A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.
Stan’s Top of the News
Kicking off the new year, our Top of the News concerns the LastPass breach. The bottom line for LastPass users: Change your Master Password and your passwords to all sensitive web sites. Make sure your Master Password is at least 16 characters. And use two-factor authentication (2FA, MFA). One caveat: 2FA protects logins to your LastPass account, but it does nothing for the copy of your vault the attackers already have; that copy can be attacked offline with only your Master Password standing in the way. That is why the site passwords themselves must change, starting with email, banking, and any account that can be used to reset others. You might also want to find a LastPass replacement, one with a stronger commitment to ethics and integrity. See items #2 and #7 in our How Hackable Are You? Guide for more information.
- Here’s the situation. Last August LastPass announced that they’d been breached. They downplayed the breach at the time, saying that customers’ master passwords, encrypted passwords, personal information, and other data stored in customer accounts weren’t affected. In an update Thursday, the company acknowledged that hackers copied a backup of customer vault data that included encrypted data fields such as website usernames and passwords, secure notes, and form-filled data. This means the cyber criminals have your LastPass “vault,” and with it every password in it, if they can recover your Master Password. Because they hold the encrypted file itself, they can guess at that password offline, as fast as their hardware allows, with no lockout, no login alert, and no 2FA prompt to slow them down. That is a piece of cake if your Master Password isn’t long and complex.
- LastPass users: Your info and password vault data are now in hackers’ hands: Password manager says breach it disclosed in August was much worse than thought. … LastPass, one of the leading password managers, said that hackers obtained a wealth of personal information belonging to its customers as well as encrypted and cryptographically hashed passwords and other data stored in customer vaults. Ars Technica, December 22, 2022
- LastPass security attacked by rival company 1Password: ‘Passwords could be cracked for $100’: The LastPass security breach controversy continues. After an independent security analyst described statements made by LastPass as “half-truths and outright lies,” rival password management company 1Password has also weighed in … LastPass claimed that cracking users’ master passwords would take millions of years, but 1Password says that this isn’t true for most users. Indeed, it says, it would cost just $100 to crack the master password of a typical LastPass user. 9TO5Mac, December 29, 2022
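To make the “$100” and “millions of years” claims concrete, here is an added example (our own illustration, not LastPass code or data) of what an attacker holding a stolen vault actually does: derive the vault key from candidate Master Passwords with PBKDF2-HMAC-SHA256 and compare, with nothing to rate-limit the guessing. The iteration count, the e-mail-as-salt convention, the sample wordlist and the GPU guess rate are assumptions for illustration; the point is how the expected cracking time scales with password length and character set.

```python
import hashlib
import hmac
import math
import time

# Assumed parameters, constructed for this illustration (not LastPass code or data).
# LastPass is widely reported to use PBKDF2-HMAC-SHA256 with the account e-mail as
# the salt and 100,100 iterations by default; treat those numbers as assumptions here.
ITERATIONS = 100_100
SALT = b"user@example.com"  # constructed salt


def derive_key(master_password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Derive the vault key with PBKDF2-HMAC-SHA256. Once the vault file is stolen,
    this computation (run by the attacker, offline) is the only protection left."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def offline_crack(target_key: bytes, candidates, salt: bytes = SALT, iterations: int = ITERATIONS):
    """Dictionary attack against a stolen vault: no server, no rate limiting, no lockout,
    and no MFA prompt, because none of those exist in an offline copy."""
    for guess in candidates:
        if hmac.compare_digest(derive_key(guess, salt, iterations), target_key):
            return guess
    return None


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from a `charset_size` alphabet."""
    return length * math.log2(charset_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average search time: on average half of the 2**bits keyspace is tried before the hit."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def measure_guess_rate(iterations: int = ITERATIONS, samples: int = 5) -> float:
    """Guesses per second this machine manages on a single core at the given iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"benchmark-{i}", SALT, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # 1. A weak Master Password falls to a tiny constructed wordlist.
    stolen_vault_key = derive_key("Summer2022!")  # what the attacker effectively holds
    wordlist = ["password", "letmein", "Summer2021!", "Summer2022!", "correct horse"]
    print("cracked master password:", offline_crack(stolen_vault_key, wordlist))

    # 2. Why 16+ characters matter: keyspace against an assumed attacker throughput.
    # 10,000 guesses/s per GPU at ~100k PBKDF2 iterations is an assumed, order-of-magnitude figure.
    rig_rate = 10_000 * 100  # assume a 100-GPU rig
    policies = [("8 lowercase", 8, 26), ("10 mixed+digits", 10, 62), ("16 any printable", 16, 95)]
    for label, length, charset in policies:
        bits = entropy_bits(length, charset)
        years = expected_crack_seconds(bits, rig_rate) / 86400 / 365
        print(f"{label:18s} {bits:6.1f} bits  ~{years:.3g} years")
    print(f"this CPU: ~{measure_guess_rate():.0f} guesses/s at {ITERATIONS} iterations")
```

Run it and compare the rows: an 8-character lowercase password is a matter of days on a modest rig, while 16 random printable characters is beyond any budget. Note also that the iteration count multiplies the attacker’s cost linearly, whereas each added character multiplies it by the alphabet size; length wins.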
How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.
- How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz, as your answers will help you and guide us to improve community safety.
Upcoming events. Please join us.
- If you’re concerned about all the data about you being swept up by government, big tech, and big politics you’ll want to attend this special webinar with panelists from the ACLU and the Electronic Frontier Foundation. Abuse of Your Personal Privacy: How Government, Big Tech, and Political Agendas Have Run Amok. January 26, 11AM PT. And if you’re not concerned yet, download and run Privacy Badger as I discuss in the next section.
- I’m facilitating a panel of Harvard alums with the Harvard Club of Chicago. The webinar is designed for business professionals, particularly executives who have to allocate scarce organizational resources and their advisors. Managing Business Risk at Technology’s Edge: Cybersecurity and Biometrics. January 24, 2:00PM PT.
Cybersecurity Nonprofit of the Week … Nonprofit Cyber
Kudos this week to the 30 nonprofits comprising Nonprofit Cyber. Nonprofit Cyber is a coalition of implementation-focused cybersecurity nonprofits formed to collaborate, work together on projects, voluntarily align activities to minimize duplication and increase mutual support, and link the community to key stakeholders through a shared communication channel. Nonprofit Cyber has compiled the Nonprofit Cyber Solutions Index. This is the first comprehensive index of actual cybersecurity capabilities provided by the NGO community. In particular, the index identifies a large selection of free or low-cost cybersecurity capabilities for individuals, small businesses, and others left behind in the current environment. SecureTheVillage is a proud member of Nonprofit Cyber.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn
Live on Cyber with Dr. Stan Stahl: Julie and I took the week off to be with family and friends. The link is to our discussion the previous week “Are ‘Ransomers’ After You?” Join Julie and me as we talk about how you’re at cyber risk whether you’re Moby Dick or simply a small fish in a sea of cyber criminals. Simply put, you are naïve if you believe you’re not important enough to attract ransomware. … We also discuss what you can do about it, starting by taking our short quiz: How Hackable Are You?
Section 2 – Personal Data Care – Security and Privacy
Important data care stories for protecting yourself and your family.
- Netgear warns users to patch recently fixed WiFi router bug: Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible. … The flaw impacts multiple Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC router models. Bleeping Computer, December 29, 2022
- Recent updates for older Nintendo games were due to a major security vulnerability: Over the past few weeks many of you, including us, have been surprised at older Nintendo Switch games and Nintendo 3DS games getting random software updates. The cause of this was never explicitly stated by Nintendo, and the patch notes for the games which were updated simply said that “Several issues have been addressed to improve the gameplay experience.” However, it seems that was only half of the story. My Nintendo News, December 24, 2022
Cyber Scams of the Week. Let’s be careful out there.
- Texas Man Admits $1.2 Million Romance Scam Targeting St. Louis Woman: On Monday, a man from Texas admitted targeting a St. Louis woman in a $1.2 million romance scam. U.S. Attorney’s Office, Eastern District of Missouri, December 19, 2022
- Rush City woman indicted in global scheme involving romance scams, pandemic aid fraud: A federal grand jury has alleged that a 69-year-old Rush City, Minn., woman helped carry out a global fraud scheme that duped victims around the country through romance fraud schemes and also targeted pandemic aid programs. Minneapolis Star Tribune, December 21, 2022
The Equifax Breach
- Consumers are getting payments from Equifax data breach settlement. Here’s what to expect if you filed a claim: The money heading to consumers comes from a $425 million consumer restitution fund, according to Equifax, which said last week that payments have started going out. … While individuals could file a claim for up to $125, the payment amount may be far less than that, according to the settlement administrator. … The form of payment depends on how you chose to receive it when you filed the claim as part of the settlement. CNBC, December 28, 2022
Section 3 – A Deeper Look for the Cyber-Concerned Citizen
Data Care, cybersecurity, and privacy stories to keep you informed.
Feel Good Story of the Week
- Wisconsin Resident With Ukrainian Roots Steals Bitcoin From Russian Darknet Market, Donates to Charity: A Ukrainian living in the U.S. has reportedly hacked a major drug market on the Russian dark web, diverting some of its crypto proceeds. The man says he donated the digital cash stolen from the illicit website to an organization delivering humanitarian aid across his war-torn homeland. … Ukrainian-born cyber intelligence expert Alex Holden, who left Kyiv as a teenager in the 1980s and now lives in Mequon, Wisconsin, claims he has hacked into Solaris, one of Russia’s largest online drug markets, Forbes reports. … Supported by his team at Hold Security, he was able to get hold of some of the bitcoin sent to dealers and the darknet site’s owners. The cryptocurrency, worth over $25,000, was later transferred to Enjoying Life, a charitable foundation based in the Ukrainian capital. Bitcoin.com, December 26, 2022
National Cyber Defense
- Cyber highlights in the $1.7 trillion government spending bill: President Joe Biden on Thursday signed a $1.7 trillion federal spending bill that includes a significant funding increase for the Cybersecurity and Infrastructure Security Agency (CISA). … The bipartisan legislation boosts the agency’s budget by roughly $313 million, for a total of $2.9 billion. That is a 12% increase over fiscal year 2022 and 15% more than the White House sought for the Homeland Security Department’s cyber wing. … The bill allocates more than $1.7 billion for cybersecurity efforts, including the “protection of civilian federal networks that also benefit” state, local, tribal and territorial government networks. It also grants CISA $46 million for “threat hunting and response capabilities” across those systems. … The spending bill — which will keep the government operating through September, or the end of the fiscal year — reauthorizes CISA’s National Cybersecurity Protection System. The program provides government entities with cyber defense tools, like intrusion detection. … Lawmakers also want CISA to report back in 90 days about the feasibility of a public-private “cyber insurance and data analysis” working group and establishing an accreditation program for third-party cybersecurity providers that work with federal agencies, critical infrastructure operators and state and local governments. The Record, December 30, 2022
- Biden signs TikTok ban for government devices, setting up a chaotic 2023 for the app: President Joe Biden approved a limited TikTok ban Thursday when he signed the 4,126-page spending bill into law. The ban prohibits the use of TikTok by the federal government’s nearly 4 million employees on devices owned by its agencies, with limited exceptions for law enforcement, national security and security research purposes. … The ban comes after a wave of actions against the viral video app in recent weeks amid mounting security concerns raised by media reports, China hawks and politicians. Given the increasing scrutiny of TikTok, which is owned by the Chinese company Bytedance, it could be just the beginning of challenges to come for the app. … The renewed pressure on the app under the Biden administration comes two years after a proposed ban by then-President Donald Trump was stopped in court. NBC News, December 30, 2022
- US lawmakers press government for answers over use of Israeli spyware: Congressman Adam Schiff and Senator Ron Wyden enquire about Washington’s purchase and use of Israeli spyware. … Two senior US lawmakers have sent letters to several government agencies seeking answers on the purchase and use of powerful spyware made by two Israeli firms, as Congress recently passed measures to rein in the proliferation of hacking software. Middle East Eye, December 28, 2022
The Looming Cyber Insurance Meltdown. (See above story: Cyber Highlights of Gov’t Spending Bill)
- Zurich Insurance CEO: Cyberattacks Will Be ‘Uninsurable’: As cyberattacks grow, they will become “uninsurable,” the CEO of Europe’s Zurich insurance said. … Speaking to the Financial Times on Monday (Dec. 26), Mario Greco said that cyberattacks could pose a larger threat to insurers than systemic issues like pandemics and climate change. … “What will become uninsurable is going to be cyber,” Greco said. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” … “There must be a perception that this is not just data … this is about civilization,” he said. “These people can severely disrupt our lives.” PYMNTS, December 26, 2022
Technology Run Amok
- The Signal App and the Danger of Privacy at All Costs: Two weeks ago, the Twitter co-founder Jack Dorsey passionately advocated in a blog post the view that neither Twitter nor the government nor any other company should exert control over what participants post. “It’s critical,” he said, “that the people have tools to resist this, and that those tools are ultimately owned by the people.” … Mr. Dorsey is promoting one of the most potent and fashionable notions in Silicon Valley: that a technology free of corporate and government control is in the best interest of society. To that end, he announced he would give $1 million a year to Signal, a text-messaging app. … Like Messages on your iPhone, Facebook Messenger and WhatsApp, Signal uses end-to-end encryption, making it impossible for the company to read the contents of user messages. But unlike those other companies, Signal also refrains from collecting metadata about its users. The company doesn’t know the identity of users, which users are talking to each other or who is in a group message. It also allows users to set timers that automatically delete messages from the sender’s and receiver’s respective accounts. … The company — an L.L.C. that is governed by a nonprofit — is founded on the belief that it needs to combat what it calls “state corporate surveillance” of our online activities in defense of an uncompromisable value: individual privacy. Distrustful of government and large corporations and apparently persuaded that they are irredeemable, technologists look for workarounds. … This level of privacy can be beneficial on a number of fronts. For instance, Signal is used by journalists to communicate with confidential sources. But it is no coincidence that criminals have also used this government-evading technology. When the F.B.I. arrested several Oath Keepers for rioting at the Capitol on Jan. 6, 2021, one of its primary pieces of evidence was messages on Signal. (It’s unclear how the F.B.I. got access to the messages in this instance; there is a longstanding cat and mouse game between lawmakers and technology.) … The ethical universe, according to Signal, is simple: The privacy of individuals must be respected above all else, come what may. If terrorists or child abusers or other criminals use the app, or one like it, to coordinate activities or share child sexual abuse imagery behind impenetrable closed doors, that’s a shame — but privacy is all that matters. … One should always worry when a person or an organization places one value above all. The moral fabric of our world is complex. It’s nuanced. Sensitivity to moral nuance is difficult, but unwavering support of one principle to rule them all is morally dangerous. Reid Blackman, The New York Times, December 28, 2022
This Week in Cybercrime
- Hackers stole data from multiple electric utilities in recent ransomware attack: Hackers stole data belonging to multiple electric utilities in an October ransomware attack on a US government contractor that handles critical infrastructure projects across the country, according to a memo describing the hack obtained by CNN. CNN, December 27, 2022
- Canadian copper mine suffers ransomware attack, shuts down mills: A major Canadian copper mine suffered a ransomware attack on Tuesday, forcing the company to switch to manual processes and shut down mills. The Record, December 30, 2022
- Bitcoin mining pool BTC.com reports $3M cyberattack: BTC.com, the seventh-largest Bitcoin mining pool has suffered a cyberattack resulting in a significant loss of company and customer funds. … The attack occurred on Dec. 3, with attackers stealing around $700,000 in client assets and $2.3 million in the company’s assets. The mining pool’s parent firm, BIT Mining Limited, made the official announcement on Dec. 26. CoinTelegraph, December 26, 2022
- Royal ransomware group claims it attacked Iowa PBS station: A ransomware group linked to a number of recent hacks said on Thursday that it was behind a cyberattack on the Iowa branch of the Public Broadcasting Service. The Record, December 30, 2022
- FBI investigating outage affecting Onondaga County records system: The FBI and Homeland Security are investigating an outage that has affected the Onondaga County Clerk’s records system since Monday. Syracuse.com, December 30, 2022
- Cyber gang says it leaked sensitive personal data of Xavier students and employees: University officials have declined to comment further on late November hack. … A ransomware gang with international reach is claiming that it leaked sensitive personal data belonging to Xavier University students and employees, apparently after university officials refused to meet their demands. NOLA, December 28, 2022
- Hive Ransomware Hits Louisiana Hospitals, Leaks Patient Data: Hackers stole and leaked personal data for nearly 270,000 patients and employees in a ransomware attack in October against a healthcare organization located in southwest Louisiana. The Hive ransomware group has taken credit for the attack. BankInfo Security, December 29, 2022
- North Korean hackers stealing NFTs using nearly 500 phishing domains: The hackers created decoy websites impersonating NFT marketplaces, NFT projects and even a DeFi platform. … Hackers linked to North Korea’s Lazarus Group are reportedly behind a massive phishing campaign targeting nonfungible token (NFT) investors — utilizing nearly 500 phishing domains to dupe victims. … Examples of these fake websites include a site pretending to be a project associated with the World Cup, as well as sites that impersonate well-known NFT marketplaces such as OpenSea, X2Y2 and Rarible. Cointelegraph, December 26, 2022
- North Korea hacked almost 900 South Korean foreign policy experts, sought ransom: North Korea carried out cyberattacks on at least 892 foreign policy experts from South Korea to steal their personal data and email lists as well as carrying out ransomware attacks against online malls, according to the National Police Agency. The South Korean authorities said on Sunday that the attacks were meticulous enough to have tricked some of the victims into signing into fake websites, exposing their login details to the attackers. South China Morning Post, December 25, 2022
Section 4 – Information Security and Privacy Management in the Organization
Stories to support executives and top management in managing cyber-risk, securing their organizations, and protecting privacy.
Vulnerability Management. Update Now.
- CISA Adds Two Known Exploited Vulnerabilities to Catalog: CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates. Cybersecurity & Infrastructure Security Agency, December 29, 2022
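Clicking the sort arrow works for a one-off look, but CISA also publishes the same catalog as a JSON feed, which is what a vulnerability management team should consume. The following is an added example, written for this newsletter and not CISA code, that reads the feed, lists entries added since a given date (newest first), flags those matching an inventory of vendor/product pairs you run, and reports entries whose remediation due date has passed. The embedded sample feed is constructed in the feed’s schema; its CVE IDs, vendors and products are placeholders, not real catalog entries.

```python
import json
from datetime import date
from urllib.request import urlopen

# Published location of the catalog as JSON. Nothing below touches the network unless live=True.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the feed's schema. CVE IDs, vendors and products are placeholders.
SAMPLE_FEED = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "sample",
    "dateReleased": "2022-12-29T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "ExampleRouter",
         "vulnerabilityName": "ExampleRouter command injection (placeholder)",
         "dateAdded": "2022-12-29", "shortDescription": "Placeholder description.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2023-01-19", "notes": ""},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleBrowser",
         "vulnerabilityName": "ExampleBrowser type confusion (placeholder)",
         "dateAdded": "2022-12-29", "shortDescription": "Placeholder description.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2023-01-19", "notes": ""},
        {"cveID": "CVE-0000-0001", "vendorProject": "OtherVendor", "product": "OtherApp",
         "vulnerabilityName": "OtherApp authentication bypass (placeholder)",
         "dateAdded": "2022-11-01", "shortDescription": "Placeholder description.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-11-22", "notes": ""},
    ],
}


def load_feed(live: bool = False) -> dict:
    """Return the live catalog when asked, otherwise the constructed sample."""
    if live:
        with urlopen(KEV_URL, timeout=30) as resp:
            return json.load(resp)
    return SAMPLE_FEED


def added_since(feed: dict, since: str) -> list:
    """Entries with dateAdded on or after `since` (YYYY-MM-DD), newest first.
    ISO-8601 dates sort correctly as strings, so no parsing is needed."""
    hits = [v for v in feed["vulnerabilities"] if v["dateAdded"] >= since]
    return sorted(hits, key=lambda v: (v["dateAdded"], v["cveID"]), reverse=True)


def affecting_inventory(feed: dict, inventory) -> list:
    """Entries whose (vendorProject, product) matches something you run; case-insensitive."""
    wanted = {(vendor.lower(), product.lower()) for vendor, product in inventory}
    return [v for v in feed["vulnerabilities"]
            if (v["vendorProject"].lower(), v["product"].lower()) in wanted]


def overdue(feed: dict, today: str) -> list:
    """Entries whose dueDate (the remediation deadline the catalog sets for federal agencies) is past."""
    return [v for v in feed["vulnerabilities"] if v["dueDate"] < today]


def summarize(entries: list) -> list:
    """One line per entry, ready for a ticket or a Slack post."""
    return [f'{v["cveID"]}  {v["vendorProject"]} {v["product"]}  added {v["dateAdded"]}  due {v["dueDate"]}'
            for v in entries]


if __name__ == "__main__":
    feed = load_feed(live=False)  # set live=True to pull the real catalog
    today = date.today().isoformat()
    print("Added since 2022-12-28:")
    print("\n".join(summarize(added_since(feed, "2022-12-28"))))
    print("Matching our inventory (constructed list):")
    print("\n".join(summarize(affecting_inventory(feed, [("ExampleVendor", "ExampleRouter")]))))
    print("Past due:")
    print("\n".join(summarize(overdue(feed, today))))
```

Run it daily with live=True and diff the output against yesterday’s; the `dueDate` field is the deadline the catalog imposes on federal agencies, and it is a reasonable default SLA for anyone else.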