Cybersecurity News of the Week, January 15, 2023

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

Experian has once again demonstrated that they lack the security and privacy leadership necessary to protect our identities. The “security weakness” Krebs describes is basic Secure Programming 101, not some subtle hard-to-find bug. This illustrates why it’s way past time to hold Experian and others financially responsible for the harm they cause. As Senator Ron Wyden says, “The credit bureaus are poorly regulated, act as if they are above the law and have thumbed their noses at Congressional oversight.” According to Wyden, the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) need to do much more to protect Americans from screw-ups by the credit bureaus.

  • Identity Thieves Bypassed Experian Security to View Credit Reports: Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian’s website allowed anyone to bypass these questions and go straight to the consumer’s report. All that was needed was the person’s name, address, birthday and Social Security number. Krebs on Security, January 9, 2023
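The bypass above is a missing server-side check: the report was served once the identity fields matched, so the question step could be skipped. This added example (not Experian’s code) models such a flow as a small state machine with a hypothetical report endpoint in both its vulnerable and fixed form; the record, SSN and answers are constructed placeholders.

```python
from enum import Enum

class Stage(Enum):
    NEW = 0          # nothing verified yet
    IDENTITY = 1     # name and SSN matched a record
    KBA_PASSED = 2   # knowledge-based questions answered correctly

# Constructed sample record; the SSN and answers are placeholders, not real data.
RECORDS = {
    "000-00-0000": {"name": "Pat Sample", "kba": {"q1": "b", "q2": "d"},
                    "report": "constructed credit report for Pat Sample"},
}
MAX_KBA_ATTEMPTS = 3

class Session:
    """Server-side session; the client never holds the verification state."""
    def __init__(self):
        self.stage = Stage.NEW
        self.ssn = None
        self.kba_failures = 0

def submit_identity(session, name, ssn):
    """Step 1: match the supplied identity fields to a record."""
    rec = RECORDS.get(ssn)
    if rec and rec["name"] == name:
        session.stage, session.ssn = Stage.IDENTITY, ssn
        return True
    return False

def submit_kba(session, answers):
    """Step 2: only valid after step 1; restart the flow after repeated failures."""
    if session.stage is not Stage.IDENTITY:
        return False
    if answers == RECORDS[session.ssn]["kba"]:
        session.stage = Stage.KBA_PASSED
        return True
    session.kba_failures += 1
    if session.kba_failures >= MAX_KBA_ATTEMPTS:
        session.stage = Stage.NEW
    return False

def get_report_vulnerable(session):
    """Bug: assumes the KBA page was shown, so step 1 alone releases the report."""
    if session.stage in (Stage.IDENTITY, Stage.KBA_PASSED):
        return RECORDS[session.ssn]["report"]
    return None

def get_report_fixed(session):
    """Fix: the report is released only from the terminal verified state."""
    if session.stage is Stage.KBA_PASSED:
        return RECORDS[session.ssn]["report"]
    return None
```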

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz, as your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

Cyber Humor

Cybersecurity Nonprofit of the Week … Cybercrime Support Network

Kudos this week to the Cybercrime Support Network, a nonprofit that helps individuals and small businesses impacted by cybercrime. As a leading voice for cybercrime victims, the Cybercrime Support Network is dedicated to serving those affected by the ever-growing impact of cybercrime before, during, and after. Founded in 2017, Cybercrime Support Network (CSN) connects victims to resources, increases cybercrime and online fraud reporting, and decreases revictimization. Since November 2018, CSN has provided help to over 1,000,000 individuals and small businesses via FightCybercrime.org and ScamSpotter.org. The Cybercrime Support Network is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: In cybersecurity, we tell people “Don’t trust. Verify.” This makes the cybersecurity industry an unwitting active participant in the breakdown of trust in society. … And yet, Francis Fukuyama, award-winning Stanford University Professor, contends in his book “Trust: The Social Virtues and the Creation of Prosperity” that “in an era when social capital may be as important as physical capital, only those societies with a high degree of social trust will be able to create the flexible, large-scale business organizations that are needed to compete in the new global economy.” Join Julie and me as we discuss this conundrum and how it leads to building cybersecurity communities of trust.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

Manage Your Technology. Time to patch. And if you’re running Windows 7 or 8, it’s past time to update.

  • Microsoft Patch Tuesday, January 2023 Edition: Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S. National Security Agency, and a critical Microsoft SharePoint Server bug that allows a remote, unauthenticated attacker to make an anonymous connection. Krebs on Security, January 10, 2022
  • Windows 7 and Windows 8.1 reach the end of the line, and it’s time to upgrade: It’s the end of the line for Windows 7 and Windows 8.1. These older versions of Windows (plus Windows RT) stop receiving all security updates today, over a decade after their original releases. Microsoft will also stop providing Microsoft Edge browser updates for these operating systems in a few days, and the remaining third-party apps that still work will eventually follow suit (Google Chrome support, most notably, ends early next month). Ars Technica, January 10, 2023

A very insightful story from Finland on teaching the next generation about misinformation. Much we can learn.

  • How Finland Is Teaching a Generation to Spot Misinformation: The Nordic country is testing new ways to teach students about propaganda. Here’s what other countries can learn from its success. … A typical lesson that Saara Martikka, a teacher in Hameenlinna, Finland, gives her students goes like this: She presents her eighth graders with news articles. Together, they discuss: What’s the purpose of the article? How and when was it written? What are the author’s central claims? … “Just because it’s a good thing or it’s a nice thing doesn’t mean it’s true or it’s valid,” she said. In a class last month, she showed students three TikTok videos, and they discussed the creators’ motivations and the effect that the videos had on them. … Her goal, like that of teachers around Finland, is to help students learn to identify false information. The New York Times, January 10, 2023

Let’s be careful out there.

  • Teen loses $25,000 after falling for phone scam: A distraught teenager who claims to have been scammed out of $25,000 in a matter of seconds has issued a chilling warning. … After scoring her first casual job at 14, Aurora Casilli has been dreaming of the day she would have enough money to buy her very own home. … The 18-year-old from Albany, Western Australia, says she has always known the value of money and over the years, had meticulously saved every cent she possibly could. … At one stage, she was even working three different jobs to help fatten her savings account. … But now Aurora says all her years of dedication and hard work were wasted, as she now “has nothing to her name” after falling victim to an alleged phone scam. … “You never think something like this will happen to you,” she told news.com.au. … “I’m devastated. I’ve worked hard all my life, I was saving for a house. … All those shifts, all the work I put in, and now this.” MSN, January 7, 2023

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity, and privacy stories to keep you informed.

A national cybersecurity request by the President for the country to finally take on big tech and pass meaningful data privacy legislation.

  • Republicans and Democrats, Unite Against Big Tech Abuses: Congress can find common ground on the protection of privacy, competition and American children. By President Joe Biden. The American tech industry is the most innovative in the world. I’m proud of what it has accomplished, and of the many talented, committed people who work in this industry every day. But like many Americans, I’m concerned about how some in the industry collect, share and exploit our most personal data, deepen extremism and polarization in our country, tilt our economy’s playing field, violate the civil rights of women and minorities, and even put our children at risk. … As my administration works to address these challenges with the legal authority we have, I urge Democrats and Republicans to come together to pass strong bipartisan legislation to hold Big Tech accountable. The Wall Street Journal, January 11, 2023

Is a cyber attack a war crime when it’s used in support of an organized physical attack against civilians? Ukraine thinks so.

  • Ukraine petitions International Criminal Court to investigate cyberattacks as war crimes: Ukrainian leaders in recent months have been sharing information about Russian cyberattacks with the International Criminal Court, hoping the organization will investigate them as war crimes. … It’s one of the first real chances to test whether and how cyberattacks fit into some of the laws governing war. Russia’s invasion of Ukraine is arguably the most prominent world conflict to date where coordinated, joint physical and cyber assaults are routine. … “When we observe the situation in cyberspace we notice some coordination between kinetic strikes and cyberattacks, and since the majority of kinetic attacks are organized against civilians — being a direct act of war crime — supportive actions in cyber can be considered as war crimes,” top Ukrainian cybersecurity official Victor Zhora told Shannon Van Sant of Politico in an interview that published this week, echoing past remarks. The Washington Post, January 11, 2023

Information security management at the US Department of the Interior is terribly poor. The Department rightfully should be ashamed of itself for this kind of security performance. How can anyone have any confidence that nation-state hackers from China or elsewhere aren’t already in these systems? Our agencies should be models to the nation, not blatant illustrations of cyber-incompetence.

  • A fifth of passwords used by federal agency cracked in security audit: 89% of the department’s high-value assets didn’t use multi-factor authentication. … More than a fifth of the passwords protecting network accounts at the US Department of the Interior—including Password1234, Password1234!, and ChangeItN0w!—were weak enough to be cracked using standard methods, a recently published security audit of the agency found. … The audit uncovered a failure to consistently implement multi-factor authentication (MFA). The failure extended to 25—or 89 percent—of 28 high-value assets (HVAs), which, when breached, have the potential to severely impact agency operations. Ars Technica, January 10, 2023
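The passwords named in the audit are a banned word plus predictable decoration (digits, a symbol, a leetspeak letter), which is exactly what a password blocklist in the spirit of NIST SP 800-63B is meant to catch at enrollment. This added example (not the audit’s tooling) shows such a screening check; the blocklist and leet map are constructed and deliberately small.

```python
import re

# Constructed blocklist; a real deployment would load a large breached-password list.
BANNED_BASES = {"password", "changeit", "welcome", "letmein", "admin", "qwerty"}

# Common substitutions attackers undo first, so the check undoes them too.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(password):
    """Strip leading/trailing decoration, lowercase, and undo leetspeak."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)

def check_password(password, min_length=12):
    """Return (ok, reason); cheapest rule first, then the blocklist."""
    if len(password) < min_length:
        return False, "too short"
    base = normalize(password)
    for word in BANNED_BASES:
        if word in base:
            return False, f"derived from banned word '{word}'"
    return True, "ok"
```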

More troubles for TikTok and other social media platforms.

  • Seattle schools sue tech giants over social media harm: The public school district in Seattle has filed a novel lawsuit against the tech giants behind TikTok, Instagram, Facebook, YouTube and Snapchat, seeking to hold them accountable for the mental health crisis among youth. … Seattle Public Schools filed the lawsuit Friday in U.S. District Court. The 91-page complaint says the social media companies have created a public nuisance by targeting their products to children. Yahoo! News, January 7, 2023

Privacy be damned as Roomba posts intimate images from product testers, hackers release sensitive BART files, and California’s experiment in digital license plates makes finding vehicle locations easy for hackers (or suspicious spouses).

  • Roomba testers feel misled after intimate images ended up on Facebook: An MIT Technology Review investigation recently revealed how images of a minor and a tester on the toilet ended up on social media. iRobot said it had consent to collect this kind of data from inside homes—but participants say otherwise. … When Greg unboxed a new Roomba robot vacuum cleaner in December 2019, he thought he knew what he was getting into. … But what Greg didn’t know—and does not believe he consented to—was that iRobot would share test users’ data in a sprawling, global data supply chain, where everything (and every person) captured by the devices’ front-facing cameras could be seen, and perhaps annotated, by low-paid contractors outside the United States who could screenshot and share images at their will. January 10, 2023
  • BART Cybersecurity Under Review After 120,000 Sensitive Files Leaked: Ransomware hackers released last week a collection of 120,000 BART Police Department files on the dark web, including case documents related to child abuse. … Brett Callow, a cybersecurity analyst at Emsisoft, shared information on social media showing that BART appeared to be the latest victim of the prolific ransomware hacker group Vice Society, which is known for attacking government institutions, from schools to fire departments, across the world. The San Francisco Standard, January 11, 2023
  • California’s New Digital License Plates Get Hacked: Late last year, California became only the third state in the US to allow digital license plates. The fancy customizable plates are only available from a company called Reviver, which charges users $20 to $25 per month. At the time, Reviver swore that the DMV-certified cloud service backing the plates was entirely secure, but now we know differently. A team of security researchers hacking around in the automotive industry was able to easily gain access to Reviver’s system, revealing the real-time GPS location of all vehicles. ExtremeTech, January 10, 2023

Britain seems under cyber-attack as cybercriminals hit the Guardian and the national postal service.

  • Guardian confirms it was hit by ransomware attack: The Guardian has confirmed it was hit by a ransomware attack in December and that the personal data of UK staff members has been accessed in the incident. … The Guardian described the incident as a “highly sophisticated cyber-attack involving unauthorised third-party access to parts of our network”, most likely triggered by a “phishing” attempt in which the victim is tricked, often via email, into downloading malware. The Guardian, January 11, 2023
  • Royal Mail ransomware attackers threaten to publish stolen data: Britain’s postal service has been unable to send letters and parcels overseas since Wednesday due to hacking. … Royal Mail has been hit by a ransomware attack by a criminal group, which has threatened to publish the stolen information online. … The postal service has received a ransom note purporting to be from LockBit, a hacker group widely thought to have close links to Russia. The Guardian, January 12, 2023

Hackers continue to get better as they adapt to law enforcement and learn to use ChatGPT.

  • Darknet drug markets move to custom Android apps for increased privacy: Online markets selling drugs and other illegal substances on the dark web have started to use custom Android apps for increased privacy and to evade law enforcement. … Besides ordering, these apps allow shop clients to communicate with drug vendors and provide specific courier instructions for delivery. … This new trend has been observed by analysts at Resecurity around the beginning of the third quarter of 2022. It is thought to be a response to last year’s high-profile darknet market crackdowns, most notably that of Hydra Market. … Hydra was the leader in drug sales, having 19,000 registered sellers and 17 million customers worldwide. In April 2022, the German authorities confiscated its servers, creating a vacuum in the field. Bleeping Computer, January 9, 2023
  • Functioning Malware Written by ChatGPT Spotted on Dark Web Says Check Point Research: ChatGPT and associated AI projects have raised all sorts of concerns, ranging from job loss to cheating for credentials. One that may be going underlooked is the use of it to generate malware. … While still very much in the basic stages, several proofs of concept have emerged already. The most recent, as described in a new Check Point Research paper, are dark web forum posts indicating that low- or even no-skill threat actors have figured out how to manipulate ChatGPT instructions to get it to produce basic but viable malware, including sophisticated phishing emails. CPO Magazine, January 12, 2023

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in managing cyber-risk, securing their organizations, and protecting privacy.

IT Security Maintenance: Fix your zero-day and update your end-of-life Cisco routers.

  • CISA adds recently-announced Microsoft zero-day to exploited vulnerability catalog: The Cybersecurity and Infrastructure Security Agency added a recently revealed bug to its known exploited vulnerability list this week after Microsoft confirmed it was being used in attacks. … The bug – first unveiled in Microsoft’s initial Patch Tuesday release of 2023 – affects the Windows Advanced Local Procedure Call (ALPC) and has a CVSS score of 8.8 out of a possible 10. The Record, January 12, 2023
  • Cisco Issues Warning for Unpatched Vulnerabilities in EoL Business Router: Cisco has warned of two security vulnerabilities affecting end-of-life (EoL) Small Business RV016, RV042, RV042G, and RV082 routers that it said will not be fixed, even as it acknowledged the public availability of a proof-of-concept (PoC) exploit. … As workarounds, administrators are recommended to disable remote management and block access to ports 443 and 60443. That said, Cisco is cautioning users to “determine the applicability and effectiveness [of the mitigation] in their own environment and under their own use conditions.” The Hacker News, January 14, 2023

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge