Cybersecurity News of the Week, December 19, 2021

Individuals at Risk

Cyber Privacy

Sorry, but unless you manually change these settings, Google is still tracking you: Google stores your location and data history when you use any of its apps. We’ll show you how to turn that off. Cnet, December 16, 2021

Cyber Defense

73% of Americans fear they’ve had data stolen: Do 3 ‘big things well’ after a breach, expert says: “You don’t have to be perfect,” but there are certain steps you can take to keep your data safe. Grow.Acorns, December 13, 2021

Cyber Warning

Security flaws found in a popular guest Wi-Fi system used in hundreds of hotels: A security researcher says an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk. TechCrunch, December 17, 2021

Information Security Management for the Organization

Cyber Warning

CISA, White House urge organizations to get ready for holiday cyberattacks: The US government provided a list of things companies need to do ahead of the Christmas holiday to protect themselves from cyberattacks. ZDNet, December 16, 2021

Secure The Human

Large-scale phishing study shows who bites the bait more often: A large-scale phishing study involving 14,733 participants over a 15-month experiment has produced some surprising findings that contradict previous research results that formed the basis for popular industry practices. BleepingComputer, December 15, 2021

Cybersecurity in Society

Cyber Warning – Log4Shell / Log4j

What Log4Shell teaches us about open source security: A serious security vulnerability is discovered in a piece of open-source software — widely used behind the scenes on the internet but little known to the average person — that can give attackers access to a treasure trove of sensitive data. VentureBeat, December 18, 2021

The Log4j security flaw could impact the entire internet. Here’s what you should know: A critical flaw in widely used software has cybersecurity experts raising alarms and big companies racing to fix the issue. CNN, December 17, 2021

Log4j: Just How Screwed Are We?: A vulnerability in a widely used Apache library has caused Internet-wide chaos—and the trouble may just be starting. Gizmodo, December 15, 2021

With Log4j vulnerability, the full impact has yet to come: There’s no way to sugarcoat it: the widespread vulnerability in Apache Log4j will be exploited for some nastier cyberattacks than those we’ve seen so far. And the worst of them may actually be months — or even years — into the future. VentureBeat, December 16, 2021

DHS secretary ‘extraordinarily concerned’ about latest software vulnerability that forced US Patent office to take its systems offline for 12 hours: Homeland Security Secretary Alejandro Mayorkas said Thursday that he’s “extraordinarily concerned” about a newly revealed critical flaw in widely used software that is roiling the internet and caused the US Patent and Trademark Office to temporarily shut down external access to its computer systems. CNN, December 16, 2021

CISA Issues Emergency Directive on Log4j: The Cybersecurity Infrastructure and Security Agency orders federal agencies to take actions to mitigate vulnerabilities to the Apache Log4j flaw and attacks exploiting it. DarkReading, December 17, 2021

Hack warning: China, Iran, other countries exploiting vulnerability, Microsoft says: Hackers linked with the governments of China, Iran, North Korea and Turkey have moved to exploit a critical flaw in software used by big tech firms around the world, Microsoft is warning. WRAL TechWire, December 15, 2021

Cyber Crime

Credit card info of 1.8 million people stolen from sports gear sites: Four affiliated online sports gear sites have disclosed a cyberattack where threat actors stole credit cards for 1,813,224 customers. BleepingComputer, December 17, 2021

New Phorpiex Botnet Variant Steals Half a Million Dollars in Cryptocurrency: Cryptocurrency users in Ethiopia, Nigeria, India, Guatemala, and the Philippines are being targeted by a new variant of the Phorpiex botnet called Twizt that has resulted in the theft of virtual coins amounting to $500,000 over the last one year. TheHackerNews, December 16, 2021

‘Extremely sophisticated’ ransomware shuts down Virginia legislature systems: A ransomware attack involving “extremely sophisticated malware” crippled the IT agency serving the Virginia state legislature as it prepares for its January session, officials told the Associated Press on Monday. Statescoop, December 14, 2021

Kronos hit with ransomware, warns of data breach and ‘several week’ outage: The HR management platform has already informed major customers, like the city government of Cleveland, about the attack. ZDNet, December 13, 2021

