Cybersecurity News of the Week, December 25, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

Happy holidays … or a day or two after if you’ve taken Christmas off.

Our top-story this week is the impending resignation of Chris Inglis, our National Cyber Director. Chris, his team at the White House, and extending throughout the Federal government (with the notable exception of our largely dysfunctional legislative branch) our doing great work under difficult circumstances. Chris will be missed but the work will go on.

  • Chris Inglis to resign as national cyber director: National Cyber Director Chris Inglis plans to step down from his position as a senior White House cybersecurity adviser, a decision first reported by CNN and confirmed to CyberScoop by three sources with direct knowledge of the matter. CyberScoop, December 21, 2022

How Hackable Are You? Please take our quiz and find out how well protected you are. Download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basics. Please take our short quiz as your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

Cyber Humor

Cybersecurity Nonprofit of the Week  H4 … Sightline Security

Our kudos this week to Sightline Security, a nonprofit that helps nonprofits secure and protect their critical information. Sightline’s mission is to equip, empower, and support global nonprofits to navigate and embed cybersecurity into their organizations with confidence. Kudos to Sightline Security for their cyber support to the vital under-served nonprofit community. Like SecureTheVillage, Sightline Security is a fellow-member of Nonprofit Cyber.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: Are ‘Ransomers’ After You?… Join Julie and me as we talk about how you’re at cyber risk whether you’re Moby Dick or simply a small fish in a sea of cyber criminals. Simply put, you are naive if you believe you’re not important enough to attract ransomware. … We also discuss what you can do about it, starting by taking our short quiz: How Hackable Are You?

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

The LastPass breach is extremely serious. If you’re a LastPass user, you must assume that the hackers have your “password vault.” You should immediately change your Master Password. Make it at least 16 characters long. Make it complex with upper and lower case, numbers, and special characters. With that done, consider changing passwords to financial and other sensitive accounts. And be very cautious of phishing attacks that might be based on personal information that might have been stolen from LastPass.

  • LastPass users: Your info and password vault data are now in hackers’ hands: Password manager says breach it disclosed in August was much worse than thought. … LastPass, one of the leading password managers, said that hackers obtained a wealth of personal information belonging to its customers as well as encrypted and cryptographically hashed passwords and other data stored in customer vaults. … The revelation, posted on Thursday, represents a dramatic update to a breach LastPass disclosed in August. At the time, the company said that a threat actor gained unauthorized access through a single compromised developer account to portions of the password manager’s development environment and “took portions of source code and some proprietary LastPass technical information.” The company said at the time that customers’ master passwords, encrypted passwords, personal information, and other data stored in customer accounts weren’t affected. … In Thursday’s update, the company said hackers accessed personal information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses customers used to access LastPass services. The hackers also copied a backup of customer vault data that included unencrypted data such as website URLs and encrypted data fields such as website usernames and passwords, secure notes, and form-filled data. Ars technica, December 22, 2022

Get an ad blocker!! The FBI warns that search engine ads are pushing malware and recommends installing an ad blocker. This is good advice not just as a protection against malware but as a means to protect some of your privacy from all the companies that track you while you surf the web. You can see what I mean by installing Privacy Badger from the Electronic Frontier Foundation in your browser. With Privacy Badger you’ll be able to see all the third-party trackers that Privacy Badger blocks. This story from PC Magazine explains the FBI’s reasoning and links to a review of ad blockers from the magazine. After running Privacy Badger you may want to register for our upcoming privacy webinar.

  • FBI Recommends Installing An Ad Blocker To Dodge Scammers: The agency issued the advice while warning about cybercriminals using search engine ads to target unsuspecting victims. … It’s a good idea to install an ad blocker to help you avoid online scams —and apparently the FBI agrees. … On Wednesday, the agency issued the recommendation in an alert(Opens in a new window) about avoiding malicious ads over search engines. The threat of so-called “malvertising” has been around for years, but what was notable about the FBI’s alert was its advice on how consumers can protect themselves from the threat. PC Magazine, December 22, 2022

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity, and privacy stories to keep you informed.

It’s been an interesting week in cybercrime. Beyond the usual suspects, this week saw college students being blackmailed by cyber-criminals who stole their sensitive personal information in a cyber attack on the college. And the taxicab story is a great illustration both of (i) the creativity cyber-criminals bring to their discovery of where they can steal “value” and (ii) the depth of our cybersecurity weaknesses. This is why it’s so important for organizations and people to understand how they’re being threatened and take proactive defensive action.

  • Ransomware hackers take demands directly to college students: ‘For you, it’s a sad day’: A hacker group broke into Knox College’s computer system and gained access to student data, a common ransomware tactic. But this group had a new wrinkle for Knox students. … The email went out to students at Knox College, a small liberal arts school in Illinois, on the evening of Dec. 12. … A hacker group known as Hive had broken into the college’s computer system and gained access to student data, a common ransomware tactic. But this group had a new wrinkle for Knox students. … “We have compromised your collage networks,” the email said, written in the kind of broken English common among international ransomware hackers. “The data we have includes your personal information, medical records, psychological assessments, and many other sensitive data.  … Additionally all of your SSN and Medical records will be put for sale, for every hacker to gain access and use your data in whatever illegal activity they want,” the hackers wrote. “To us, this is a normal business day. For you, its a sad day where everyone will see your personal and private info.” NBC News, December 20, 2022
  • Compromised dispatch system helped move taxis to front of the line: Defendants allegedly conspired with Russians, drew as many as 1,000 daily trips. … Two men have been charged with participating in a scheme that raked in big money by using a compromised dispatch system at New York’s John F. Kennedy International Airport to allow paying taxis to move to the front of the line. … Daniel Abayev and Peter Leyman, both 48 and of Queens, New York, allegedly participated in a scheme that compromised the electronic dispatch system, federal prosecutors in the Southern District of New York said. Taxi drivers are required to wait in a holding lot. The computer-run dispatch system is designed to ensure that drivers are assigned in the order they arrive. … The defendants, prosecutors said, conspired with Russian nationals to compromise the dispatch system and cause it to move specific taxis to the front of the line. Participants then advertised a service allowing drivers to skip the line in exchange for $10 each time. Ars technica, December 22, 2022
  • Ransomware Attack Causes Disruption at British Newspaper The Guardian: British news organization The Guardian on Wednesday announced that a ransomware attack has been causing disruption to behind-the-scenes services. … The 200-year-old media company told staff to work from home after being hit with ransomware on Tuesday night. The Guardian shut down some of its technology infrastructure, with the print newspaper being impacted the most. Security Week, December 22, 2022
  • McGraw Hill breach exposed 22 terabytes of sensitive student data: Two unprotected S3 buckets contained troves of confidential information. …  McGraw Hill is one of America’s “big three” educational publishers, with a growing technology business that sells services to host and facilitate online classes.As vpnMentor discovered, however, McGraw Hill didn’t receive a passing grade in security and decent opsec practices. …  Researchers at vpnMentor found two Amazon Web Services (AWS) S3 buckets full of personal and sensitive data, later confirming that those were files belonging to McGraw Hill’s online educational platform. The buckets contained more that 22 terabytes of data, with over 117 million files that were publicly available to anyone knowing where to search. Tech Spot, December 22, 2022
  • Chinese Electric Automaker Nio Hit by Ransomware Attack: China-based Nio Inc. said on Tuesday that hackers had breached its computer systems and accessed data on users and vehicle sales, in the latest hacking incident to hit the global auto industry. … The hackers had sent an email to the electric carmaker demanding $2.25 million worth of bitcoin and claiming that they had its internal data, according to media reports. Insurance Journal, December 22, 2022

I read this as a fascinating story of cyber-mis-management. It exemplifies the classic management story about four people named Everybody, Somebody, Anybody and Nobody. There was an important job to be done and Everybody was sure that Somebody would do it. Anybody could have done it, but Nobody did it. Somebody got angry about that, because it was Everybody’s job. Everybody thought Anybody could do it, but Nobody realized that Everybody wouldn’t do it. It ended up that Everybody blamed Somebody when Nobody did what Anybody could have. Every organization needs to ask itself “Is this us?”

  • How Hackers Used One Software Flaw to Take Down a County Computer System: An information technology director was put on leave for negligence after Suffolk County officials released the results of their investigation. … The malicious cyberattack that forced Suffolk County government offline for weeks this fall, plunging it back to the pen and paper and fax machines of the 1990s as it fought to stem the threat, began more than a year ago, county officials revealed on Wednesday. … A forensic digital investigation into the cause of the attack, in which hackers stole sensitive data, forcing officials on Long Island to disable email for all 10,000 civil service workers as the New York county scrubbed software to stave off the intrusion, revealed that hackers first penetrated Suffolk’s computer system on Dec. 19, 2021. They entered via the county clerk’s office, exploiting a flaw in an obscure but commonplace piece of software. The New York Times, December 21, 2022

Leading our privacy news this week is Meta’s settling of the Cambridge Analytica class-action in what will the “largest recovery ever achieved in a data privacy class action.” The other two stories serve to help explain why our upcoming Abuse of Your Personal Privacy webinar is so important.

  • Meta to settle Cambridge Analytica class-action for $725 million: Facebook parent company Meta has agreed to pay $725 million to settle a class-action lawsuit over the company’s decision to allow Cambridge Analytica and other third parties to access users’ personal data. … The proposal, if approved, would cap a legal dispute that began in 2018 when it became known that Facebook allowed Cambridge Analytica, a British data analytics and advertising firm, to access the personal information of about 87 million users. … In a motion filed late Thursday in the U.S. District Court for the Northern District of California and first reported by Reuters, lawyers said the proposed settlement would be the “largest recovery ever achieved in a data privacy class action and the most Facebook has ever paid to resolve a private class action.” The Record, December 23, 3022
  • ‘Power Run Amok’: Madison Square Garden Uses Face-Scanning Tech to Remove Perceived Adversaries: Over the past month, multiple attorneys whose firms have litigation against the venue have said MSG used facial-recognition tech to find them and kick them out of shows by Brandi Carlile and the Rockettes. … Barbara Hart was celebrating her wedding anniversary and waiting for Brandi Carlile to take the stage at Madison Square Garden on Oct. 22, when a pair of security guards approached her and her husband by their seats and asked for the couple to follow them. At first, Hart tells Rolling Stone she was excited, thinking it was some sort of surprise before the concert started. Her excitement turned to anxiety soon after, however, as she spoke with security and gathered that she’d been identified using facial-recognition technology. Then they escorted her out of the venue. Rolling Stone, December 21, 2022
  • Data brokers raise privacy concerns — but get millions from the federal government: How an old privacy law and new security demands force Washington to rely on an industry in the crosshairs. … The idea was simple and appealing: Give citizens a single, easy-to-use webpage to access all kinds of federal services, from passport renewal to small-business loans. … The site,, launched in 2017 and got backing from the Biden administration in an executive order last December. As of this week, it’s connected to more than 20 government agencies, including the Small Business Administration, the Office of Personnel Management, the Social Security Administration and NASA. … But when citizens enter their personal information to register for the site, it’s not the federal government that validates it — it’s a group of private-sector data brokers, companies that are increasingly under scrutiny for collecting, storing and selling massive amounts of information on Americans without their knowledge. Politico, December 21, 2022

With TikTok banned on government devices and politicians falling over each other offering sound bites, the following from The Washington Post is refreshing. The article also offers advice for TikTok users to protect their privacy.

  • Those government TikTok ‘bans’ hardly ban anything: A bunch of states and now Congress are seeking to ban government employees from using TikTok. Let’s get real. … Those bans hardly ban anything. … Many American politicians are grandstanding over TikTok for your attention. … The same U.S. officials saying that TikTok is a gateway to Chinese spying and manipulation have done almost nothing real about that risk. … So far, people with power in the United States haven’t been willing to actually block Americans from using TikTok, even as new reporting revealed that TikTok employees improperly accessed data on Americans. … But people in power also haven’t followed through on TikTok restrictions that could protect Americans. The Washington Post, December 23, 2022

I’m not sure what set of words describes the two “men’ in the next story. Swatting is bad enough, given that we’ve had innocent people shot and killed during the inevitable confrontation. But to hack into victims Ring cameras so they could watch the proceedings and taunt the police? Miscreants? Goons? Scumbags? Jerks?

  • Hacked Ring Cams Used to Record Swatting Victims: Two U.S. men have been charged with hacking into the Ring home security cameras of a dozen random people and then “swatting” them — falsely reporting a violent incident at the target’s address to trick local police into responding with force. Prosecutors say the duo used the compromised Ring devices to stream live video footage on social media of police raiding their targets’ homes, and to taunt authorities when they arrived. Krebs on Security, December 19, 2022

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in managing cyber-risk, securing their organizations, and protecting privacy.

Here’s three stories that serve to wrap up the year and point the way towards what to expect in 2023. Here’s the bottom line: We are doing far less than we need in managing our cyber risk and cybercrime will continue to rise in 2023. As Bob Dylan told us 60 years ago, “It doesn’t take a weatherman to know which way the wind is blowing.

  • 4 Most Common Cyberattack Patterns from 2022: As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. … It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. … In this article, we’ll round up some of the most common cyberattack patterns we saw in 2022, what they meant for organizations (and society in general) and present some concrete strategies to deal with these threats in the future. Security Intelligence, December 20, 2022
  • Cybersecurity’s Biggest Mistakes of 2022: In just a few years, the world of cybersecurity has changed dramatically. New technologies and threats have emerged, old ones have fallen by the wayside, and the stakes have never been higher. … As we move into 2023, it’s important to take stock of the past year and learn from our mistakes. Here are some of the biggest cybersecurity mistakes of 2022 – and how to avoid them in the New Year. SentinelOne, December 19, 2022
  • Cybercrime (and Security) Predictions for 2023: Threat actors continue to adapt to the latest technologies, practices, and even data privacy laws—and it’s up to organizations to stay one step ahead by implementing strong cybersecurity measures and programs. … Here’s a look at how cybercrime will evolve in 2023 and what you can do to secure and protect your organization in the year ahead.  The Hacker News, December 19, 2022

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge