Cybersecurity News of the Week, January 7, 2024

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

The Top of the News is a follow-on to the 23andMe breach that exposed sensitive genetic and other personal information of nearly 7,000,000 customers. This week, the company claimed the breach was our fault, not theirs. This is ludicrous on its surface. Based on publicly available information, the breach was allowed to occur ONLY BECAUSE 23andMe failed to require multi-factor authentication (MFA) on its accounts. I am amazed at their chutzpah in blaming us – the victims – for their failure. In addition to my anger at 23andMe, I am sad for the millions of people who have given 23andMe their most precious information only to have the company squander their trust. I feel sad for the residents of our village whose lives have been – and may yet be – impacted by what would seem to be 23andMe’s callous disregard for basic information security management principles. This is one of those moments when you want to “go to the window, open it and stick your head out and yell ‘I’m as mad as hell and I’m not going to take this anymore.'” … 23andMe – You have broken trust with your customers. As one of your customers, you have certainly broken trust with me.

Small and Midsize Organizations. Take your security to the next level. Apply Now! If you’re a small business, nonprofit, or IT / MSP in the greater Los Angeles area, apply NOW for LA Cybersecure, a pilot program with coaching and guidance that costs less than two cups of coffee a week. https://securethevillage.org/la-cybersecure-pilot/ The LA Cybersecure Pilot Program is funded by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.

Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription! 

How Hackable Are You? Take our test. Find out how hackable you are and download our free updated 13-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short test, as your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

Please Support SecureTheVillage.

  • We need your help if we’re to build a world of CyberGuardians. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village.™

Cyber Humor

Cybersecurity Nonprofit of the Week … The Anti-Phishing Working Group (APWG)

Kudos this week to the Anti-Phishing Working Group (APWG). APWG unifies the global response to common cybercrimes and related infrastructure abuse through technical diplomacy; curation of a real-time clearinghouse of internet event data; development of applied research; and deployment and maintenance of global cybersecurity awareness campaigns. All of us can help APWG help us by forwarding suspected phishing messages to reportphishing@apwg.org. Like SecureTheVillage, APWG is a fellow member of Nonprofit Cyber.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

50 Episodes! Happy 2024. Let’s do it. (Video) (Podcast): Julie and I look ahead to 2024 … And the things we the people are doing to make a difference. How 2024 will see us continue to build the cyber resilience of our communities, encouraging and mobilizing those with cybersecurity knowledge to do more to help those who lack this knowledge. Smaller businesses. Nonprofits. Families and individuals. Even their IT service providers / MSPs. … Why? Because it takes a village to secure the village™. … Join Stan and Julie every week on Live on Cyber for your 15 minutes of ideas and insights as we forge a community to secure the village.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

More stories of cybercrime affecting individuals, including Andy Cohen. Erin West, Deputy District Attorney in Santa Clara, California and friend of SecureTheVillage says she’s receiving 5-6 emails a day from pig butchering victims. Meanwhile the FBI is warning of a new kind of cyber-kidnapping scam.

  • Andy Cohen says he was scammed out of ‘a lot of money’ by fraudsters who pretended to be his bank:  Andy Cohen revealed on an episode of his “Daddy Diaries” podcast that he was scammed by fraudsters who impersonated his bank. He says he fell for the scam because he thought it was related to a recently lost card. Andy Cohen says he lost “a lot of money” to scammers who pretended to be from his bank.
  • Attorney Says They Are “Receiving 5-6 Emails a Day” From Victims of Pig Butchering Scams: Pig butchering scams, a rapidly growing criminal activity involving online romance, fake crypto investments, and human trafficking, have been plaguing US citizens, resulting in significant financial losses. In a recent interview, Erin West, Deputy District Attorney in Santa Clara, California, said the problem is escalating, claiming that she receives an average of 5-6 emails daily from individuals who have fallen prey to pig butchering. … “We are receiving 5-6 emails a day from people who are victims of pig butchering. The most recent victim lost $5 million dollars and that’s not even the biggest amount one victim has lost to this scam.” … Compounding the issue, the stolen funds are funneled overseas to transnational criminal organizations in Myanmar and Cambodia, using trafficked individuals as virtual slaves to carry out the pig butchering scams. … According to TRM Labs, a leading blockchain intelligence company, the FBI’s Internet Crime Complaint Center (IC3) has received over 4,300 complaints related to pig butchering, with cumulative losses surpassing $400 million. 
  • FBI issues ‘cyber kidnapping’ warning after a Utah student was found in the mountains: The warning follows similar messages issued by Chinese and Australian authorities throughout 2023. … The FBI is warning of an extreme scam hitting the U.S. where criminals coerce a victim to stage their own kidnapping and film it, providing blackmail material against their own families. … The warning follows numerous similar messages issued by Chinese and Australian officials throughout 2023 and comes after the first well-documented “cyber kidnapping” case of this severity in the U.S.

Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.

Two major cybersecurity failures didn’t have to happen. How in 2024 can a water district not know to expect a cyberattack? The government has been warning water districts for weeks that they’re under active attack from Iran. Even Rip Van Winkle knows to expect a cyberattack. Especially if you’re a water district. And a large mobile carrier with no controls to keep a “ridiculously weak” password off the account that manages its Internet routing? This isn’t rocket science. This is basic blocking and tackling. It’s putting your seat belt on when you get in the car. It’s checking the brakes regularly.

  • States and Congress wrestle with cybersecurity after Iran attacks Pittsburgh-area water authority: The tiny Aliquippa water authority in western Pennsylvania was perhaps the least-suspecting victim of an international cyberattack. … It had never had outside help in protecting its systems from a cyberattack, either at its existing plant that dates to the 1930s or the new $18.5 million one it is building. … Then it — along with several other water utilities — was struck by what federal authorities say are Iranian-backed hackers targeting a piece of equipment specifically because it was Israeli-made. … “If you told me to list 10 things that would go wrong with our water authority, this would not be on the list,” said Matthew Mottes, the chairman of the authority that handles water and wastewater for about 22,000 people in the woodsy exurbs around a one-time steel town outside Pittsburgh.
  • A “ridiculously weak” password causes disaster for Spain’s No. 2 mobile carrier: Orange España, Spain’s second-biggest mobile operator, suffered a major outage on Wednesday after an unknown party obtained a “ridiculously weak” password and used it to access an account for managing the global routing table that controls which networks deliver the company’s Internet traffic, researchers said. … The hijacking began around 9:28 Coordinated Universal Time (about 2:28 Pacific time) when the party logged into Orange’s RIPE NCC account using the password “ripeadmin” (minus the quotation marks).

Meanwhile, since some people don’t want to be bothered doing what’s right, CISA is asking tech manufacturers to implement alternatives to default passwords.

  • CISA urges tech manufacturers to stop using default passwords: Today, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged technology manufacturers to stop providing software and devices with default passwords. … Once discovered, threat actors can use such default credentials as a backdoor to breach vulnerable devices exposed online. Default passwords are commonly used to streamline the manufacturing process or help system administrators deploy large numbers of devices within an enterprise environment more easily. … Nonetheless, the failure to change these default settings creates a security weakness that attackers can exploit to circumvent authentication measures, potentially compromising the security of their organization’s entire network.

Speaking of passwords … and forgive my sarcasm … it’s nice to see LastPass finally asking users to use 12 character passwords and multifactor authentication (MFA). These should be basic requirements for a password manager. Good password managers don’t let users drive without the cyber-equivalent of seat belts and brakes.

  • LastPass Hikes Password Requirements to 12 Characters: A phased rollout will also prompt LastPass customers to re-enroll their accounts in multifactor authentication (MFA) to prevent future breaches. … Password-manager purveyor LastPass has announced it’s setting new rules about the strength of customer passwords, with a new mandate that account master passwords include a minimum of 12 characters.
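The three stories above (the “ripeadmin” password on Orange’s routing account, CISA’s warning on factory defaults, and LastPass’s new 12-character-plus-MFA rule) describe the same control from three angles. As an added example, not code from any of the articles, CISA, LastPass or Orange, here is a small Python audit that runs the corresponding checks over a credential inventory. The inventory, the default-password list and the “password is just the product name plus a role word” heuristic are my assumptions; only the 12-character minimum comes from the page.

```python
"""Added example: audit a credential inventory for the failure modes in this
week's stories (factory defaults, a trivially weak password on a privileged
account, missing MFA). The inventory and the default list are constructed."""
import re

MIN_LENGTH = 12  # the master-password minimum LastPass now enforces

# Constructed sample of vendor defaults and throwaway passwords. A real audit
# would load the vendor's published defaults and a breached-password corpus.
KNOWN_BAD = {"admin", "password", "123456", "changeme", "default", "ripeadmin"}

# Role words that, glued to a product or company name, pass for a password.
# Assumption: this heuristic is mine, not a CISA or LastPass rule.
ROLE_WORDS = {"admin", "root", "user", "operator"}


def context_tokens(*names):
    """Lowercase alphabetic tokens (3+ letters) from usernames and service names."""
    toks = set()
    for name in names:
        toks.update(t for t in re.split(r"[^a-z]+", name.lower()) if len(t) >= 3)
    return toks


def evaluate(account):
    """Return the list of findings for one account; an empty list means it passes.

    account keys: user, service, password, privileged (bool), mfa (bool).
    """
    pw = account["password"]
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("too_short")
    if pw.lower() in KNOWN_BAD:
        findings.append("known_default_or_weak")
    # Strip context words (service name, username, role words), longest first,
    # and see what is left: "ripeadmin" on a RIPE account collapses to nothing.
    remainder = pw.lower()
    ctx = context_tokens(account["user"], account["service"]) | ROLE_WORDS
    for tok in sorted(ctx, key=len, reverse=True):
        remainder = remainder.replace(tok, "")
    if len(remainder) < 4:
        findings.append("derived_from_context")
    if account["privileged"] and not account["mfa"]:
        findings.append("privileged_without_mfa")
    return findings


def audit(inventory):
    """Map each failing account's user to its findings; passing accounts are omitted."""
    report = {}
    for acct in inventory:
        findings = evaluate(acct)
        if findings:
            report[acct["user"]] = findings
    return report


# Constructed inventory: one account modelled on the Orange España story, one
# factory default on a network device, and one that meets the bar.
SAMPLE_INVENTORY = [
    {"user": "orange-noc", "service": "RIPE NCC LIR portal",
     "password": "ripeadmin", "privileged": True, "mfa": False},
    {"user": "admin", "service": "Edge router web UI",
     "password": "admin", "privileged": True, "mfa": False},
    {"user": "j.doe", "service": "Password manager master",
     "password": "correct-horse-battery-staple-2024", "privileged": False, "mfa": True},
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_INVENTORY).items():
        print(f"{user}: {', '.join(findings)}")
```

Run as a script it prints the two failing accounts with their findings. The context check is the part worth keeping: a blocklist alone would miss the next “ripeadmin”, but stripping the account’s own service name, username and role words and checking what survives catches that whole family of passwords. In production, replace `KNOWN_BAD` with a breached-password set and feed the inventory from your identity provider or a password-manager export rather than a literal list.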

This week in cybercrime. Healthcare. A major law firm. Several museums, including the Museum of Fine Arts in Boston. A township in Brittany on the French coast. And a report that North Korea stole more than $600M in crypto in 2023.

  • Data breach at healthcare tech firm impacts 4.5 million patients: HealthEC LLC, a provider of health management solutions, suffered a data breach that impacts close to 4.5 million individuals who received care through one of the company’s customers. … On December 22, the firm disclosed that it suffered a data breach between July 14 and 23, 2023, which resulted in unauthorized access to some of its systems. … An investigation of the incident concluded on October 24, 2023, and revealed that the intruder had stolen files from the breached systems hosting the following data types: Name; Address; Date of birth; Social Security number; Taxpayer Identification Number; Medical Record number; Medical information (diagnosis, diagnosis code, mental/physical condition, prescription information, and provider’s name and location); Health insurance information (beneficiary number, subscriber number, Medicaid/Medicare identification); Billing and claims information (patient account number, patient identification number, and treatment cost information).
  • Law firm that handles data breaches was hit by data breach: An international law firm that works with companies affected by security incidents has experienced its own cyberattack that exposed the sensitive health information of hundreds of thousands of data breach victims. … San Francisco-based Orrick, Herrington & Sutcliffe said last week that hackers stole the personal information and sensitive health data of more than 637,000 data breach victims from a file share on its network during an intrusion in March 2023.
  • Museum World Hit by Cyberattack on Widely Used Software: Hackers targeted software that many museums use to show their collections online and to manage sensitive information. … Several prominent museums have been unable to display their collections online since a cyberattack hit a prominent technological service provider that helps hundreds of cultural organizations show their works digitally and manage internal documents. … The Museum of Fine Arts Boston, the Rubin Museum of Art in New York and the Crystal Bridges Museum of American Art in Arkansas were among the institutions confirming that their systems have experienced outages in recent days. … The service provider, Gallery Systems, said in a recent message to clients, which was obtained by The New York Times, that it had noticed a problem on Dec. 28, when computers running its software became encrypted and could no longer operate.
  • ‘Large-scale’ cyberattack hits French township, all local services down: The mayor of Pays Fouesnantais, a coastal township in Brittany in northwestern France, announced his municipal authority had been hit by a “large-scale” cyberattack that had taken down all of its community services. … The nature of the attack has not yet been confirmed. Roger Le Goff, the mayor, told local newspaper Ouest-France that the incident was “a big problem” and confirmed that all of the authority’s IT services had been rendered inoperable.
  • North Korea Was Responsible for Over $600M in Crypto Thefts Last Year: TRM Labs: U.S. national security officials have raised concerns about North Korea’s use of stolen crypto to develop nuclear weapons. … North Korea-affiliated hackers were involved in a third of all crypto exploits and thefts last year, making off with some $600 million in funds, according to a report from TRM Labs. … The sum brings the Democratic People’s Republic of Korea’s (DPRK) total take from crypto projects to almost $3 billion over the past six years, the blockchain analytics firm said Friday.

Section 4 – Managing Information Security and Privacy in Your Organization.

If you’re using Ivanti’s Endpoint Management software, update now.

  • Ivanti warns critical EPM bug lets hackers hijack enrolled devices: Ivanti fixed a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM) that can let unauthenticated attackers hijack enrolled devices or the core server. … Ivanti EPM helps manage client devices running a wide range of platforms, from Windows and macOS to Chrome OS and IoT operating systems. … The security flaw (tracked as CVE-2023-39336) impacts all supported Ivanti EPM versions, and it has been resolved in version 2022 Service Update 5.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge