Cybersecurity News of the Week, December 4, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

It’s the holiday season. Time to be especially cautious of scams. Let’s be careful out there. Don’t trust. Always verify.

  • Watch out for this triple-pronged PayPal phishing and fraud scam: My day started rough. … It was 7 a.m., and I was just partially through my first cup of coffee, when I noticed a new message in my email inbox. … It was from PayPal and the subject line said, “You’ve got a money request.” … And so began my first look at this three-pronged PayPal phishing scam. ZD Net, December 2, 2022
  • Beware of Holiday Shipping Notification Scams: Text scams pretending to be the USPS and other shipping companies are on the rise this holiday season. … It’s no secret scammers get more skilled and ingenious with time. Part of their strategy is knowing when is the best time to target certain people. As the holidays approach and people are expecting packages from Black Friday shopping or early Christmas gifts to arrive, scammers are taking advantage of the time to strike confusion and catch people off guard with shipping scams. … If you’ve gotten a text or email message that seems to be from the United States Postal Service (USPS) or any shipping company with a link, be alert. These kinds of shipping scam messages have been on the rise since May and are expected to keep increasing through the holiday shopping season, according to a news report from WGAL, an affiliate of NBC. Lifehacker, December 2, 2022
  • FBI warns of rise in costly technical support scams: The Federal Bureau of Investigation has issued an alert about the rise in technical support scams spreading across the country. … FBI field offices in Pittsburgh, Las Vegas, Boston and Chicago continue to warn the public of heightened fraud and cyber security risks. … According to the FBI bulletin, the technical support scam involves a cybercriminal posing as technical support offering to resolve issues such as compromised email or bank accounts, computer viruses, or software renewals. Good Morning America, November 30, 2022
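The shipping-notification scams above turn on one detail: the link's host merely *looks* like the carrier's. A naive "does the URL contain usps.com?" test passes hosts such as usps.com.redelivery-hold.example, because only the last two labels (the registrable domain) decide who controls a hostname. The following Python check is an added example written for this newsletter, not code from Lifehacker, WGAL or any carrier; the carrier allow-list and the sample text message are constructed for illustration and should be replaced with domains verified against each carrier's own published list.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of registrable domains for the carriers named in the
# stories above (an assumption for this example; verify before relying on it).
CARRIER_DOMAINS = {
    "usps": {"usps.com"},
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
}
ALL_LEGIT = set().union(*CARRIER_DOMAINS.values())

# Matches http(s):// or www. links inside free text such as an SMS body.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'usps.com' for
    'tools.usps.com'.  This toy version ignores multi-label public suffixes
    such as co.uk; a production check should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Classify one URL from a shipping message as 'legit', 'lookalike' or
    'unknown'.  The decision is made on the registrable domain of the host,
    never on whether a carrier's name appears somewhere in the string."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = parsed.hostname or ""   # .hostname drops any 'user@' prefix
    if not host:
        return "unknown"
    if registrable_domain(host) in ALL_LEGIT:
        return "legit"
    # The carrier's name is present (in host, userinfo or path) but the
    # registrable domain is somebody else's: the classic lookalike.
    tokens = set(re.split(r"[^a-z0-9]+", url.lower()))
    if any(brand in tokens for brand in CARRIER_DOMAINS):
        return "lookalike"
    return "unknown"


def scan_message(text: str) -> list[tuple[str, str]]:
    """Extract every link in a message and classify it."""
    results = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")   # strip sentence punctuation glued to the link
        results.append((url, classify_link(url)))
    return results


# Constructed sample smishing text, modelled on the pattern the story describes.
SAMPLE_SMS = (
    "USPS: your package is on hold due to an incomplete address. Confirm at "
    "https://usps.com.redelivery-hold.example/t/9f2 within 24 hours."
)

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_SMS):
        print(f"{verdict:10} {url}")
```

Run it on a forwarded message and every link is reported with a verdict. The same function also catches the `https://usps.com@evil.example/...` trick, where the carrier's domain is only the userinfo part of the URL, because `urlparse(...).hostname` discards everything before the `@`.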

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz; your answers will help you and guide us to improve community safety.

Cyber Humor

Security Nonprofit of the Week … The Center for Internet Security

Our kudos this week to the Center for Internet Security (CIS®). Whether you buy IT services or provide them, you need to know about the Center for Internet Security and the great work they do to make the connected world a safer place for people, businesses, and governments. Strong proponents of collaboration and innovation, CIS® is a community-driven nonprofit responsible for the CIS Controls®, CIS Benchmarks™, and CIS Hardened Images®. CIS is also home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®). The Center for Internet Security is also one of the founders of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: Join Julie and me as we raise the alarm on cyber-scams during the holiday season. We also discuss the new SecureTheVillage tool “How Hackable Are You?” and how it can help you better protect yourself and your family against identity theft and other cyber attacks.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

Navigating privacy. Keeping private information private.

  • Googling abortion? Your details aren’t as private as you think: In the wake of the US supreme court’s overturning of Roe v Wade, Google pledged fresh policies to protect people’s abortion-related data. But new research has shown the way our location and other personal data is stored remains largely unchanged, raising fears that intimate details of a person’s abortion search could be used to penalize them. … The research, shared exclusively with the Guardian, raises questions about Google’s commitment to implementing its promised changes, the group contends. Furthermore, a Guardian analysis shows that additional data stored on Android phones can still create a detailed portrait of a user’s journey to seek an abortion, even if the location of abortion clinics visited are properly masked. The Guardian, November 29, 2022
  • TSA now wants to scan your face at security. Here are your rights: 16 major domestic airports are testing facial-recognition tech to verify IDs — and it could go nationwide in 2023 … Next time you’re at airport security, get ready to look straight into a camera. The TSA wants to analyze your face. … The Transportation Security Administration has been quietly testing controversial facial recognition technology for passenger screening at 16 major domestic airports — from Washington to Los Angeles — and hopes to expand it across the United States as soon as next year. Kiosks with cameras are doing a job that used to be completed by humans: checking the photos on travelers’ IDs to make sure they’re not impostors. The Washington Post, December 2, 2022
  • Kids Online Safety Act may harm minors, civil society groups warn lawmakers: Dozens of civil society groups urged lawmakers in a letter Monday against passing a bill that aims to protect children from online harm. … They warned the bill itself could actually pose a further danger to kids and teens by encouraging more data collection on minors and preventing access to topics such as LGBTQ issues. … The bipartisan Kids Online Safety Act has gained momentum at a time when debates over parental control of what’s taught in school, specifically as it relates to gender identity and sexual orientation, have come to the forefront. … The American Civil Liberties Union, Center for Democracy & Technology, Electronic Frontier Foundation, Fight for the Future, GLAAD and Wikimedia Foundation were among the more than 90 groups that wrote to Senate Majority Leader Chuck Schumer, D-N.Y., Senate Commerce Committee Chair Maria Cantwell, D-Wash., and Ranking Member Roger Wicker, R-Miss., opposing the Kids Online Safety Act. CNBC, November 28, 2022

It looks like consumers will begin to get some relief from Zelle scams. While I’m sympathetic to the need for banks to do more to protect their customers, consumers have the opportunity to shut down these scams. As security and privacy professionals, let’s educate consumers to “just say no.” SecureTheVillage developed our How Hackable Are You quiz and Guide to help consumers do just that.

  • Banks Plan to Start Reimbursing Some Victims of Zelle Scams: A rule change planned for early next year would shift liability for some losses onto the banks, not their customers. … The seven banks that own the payments network Zelle are preparing a major rule change early next year that will require the network’s member banks to compensate customers who fall victim to certain kinds of scams, according to two people familiar with the plans. The New York Times, November 28, 2022

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity, and privacy stories to keep you informed.

Stories of cybercrime and its aftermath. This includes a story of the growth of cybercriminals in sub-Saharan Africa targeting the west.

  • How a Cyberattack Plunged a Long Island County Into the 1990s: Suffolk County officials had to return to the days of paper checks and faxes after an episode that exposed government weaknesses. … Emergency dispatchers taking down 911 calls by hand, unable to use their geolocation technology for callers. Police officers radioing in crime scene details, rather than emailing reports to headquarters. Office workers resorting to fax machines. … For weeks this fall, the government of Suffolk County was plunged back into the 1990s after a malicious ransomware attack forced it largely offline. A frantic push to counter the threat hobbled the county, as officials disabled email for all 10,000 civil service workers and scrubbed infected hardware, seeking to stem fallout from compromised computer systems. … More than two months after the attack, some of the gears that run much of Long Island are still stubbornly mired in a cybermorass. It is a situation that experts say not only reveals the county’s vulnerability but also presents an ominous warning for a nation unprepared for crippling online threats. The New York Times, November 28, 2022
  • Cyber black market selling hacked ATO and MyGov logins shows Medibank and Optus only tip of iceberg: The highly sensitive information of millions of Australians — including logins for personal Australian Tax Office accounts, medical and personal data of thousands of NDIS recipients, and confidential details of an alleged assault of a Victorian school student by their teacher — is among terabytes of hacked data being openly traded online. … At least 12 million Australians have had their data exposed by hackers in recent months. Australian Broadcasting Corporation, November 27, 2022
  • Gangs of cybercriminals are expanding across Africa, investigators say: Online scams such as banking and credit card fraud are the most prevalent cyberthreat, says Interpol. … Experts attribute the surge in cybercrime in Africa to rapid growth of internet use as a result of the Covid pandemic. … Police and investigators fear organised gangs of fraudsters are expanding across sub-Saharan Africa, exploiting new opportunities as a result of the Covid-19 pandemic and the global economic crisis to make huge sums with little risk of being caught. … The growth will have a direct impact on the rest of the world, where many victims of “hugely lucrative” fraud live, senior police officials have said. The Guardian, November 28, 2022

Several stories this week deal with national and international cybersecurity.

  • How Would Cyber Insurance Companies Cover Catastrophic Hacks? Insurance firms that cover cyberattacks are working out what to do in the event of a catastrophic hack, one that takes down a systemically important company and possibly even the economy. WSJ Pro Cybersecurity reporter James Rundle joins host Zoe Thomas to discuss how insurers are modeling the fallout from such an attack and why this kind of catastrophe is so hard to prepare for. The Wall Street Journal, Tech News Briefing Podcast, November 30, 2022
  • DHS cyber safety board to probe Lapsus$ hacks: The Homeland Security Department on Friday announced its cyber review board would investigate a series of high-profile breaches attributed to the Lapsus$ group, a prolific global data extortion gang run by teenagers. The Record, December 2, 2022
  • Never-before-seen malware is nuking data in Russia’s courts and mayors’ offices: CryWiper masquerades as ransomware, but its real purpose is to permanently destroy data. … Mayors’ offices and courts in Russia are under attack by never-before-seen malware that poses as ransomware but is actually a wiper that permanently destroys data on an infected system, according to security company Kaspersky and the Izvestia news service. … Kaspersky researchers have named the wiper CryWiper, a nod to the extension .cry that gets appended to destroyed files. Kaspersky says its team has seen the malware launch “pinpoint attacks” on targets in Russia. Izvestia, meanwhile, reported that the targets are Russian mayors’ offices and courts. Additional details, including how many organizations have been hit and whether the malware successfully wiped data, weren’t immediately known. Ars Technica, December 2, 2022
  • Hacked El Salvador Journalists Sue Spyware Maker Pegasus in US Court: Journalists from the El Faro investigative outlet believe President Nayib Bukele’s government purchased the spyware and is behind the hacking. … The journalists filed a lawsuit this week in U.S. federal court against NSO Group for allegedly infecting their phones with malicious spyware that allowed its operators unfettered access to their lives and work. Vice, December 2, 2022
  • Chrome, Defender, and Firefox 0-days linked to commercial IT firm in Spain: Variston IT fingerprints found in source code for advanced Chrome exploit. … Google researchers said on Wednesday they have linked a Barcelona, Spain-based IT company to the sale of advanced software frameworks that exploit vulnerabilities in Chrome, Firefox, and Windows Defender. … Variston IT bills itself as a provider of tailor-made information security solutions, including: technology for embedded SCADA (supervisory control and data acquisition) and Internet of Things integrators; custom security patches for proprietary systems; tools for data discovery; security training; and the development of secure protocols for embedded devices. According to a report from Google’s Threat Analysis Group, Variston sells another product not mentioned on its website: software frameworks that provide everything a customer needs to surreptitiously install malware on devices they want to spy on. Ars Technica, November 30, 2022
  • SIM-swapper gets 18 months, must pay back $20 million he stole from crypto investor: A 25-year-old Florida man was sentenced on Thursday to a year-and-a-half in prison and ordered to pay restitution for his participation in a SIM-swapping scheme that siphoned off cryptocurrency worth more than $23 million at the time. … Nicholas Truglia was involved in the 2018 heist along with an unknown number of perpetrators who gained access to the phone of Michael Terpin, a prominent crypto investor, by linking his phone number to a SIM card in their possession and thereby getting access to his accounts. The group stole some three million tokens, worth about $23.8 million. According to the criminal indictment, the tokens ended up in Truglia’s account and were converted to Bitcoin, with the proceeds shared among the participants. According to the Southern District of New York’s Attorney’s Office, Truglia must pay Terpin more than $20 million in restitution within 60 days. The Record, December 2, 2022

Twitter seems to have opened the floodgates for hate speech while also no longer being able to protect its platform from abuse. As more people look for a Twitter alternative, we also include a story on the security of the Twitter alternative Mastodon.

  • Twitter not safer under Elon Musk, says former head of trust and safety: Nov 29 (Reuters) – Twitter’s former head of trust and safety Yoel Roth on Tuesday said the social media company was not safer under new owner Elon Musk, warning in his first interview since resigning this month that the company no longer had enough staff for safety work. Reuters, November 29, 2022
  • Layoffs Have Gutted Twitter’s Child Safety Team: Just one person remains to enforce the company’s ban on child sexual abuse content across Japan and the Asia Pacific region. … Removing child exploitation is “priority #1”, Twitter’s new owner and CEO Elon Musk declared last week. But, at the same time, following widespread layoffs and resignations, just one staff member remains on a key team dedicated to removing child sexual abuse content from the site, according to two people with knowledge of the matter, who both requested to remain anonymous. Wired, November 28, 2022
  • Twitter grapples with Chinese spam obscuring news of protests: For hours, links to adult content overwhelmed other posts from cities where dramatic rallies escalated. … Twitter’s radically reduced anti-propaganda team grappled on Sunday with a flood of nuisance content in China that researchers said was aimed at reducing the flow of news about stunning widespread protests against coronavirus restrictions. The Washington Post, November 27, 2022
  • How secure a Twitter replacement is Mastodon? Let us count the ways: The demise of Twitter’s security and privacy teams has people looking for alternatives. … As Elon Musk critics flee from Twitter, Mastodon seems to be the most common replacement. In the last month, the number of monthly active users on Mastodon has rocketed more than threefold, from about 1 million to 3.5 million, while the total number of users jumped from about 6.5 million to 8.7 million. … This substantial increase raises important questions about the security of this new platform, and for good reason. Unlike the centralized model of Twitter and virtually every other social media platform, Mastodon is built on a federated model of independent servers, known as instances. In this respect, it’s more akin to email or Internet Relay Chat (IRC), where security depends on the ability and attention of the admin who configured it and maintains each individual server. Ars Technica, November 29, 2022

LastPass’s August breach appears to have led to a second breach, this one compromising customer information held in a third-party cloud storage service.

  • LastPass’ latest data breach exposed some customer information: CEO Karim Toubba says hackers didn’t gain access to users’ stored passwords, but disclosed this breach happened using information taken back in August. LastPass has experienced another data breach, but this time, it exposed user data. According to a post from LastPass CEO Karim Toubba, hackers accessed a third-party cloud storage service used by the password manager and were able to “gain access to certain elements” of “customers’ information.” The Verge, November 30, 2022

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in managing cyber-risk, securing their organizations, and protecting privacy.

CISA has added two vulnerabilities to its Known Exploited Vulnerabilities catalog, its list of flaws under active attack. Patch these now.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge