This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.
Stan’s Top of the News
We end the year with two stories that reflect the challenges we have protecting our children from online dangers. We are – as 2023 comes to an end – doing an abysmal job of protecting our children. Even as we applaud the F.T.C.’s actions to implement child privacy safeguards, we can’t help but notice that the F.T.C. is acting on a 25 year old law; a law enacted six years before Facebook was even born. And as the second story once again demonstrates, our demands for end-to-end encryption are making protecting our children even harder. There is no technical reason we can’t protect our children and protect our rights to privacy. It doesn’t need to come from a weakening of encryption. There are several excellent ideas in the second story. All it will take is the will of Congress to act.
- U.S. Regulators Propose New Online Privacy Safeguards for Children: The F.T.C. called for sweeping changes that could curb how social media, game and learning apps use and monetize youngsters’ data. … Federal regulators on Wednesday proposed sweeping changes to the federal children’s online privacy protection rule. … The Federal Trade Commission on Wednesday proposed sweeping changes to bolster the key federal rule that has protected children’s privacy online, in one of the most significant attempts by the U.S. government to strengthen consumer privacy in more than a decade. … The changes are intended to fortify the rules underlying the Children’s Online Privacy Protection Act of 1998, a law that restricts the online tracking of youngsters by services like social media apps, video game platforms, toy retailers and digital advertising networks. Regulators said the moves would “shift the burden” of online safety from parents to apps and other digital services while curbing how platforms may use and monetize children’s data.
- A ‘Recipe for Disaster’: Insiders Warned Meta’s Privacy Push Would Shield Child Predators: The company’s own child-safety experts sounded the alarm about efforts to encrypt messages on Instagram and Facebook. This month, it started doing it anyway. … When Meta Platforms began rolling out encryption for Facebook direct messages this month, it was advancing a project that members of its safety staff have long warned would end in disaster. … Some Meta employees had warned internally that such encryption would limit the ability to detect and report child sexual abuse on Meta’s platforms. … In 2018, David Erb, an engineering director at Facebook, was running a “community integrity” team focused on detecting harmful user behavior. When the team began studying inappropriate interactions between adults and minors on Facebook, it determined that the most frequent way adults found children to prey upon was Facebook’s “People You May Know” algorithm. … “It was a hundred times worse than any of us expected,” Erb said in a recent interview. “There were millions of pedophiles targeting tens of millions of children.”
Small and Midsize Organizations. Take your security to the next level. Apply Now! If you’re a small business, nonprofit, or IT / MSP in the greater Los Angeles area, apply NOW for LA Cybersecure, a pilot program with coaching and guidance that costs less than two cups of coffee a week. https://securethevillage.org/la-cybersecure-pilot/ The LA Cybersecure Pilot Program is funded by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.
Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription!
How Hackable Are You? Take our test. Find out how hackable you are and download our free updated 13-step guide.
- How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basics. Please take our short test as your answers will help you and guide us to improve community safety.
Upcoming events. Please join us.
- Los Angeles Cybersecurity Workforce Coalition: The monthly meeting of the workforce coalition, Tue, January 2, 1:00 pm – 2:00 pm PT.
Please Support SecureTheVillage.
- We need your help if we’re to build a world of CyberGuardians. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village. TM.
Cyber Humor
Security Nonprofit of the Week … Global Cyber Alliance (GCA)
Kudos this week to cybersecurity nonprofit Global Cyber Alliance (GCA). GCA builds practical, measurable solutions and easy to use tools, and they work with partners to accelerate adoption around the world. GCA recently partnered with the Public Interest Registry to develop an explainer video on cybersecurity risks to mission-based/non-profit organization and how to use the cybersecurity toolkit for those organizations to address those risks. The video is embedded in the mission-based organization toolkit. GCA was one of the founders of Nonprofit Cyber, the first-of-its-kind coalition of global nonprofit organizations to enhance joint action to improve cybersecurity. SecureTheVillage is a proud member of Nonprofit Cyber.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform
This is How We Survive 2024 (Video) (Podcast): What is resilience? It’s like the old Timex ads, to “take a licking and keep on ticking.” As we sit here looking at 2024, it’s not pretty what’s coming our way: Cybercrime way up. Regulations tightening. Our own SEC sued a CISO. (Didn’t see that one coming.) We’re facing burnout of our best and brightest in the cybersecurity sector. The attacks are intense. Infrastructure, schools, hospitals. Pig butchering. Zelle fraud. … Cybercrime. So easy and so so lucrative. … What does it look like to have a defensible posture against all of this, and survive 2024? Join Julie and Stan as they talk about resilience. Personal resilience. Community resilience. … Subscribe to Live on Cyber with Stan Stahl, PhD and Julie Michelle Morris, your weekly 15-min update on the latest in information security and privacy affecting our small and medium size businesses and nonprofits, and the communities we live in.
Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.
A human interest story from the Wall Street Journal illustrates the importance of physically protecting your smart phone.
- He Stole Hundreds of iPhones and Looted People’s Life Savings. He Told Us How. A convicted iPhone thief explains how a vulnerability in Apple’s software got him fast cash—and then a stint in a high-security prison … RUSH CITY, Minn.—Before the guards let you through the barbed-wire fences and steel doors at this Minnesota Correctional Facility, you have to leave your phone in a locker. Not a total inconvenience when you’re there to visit a prolific iPhone thief. … I wasn’t worried that Aaron Johnson would steal my iPhone, though. I came to find out how he’d steal it. … “I’m already serving time. I just feel like I should try to be on the other end of things and try to help people,” Johnson, 26 years old, told me in an interview we filmed inside the high-security prison where he’s expected to spend the next several years.
An investigative piece by Sophos on three cybercrime gangs. They would find victims on dating sites, and induce them to invest in fraudulent schemes.
- Luring with love, a network of pig butchering “mining” scams robbed millions from victims’ wallets: Three threat groups using the exact same scam kit stole from 90 victims, mostly during the period of June to August, using smart contracts to hijack wallets and transfer their contents without needing to bypass device security. To date, nearly $3 million has been stolen by the coordinated groups. … Cryptocurrency-based crime has metastasized into many forms. Because of the ease with which cryptocurrency ignores borders and enables multinational crime rings to quickly obtain and launder funds, and because of widespread confusion about how cryptocurrency functions, a wide range of confidence scams have focused on convincing victims to convert their personal savings to crypto—and then separate them from it. … Among these sorts of organized criminal activities, none seem as pervasive as “pig butchering” (from the Mandarin term, sha zhu pan, coined to describe the activity). Most of these scams use dating applications or other social media to lure victims into what they think is a budding romantic or platonic relationship, and then introduce a fraudulent scheme to make money together. In some recent cases we found the scammers using generative AI to write messages to their targets to make them more convincing.
Moving into 2024, the AARP has a good piece on scams to watch out for in 2024.
- 6 Top Scams to Watch Out for in 2024: Criminals are getting more sophisticated and supercharging old scams with new technology. … One reason that scammers are so difficult to stop, security experts say, is that they keep raising their game. They’re continually perfecting their scams, taking advantage of tech innovations and honing their methods to better manipulate their targets. … “We keep coming up with different tools to combat scams and fraud, but it’s just like playing whack-a-mole,” says Better Business Bureau spokesman Josh Planos.
Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.
The SEC’s new data breach rules have gone into effect. And if you’ve been following the President’s National Cybersecurity Strategy, it’s one element in a full-court press towards strengthening the nation’s cybersecurity posture through tightened regulations and the inclusion of stronger cybersecurity requirements in government purchasing.
- As the SEC’s new data breach disclosure rules take effect, here’s what you need to know: The controversial regulation represents a major shake-up for US organizations. … Starting from today, December 18, publicly owned companies operating in the U.S. must comply with a new set of rules requiring them to disclose “material” cyber incidents within 96 hours. … Under the incoming cybersecurity disclosure requirements, first approved by the SEC in July, organizations must report cybersecurity incidents, such as data breaches, to the SEC in a specific line item on a Form 8-K report within four business days. According to the regulator, the rules are intended to increase visibility into cybersecurity governance and provide disclosure in a more “consistent, comparable and decision-useful way” that will benefit investors and companies alike. … “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said at the time.
- A quiet cybersecurity revolution is touching every corner of the economy as U.S., allies ‘pull all the levers’ to face new threats: … On Dec. 15, the Securities and Exchange Commission’s (SEC’s) expanded cybersecurity rules came into effect, requiring public companies to disclose incidents within four business days. That means headline-grabbing breaches–such as the one that affected all Okta customer support system users or the 23andMe hack that included the information of nearly 7 million customers–will have even greater consequences than whatever data was compromised. And the SEC rules are only the tip of the iceberg of changes to regulatory compliance. … With little fanfare and largely unnoticed by the press, institutional investors, or anyone else, the federal government is quietly directing a seismic shift in the economy by mandating stringent cybersecurity compliance across all 16 critical infrastructure sectors.
