Cybersecurity News of the Week, January 22, 2023

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

This week’s Top of the News is an excellent overview of cybercrime. Here are some of the highlights.

• How Hackers Outwit All Efforts to Stop Them: “It’s a Cyber Pandemic.: On the morning of January 11, the Federal Aviation Administration halted all airline takeoffs in the U.S. because of a glitch in a software system critical to flight safety. “There is no evidence of a cyberattack at this point,” said the White House press secretary. … If hackers did indeed attack the FAA, it would be business as usual in the world of cybersecurity. On the same day, according to research firm Cybersecurity Ventures, hackers posted more than 120,000 records stolen from the San Francisco Bay Area transit system’s police department, took down the websites of eight major Danish banks, including the central bank, and broke into military and government agencies in several Southeast Asian and European countries. They also hijacked the cloud-computing platforms of Microsoft and Salesforce, making off with millions of dollars worth of untraceable cryptocurrency. … That’s just on January 11. … Every day of the year, hackers unleash a stream of major attacks against government agencies, companies and individuals. Last year, they took down emergency services, threatened regional power grids, disrupted patient care at major hospitals, brought trains to a halt, took over radio stations to sow panic among listeners with a fake crisis, set off air-raid alerts and attacked U.S. nuclear scientists. … More than 70 million Americans are hit by cybercrimes every year, according to computer security research firm Purplesec, often leaving people defrauded, spied on or publicly humiliated by having private photos and other information published online. More than two-thirds of small businesses have been victimized by hackers at least once. Some experts believe that just about every large organization and government agency has been breached—that’s how enormous and constant cyberattacks have become. … Last year, 22 billion personal and business records were exposed in hacks on U.S. companies, according to a study by security consultancy Flashpoint—and that doesn’t include breaches that were unidentified or unreported, which may well represent the majority of hacks. … As bad as it’s been, it’s getting worse. According to security firms that track attacks, the number of breaches, which had been growing by 15 percent a year, jumped by 38 percent in 2022. Newsweek, January 18, 2023

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide. Please share this with your family, friends, and colleagues.

• How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basics. Please take our short quiz as your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

• If you’re concerned about all the data about you being swept up by government, big tech, and big politics you’ll want to attend this special webinar with panelists from the ACLU and the Electronic Frontier Foundation. Abuse of Your Personal Privacy: How Government, Big Tech, and Political Agendas Have Run Amok. January 26, 11AM PT.
• I’m facilitating a panel of Harvard alums with the Harvard Club of Chicago. The webinar is designed for business professionals, particularly executives who have to allocate scarce organizational resources and their advisors. Managing Business Risk at Technology’s Edge: Cybersecurity and Biometrics. January 24, 2:00PM PT.

Cyber Humor

Cybersecurity Nonprofit of the Week  … National Cybersecurity Alliance,

Kudos this week to the National Cybersecurity Alliance, a non-profit organization on a mission to create a more secure, interconnected world. The Alliance is an advocate for the safe use of technology, educating everyone on how we can protect ourselves, our families, and our organizations from cybercrime. They create strong partnerships between governments and corporations to amplify their message and to foster a greater “digital” good, encouraging everyone to do their part to prevent digital wrongdoing of any kind. As they say, the real solution to cybercrime isn’t technology, it’s all of us doing our part.  Like SecureTheVillage, the National Cybersecurity Alliance is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl:  Tom Stoppard, in his play “Arcadia,” describes the scientific ferment of the 1820s as follows: “A door like this has cracked open five or six times since we got up on our hind legs. It’s the best possible time to be alive when almost everything you thought you knew is wrong.” Here we are again 200 year later where “everything we thought we knew is wrong.”  Yes, it’s scary. Yes, it’s sad. Yes, it’s dangerous But it’s also exhilarating. It’s Teddy Roosevelt charging up San Juan Hill. It’s we the people  building a community of interested people and organizations working together to create a secure private world. It’s the long-term view as we work to achieve a future where people protect their information and privacy because they want to and they know how to. Join Julie and me as we explore securing the village.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

Let’s Be Careful Out There. Watch out for scams. Protect against “credential-stuffing” by using different complex passwords on different sites and 2FA / MFA when available. Take our How Hackable Are You? test, download our free Guide and update your defenses.

