This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.
Stan’s Top of the News
Our Top of the News is the threat posed by Chinese government-backed hackers.
- FBI director warns that Chinese hackers are preparing to ‘wreak havoc’ on US critical infrastructure: FBI Director Christopher Wray on Wednesday warned that Chinese hackers are preparing to “wreak havoc and cause real-world harm” to the US. … “China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” Wray told the House Select Committee on the Chinese Communist Party. … Though cyber officials have long sounded the alarm about China’s offensive cyber capabilities, Wray’s dramatic public warning underlines the huge level of concern at the top of the US government about the threat Chinese hackers pose to critical infrastructure nationwide. The head of the National Security Agency and other senior US officials also testified on Chinese cyber activity in front of the panel Wednesday. … Chinese government-backed hackers, Wray said, are targeting things like water treatment plants, electrical infrastructure and oil and natural gas pipelines. … The Chinese hackers are working “to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous,” Wray said. “And let’s be clear: Cyber threats to our critical infrastructure represent real world threats to our physical safety.”
- Exclusive: US disabled Chinese hacking network targeting critical infrastructure: The U.S. government in recent months launched an operation to fight a pervasive Chinese hacking operation that compromised thousands of internet-connected devices, two Western security officials and a person familiar with the matter said. … The Justice Department and Federal Bureau of Investigation sought and received legal authorization to remotely disable aspects of the Chinese hacking campaign, the sources told Reuters. … The hacking group at the center of recent activity, Volt Typhoon, has especially alarmed intelligence officials who say it is part of a larger effort to compromise Western critical infrastructure, including naval ports, internet service providers and utilities.
Small and Midsize Organizations. Take your security to the next level. Apply Now! If you’re a small business, nonprofit, or IT / MSP in the greater Los Angeles area, apply NOW for LA Cybersecure, a pilot program with coaching and guidance that costs less than two cups of coffee a week. https://securethevillage.org/la-cybersecure-pilot/ The LA Cybersecure Pilot Program is funded by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.
Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend!
How Hackable Are You? Take our test. Find out how hackable you are and download our free updated 13-step guide.
- How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short test; your answers will help you and guide us in improving community safety.
Upcoming events. Please join us.
- Los Angeles Cybersecurity Workforce Coalition: The monthly meeting of the workforce coalition, Tue, February 6, 1:00 pm – 2:00 pm PT. The LA Cybersecurity Workforce Coalition is for employers, educators, government, nonprofits, and others with a professional interest in the cybersecurity workforce challenge.
Please Support SecureTheVillage.
- We need your help if we’re to build a world of CyberGuardians™. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village.™
Cybersecurity Nonprofit of the Week … Cybercrime Support Network
Kudos this week to the Cybercrime Support Network, a nonprofit that helps consumers impacted by cybercrime. As a leading voice for cybercrime victims, the Cybercrime Support Network is dedicated to serving those affected by the ever growing impact of cybercrime by helping them to recognize, report and recover from an incident. Founded in 2017, Cybercrime Support Network (CSN) connects victims to resources, increases cybercrime and online fraud reporting, and decreases revictimization. Since its founding, CSN has provided help to millions of consumers via FightCybercrime.org and ScamSpotter.org.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform
Waiting for Security (Video) (Podcast): “Unfortunately, the technology underpinning our critical infrastructure is inherently insecure because of DECADES of software developers NOT BEING HELD LIABLE for defective technology. That has led to incentives where FEATURES and SPEED to market have been prioritized AGAINST SECURITY, leaving our nation VULNERABLE to cyber invasion. That has to stop,” Jen Easterly, CISA. … Join Stan and Julie this week on Live on Cyber as they discuss how market economies force security responsibility on the people least able to protect themselves. And ways we the people are pushing back. … Subscribe to your weekly 15-min update on the latest in information security and privacy affecting our businesses and the communities we live in!
Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.
From Steve Lopez in the Los Angeles Times come two more sad stories of loss.
- Column: ‘My life cannot be ruined by this scammer.’ Two victims lost everything and sued their banks: In a span of just three weeks in the summer of 2022, Alice Lin was swindled out of her life savings in an internet scam that began on a Chinese-language chat app. She lost more than $720,000 and sank so low that the 80-year-old two-time widow and mother of four considered taking her own life. … In the same year, Artemis Yaffe was targeted by a scammer posing as an IRS agent, losing her $1.8-million nest egg and — eventually — her home. It took less than two months for her life to be upended, sending the 77-year-old widow into a tailspin from which she has yet to emerge.
