Cybersecurity News of the Week, January 8, 2023

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

CISA Director Jen Easterly was at CES this week with a straightforward message [lightly edited]: “At the end of the day, we are in an unsustainable position. We cannot have the same sort of attacks that we’ve been seeing for years. We have to get out of this do loop, and we have to create a sustainable approach to cyber safety. … Sustainable cybersecurity is three key things. … First, It’s about technology companies creating products and software that is secure by design and secure by default. … Second, corporate cyber responsibility, and that’s really about CEOs and board members actually embracing cyber risk as something that’s a matter of good governance. They have to work to drive down cyber risk. They have to own it. They have to embrace Corporate Cyber Responsibilities, just as they’ve embraced corporate social responsibility as a matter of good corporate citizenship because cyber is a social good. It’s about societal resilience… Third, we need to fundamentally change the relationship between government and industry. We need make a paradigm shift in something where there’s a default to share information, where the government is much more transparent and responsive and value added, and where we’re seeing this as shared responsibilities. … We have to ensure that cybersecurity is integrated into the curriculum from kindergarten all the way up to 12th grade, so that earlier on, we’re getting people who wouldn’t think about tech because it sounds scary and complicated more interested in technology and cybersecurity, again, from the youngest of ages. … This isn’t a problem the government can fix. It isn’t all on the back of the technology companies. It isn’t all in the back of citizens. We all have to look at this together to ensure that we are a cyber safe world.

  • Easterly: Sustainable Cyber Rides on Better Design, Communications: The nation’s path to sustainable cybersecurity improvement lies in improving technology security by design, and achieving better communication between industry and government, said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), during an address today at the CES 2023 technology conference in Las Vegas. … Easterly emphasized the need for a fundamental shift in how government and industry work together in order to get more persistent collaboration. … The private sector owns and operates a majority of the U.S. critical infrastructure, so partnerships between the public and private sectors are essential to sustainable cybersecurity. But often times, she said, that necessary heightened level of communication only exists when emergencies arise. MeriTalk, January 5, 2023
  • Cybersecurity burden falling ‘on consumers,’ not companies: CISA director: Cybersecurity and Infrastructure Security Agency Director Jen Easterly speaks with Yahoo Finance tech editor Dan Howley at CES 2023 in Las Vegas about how the agency can better protect U.S. public, why CEOs need to better embrace corporate cybersecurity responsibilities, and how the cybersecurity industry is diversifying. Yahoo!finance, January 5, 2023

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basics. Please take our short quiz as your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

Cyber Humor H4

Cybersecurity Nonprofit of the Week … Cyber Readiness Institute

Our kudos this week to the Cyber Readiness Institute (CRI) and the great work they do helping our medium-size and smaller organizations manage their information security challenges. CRI’s Cyber Readiness Program helps organizations protect their data, employees, vendors, and customers. This free, online program is designed to help small and medium-sized enterprises become more secure against today’s most common cyber vulnerabilities. Their free Cyber Leader Certification Program is a personal professional credential for those who have completed the Cyber Readiness Program. Both are highly recommended. Like SecureTheVillage, the Cyber Readiness Institute is a fellow-member of Nonprofit Cyber.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: Join Julie and me as we explore the lighter side of cybersecurity with a great piece by IBM called “Is it time to have ‘the Talk’ with your kids?” We of course segue from fun to the seriousness of cyber crime, particularly for seniors.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

Feel Good Story of the Week

  • 73-Year-Old Grandma Helps Police Arrest Alleged Scammer: Police in New York took down an alleged scam artist with the help of a grandma. The woman named Jean says it started when she got a call from someone, who called her grandma, claiming to need bail money after getting arrested for drunk driving. The former 911 dispatcher says the mysterious caller eventually asked for $8,000. She contacted the local police who set up a sting operation. Inside Edition Digital’s Mara Montalbano has more. Inside Edition, January 5, 2022

Heart-Wrenching Cyber-Scam Story of the Week

  • 3 big mistakes that can give scammers access to your bank accounts: Scam artists are maliciously and deliberately targeting lonely and vulnerable people, well aware that they are more susceptible to their deceit. Sadly, these heartless scammers’ first target is often the elderly. … They tug on their hearts with some sob story and, unfortunately in many cases, successfully drain their entire bank accounts. … Here’s a letter I recently received from Susie, who generously took the time to write to me with a very sad and frightening example of just how low these scam artists will stoop and the devastating consequences of their actions:  “Here’s a heartbreaking story for you. I volunteer at a nursing home. Kurt Knutsson, CyberGuy Report, Fox News Live, December 31, 2023

Be Careful Out There

  • Phishing attacks are increasing and getting more sophisticated. Here’s how to avoid them: Phishing attacks, where a cybercriminal sends a deceptive message that’s designed to fool a user into providing sensitive information such as credit card numbers or to launch malware on the user’s system, are on the rise. … There was a 61% increase in the rate of phishing attacks in the six months ending October 2022 compared to the previous year. … The attacks are also getting more sophisticated, and are spreading beyond emails to text messages and other forms of personal communication. CNBC, January 7, 2022

Password Lessons from the LastPass Breach.

