Cybersecurity News of the Week, December 17, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

Let’s give the gift of cybersecurity to family and friends this holiday season. Let’s alert them. Let’s caution them. Let’s warn them. And let’s teach them how to protect themselves.

  • Police warn holiday shoppers about card draining: What to know about the gift card scam: Authorities nationwide are issuing a warning about a gift card scam called card draining as many holiday shoppers look to buy gift cards as Christmas gifts. … They are warning those that have purchased or plan on purchasing gift cards from retailers to exercise caution and look out for any signs of tampering, such as scuff marks or scratches near the bar code on the back of the card.
  • That QR Code You’re About to Scan Could Be Risky, F.T.C. Warns: Scammers have used QR codes to steal personal information by imitating legitimate companies or sending deceptive emails and text messages, the Federal Trade Commission said.
  • ‘Pig butchering’ is draining victims’ bank accounts. Here’s how to avoid being scammed: Barely a day goes without a scam of some kind popping up on our phones or in our email, trying to get us to download malware, reveal a password or pay for fraudulent goods. But there’s one bit of con artistry gaining traction that you definitely don’t want to fall for. … It’s called a “pig butchering” scheme, because the perpetrators will “fatten up” a victim to gain their trust before “butchering” them — typically by persuading them to invest large sums of money into a fraudulent investment, then making off with all of it.

Small and Midsize Organizations. Take your security to the next level. Apply Now! If you’re a small business, nonprofit, or IT / MSP in the greater Los Angeles area, apply NOW for LA Cybersecure, a pilot program with coaching and guidance that costs less than two cups of coffee a week. https://securethevillage.org/la-cybersecure-pilot/ The LA Cybersecure Pilot Program is funded by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.

Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend!

How Hackable Are You? Take our test. Find out how hackable you are and download our free updated 13-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short test as your answers will help you and guide us to improve community safety.

Please Support SecureTheVillage.

  • We need your help if we’re to build a world of CyberGuardians. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village™.

Cybersecurity Nonprofit of the Week … The Center for Internet Security

Our kudos this week to the Center for Internet Security (CIS®). CIS® is a community-driven nonprofit responsible for the CIS Controls®, CIS Benchmarks™, and CIS Hardened Images®. Strong proponents of collaboration and innovation, CIS is also home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®). SecureTheVillage is a recipient of a grant from the Center’s Alan Paller Laureate Program to support our launch of a Pilot Program to measurably improve the cybersecurity of small and midsize organizations. The Center for Internet Security is one of the founders of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

Cybersecurity Hall of Shame (Video) (Podcast): Digital Communications Technologies, a major trucking company software vendor, has developed such readily exploitable software that it could create a shutdown that would be felt nationwide. … A major vulnerability has gone ignored by the vendor for months, one that could allow hackers to manipulate a fleet of vehicles at once. … We write the software. Russia and China exploit it. … There are cyber-nots – smaller organizations without the knowledge and resources to protect themselves – in our supply chain. Our enemies know it, too. Are we fostering a lucrative market for cybercrime? In this Live on Cyber with Stan Stahl, PhD and Julie Michelle Morris, we talk about simple ways to join the fight for online safety! Let’s press for better standards and adoption so smaller organizations on the wrong side of the digital divide aren’t eaten alive by cyber criminals. … Subscribe to Live on Cyber with Stan Stahl, PhD and Julie Michelle Morris, your weekly 15-min update on the latest in privacy and information security affecting our businesses and the communities we live in!

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

Kudos to the FCC for bringing holiday cheer to consumers

Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.

Lots of Cyber-Kudos this week. To the Senate and White House, to Health and Human Services (HHS), to the UK and our other international allies, to Microsoft, and to Apple. Extra-Kudos go to Ukraine’s defense intelligence directorate.

  • White House Taps National Security Vet as Cybersecurity Lead: Harry Coker Jr. is now the second official national cyber director for the federal government, and he comes to the job with a resume that includes leadership stints with the CIA and the NSA.  … The U.S. Senate confirmed Coker’s appointment this week, paving the way for Coker to be sworn in, the White House has announced. The announcement ends a 10-month period without a permanent national cyber director after Chris Inglis departed earlier this year. Coker comes to the role after stints working in the CIA, National Security Agency (NSA), private sector and U.S. Navy. He is the second person to hold the position in a permanent capacity. … Coker was formerly executive director of the NSA, and he also held leadership roles within the CIA’s Directorate of Digital Innovation, Directorate of Science and Technology, and the Director’s Area, according to his biography. Coker’s specific titles with the CIA were director of the Open Source Enterprise, deputy director of CIA’s Office of Public Affairs, and member of the Executive Diversity and Inclusion Council.
  • HHS releases cybersecurity strategy for hospitals following uptick in cyberattacks: It’s critical for hospitals to “lock their digital doors,” a White House official said. … The US Department of Health and Human Services (HHS) announced a series of steps it plans to take to help hospitals and health systems improve their cybersecurity following an uptick in cyberattacks. … The department’s cybersecurity strategy includes providing hospitals with financial incentives to implement best practices. The goal is to prevent future cyberattacks, Anne Neuberger, deputy national security advisor for cyber and emerging technologies, told Healthcare Brew. … “The healthcare sector consistently ranks at the bottom across critical infrastructure sectors by independent surveys on how they’re doing from a cybersecurity perspective,” Neuberger said. “To us, it’s a priority to partner with the sector to help: to make resources available, to make every security device available, to make toolkits available.” … Cyberattacks are up 93% since 2018 and attacks involving ransomware are up 278%, according to an HHS press release. Last month, a cyberattack that affected hospitals owned by Nashville-based Ardent Health Services in multiple states “led to ambulances being turned away, elective services being canceled, and rural clinics closing,” Neuberger said.
  • U.S., U.K., and Global Partners Release Secure AI System Development Guidelines: The U.K. and U.S., along with international partners from 16 other countries, have released new guidelines for the development of secure artificial intelligence (AI) systems. … “The approach prioritizes ownership of security outcomes for customers, embraces radical transparency and accountability, and establishes organizational structures where secure design is a top priority,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. … The goal is to increase cyber security levels of AI and help ensure that the technology is designed, developed, and deployed in a secure manner, the National Cyber Security Centre (NCSC) added.
  • Microsoft disrupts cybercrime operation selling fraudulent accounts to notorious hacking gang: Microsoft says it has successfully dismantled the infrastructure of a cybercrime operation that sold access to fraudulent Outlook accounts to other hackers, including the notorious Scattered Spider gang. … The group, tracked by Microsoft as “Storm-1152,” is described as a major player in the cybercrime as a service (CaaS) ecosystem, whereby criminals provide hacking and cybercrime services to other individuals or groups. … Storm-1152 created for sale approximately 750 million fraudulent Microsoft accounts through its “hotmailbox.me” service to earn “millions of dollars in illicit revenue” and cause “millions of dollars in damage to Microsoft,” according to the company. The tech giant described the operation as the “number one seller and creator of fraudulent Microsoft accounts.”
  • Apple will no longer give police users’ push notification data without a warrant: Apple said it will no longer give over records of users’ push notifications to law enforcement unless the company receives a valid judge’s order. In its law enforcement guidelines updated this week, Apple said law enforcement and government agencies can now obtain push notification records with a court order or a search warrant, both of which have to be approved by a judge. … Previously, Apple allowed police to obtain this information with a subpoena, which is issued by police departments and law enforcement agencies with no judicial oversight.
  • Ukraine’s intelligence claims cyberattack on Russia’s state tax service: Ukraine’s defense intelligence directorate (GUR) said it infected thousands of servers belonging to Russia’s state tax service with malware, and destroyed databases and backups. … During the operation, Ukraine’s military spies said they managed to break into one of the “key well-protected central servers” of Russia’s federal tax service (FNS) as well as more than 2,300 regional servers throughout Russia and occupied Crimea. The attack also affected a Russian tech company that operates FNS’s database. … According to GUR’s statement published Tuesday, the attack led to the “complete destruction” of the agency’s infrastructure. GUR claimed they destroyed configuration files “which for years ensured the functioning of Russia’s tax system.”

The Washington Post published a story this week of how China has embedded itself in parts of our critical infrastructure. And Ukraine’s largest telecom operator has been shut down in a cyberattack.

  • China’s cyber army is invading critical U.S. services: A utility in Hawaii, a West Coast port and a pipeline are among the victims in the past year, officials say. … The Chinese military is ramping up its ability to disrupt key American infrastructure, including power and water utilities as well as communications and transportation systems, according to U.S. officials and industry security officials. … Hackers affiliated with China’s People’s Liberation Army have burrowed into the computer systems of about two dozen critical entities over the past year, these experts said. … The intrusions are part of a broader effort to develop ways to sow panic and chaos or snarl logistics in the event of a U.S.-China conflict in the Pacific, they said.
  • Ukraine’s largest telecom operator shut down after cyberattack: Ukraine’s largest telecom operator, Kyivstar, got hit by a major cyberattack on Tuesday, leaving millions of people without cell service and internet. … Kyivstar customers began complaining about network and internet outages in the early morning. The company later reported via Facebook that it got hit by a “powerful” cyberattack that led to a “large-scale technical failure.” Customers’ data hasn’t been compromised, the statement said.

In the ongoing battle over privacy, shame on the pharmacies sharing data without a warrant.

  • Pharmacies share medical data with police without a warrant, inquiry finds: The revelation could shape the debate over Americans’ health privacy as states move to criminalize abortion and drugs related to reproductive health. … The nation’s largest pharmacy chains have handed over Americans’ prescription records to police and government investigators without a warrant, a congressional investigation found, raising concerns about threats to medical privacy.

Another warning to be careful of the “facts” your AI program reports.

  • Researchers say Bing made up facts about European elections: Researchers found Microsoft’s chatbot on Copilot provided false and misleading information about European elections. … Human rights organization AlgorithmWatch said in a report that it asked Bing Chat — recently rebranded as Copilot — questions about recent elections held in Switzerland and the German states of Bavaria and Hesse. It found that one-third of its answers to election-related questions had factual errors and safeguards were not evenly applied.

And another warning of surveillance becoming ubiquitous as Meta and Ray-Ban team up.

  • How Meta’s New Face Camera Heralds a New Age of Surveillance: For the past two weeks, I’ve been using a new camera to secretly snap photos and record videos of strangers in parks, on trains, inside stores and at restaurants. (I promise it was all in the name of journalism.) I wasn’t hiding the camera, but I was wearing it, and no one noticed. … I was testing the recently released $300 Ray-Ban Meta glasses that Mark Zuckerberg’s social networking empire made in collaboration with the iconic eyewear maker. The high-tech glasses include a camera for shooting photos and videos, and an array of speakers and microphones for listening to music and talking on the phone.

Several companies are embroiled in class action lawsuits following breaches.

  • Stanley Steemer, Mr. Cooper, other companies face data breach class action lawsuits: Data breach class action lawsuits overview: … Who: Consumers recently filed class action lawsuits against Columbia University, Northwell Health, Stanley Steemer, Pathward, AutoZone, Postmeds, Dollar Bank and Mr. Cooper, among others. … Why: The class action lawsuits involve data breach claims. … Where: The data breach lawsuits affect consumers nationwide. 

In cyber crime this week, more fallout from the MOVEit breach as Delta Dental reports the personal information of more than 7 million people was exposed. Meanwhile, patients of Fred Hutchinson Cancer Center are being extorted by cybercriminals.

Section 4 – Managing Information Security and Privacy in Your Organization.

Patch. Patch. Patch. Two more reminders that every organization needs a robust vulnerability and patch management program. For IT organizations seeking guidance on how to do this, see the Center for Internet Security’s Control 7. Even the smallest IT organizations should implement the first 4 of CIS’s controls. These controls are included in SecureTheVillage’s LA Cybersecure Pilot Program.

  • Russian Cyberspies Exploiting TeamCity Vulnerability at Scale: Government Agencies: US, UK, and Poland warn of Russia-linked cyberespionage group’s broad exploitation of recent TeamCity vulnerability. … The Russian cyberespionage group known as APT29 has been exploiting a recent TeamCity vulnerability on a large scale since September 2023, according to government agencies in the US, UK, and Poland. … The issue, tracked as CVE-2023-42793 (CVSS score of 9.8) and impacting on-premises TeamCity instances, is described as an authentication bypass that can be exploited without user interaction to steal sensitive information and take over vulnerable servers. … Exploitation of the bug started days after patches were released in late September, with several ransomware groups observed targeting CVE-2023-42793. By the end of October, North Korean state-sponsored threat actors were also exploiting the flaw. … Now, government agencies in the US, the UK, and Poland reveal that at least one Russian nation-state actor has been exploiting the vulnerability in cyberattacks since September.
  • Atlassian patches critical remote code execution vulnerabilities in multiple products: The company also releases advisories for high-severity data leaks and denial-of-service issues across multiple products, including Jira and Confluence. … Atlassian has released urgent patches for several of its products to fix remote code execution and denial-of-service vulnerabilities. Flaws in Atlassian products have been exploited by hackers before, including shortly after a patch was released or even before a fix was available.