• Ontario senior loses $40,000 in Norton Anti-virus email phishing scam: A phishing email that looks like it was sent from Norton Anti-virus resulted in a Scarborough man losing $40,000. CTV News, January 16, 2023
• NortonLifeLock warns that hackers breached Password Manager accounts: Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks. … Around December 1, 2022, an attacker used username and password pairs they bought from the dark web to attempt to log in to Norton customer accounts…. NortonLifeLock underlines that the risk is especially large for those who use similar Norton account passwords and Password Manager master keys, allowing the attackers to pivot more easily. … The company says it has reset Norton passwords on impacted accounts to prevent attackers from gaining access to them again in the future and also implemented additional measures to counter the malicious attempts. … NortonLifeLock also advises customers to enable two-factor authentication to protect their accounts and take up the offer for a credit monitoring service. Bleeping Computer, January 13, 2023
• PayPal accounts breached in large-scale credential stuffing attack: PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data. … Credential stuffing are attacks where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites. … Credential stuffing targets users that employ the same password for multiple online accounts, which is known as “password recycling.” … According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident. During the two days, hackers had access to account holders’ full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers. Transaction histories, connected credit or debit card details, and PayPal invoicing data are also accessible on PayPal accounts. … The company strongly recommends that recipients of the notices change the passwords for other online accounts using a unique and long string. Typically, a good password is at least 12-characters long and includes alphanumeric characters and symbols. … Moreover, PayPal advises users to activate two-factor authentication (2FA) protection from the ‘Account Settings’ menu, which can prevent an unauthorized party from accessing an account, even if they have a valid username and password. Bleeping Computer, January 19, 2023

If you’re concerned about your privacy (and you should be), protect yourselves with these ad blockers and browser extensions. Also join us this week for our special privacy webinar with panelists from the ACLU and the Electronic Frontier Foundation. Abuse of Your Personal Privacy: How Government, Big Tech, and Political Agendas Have Run Amok.

• Our Favorite Ad Blockers and Browser Extensions to Protect Privacy: Everything you do online—from browsing to shopping to using social networks—is tracked, typically as behavioral or advertising data. But browser extensions are simple, generally free add-ons that you can use to slow down or break this type of data collection, without completely ruining your experience of using the internet. Wirecutter, January 10, 2023

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity, and privacy stories to keep you informed.

National Cybersecurity

• When It Comes to Cybersecurity, the Biden Administration Is Getting Much More Aggressive: A new policy will empower U.S. agencies to hack into the networks of criminals and foreign governments, among other changes. … President Biden is about to approve a policy that goes much farther than any previous effort to protect private companies from malicious hackers—and to retaliate against those hackers with our own cyberattacks. … The 35-page document, titled “National Cybersecurity Strategy,” differs from the dozen or so similar papers signed by presidents over the past quarter-century in two significant ways: First, it imposes mandatory regulations on a wide swath of American industries. Second, it authorizes U.S. defense, intelligence, and law enforcement agencies to go on the offensive, hacking into the computer networks of criminals and foreign governments, in retaliation to—or preempting—their attacks on American networks. … “Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States,” the document states. Slate, January 17, 2023
• Industrial espionage: How China sneaks out America’s technology secrets: It was an innocuous-looking photograph that turned out to be the downfall of Zheng Xiaoqing, a former employee with energy conglomerate General Electric Power. … According to a Department of Justice (DOJ) indictment, the US citizen hid confidential files stolen from his employers in the binary code of a digital photograph of a sunset, which Mr Zheng then mailed to himself. … It was a technique called steganography, a means of hiding a data file within the code of another data file. Mr Zheng utilised it on multiple occasions to take sensitive files from GE. … The information Zheng stole was related to the design and manufacture of gas and steam turbines, including turbine blades and turbine seals. Considered to be worth millions, it was sent to his accomplice in China. It would ultimately benefit the Chinese government, as well as China-based companies and universities. BBC News, January 17, 2023
• How Much is the U.S. Investing in Cyber (And is it Enough)?: It’s no secret that cyberattacks in the U.S. are increasing in frequency and sophistication. Since cyber crime impacts millions of businesses and individuals, many look to the government to see what it’s doing to anticipate, prevent and deal with these crimes. … To gain perspective on what’s happening in this area, the U.S. government’s budget and spending plans for cyber is a great place to start. This article will explore how much the government is spending, where that money is going and how its budget compares to previous years. Security Intelligence, January 20, 2023

Ukraine’s cybersecurity is in the news this week.

