A weekly aggregation of essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.
Stan’s Top of the News
Big kudos to the Justice Department and F.B.I. in what Lisa Monaco, deputy attorney general, called a “21st century cyber-stakeout.” “Simply put,” she said, “using lawful means, we hacked the hackers.” For more on this story, see F.B.I. Director Wray’s Press Conference remarks.
- Justice Dept. Dismantles a Major Ransomware Operation: The department said it had successfully prevented victims from having to pay $130 million in ransoms to Hive, a prolific ransomware gang, before seizing two of the group’s servers on Wednesday night. … Federal investigators dismantled the computer networks of a cybercriminal organization that had demanded hundreds of millions of dollars in ransom from schools, hospitals and other critical infrastructure, the Justice Department said on Thursday. … In July, the F.B.I. and its counterparts in Germany, the Netherlands and the European law enforcement agency Europol gained covert access to the servers and websites run by the organization, Hive, considered one of the most active ransomware groups last year. Over the next few months, agents hid in the system, identified targets and repeatedly thwarted Hive’s attempts to extort over 300 victims, preventing them from having to pay $130 million in ransoms. The New York Times, January 26, 2023
When I saw this next story, it immediately brought to mind Howard Beal’s explosive line from the movie Network: “I’m as mad as hell, and I’m not going to take this anymore!” Experian has proven once again that its claim to “take your security seriously” is market-speak for “our profits are more important than your security and privacy.” C’mon Congress. Do your job. Pass meaningful legislation to protect us from Experian and all the other companies that claim to “take your security seriously.” You too, FTC and the rest of the Administration.
- Experian Glitch Exposing Credit Files Lasted 47 Days: On Dec. 23, 2022, KrebsOnSecurity alerted big-three consumer credit reporting bureau Experian that identity thieves had worked out how to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, but remained silent about the incident for a month. This week, however, Experian acknowledged that the security failure persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022. Krebs on Security, January 25, 2023
Making cybersecurity more challenging is the fact that responsibility for American cybersecurity is split between Federal and state governments and the private sector.
- Data security: Who is responsible for protecting cyber America?: U.S. cybersecurity is more fractured than it might appear, with state and federal authorities handling their own responsibilities while private companies also have to work on their own infrastructure. … “We know that other nation states — China, Russia, Iran and North Korea — are coming after us in the cyber domain,” Jamil Jaffer, founder and executive director at the National Security Institute at the George Mason University Law School, told Fox News Digital. … “We generally expect the government to defend against those kinds of attacks. If a Russian bomber comes across the horizon, nobody says, ‘Hey, you know, Walmart or Target, why didn’t you have surface-to-air missiles on the roof of your building, defend against that Russian bear bomber?’ … “Of course, we don’t expect that [in cybersecurity],” he continued. “We expect Walmart, Target, JPMorgan, a small mom-and-pop business in the middle of the country to defend themselves against any cyberattack, whether it’s somebody in their basement or the Chinese nation-state or the Russian nation-state.” Fox News, January 25, 2023
How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.
- How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz; your answers will help you and guide us to improve community safety.
Cybersecurity Nonprofit of the Week … The Institute for Security and Technology.
With the takedown of the Hive ransomware group, special kudos this week to The Institute for Security and Technology and their Ransomware Task Force (RTF). The Task Force aims to equip businesses, organizations, and governments of all sizes to prepare for ransomware attacks, effectively respond, and quickly recover. This week the Task Force published the Cyber Incident Reporting Framework. This follows the earlier release of its ‘Blueprint for Ransomware Defense’ representing a set of foundational and actionable safeguards derived from the Center for Internet Security’s Critical Security Controls. The Institute is a fellow-member of Nonprofit Cyber, the first-of-its-kind coalition of global nonprofit organizations to enhance joint action to improve cybersecurity.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn
Live on Cyber with Dr. Stan Stahl: Noted author and satirist H.L. Mencken is famous for pointing out that “For every complex problem there is an answer that is clear, simple, and wrong.” Join Stan and Julie as they riff on this all-too-common human desire for simple solutions to complex problems. How it’s built into our neurology. How it makes it harder to manage cybersecurity. And even how it manifests in the conspiracy theories that drive our political discontent. As always, Stan and Julie provide actionable tips and thoughtful wisdom in a fun conversation on the complexities of cybersecurity and privacy.
Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.
Protect your privacy.
- Everyone Wants Your Email Address. Think Twice Before Sharing It.: Your email address has become a digital bread crumb for companies to link your activity across sites. Here’s how you can limit this. The New York Times, January 25, 2023
- How Mental Health and Prayer Apps Fail Spectacularly at Privacy: Your smartphone can instantly connect you to safe spaces via therapists, guided meditation, or scripture. But how safe—and how private—is the data that comes from these interactions? Pocket.
Beware of phishing attacks with OneNote attachments.
- Hackers now use Microsoft OneNote attachments to spread malware: Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets. Bleeping Computer, January 21, 2023
Another story illustrating the dangers of using the same passwords on different sites.
- Norton LifeLock Warns on Password Manager Account Compromises: Password manager accounts may have, ironically, been compromised via simple credential stuffing, thanks to password reuse. … Norton LifeLock customers have fallen victim to a credential-stuffing attack. Cyber attackers used a third-party list of stolen username and password combinations to attempt to break into Norton accounts, and possibly password managers, the company is warning. DARK Reading, January 13, 2023
This week’s cyber-scams. Warn your family, friends, and colleagues.
- Scammers steal $793,000 in online scam, halting project for new sanctuary: A Piedmont Triad church project is halted, after an online scam left Elkin Valley Baptist Church out more than $793,000. WXII Winston-Salem, January 25, 2023
- Scottsdale couple saved from scam by CVS store clerk: “Please learn from our mistake,” Francie Hidalgo says about the situation. KPNX Phoenix, January 25, 2023
- I believed the SMS was from my bank – and fell victim to a $22,000 scam: When I play it back in my mind, I can clearly see points where I should have twigged – but I was blind to the signals. The Guardian, January 23, 2023
Section 3 – Cybersecurity News for the Cyber-Concerned.
Illustrating the challenge of shared public / private responsibility for cybersecurity, a private-sector airline left the “No Fly List” unprotected on its public servers. Protecting confidential information is not just about Trump, Biden, and Pence.
- EXCLUSIVE: U.S. airline accidentally exposes ‘No Fly List’ on unsecured server: One of the most sensitive U.S. government documents was left online. … An unsecured server discovered by a security researcher last week contained the identities of hundreds of thousands of individuals from the U.S. government’s Terrorist Screening Database and “No Fly List.” daily dot, January 21, 2023
Another ongoing cybersecurity challenge is whether a ransomware victim should pay the ransom.
- Should Suffolk have paid the $2.5M ransom for cyberattack?: With Suffolk’s ransomware lockdown approaching its fifth month, the recent revelation that the proposed ransom was $2.5 million might lead some to wonder whether paying it would have saved the county time, money and rippling impacts. … Reports of the cost of the event range anywhere from $5.4 million for the investigation and restoration to more than $17 million for things such as new software and security licenses and hardware needed to replace older or damaged systems. Newsday, January 27, 2023
Meanwhile, it’s good to see cybercrime gangs going after each other.
- Darknet Market Solaris Hacked by Competitor, Elliptic Reveals: A leading marketplace on the dark web, Solaris, has been hit by a rival, according to crypto analytics company Elliptic. The Russia-linked platform, which tried to occupy space vacated by the busted Hydra, is believed to have conquered up to a fifth of the illicit market before the hack. Bitcoin.com, January 21, 2023
The day will certainly come when quantum computing is able to break our current encryption algorithms. Three weeks ago researchers in China announced a major step forward in this quest. But no, Chicken Little, the sky is not falling.
- RSA’s demise from quantum attacks is very much exaggerated, expert says: Three weeks ago, panic swept across some corners of the security world after researchers discovered a breakthrough that, at long last, put the cracking of the widely used RSA encryption scheme within reach by using quantum computing. … At the Enigma 2023 Conference in Santa Clara, California, on Tuesday, computer scientist and security and privacy expert Simson Garfinkel assured researchers that the demise of RSA was greatly exaggerated. For the time being, he said, quantum computing has few, if any, practical applications. … “In the near term, quantum computers are good for one thing, and that is getting papers published in prestigious journals,” Garfinkel, co-author with Chris Hoofnagle of the 2021 book Law and Policy for the Quantum Age, told the audience. “The second thing they are reasonably good at, but we don’t know for how much longer, is they’re reasonably good at getting funding.” ars technica, January 25, 2023
It was another bad week in cybercrime. … Even as we can be grateful that Taylor Swift’s ticket travails got cybersecurity onto the entertainment feeds where people are more likely to see it, we know it’s unlikely to change the behavior of those who are not yet aware. When will we ever learn?
- Ticketmaster says cyberattack disrupted Taylor Swift ticket sales: Ticketmaster was hit by a cyberattack in November that led to the problems with ticket sales for Taylor Swift’s upcoming U.S. tour, the president of its parent company plans to tell a congressional committee Tuesday. Politico, January 23, 2023
- The latest cyberattack on health care shows how vulnerable the sector is: An apparent ransomware attack on a major electronic health records company demonstrates the vulnerability of the health-care sector to potentially disastrous cyberattacks. … The cyber incident impacted NextGen Healthcare last week. It apparently took place at the hands of a ransomware group that the Department of Health and Human Services warned about earlier this month. The Washington Post, January 23, 2023
- FBI says North Korean hackers responsible for $100M Harmony Horizon Bridge crypto heist: The hacker group used “social engineering of victims” in the Harmony hack. … In June, hackers made off with $100 million in crypto assets from the Harmony Horizon Bridge. The FBI now says that “cyber actors associated with the DPRK” were behind the theft. PC Gamer, January 25, 2023
Section 4 – Managing Information Security and Privacy in Your Organization
Zero trust applies even to zero trust. Don’t believe the hype. Zero trust is a vital paradigm. It’s a new way of thinking about trust in an environment where we have to assume that the enemy is inside the walls. But it is not a silver bullet. … There are no silver bullets. Caveat emptor. … Trust me on this; the mathematics of zero trust goes back to a paper Jim Williams and I wrote at MITRE 40 years ago.
- Companies Struggle With Zero Trust as Attackers Adapt to Get Around It: Only one in 10 enterprises will create a robust zero-trust foundation in the next three years, while more than half of attacks won’t even be prevented by it, according to Gartner. … The zero-trust approach to security promises to reduce threats and make successful attacks less damaging, but companies should not expect that implementing zero-trust principles will be easy or prevent most attacks, business intelligence firm Gartner said this week. DARK Reading, January 26, 2023
With ChatGPT being used to write malware and create ever-more sophisticated phishing attacks, organizations must prepare to aggressively defend themselves.
- Why AI Phishing is Code Red for Businesses in 2023: ChatGPT is all the rage, even causing upset among teachers and academics, but with this facile way of writing term papers comes yet another weapon in the hacker toolset. Stu Sjouwerman, CEO of KnowBe4, explains how cybercriminals are adopting AI to create phishing emails and ways organizations can protect themselves from AI-generated scams. Spiceworks, January 27, 2023
- Microsoft Urges Customers to Secure On-Premises Exchange Servers: Microsoft is urging customers to keep their Exchange servers updated as well as take steps to bolster the environment, such as enabling Windows Extended Protection and configuring certificate-based signing of PowerShell serialization payloads. … “Attackers looking to exploit unpatched Exchange servers are not going to go away,” the tech giant’s Exchange Team said in a post. “There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts.” The Hacker News, January 28, 2023