Four stories this week about national security and law enforcement. In the Black Cat story by cyber-journalist Brian Krebs the criminal gangs are said to have declared open season on everything from hospitals to nuclear power plants.
- NSA Blocked 10 Billion Connections to Malicious and Suspicious Domains: The National Security Agency has published a new yearly report detailing its cybersecurity efforts throughout 2023. … The National Security Agency’s domain security service blocked 10 billion user connections to known malicious or suspicious domains, the agency notes in an annual report. … Published on Tuesday, the NSA’s 2023 Cybersecurity Year in Review report (PDF) details the agency’s efforts in cybersecurity and its work with government partners, foreign partners, and defense industrial base (DIB) entities to improve national security. … The NSA’s cybersecurity efforts mainly focus on protecting national security systems (NSS), which contain classified information or are critical to US military and intelligence, the Department of Defense (DoD) services and agency networks, and DIB organizations (DoD contractors).
- Global law enforcement seizes $300 million, arrests 3,500 involved in transnational cybercrime operation: A transnational cybercrime operation was taken down this week after law enforcement agencies from 34 countries coordinated on nearly 3,500 arrests and the seizure of about $300 million in stolen funds. … According to Interpol, law enforcement agencies have spent six months running operation HAECHI IV — which sought to target organizations involved in voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise fraud, and e-commerce fraud.
- Lapsus$: GTA 6 hacker handed indefinite hospital order: Arion Kurtaj from Oxford, who is autistic, was a key member of international gang Lapsus$. … The gang’s attacks on tech giants including Uber, Nvidia and Rockstar Games cost the firms nearly $10m. … The judge said Kurtaj’s skills and desire to commit cyber-crime meant he remained a high risk to the public. … He will remain at a secure hospital for life unless doctors deem him no longer a danger.
- BlackCat Ransomware Raises Ante After FBI Disruption: The U.S. Federal Bureau of Investigation (FBI) disclosed today that it infiltrated the world’s second most prolific ransomware gang, a Russia-based criminal group known as ALPHV and BlackCat. The FBI said it seized the gang’s darknet website, and released a decryption tool that hundreds of victim companies can use to recover systems. Meanwhile, BlackCat responded by briefly “unseizing” its darknet site with a message promising 90 percent commissions for affiliates who continue to work with the crime group, and open season on everything from hospitals to nuclear power plants.
The New York Times offers another story illustrating that with AI all privacy bets are off.
- How Strangers Got My Email Address From ChatGPT: Last month, I received an alarming email from someone I did not know: Rui Zhu, a Ph.D. candidate at Indiana University Bloomington. Mr. Zhu had my email address, he explained, because GPT-3.5 Turbo, one of the latest and most robust large language models (L.L.M.) from OpenAI, had delivered it to him. … My contact information was included in a list of business and personal email addresses for more than 30 New York Times employees that a research team, including Mr. Zhu, had managed to extract from GPT-3.5 Turbo in the fall of this year. With some work, the team had been able to “bypass the model’s restrictions on responding to privacy-related queries,” Mr. Zhu wrote.
Meanwhile the Register offers a story illustrating how we have to continue to raise our game as cyber criminals continue to innovate.
- Cybercrooks book a stay in hotel email inboxes to trick staff into spilling credentials: Research highlights how major attacks like those exploiting Booking.com are executed. … Cybercriminals are preying on the inherent helpfulness of hotel staff during the sector’s busy holiday season. … Researchers at Sophos said the latest malware campaign targeting hotels involves sending emails that play on the emotions of staff, while at the same time applying time pressure, to trick them into downloading and running password-stealing Windows malware. … Two main categories of emails are sent: those that complain about serious issues regarding a recent stay, and requests for information to assist a future booking. Both typically necessitate a fast response from hotel management.
In the aftermath of the cyber attack on 23AndMe, NIST has released a report documenting several significant privacy weaknesses in how genomic data is generated, stored and shared. It also documents several regulatory weaknesses. Congress: Are you listening?
- NIST report identifies significant privacy gaps in genomic data handling: A new National Institute of Standards and Technology (NIST) report on the cybersecurity of genomic data found major privacy gaps in how the data is generated, stored and shared. … NIST found significant “gaps” in the genomic data generation system, including weaknesses in safe sharing of the data; inadequate monitoring; processing vulnerabilities; lacking guidance to organizations handling sensitive genomic data; and scant regulation addressing national security and privacy threats in how the data is collected, retained and aggregated.
Even if you’ve followed the ransomware attack on the British Library, here are two good stories bringing the story up-to-date. The second, from the New Yorker, is a nice point-of-view essay from a library patron.
- As British Library faces fallout of cyber attack—what can arts bodies do to combat ransomware threats?: A hack that has limited the British Library’s access to its digital systems is the latest in a series of online raids on cultural institutions. … A cyber attack on the digital systems of the British Library in London continues to affect its website, online systems and some onsite services with limited access to some publications and manuscripts. The so-called ransomware attack, which was launched on 31 October, is part of a recent pattern marking an increase in the severity of cyber attacks on critical infrastructure. The online attacks have affected cultural institutions such as the Metropolitan Opera in New York and the Natural History Museum in Berlin, and the data they hold, and has left others considering how best to defend themselves against future attacks.
- The Disturbing Impact of the Cyberattack at the British Library: The library has been incapacitated since October, and the effects have spread beyond researchers and book lovers. … “The B.L.,” as its people know it, is a magnificent, red-brick, vaguely ship-shaped structure a few hundred yards from King’s Cross station, where you can request anything from a quarto by Shakespeare to “The Art of Faking Exhibition Poultry” (1934). On Saturdays, the building is quieter and the place has a mellow, productive atmosphere. … By midmorning on October 28th, the public Wi-Fi wasn’t working, and neither was the online catalogue: it was impossible to use a computer to request a book, access a journal, or listen to any of the library’s millions of audio recordings. … When the B.L. reopened after the weekend, it was in a pre-digital state. The Web site, phone lines, and all online services—exhibition-ticket sales, reader registrations, card transactions in the gift shop, the electronic nervous system that unified the library’s collections and shared them with the world—were down. … “It’s a lot of reputational damage to have the English-speaking world’s greatest library on its knees for such a long period of time,” Budd said. “And, the more time that passes, the more resources are affected and the more badly that reputation is hit.”
This week in cybercrime.
- First American takes IT systems offline after cyberattack: First American Financial Corporation, the second-largest title insurance company in the United States, took some of its systems offline today to contain the impact of a cyberattack.
- Comcast says hackers stole data of close to 36 million Xfinity customers: Comcast has confirmed that hackers exploiting a critical-rated security vulnerability accessed the sensitive information of almost 36 million Xfinity customers.
- Vans and North Face owner VF Corp. shares tumble as it says cyberattack could hamper holiday fulfillment: Shares of VF Corp. tumbled after the company said it suffered a cybersecurity breach. … The attack is expected to have a material effect on its business. … It’s a major hit as the company, which owns The North Face and Vans, gears up for the holiday rush.
- Mr. Cooper hackers stole personal data on 14 million customers: Hackers stole the sensitive personal information of more than 14.6 million Mr. Cooper customers, the mortgage and loan giant has confirmed. … In a filing with Maine’s attorney general’s office, Mr. Cooper said the hackers stole customer names, addresses, dates of birth and phone numbers, as well as customer Social Security numbers and bank account numbers. Mr. Cooper previously said that customer banking information was stored by a third-party company and believed to be unaffected. … Mr. Cooper said in a separate filing with federal regulators on Friday that hackers obtained personal data on “substantially all of our current and former customers.”
Section 4 – Managing Information Security and Privacy in Your Organization.
Our management story this week is again on the challenge we face in changing culture. At a time when we need every employee to be as cautious on their keyboard as they are in their car, in a recent survey 37% percent of people said they felt intimidated and 39% said they felt frustrated by cybersecurity.
- No Weak Links: Think About Your Human Firewall: When it comes to fostering a culture of cybersecurity at your organization, sometimes it’s best to start with creating awareness of some basic behavior changes. … Why does cybersecurity remain such a challenge for so many of us, and what can we do to make it seem more achievable? We think it really comes down to three things: fear, uncertainty, and doubt. … Our 2023 Oh Behave! survey of some 6,000 people in six different countries found that 37 percent of people said they felt intimidated, and 39 percent of people said they felt frustrated by cybersecurity. For many of us, cybersecurity can feel like a daunting challenge because it’s a constantly evolving field. Attackers are always finding new ways to exploit vulnerabilities.