• Cyber-attacks have tripled in past year, says Ukraine’s cybersecurity agency: Ukraine has suffered a threefold growth in cyber-attacks over the past year, with Russian hacking at times deployed in combination with missile strikes, according to a senior figure in the country’s cybersecurity agency. The Guardian, January 18, 2023
• Ukraine signs agreement to join NATO cyber defense center: Ukraine has taken another step to deepen its cooperation with NATO in the cybersecurity field as its war with Russia — both kinetic and digital — approaches the one-year mark. … On Thursday, Ukraine signed an agreement to join the Estonia-based NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). Before it is official, all of CCDCOE’s members will have to sign this agreement. … CCDCOE conducts research on cyber policy, coordinates education and training in cyber defense for all NATO bodies, and organizes the world’s largest international cyber defense exercise, called Locked Shields. … Such cooperation will help Ukraine and NATO to more effectively counter common cyber threats, including from Russia, according to a statement by Ukraine’s National Security and Defense Council (NSDC). The Record, January 20, 2023
• Ukraine calls for ‘Cyber United Nations’ amid Russian attacks: Ukraine’s top cybersecurity leader is calling for the establishment of a single global organization to help share threat information and prepare for future attacks as Russia pounds Ukraine’s infrastructure and seeks to inflict maximum chaos on the ground. … The proposed “Cyber United Nations” is one of a number of efforts Ukrainian officials hope the global community will pursue as Russia pairs cyberattacks with missile strikes to create misery for citizens during the winter months. Politico, January 15, 2023

Kudos to the Netherlands and Ghana as these governments work to help their people manage privacy and disinformation.

• How the Netherlands Is Taming Big Tech: Dutch privacy negotiators have spurred major changes at Google, Microsoft and Zoom, using a landmark European data protection law as a lever. … Dutch government and educational organizations have had remarkable success in compelling Big Tech companies to make major privacy changes. Their carrot-and-stick approach engages high-level Silicon Valley executives in months of highly technical discussions and then makes it worth their while by negotiating collective agreements allowing firms to sell their vetted tools to different government ministries and the nation’s schools. And the Dutch efforts to prod change could provide a playbook for other small nations wrangling with tech superpowers. The New York Times, January 19, 2023
• An African defense against dishonesty: In Ghana, countering cyberthreats and disinformation starts with civic unity and strong democratic virtues. … There have been more than 50 documented campaigns of disinformation in Africa in recent years, directly affecting nearly every country on the continent. Most have come from external sources like Russia and China seeking influence and control of strategic natural resources – although Africa’s authoritarian regimes have been prolific falsifiers, too. “The objective is less to convince as to confuse citizens,” the Africa Center for Strategic Studies noted last year. Another goal: undermine democracy. … One country gaining notice for how it is strengthening its digital defenses is Ghana. It is one of a handful of African countries with a national cybersecurity strategy able to track and respond to digital threats, including disinformation. The West African country jumped 40 places in the Global Cybersecurity Index in just three years, ahead of Ireland and New Zealand. The Christian Science Monitor, January 13, 2023

The LA Unified School District breach continues in the news as investigators discover the hackers were in the school district’s systems earlier than previously believed.

• Hackers penetrated LAUSD computers much earlier than previously known, district probe finds: An intrusion into the computer systems of the Los Angeles school district began more than a month earlier than previously disclosed and likely exposed confidential information, including Social Security numbers, of more than 500 people who worked for district contractors, according to information filed with the state. Los Angeles Times, January 21, 2023

Reflecting the challenge of managing confidential information, this next story illustrates how a basic server configuration error exposed a highly classified database with potential major consequences.

• U.S. airline accidentally exposes ‘No Fly List’ on unsecured server: One of the most sensitive U.S. government documents was left online. … An unsecured server discovered by a security researcher last week contained the identities of individuals from the U.S. government’s Terrorist Screening Database and “No Fly List.” … The server, run by the U.S. national airline CommuteAir, was left exposed on the public internet. … The server contained an unencrypted text file named “NoFly.csv,” containing names and birthdates of as many as 1.5 million people in the Terrorist Screening Database who have been barred from air travel due to having suspected or known ties to terrorist organizations. daily dot, January 21, 2023

This week in cybercrime.

• FBI investigating $690,000 wire theft from Jerry Moran’s Senate campaign: The FBI is investigating allegations that a thief stole from Sen. Jerry Moran’s campaign fund while he was running for U.S. Senate last year, according to a letter his campaign sent to the federal elections commission. … Moran’s campaign wrote a letter to the FEC on Dec. 8, alerting it that two payments were sent for fraudulent invoices during the campaign — one for $345,000 on October 25 and one for $345,000 on November 9 for a total of $690,000. … . “Cybercriminals targeted the accounting firm employed by Moran For Kansas and money was wired to fraudulent bank accounts,” Tom Brandt, a spokesman for Moran’s campaign, said in a statement. The Kansas City Star, January 20, 2023
• T-Mobile Gets Hacked Again: Is the Un-Carrier Un-Safe?: Five breaches in five years isn’t a record to be proud of. … The nation’s second-largest wireless carrier disclosed in a regulatory filing late Thursday that data from 37 million of its customers was stolen in a breach. … Security experts say that while the data wasn’t extremely sensitive, its compromise could put those people at high risk of being scammed or otherwise targeted by cybercriminals. … Sound familiar? That’s because T-Mobile was already dealing with the fallout from a 2021 data breach that compromised the personal information of nearly 77 million people. T-Mobile agreed to a $500 million settlement in that case in July. CNET, January 21, 2023
• Electronic health record giant NextGen dealing with cyberattack: Hospital technology giant NextGen Healthcare said it is responding to a cyberattack after a notorious ransomware group added the company to its list of victims. … The multibillion-dollar healthcare giant produces electronic health record (EHR) software and practice management systems for hundreds of the biggest hospitals and clinics in the U.S., U.K., India and Canada. … On Tuesday, hackers associated with the AlphV/BlackCat ransomware added the company to its list of victims alongside several other businesses. … A spokesperson for NextGen Healthcare said it is aware of the claim and explained that they have been working with cybersecurity experts to “investigate and remediate” the issue. The Record, January 20, 2023
• Cricket Governing Body ICC loses around $2.5 million in phishing scam: The governing body reported the matter to law-enforcement agencies in the USA and an investigation is underway. … The ICC has become a victim of a cyber crime involving a substantial sum of money – about US$ 2.5 million – being wire transferred. While the exact sum involved has not been confirmed, ESPNcricinfo has learned that the alleged scam originated in the USA and happened in 2022. … The route used by fraudsters to commit the financial scam was Business E-mail Compromise (BEC), also known as e-mail account compromise, which the Federal Bureau of Investigation (FBI) describes as “one of the most financially damaging online crimes”. ESPN cricinfo, January 20, 2023
• Royal Mail CEO confirms cyberattack downed UK postal service: Royal Mail CEO Simon Thompson has confirmed that a cyberattack is to blame for the ongoing disruption at the U.K. postal giant. … The admission comes almost a week after Royal Mail first said it was hit by an unspecified “cyber incident” that left the British mail service unable to dispatch items to overseas destinations. TechCrunch, January 17, 2023

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in managing cyber-risk, securing their organizations, and protecting privacy.

The cyber-insurance industry continues in crisis as cybercrime and payments to cybercriminals continues to rise.

• Companies warned to step up cyber security to become ‘insurable’: Investing in better IT security to protect against cyber crime will make businesses more resilient against other risks, … Businesses are at risk of finding that they are unable to secure cyber insurance cover as the volume of cyber attacks reaches new levels. … According to insurers, the cost of cyber risks insurance has rocketed as demand for cover outstrips supply. … Their comments came as the World Economic Forum (WEF) published its Global risk report 2023, which identifies widespread cyber attacks and cyber insecurity as one of the top 10 risks facing governments and organisations over the next 10 years. … Carolina Klint, risk management leader for continental Europe for insurance broker Marsh, and one of the contributors to the report said that insurance companies were now coming out and saying that “cyber risk is systemic and uninsurable”. … That means, in future, companies may not be able to find cover for risks such as ransomware, malware or hacking attacks. ComputerWeekly, January 12, 2023

The government’s Cybersecurity and Infrastructure Agency (CISA) Shields Up Program has valuable security management information for organizations. It should be part of every information security manager’s active reference library.

• Cybersecurity & Infrastructure Security Agency Shields Up Program: Every organization—large and small—must be prepared to respond to disruptive cyber incidents. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyberattacks.