Cybersecurity News of the Week, January 29, 2023

A weekly aggregation of essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned.  Designed to educate, support, and advocate.

Stan’s Top of the News

Big kudos to the Justice Department and F.B.I. in what Lisa Monaco, deputy attorney general,  called a “21st century cyber-stakeout.” “Simply put,” she said, “using lawful means, we hacked the hackers.” For more on this story, see F.B.I. Director Wray’s Press Conference remarks.

  • Justice Dept. Dismantles a Major Ransomware Operation: The department said it had successfully prevented victims from having to pay $130 million in ransoms to Hive, a prolific ransomware gang, before seizing two of the group’s servers on Wednesday night. … Federal investigators dismantled the computer networks of a cybercriminal organization that had demanded hundreds of millions of dollars in ransom from schools, hospitals and other critical infrastructure, the Justice Department said on Thursday. … In July, the F.B.I. and its counterparts in Germany, the Netherlands and the European law enforcement agency Europol gained covert access to the servers and websites run by the organization, Hive, considered one of the most active ransomware groups last year. Over the next few months, agents hid in the system, identified targets and repeatedly thwarted Hive’s attempts to extort over 300 victims, preventing them from having to pay $130 million in ransoms. The New York Times, January 26, 2023

When I saw this next story, it immediately brought to mind Howard Beal’s explosive line from the movie Network: “I’m as mad as hell, and I’m not going to take this anymore!” Experian has proven once again that their claims to “take your security seriously” is market-speak for “our profits are more important than your security and privacy.” C’mon Congress. Do your job. Pass meaningful legislation to protect us from Experian and all the other companies that claim to “take your security seriously.” You too, FTC and the rest of the Administration.

  • Experian Glitch Exposing Credit Files Lasted 47 Days: On Dec. 23, 2022, KrebsOnSecurity alerted big-three consumer credit reporting bureau Experian that identity thieves had worked out how to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, but remained silent about the incident for a month. This week, however, Experian acknowledged that the security failure persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022. Krebs on Security, January 25, 2023

Making cybersecurity more challenging is the fact that responsibility for American cybersecurity is split between Federal and state governments and the private sector.

  • Data security: Who is responsible for protecting cyber America?: U.S. cybersecurity is more fractured than it might appear, with state and federal authorities handling their own responsibilities while private companies also have to work on their own infrastructure. … “We know that other nation states — China, Russia, Iran and North Korea — are coming after us in the cyber domain,” Jamil Jaffer, founder and executive director at the National Security Institute at the George Mason University Law School, told Fox News Digital.  … “We generally expect the government to defend against those kinds of attacks. If a Russian bomber comes across the horizon, nobody says, ‘Hey, you know, Walmart or Target, why didn’t you have surface-to-air missiles on the roof of your building, defend against that Russian bear bomber?’ … “Of course, we don’t expect that [in cybersecurity],” he continued. “We expect Walmart, Target, JPMorgan, a small mom-and-pop business in the middle of the country to defend themselves against any cyberattack, whether it’s somebody in their basement or the Chinese nation-state or the Russian nation-state.” Fox News, January 25, 2023

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basics. Please take our short quiz as your answers will help you and guide us to improve community safety.

Cyber Humor

Cybersecurity Nonprofit of the Week … The Institute for Security and Technology.

With the takedown of the Hive ransomware group, special kudos this week  to The Institute for Security and Technology and their Ransomware Task Force (RTF). The Task Force aims to equip businesses, organizations, and governments of all sizes to prepare for ransomware attacks, effectively respond, and quickly recover. This week the Task Force published the Cyber Incident Reporting Framework. This follows the earlier release of its ‘Blueprint for Ransomware Defense’ representing a set of foundational and actionable safeguards derived from the Center for Internet Security’s Critical Security Controls. The Institute is a fellow-member of Nonprofit Cyber, the first-of-its-kind coalition of global nonprofit organizations to enhance joint action to improve cybersecurity.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: Noted author and satirist H.L. Mencken is famous for pointing out that  “For every complex problem there is an answer that is clear, simple, and wrong.” Join Stan and Julie as they riff on this all-too common human desire for simple solutions to complex problems. How it’s built into our neurology. How it makes it harder to manage cybersecurity. And even how it manifests in the conspiracy theories that drive our political discontent. As always, Stan and Julie provide actionable tips and thoughtful wisdom in a fun conversation on the complexities of cybersecurity and privacy.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.

Protect your privacy.

Beware of phishing attacks with OneNote attachments.

Another story illustrating the dangers of using the same passwords on different sites.

  • Norton LifeLock Warns on Password Manager Account Compromises: Password manager accounts may have, ironically, been compromised via simple credential stuffing, thanks to password reuse. … Norton LifeLock customers have fallen victim to a credential-stuffing attack. Cyber attackers used a third-party list of stolen username and password combinations to attempt to break into Norton accounts, and possibly password managers, the company is warning. DARK Reading, January 13, 2023

This week’s cyber-scams. Warn your family, friends, and colleagues.

Section 3 – Cybersecurity News for the Cyber-Concerned.

Illustrating the challenge  of shared public / private responsibility for cybersecurity, a private-sector airline left the “No Fly List” unprotected on its public servers. Protecting confidential information is not just about Trump, Biden, and Pence.

Another ongoing cybersecurity challenge is whether a ransomware victim should pay the ransomware.

  • Should Suffolk have paid the $2.5M ransom for cyberattack?: With Suffolk’s ransomware lockdown approaching its fifth month, the recent revelation that the proposed ransom was $2.5 million might lead some to wonder whether paying it would have saved the county time, money and rippling impacts. … Reports of the cost of the event range anywhere from $5.4 million for the investigation and restoration to more than $17 million for things such as new software and security licenses and hardware needed to replace older or damaged systems. Newsday, January 27, 2023

Meanwhile, it’s good to see cybercrime gangs going after each other.

  • Darknet Market Solaris Hacked by Competitor, Elliptic Reveals: A leading marketplace on the dark web, Solaris, has been hit by a rival, according to crypto analytics company Elliptic. The Russia-linked platform, which tried to occupy space vacated by the busted Hydra, is believed to have conquered up to a fifth of the illicit market before the hack., January 21, 2023

The day will certainly come when quantum computing is able to break our current encryption algorithms. Three weeks ago researchers in China announced a major step forward in this quest. But no Chicken Little, the sky is not falling.

  • RSA’s demise from quantum attacks is very much exaggerated, expert says: Three weeks ago, panic swept across some corners of the security world after researchers discovered a breakthrough that, at long last, put the cracking of the widely used RSA encryption scheme within reach by using quantum computing. … At the Enigma 2023 Conference in Santa Clara, California, on Tuesday, computer scientist and security and privacy expert Simson Garfinkel assured researchers that the demise of RSA was greatly exaggerated. For the time being, he said, quantum computing has few, if any, practical applications. … “In the near term, quantum computers are good for one thing, and that is getting papers published in prestigious journals,” Garfinkel, co-author with Chris Hoofnagle of the 2021 book Law and Policy for the Quantum Age, told the audience. “The second thing they are reasonably good at, but we don’t know for how much longer, is they’re reasonably good at getting funding.” ars technica, January 25, 2023

It was another bad week in cybercrime. … Even as we can be grateful that Taylor Swift’s ticket travails got cybersecurity onto the entertainment feeds where people are more likely to see it, we know it’s unlikely to change the behavior of those who are not yet aware. When will we ever learn?

  • Ticketmaster says cyberattack disrupted Taylor Swift ticket sales: Ticketmaster was hit by a cyberattack in November that led to the problems with ticket sales for Taylor Swift’s upcoming U.S. tour, the president of its parent company plans to tell a congressional committee Tuesday. Politico, January 23, 2023
  • The latest cyberattack on health care shows how vulnerable the sector is: An apparent ransomware attack on a major electronic health records company demonstrates the vulnerability of the health-care sector to potentially disastrous cyberattacks. … The cyber incident impacted NextGen Healthcare last week. It apparently took place at the hands of a ransomware group that the Department of Health and Human Services warned about earlier this month. The Washington Post, January 23, 2023
  • FBI says North Korean hackers responsible for $100M Harmony Horizon Bridge crypto heist: The hacker group used “social engineering of victims” in the Harmony hack. … In June, hackers made off with $100 million in crypto assets (opens in new tab) from the Harmony Horizon Bridge. The FBI now says that “cyber actors associated with the DPRK” were behind the theft. PC Gamer, January 25. 2023

Section 4 -Managing  Information Security and Privacy in Your Organization

Zero trust applies even to zero trust. Don’t believe the hype. Zero trust is a vital paradigm. It’s a new way of thinking about trust in an environment when we have to assume that the enemy is inside the walls. But it is not a silver bullet. … There are no silver bullets. Caveat emptor. … Trust me on this; the mathematics of zero trust goes back to a paper Jim Williams and I wrote at MITRE 40 years ago.

  • Companies Struggle With Zero Trust as Attackers Adapt to Get Around It: Only one in 10 enterprises will create a robust zero-trust foundation in the next three years, while more than half of attacks won’t even be prevented by it, according to Gartner. … The zero-trust approach to security promises to reduce threats and make successful attacks less damaging, but companies should not expect that implementing zero-trust principles will be easy or prevent most attacks, business intelligence firm Gartner said this week. DARKReading, January 26, 2023

With ChatGPT being used to write malware and create ever-more sophisticated phishing attacks, organizations must prepare to aggressively defend themselves.

  • Why AI Phishing is Code Red for Businesses in 2023: ChatGPT is all the rage, even causing upset among teachers and academics, but with this facile way of writing term papers comes yet another weapon in the hacker toolset. Stu Sjouwerman, CEO of KnowBe4, explains how cybercriminals are adopting AI to create phishing emails and ways organizations can protect themselves from AI-generated scams. Spiceworks, January 27, 2023

Update Now.

  • Microsoft Urges Customers to Secure On-Premises Exchange Servers: Microsoft is urging customers to keep their Exchange servers updated as well as take steps to bolster the environment, such as enabling Windows Extended Protection and configuring certificate-based signing of PowerShell serialization payloads.  … “Attackers looking to exploit unpatched Exchange servers are not going to go away,” the tech giant’s Exchange Team said in a post. “There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts.” The Hacker News, January 28, 2023

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge