud by board member Leigh Ann Wilson. Wilson made the motion to pursue the settlement process, noting the $250,000 cost to the district, plus “fees.” … Wright told the board repeatedly  that the data breach was “horrible,” that he wouldn’t wish the situation on anyone and that every option before district officials to resolve the cyber  attack had negative impacts. Arkansas Democrat Gazette, December 5, 2022
  • ‘It was only a matter of time’ – Suffolk County clerk says she raised concerns before massive hack: A special bipartisan committee will hold hearings “probing the cause and response” of the ransomware attack that stole the personal information of as many as 470,000 Suffolk County residents. … Suffolk County Clerk Judith Pascale told News 12 that she warned Suffolk County officials in January that a cyberattack could happen. She brought her concerns to the Ways and Means Committee and asked them to install more computer security and more substantial firewall protection. She says the firewall protection in place during the attack wasn’t enough for a government entity. … “It was only a matter of time. And that’s why we should have taken the precautions,” said Pascale. “…People looked at me like I was crazy…I said ‘when this happens, it’s going to be devastating.’” News 12, Long Island, December 4, 2022

These next stories connect several dots in the global spyware challenge. The first story, from the New York Times, illustrates a major spyware challenge. We want to use these tools to help us secure ourselves against terrorists, criminals, and our foreign enemies. At the same time, we don’t want these tools used by foreign governments to spy on their political opponents or journalists. And we also want to ensure that our government uses these tools in accordance with the rule of law. Meanwhile, in response to the loss of privacy wrought by spyware, Apple (and other private-sector companies) are providing user tools to thwart spyware and make things more challenging for law enforcement.

  • How the Global Spyware Industry Spiraled Out of Control: The Biden administration took a public stand last year against the abuse of spyware to target human rights activists, dissidents and journalists: It blacklisted the most notorious maker of the hacking tools, the Israeli firm NSO Group. … But the global industry for commercial spyware — which allows governments to invade mobile phones and vacuum up data — continues to boom. Even the U.S. government is using it. The New York Times, December 8, 2022
  • Pegasus spyware was used to hack reporters’ phones. I’m suing its creators: When you’re infected by Pegasus, spies effectively hold a clone of your phone – we’re fighting back. … I was warned in August 2020. A source told me to meet him at six o’clock at night in an empty parking lot in San Salvador. He had my number, but he contacted me through a mutual acquaintance instead; he didn’t want to leave a trace. When I arrived, he told me to leave my phone in the car. As we walked, he warned me that my colleagues at El Faro, the Salvadoran news organization, were being followed because of a story they were pursuing about negotiations between the president of El Salvador and the notorious MS-13 gang. … This may read like an eerie movie scene, but there are many Central American journalists who have lived it for real. The suspicion you’re being followed, ditching your phone before meetings, using encrypted messaging and email apps, speaking in code, never publishing your live location – these are ordinary routines for many in my profession. … I wouldn’t know until more than a year later what my source really meant. My colleagues weren’t just being trailed as they investigated that story. They, and at least 18 other members of El Faro – including me – had been the repeated targets of a weapons-grade espionage software called Pegasus. Nelson Rauda Zablah, The Guardian, December 5, 2022
  • Apple Plans New Encryption System to Ward Off Hackers and Protect iCloud Data: ‘Advanced Data Protection’ will offer end-to-end encryption on iCloud backups, Notes, Photos and other services—a step that may draw ire from law enforcement. … Apple is finally bringing end-to-end encryption to most of iCloud, including backups, photos and more. … Apple is planning to significantly expand its data-encryption practices, a step that is likely to create tensions with law enforcement and governments around the world as the company continues to build new privacy protections for millions of iPhone users. … The expanded end-to-end encryption system, an optional feature called Advanced Data Protection, would keep most data secure that is stored in iCloud, an Apple service used by many of its users to store photos, back up their iPhones or save specific device data such as Notes and Messages. The data would be protected in the event that Apple is hacked, and it also wouldn’t be accessible to law enforcement, even with a warrant. … While Apple has drawn attention in the past for being unable to help agencies such as the Federal Bureau of Investigation access data on its encrypted iPhones, it has been able to provide much of the data stored in iCloud backups upon a valid legal request. Last year, it responded to thousands of such requests in the U.S., according to the company. … With these new security enhancements, Apple would no longer have the technical ability to comply with certain law-enforcement requests such as for iCloud backups—which could include iMessage chat logs and attachments and have been used in many investigations. Wall Street Journal, December 7, 2022

TikTok continues in the news, now with two lawsuits by the State of Indiana, the latest in a growing number of moves by state officials to push back against the platform’s influence on children and its connections to China.

  • TikTok Is Sued by State of Indiana, Accused of Targeting Young Teens With Adult Content: Suits come as states push back against the platform, citing worries over its influence on children and security concerns related to China. TikTok is accused of violating Indiana’s state consumer-protection laws by misrepresenting that its video-sharing platform is appropriate for users 12 and up. … Indiana filed a pair of lawsuits against TikTok Wednesday, alleging the platform is deceiving consumers about its content and data security, . … The state said its lawsuits are the first of their kind against the popular app and its owner, Beijing-based ByteDance Ltd. … In one of the complaints, Indiana alleged that TikTok’s algorithm is designed to addict young users and promotes harmful content that isn’t appropriate for them. The lawsuit cites studies and reports linking heavy use of the platform to mental disorders among teenagers, including eating disorders and depression. … The second lawsuit alleged that China has the ability to use TikTok’s data to spy on, blackmail and coerce users to serve the country’s national security and economic interests. Both lawsuits seek changes to TikTok’s practices, as well as civil penalties for each alleged violation. The Wall Street Journal, December 7, 2022

We’ve been following the Medibank breach since it surfaced in late-October. Medibank is a leading Australian health insurer. The breach compromised the private medical information of nearly 10 million Australians. This week the cybercriminals responsible for the breach posted a file of people insured by Medibank who had undergone an abortion. The author of the following story — a journalist who terminated her pregnancy — raises the serous question of how the news should cover these stories.

  • The editorial questions ABC News journalists faced when covering the Medibank data leak: Cyber experts believe the release of stolen Medibank customer data was designed to “incite fear”.(AAP) … “Added one more file: abortions.” … I found out about this post by Medibank’s hackers through anonymous sources who were monitoring the dark web as the company’s cyber-hacking crisis continued. … It’s estimated that one-in-six Australian women in their 30s have terminated a pregnancy, including myself. … I don’t think there’s anything shameful about this but it’s something personal you’d only want revealed on your own terms. … As I sat there ready to report on the story for TV that day, I imagined how my healthcare data could reveal the tangible specifics of my termination, like dates and place. ABC Australia News, December 10, 2022

Our next story is another warning not to take cybersecurity for granted. The assumption must always be that there are vulnerabilities. The challenge is for the good guys to find and fix them before the bad guys find and exploit them.

  • SiriusXM Vulnerability Lets Hackers Remotely Unlock and Start Connected Cars: Cybersecurity researchers have discovered a security vulnerability that exposes cars from Honda, Nissan, Infiniti, and Acura to remote attacks through a connected vehicle service provided by SiriusXM. … The issue could be exploited to unlock, start, locate, and honk any car in an unauthorized manner just by knowing the vehicle’s vehicle identification number (VIN), researcher Sam Curry said in a Twitter thread last week. The Hacker News, December 5, 2022

And our final story tells how Estonia is helping Ukraine fend off Russian cyberattacks.

  • How Estonia is helping Ukraine take on Russian cyber threats: Estonia is playing a leading role in providing cybersecurity and digital support for Ukraine, areas the Baltic nation dominates in. … Ukraine has surprised the world with its ability to fend off major cyberattacks from Russia. And one small country — Estonia — has played an outsized role in helping them do so. Politico, December 8, 2023

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in managing cyber-risk, securing their organizations, and protecting privacy.

Two important stories for executives and cybersecurity managers.

  • What you should know when considering cyber insurance in 2023: When even the best-laid cybersecurity plans fail, cyber insurance can help mitigate an organization’s exposure to financial and operational risk—but the insurance landscape is shifting with the times. … As the frequency and severity of ransomware, phishing, and denial of service attacks has increased, so has demand for cyber insurance. About $6.5 billion in direct written premiums were recorded in 2021, a 61% increase over the prior year, according to an October 2022 memorandum from the US-based National Association of Insurance Commissioners. “Some companies see it as essential to their risk management strategy,” says Heather Engel, managing partner at advisory firm Strategic Cyber Partners. … However, experts say that cyber insurance might not be readily available to all who want it in 2023. Enterprise executives are finding that policy costs are rising, and insurers are asking for more proof that strong cybersecurity strategies are in place before agreeing to provide coverage. Many companies may have no choice but to meet such terms, as more organizations are requiring that their business partners have cyber coverage. CSO, December 6, 2022
  • Automated dark web markets sell hacked corporate email accounts for $2: Cybercrime marketplaces are increasingly selling stolen corporate email addresses for as low as $2 to fill a growing demand by hackers who use them for business email compromise and phishing attacks or initial access to networks. … Analysts at Israeli cyber-intelligence firm KELA have closely followed this trend, reporting at least 225,000 email accounts for sale on underground markets. … The largest webmail shops are Xleet and Lufix, claiming to offer access to over 100k breached corporate email accounts, with prices ranging between $2 and $30, if not more, for highly-desirable organizations. … Typically, these accounts were stolen via password cracking (brute-forcing) or credential stuffing, had their credentials stolen through phishing, or were bought from other cybercriminals. … Hackers use their access to corporate email accounts in targeted attacks like business email compromise (BEC), social engineering, spear-phishing, and deeper network infiltration. Bleeping Computer, December 8, 2022

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge