SecureTheVillage
Today’s marks the beginning of the 14th year of our Cybersecurity News of the Week & Weekend Patch Report. What began in 2009 as a short blog post to a handful of colleagues has grown to a weekly cybersecurity newsletter that reaches several thousand security practitioners, business executives, attorneys, consultants, insurance professionals, educators, law enforcement professionals, and families. Even as we’re proud of what we’ve done, we recognize the challenge before us as we work to educate and support the community, advocating for a secure global village.
Individuals at Risk
News stories to inform and support your cybersecurity and privacy.
Cyber Privacy
Apple plans AirTag updates to curb unwanted tracking: Apple said Thursday it plans to add more safeguards to AirTags to cut down on unwanted tracking following reports that the devices have been used to stalk people and steal cars. CNN Business, February 10, 2022
I Used Apple AirTags, Tiles and a GPS Tracker to Watch My Husband’s Every Move: A vast location-tracking network is being built around us so we don’t lose our keys: One couple’s adventures in the consumer tech surveillance state. New York Times, February 11, 2022
Just How Much Does Your Phone Listen to Sell You Targeted Ads?: Have you ever been talking about something with a friend, only to receive an ad for the same thing later? It makes you wonder whether your phone is listening to you and what you can do to stop it. But just how much do our phones spy on us? Lifehacker, February 10, 2022
IRS To Ditch Biometric Requirement for Online Access: The Internal Revenue Service (IRS) said today it will be transitioning away from requiring biometric data from taxpayers who wish to access their records at the agency’s website. The reversal comes as privacy experts and lawmakers have been pushing the IRS and other federal agencies to find less intrusive methods for validating one’s identity with the U.S. government online. KrebsOnSecurity, February 7, 2022
Cyber Warning
FBI warns: SIM-swapping attacks are rocketing, don’t brag about your crypto online: Americans lost more than $68 million to SIM swapping attacks in 2021, a number that has been exponentially increasing since 2018 when the agency first began tracking this threat. FBI alert backs up Microsoft’s call to avoid using phone numbers for two-factor authentication. ZD Net, February 9, 2022
Cyber Defense
Google account hacks drop 50% for 150 million who got 2-factor login: Another story on the importance of 2FA/MFA … With two-factor authentication, hackers can’t get far even if they’ve stolen your password. Ultimately, Google wants to move entirely beyond passwords. c|net February 8, 2022
Cyber Update
Apple issues urgent security patch for iOS — update your iPhone now: All the iPhone and iPad owners out there need to update their devices to the latest version as soon as possible. The launch of iOS 15.3.1 and iPadOS 15.3.1 has a lot of changes, but its most notable is a patch that fixes a serious security flaw, the kind that you don’t want any bad actors to exploit. Tom’s guide, February 11, 2022
Cyber Humor
Cybersecurity in Society
News stories for the cyber-aware citizen.
Cyber Crime
One of Europe’s biggest car dealer hit with ransomware attack: Emil Frey confirmed that the ransomware attack took place in January. ZDNet, February 11, 2022
A Quincy, MA city pension investment manager lost $3.5 million in an email phishing scam: More than $3 million is missing from the city’s pension fund after an investment manager fell victim to an email phishing scheme, a state board of overseers said. The money has not been recovered. The Patriot Ledger, February 11, 2022
Hundreds of e-commerce sites booby-trapped with payment card-skimming malware: About 500 e-commerce websites were recently found to be compromised by hackers who installed a credit card skimmer that surreptitiously stole sensitive data when visitors attempted to make a purchase. Ars technica, February 11, 2022
Cyber Surveillance
We Need Answers About the CIA’s Mass Surveillance: The Central Intelligence Agency has been collecting American’s private data without any oversight or even the minimal legal safeguards that apply to the NSA and FBI, an unconstitutional affront to our civil liberties. Electronic Frontier Foundation, February 11, 2022
CIA is secretly collecting bulk data pertaining to Americans, senators say: A partially redacted letter from Sens. Ron Wyden, D-Ore., and Martin Heinrich, D-N.M., said the program existed outside the normal bounds of oversight. NBC News, February 10, 2022
Cyber Warning
U.S. issues blanket warning on potential of destructive Russian hacks: The lead U.S. cyber defense agency released a broad national warning Friday night that Russia’s potential invasion of Ukraine could spill into hacks against American computer networks. Yahoo!News, February 11, 2022
CISA, FBI, NSA Issue Advisory on Severe Increase in Ransomware Attacks: Cybersecurity authorities from Australia, the U.K., and the U.S. have published a joint advisory warning of an increase in sophisticated, high-impact ransomware attacks targeting critical infrastructure organizations across the world in 2021. The Hacker News, February 10, 2022
Cyber — SNAFU
Radio station snafu in Seattle bricks some Mazda infotainment systems: Some Mazda owners in the Seattle area are stuck with bricked infotainment systems after listening to a particular radio station. Ars technica, February 9, 2022
Know the Enemy
Hidden in plain sight: How the dark web is spilling onto social media: A trip into the dark corners of Telegram, which has become a magnet for criminals peddling everything from illegal drugs to fake money and COVID-19 vaccine passes. WeLiveSecurity, February 10, 2022
Ransomware gangs are changing their tactics. That could prove very expensive for some victims: Researchers detail how some ransomware groups are shifting towards smaller targets, but ones where they can still guarantee a significant payday. ZDNet, February 7, 2022
Cyber Justice
Prosecutor isn’t pressing charges against reporter who found flaw in state website: Closing out a story SecureTheVillage posted in October, a St. Louis Post-Dispatch reporter targeted by Missouri Gov. Mike Parson for uncovering a security flaw in a state-run website won’t face criminal charges. The decision comes after the governor spent months publicly labeling the reporter a “hacker” for discovering the flaw and notifying the state about it. Missouri Independent, February 11, 2022
Cyber Insurance
Insurers Want to Avoid Covering War. Ukraine Hacks Put That to the Test: As U.S. officials warn of Russian cyberattacks, a court ruling could affect whether insurance covers the damage. Wall Street Journal, January 27, 2022
Cyber Enforcement
Nintendo hacker Gary Bowser sentenced to 3 years in prison: Gary Bowser, the public face behind Nintendo ROM hacker group Team Xecuter, has been handed a 40-month sentence and a $14.5 million fine for his crimes. PC Gamer, February 11, 2022
Hollowed-Out Books, Fake Passports And Burner Phones: What Led To The Feds’ Raid On The Crypto Couple: Prosecutors say the bitcoin money laundering saga of New York couple Heather Morgan and Ilya Lichtenstein “appear pulled from the pages of a spy novel.” Forbes, February 10, 2022
Russian Govt. Continues Carding Shop Crackdown: Russian authorities have arrested six men accused of operating some of the most active online bazaars for selling stolen payment card data. The crackdown — the second closure of major card fraud shops by Russian authorities in as many weeks — comes closely behind Russia’s arrest of 14 alleged affiliates of the REvil ransomware gang, and has many in the cybercrime underground asking who might be next. KrebsOnSecurity, February 9, 2022
NetWalker ransomware gang affiliate pleads guilty and slapped with a 7-year sentence: Sebastien Vachon-Desjardins caused at least $2.8 million in damages in Canada and will also be facing charges in the US. ZD Net, February 8, 2022
Cyber Lawsuit
Inmediata Data Breach $1.1M Class Action Settlement: Inmediata has agreed to pay over $1.1 million to resolve claims it put its customers at risk in a 2019 data breach. Top Class Actions, February 10, 2022
Cyber Regulation
SEC Proposes First-Ever Cybersecurity Rule for Advisors: The Securities and Exchange Commission is proposing new rules that for the first time would establish explicit and detailed cybersecurity compliance requirements for registered investment advisors, including obligations to enact written policies and to report cyber breaches to clients and regulators. Barron’s, February 9, 2022
Information Security Deep-Dive
News stories for the cybersecurity professional and those with cybersecurity management responsibilities.
Information Security Management
Information Security: Lessons in Continual Improvement: I was first drawn to information security because it reminded me of the Mad Magazine Spy Versus Spy series. I liked the idea of being the White Hat spy protecting our organization from being attacked by the insidious Black Hat. I am continually intrigued at how the Black Hat is constantly evolving. However, this relentless evolution that keeps me interested also, sometimes, keeps me up at night. David Lam, Miller Kaplan, Los Angeles Business Journal, February 7, 2022 (Miller Kaplan is a SecureTheVillage Platinum Sponsor)
CISA warns admins to patch maximum severity SAP vulnerability: The US Cybersecurity and Infrastructure Security Agency (CISA) has warned admins to patch a set of severe security flaws dubbed ICMAD (Internet Communication Manager Advanced Desync) and impacting SAP business apps using Internet Communication Manager (ICM). Bleeping Computer, February 9, 2022
Ransomware developer releases Egregor, Maze master decryption keys: The master decryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released last night on the BleepingComputer forums by the alleged malware developer. BleepingComputer, February 9, 2022
National Cyber Defense
Google Project Zero hails dramatic acceleration in security bug remediation: Researchers credit greater transparency and responsible disclosure policies for improvements in the patching process. The Daily Swig, February 11, 2022
More companies may have to get a CMMC assessment after all: The Pentagon’s revamped Cybersecurity Maturity Model Certification program is moving forward under the Defense Department chief information officer, but DoD is rolling back an aspect of the plan that would have allowed some 40,000 companies to self-attest to their cybersecurity practices. Federal News Network, February 10, 2022