Yet another warning to be careful out there.
- Beware of scammers sending live couriers to liquidate victims’ life savings: The scams sound easy to detect, but they steal billions of dollars, often from the elderly.
Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.
Two stories of an out-of-control Internet. One from the conservative Wall Street Journal. The other from the liberal New York Times. Seems to say something about dysfunctional Washington’s inability to protect we the people.
- ‘You Have Blood on Your Hands’: Senators Say Tech Platforms Hurt Children: Meta internal documents show top officials asked Mark Zuckerberg to invest in protections for children. … Meta Platforms’ Mark Zuckerberg, TikTok’s Shou Zi Chew and other tech CEOs faced withering bipartisan criticism on Wednesday from senators who said social-media platforms must bear more legal liability when children are harmed online. … “You have blood on your hands,” Sen. Lindsey Graham (R., S.C.) told the executives during a hearing of the Senate Judiciary Committee, eliciting applause from a packed audience that included many holding pictures of children. … The presence of grieving families lent the roughly four-hour session an emotional charge, as lawmakers repeated stories of sexual exploitation, suicide and other suffering blamed on social media. … At the same time, it wasn’t clear it would lead to a different result than previous congressional tongue-lashings of the tech industry. Several senators acknowledged the futility of their legislative response to date, despite a bipartisan consensus that the current laws don’t adequately address harms to children on the platforms. … “We have an annual flogging every year,” said Sen. Thom Tillis (R., N.C.). “And what materially has occurred?”
- N.S.A. Buys Americans’ Internet Data Without Warrants, Letter Says: The disclosure comes amid congressional scrutiny and a Federal Trade Commission crackdown on commercial data brokers. … The National Security Agency buys certain logs related to Americans’ domestic internet activities from commercial data brokers, according to an unclassified letter by the agency. … The letter, addressed to a Democratic senator and obtained by The New York Times, offered few details about the nature of the data other than to stress that it did not include the content of internet communications. … Still, the revelation is the latest disclosure to bring to the fore a legal gray zone: Intelligence and law enforcement agencies sometimes purchase potentially sensitive and revealing domestic data from brokers that would require a court order to acquire directly. … It comes as the Federal Trade Commission has started cracking down on companies that trade in personal location data that was gathered from smartphone apps and sold without people’s knowledge and consent about where it would end up and for what purpose it would be used.
You think the Internet is bad now? Wait. A warning on the proposed UN Cybercrime Treaty from the Electronic Frontier Foundation.
- In Final Talks on Proposed UN Cybercrime Treaty, EFF Calls on Delegates to Incorporate Protections Against Spying and Restrict Overcriminalization or Reject Convention: UN Member States are meeting in New York this week to conclude negotiations over the final text of the UN Cybercrime Treaty, which—despite warnings from hundreds of civil society organizations across the globe, security researchers, media rights defenders, and the world’s largest tech companies—will, in its present form, endanger human rights and make the cyber ecosystem less secure for everyone. … EFF and its international partners are going into this last session with a unified message: without meaningful changes to limit surveillance powers for electronic evidence gathering across borders and add robust minimum human rights safeguards that apply across borders, the convention should be rejected by state delegations and not advance to the UN General Assembly in February for adoption.
On the Regulatory Front.
- As New SEC Rules Go Into Effect, Cybersecurity Moves to Top of Agenda for Risk Leaders & Boards: 36% of risk managers say cybersecurity is top concern … Two new research reports are further cementing what many corporate leaders already know: 2024 will be the year of cybersecurity. The Allianz Risk Barometer rates cybersecurity as the biggest risk to business, according to risk leaders, while annual reporting by Corporate Board Member, Diligent Institute and BDO found that board members are most challenged by AI, cybersecurity and data privacy.
- FTC says Blackbaud’s lax security allowed hacker to steal sensitive data – and that’s just the beginning of the story: Keep data secure. Safely dispose after use. Tell people the truth. … We’re not suggesting that the principles of sound data security can be boiled down to a haiku, but there are certain fundamentals every business should follow. The FTC’s proposed action against Blackbaud, Inc., alleges that the company’s failure to implement some of those basics resulted in the theft of highly sensitive data about millions of consumers, including Social Security numbers and bank account information. But that’s just the start of where the FTC says Blackbaud violated the law.