Inside Ireland’s Public Healthcare Ransomware Scare: The consulting firm PricewaterhouseCoopers recently published lessons learned from the disruptive and costly ransomware attack in May 2021 on Ireland’s public health system. The unusually candid post-mortem found that nearly two months elapsed between the initial intrusion and the launching of the ransomware. It also found affected hospitals had tens of thousands of outdated Windows 7 systems, and that the health system’s IT administrators failed to respond to multiple warning signs that a massive attack was imminent. KrebsOnSecurity, December 13, 2021

Cyber Surveillance

A new spyware-for-hire, Predator, caught hacking phones of politicians and journalists: Cytrox is one of seven surveillance companies now banned from Meta’s platforms. TechCrunch, December 16, 2021

Google: This zero-click iPhone attack was incredible and terrifying: Google Project Zero researchers explain how a now-patched exploit was one of the most sophisticated they’ve ever seen. ZDNet, December 16, 2021

U.S. lawmakers call for sanctions against Israel’s NSO, other spyware firms: WASHINGTON, Dec 15 (Reuters) – A group of U.S. lawmakers is asking the Treasury Department and State Department to sanction Israeli spyware firm NSO Group and three other foreign surveillance companies they say helped authoritarian governments commit human rights abuses. Reuters, December 15, 2021

Documents link Huawei to Uyghur surveillance projects, report claims: Washington Post alleges marketing slides reveal firm had a role in developing technology for China. TheGuardian, December 15, 2021

Cyber Privacy

French privacy authority demands Clearview AI flush facial recognition data gathered within its borders: A hot potato: Clearview AI is again under fire for scraping personal information and pictures from the internet. This time, a French regulator is demanding that it delete all data on French nationals stored in the company’s database. The commission threatens hefty fines if Clearview does not comply. Techspot, December 17, 2021

FTC considers drafting new regulations on data and algorithms to protect consumer privacy and civil rights: Washington, DC (CNN Business) The Federal Trade Commission says it’s considering drafting new rules for US businesses that would more strongly regulate how they can use data and algorithms, in the latest move to clamp down on technology companies run amok. CNN, December 17, 2021

Know Your Enemy

How Cybercriminals Are Using Bitcoin’s Blockchain to Make Botnets Stronger Than Ever: Last week, Google announced that it had partially disrupted the operations of a massive botnet—a gargantuan network of over one million malware-infected Windows computers. In the world of cybersecurity, that would be news on its own, but this particular network was using an alarming blockchain integration that makes it tough to beat. Gizmodo, December 13, 2021

National Cybersecurity

Exclusive: ‘Cyber is the most dangerous weapon in the world,’ JPMorgan council warns: New York (CNN Business) Business leaders and former policymakers are sounding the cyber alarm. CNN, December 16, 2021

Ukraine hosts large-scale simulation of cyber-attack against energy grid: Cybersecurity professionals from across Ukraine have tackled a large-scale cyber-attack simulation with echoes of the hugely damaging real-world assault against the country’s power grid in 2015. The Daily Swig, December 17, 2021

Why Classifying Ransomware as a National Security Threat Matters: National security isn’t just about warfare or physical conflict. Anything that directly impacts economic stability and economic capability is also part of national security — and that includes ransomware attacks. DarkReading, December 13, 2021

Cyber Enforcement

NY Man Pleads Guilty in $20 Million SIM Swap Theft: A 24-year-old New York man who bragged about helping to steal more than $20 million worth of cryptocurrency from a technology executive has pleaded guilty to conspiracy to commit wire fraud. Nicholas Truglia was part of a group alleged to have stolen more than $100 million from cryptocurrency investors using fraudulent “SIM swaps,” scams in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s online identities. KrebsOnSecurity, December 16, 2021

We Now Know What Information the FBI Can Obtain from Encrypted Messaging Apps: What user data can U.S. federal law enforcement obtain from providers of encrypted messaging services? A recently disclosed January 2021 document from the Federal Bureau of Investigation (FBI) supplies a concise summary with respect to nine different “secure messaging” apps. It shows that with legal process, the FBI can get various types of metadata, and in some cases even stored message content. Exactly what’s available, though, varies widely by app. The one-page document should give useful guidance to privacy-conscious people – including journalists, whistleblowers, and activists – while also helping to dispel misconceptions about the FBI’s surveillance capabilities (or lack thereof) in the encrypted messaging context. Kudos to government-transparency nonprofit Property of the People (POTP), run by “FOIA guru” Ryan Shapiro and indefatigable lawyer Jeffrey Light, for obtaining this record under the Freedom of Information Act. JustSecurity, December 14, 2021