- Citigroup Sued Over Handling of Online Scams: New York Attorney General Letitia James wants bank to pay back defrauded customers. New York state is pressing Citi to enhance the bank’s antifraud defenses. … New York Attorney General Letitia James sued a unit of Citigroup, alleging that the bank had failed to protect its customers from online scams and then illegally denied those account holders reimbursements. … “The results are devastating,” James’s office wrote Tuesday in its civil complaint. “Consumers lose tens of thousands of dollars or more by doing nothing more than clicking on a link in a text that appears to be from a trusted source, providing information on a call with a purported representative of Citi, or answering security questions on a website that looks official.” … The suit described the experiences of several unnamed New Yorkers who lost money through scams related to their Citi bank accounts. In one instance, a bank customer lost $40,000 after clicking on a link in a text message that appeared to be from Citi. … Citibank lacked robust security measures and didn’t respond to red flags, efforts that would have limited thefts by scammers who had infiltrated customers’ accounts to send fraudulent wire transfers, according to the complaint.
- SolarWinds Requests Court Dismiss Regulator’s Fraud Case: Calls Securities and Exchange Commission’s Cybersecurity Allegations ‘Unfounded’. … Network monitoring software vendor SolarWinds moved to dismiss a federal lawsuit accusing the company and its CISO of securities fraud after they allegedly misstated the efficacy of its cybersecurity controls. … Austin, Texas-based SolarWinds in a Friday court filing called charges filed last October by the Securities and Exchange Commission “as unfounded as they are unprecedented” and moved for the “fundamentally flawed” case to be dismissed lest it “revictimize the victim” of a Russian intelligence hacking campaign.
Stories of cybercrime
- SIM-swapping ring stole $400M in crypto from a US company, officials allege: Scheme allegedly targeted Apple, AT&T, Verizon, and T-Mobile stores in 13 states. … The US may have uncovered the nation’s largest “SIM swap” scheme yet, charging a Chicago man and co-conspirators with allegedly stealing $400 million in cryptocurrency by targeting over 50 victims in more than a dozen states, including one company. … A recent indictment alleged that Robert Powell—using online monikers “R,” “R$,” and “ElSwapo1”—was the “head of a SIM swapping group” called the “Powell SIM Swapping Crew.” He allegedly conspired with Indiana man Carter Rohn (aka “Carti” and “Punslayer”) and Colorado woman Emily Hernandez (allegedly aka “Em”) to gain access to victims’ devices and “carry out fraudulent SIM swap attacks” between March 2021 and April 2023.
- Computer intruder tried to poison Florida city’s drinking water with lye: Change boosting sodium hydroxide level was reversed before anyone got hurt. Someone broke into the computer system of a water treatment plant in Florida and tried to poison drinking water for a Florida municipality’s roughly 15,000 residents, officials said on Monday.
- AnyDesk says hackers breached its production servers, reset passwords: AnyDesk confirmed today that it suffered a recent cyberattack that allowed hackers to gain access to the company’s production systems. BleepingComputer has learned that source code and private code signing keys were stolen during the attack. … AnyDesk is a remote access solution that allows users to remotely access computers over a network or the internet. The program is very popular with the enterprise, which use it for remote support or to access colocated servers. … The company reports having 170,000 customers, including 7-Eleven, Comcast, Samsung, MIT, NVIDIA, SIEMENS, and the United Nations.
- Johnson Controls says ransomware attack cost $27 million, data stolen: Johnson Controls International has confirmed that a September 2023 ransomware attack cost the company $27 million in expenses and led to a data breach after hackers stole corporate data. … Johnson Controls is a multinational conglomerate that develops and manufactures industrial control systems, security equipment, air conditioners, and fire safety equipment.
- Nation-state actor used stolen Okta credentials in Thanksgiving attack, Cloudflare says: Senior executives at networking giant Cloudflare said a suspected nation-state attacker used credentials stolen from Okta to breach the company’s systems in late November.
Section 4 – Managing Information Security and Privacy in Your Organization.
For your IT.
- Juniper Networks Releases Urgent Junos OS Updates for High-Severity Flaws: Juniper Networks has released out-of-band updates to address high-severity flaws in SRX Series and EX Series that could be exploited by a threat actor to take control of susceptible systems.