  • A Breach at LastPass Has Password Lessons for Us All: The hacking of the password manager should make us reassess whether to trust companies to store our sensitive data in the cloud. … While many of us were unplugging from the internet to spend time with loved ones over the holidays, LastPass, the maker of a popular security program for managing digital passwords, delivered the most unwanted gift. It published details about a recent security breach in which cybercriminals had obtained copies of customers’ password vaults, potentially exposing millions of people’s online information. … From a hacker’s perspective, this is the equivalent of hitting the jackpot. … When you use a password manager like LastPass or 1Password, it stores a list containing all of the user names and passwords for the sites and apps you use, including banking, health care, email and social networking accounts. It keeps track of that list, called the vault, in its online cloud so you have easy access to your passwords from any device. LastPass said hackers had stolen copies of the list of user names and passwords of every customer from the company’s servers. … This breach was one of the worst things that could happen to a security product designed to take care of your passwords. But other than the obvious next step — to change all of your passwords if you used LastPass — there are important lessons that we can learn from this debacle, including that security products are not foolproof, especially when they store our sensitive data in the cloud. The New York Times, January 5, 2023

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity, and privacy stories to keep you informed.

International Cybersecurity

  • Davos 2023: Why we need global rules to crack down on cybercrime: The impact of cybercrime is compounded by a scarcity of security experts, poor reporting habits and a lack of global agreements about how to regulate cyber threats. … The cost of cybercrime could reach $10.5 trillion annually by 2025. … Targets range from individuals right up to governments and critical infrastructure. … Cybercriminals operate internationally, and we need international rules in order to crack down on them. World Economic Forum, January 2, 2022
  • Pentagon hosts Five Eyes partners for zero-trust cybersecurity talks: An addendum to the Pentagon’s zero-trust strategy, published in late November, is now in the works, following a meeting of the U.S. and some of its closest intelligence-sharing allies. … A three-day event at Fort Meade, Maryland, home to the Defense Information Systems Agency and U.S. Cyber Command, drew representatives from the Department of Defense and Five Eyes partners Australia, Canada, New Zealand and the U.K. The topic: zero trust, a new paradigm that assumes networks are already compromised and, as a result, require continuous validation of users and devices. C4ISRNet, January 6, 2022

TikTok’s slide towards a ban continues as its recommendation algorithm leads toward potentially harmful content.

  • Jan. 6 Committee Experiment Found TikTok Went From Zero To Nazi in 75 Minutes: The platform has largely escaped notice in the public battles over content moderation, but it’s not immune from hateful extremism. … When the Jan. 6 committee wanted to test how easy it was for TikTok users to wander down a far-right rabbit hole, they tried an experiment. They created Alice, a fictional 41-year-old from Acton, Massachusetts, gave her a TikTok account, and tracked what the social media app showed her. … To their surprise, it only took 75 minutes of scrolling — with no interaction or cues about her interests — for the platform to serve Alice videos featuring Nazi content, following a detour through clips on the Amber Heard-Johnny Depp defamation suit, Donald Trump, and other right-wing culture war flashpoints. Rolling Stone, January 5, 2023 

WhatsApp Makes It Easier to Bypass State Censorship.

  • Keeping lines of communication open —WhatsApp just made it harder to censor citizens with Internet shutdowns: To ring in the new year, WhatsApp introduced a new feature to help people circumvent government-imposed Internet shutdowns that the United Nations said last summer work to undermine human rights. … “To help, today we’re launching proxy support for WhatsApp users all over the world,” WhatsApp’s statement said. “What this means is we’re putting the power into people’s hands to maintain access to WhatsApp if their connection is blocked or disrupted.” … WhatsApp’s new proxy support feature enables users to “connect to WhatsApp through servers set up by volunteers and organizations around the world dedicated to helping people communicate freely.” It also allows users to set up their own proxy servers to help others connect to the app. The feature is currently available to all users running the most updated version of the app. Ars technica, January 5, 2023

On the Legal Front

  • Meta Fined Over $400 Million in EU for Serving Ads Based on Online Activity: A top European Union privacy regulator ruled that Meta Platforms can’t use its contracts with Facebook and Instagram users to justify sending them ads based on their online activity, delivering one of the bloc’s biggest blows yet to the digital-advertising industry. … The ruling, announced Wednesday by Ireland’s Data Protection Commission, also imposed fines of 390 million euros, or $414 million, on Meta, saying that the company violated EU privacy laws by saying such ads are necessary to execute contracts with users. … Meta, the parent of Instagram and Facebook, said it disagrees with the ruling and plans to appeal both it and the fines. Wall Street Journal, January 4, 2023
  • LastPass hit with class-action lawsuit over hack: Former LastPass customer says $53,000 in bitcoin was stolen from him as a result of password manager’s data breach. … LastPass is facing a class-action lawsuit filed by a former customer who says a hacker stole tens of thousands in Bitcoin from him as a result of one of the password manager’s multiple data breaches last year. … The complaint filed in the U.S. District Court of Massachusetts accuses LastPass of failing to “exercise reasonable care in securing and safeguarding highly sensitive consumer data in connection with a massive, months-long data breach that began in August” and impacted “potentially millions” of customers. Fox Business, January 5, 2022
  • JPMorgan Must Face Lawsuit by Ray-Ban Maker Over $272 Million Cybertheft: JPMorgan Chase & Co was ordered by a New York judge to face a lawsuit by the French maker of Ray-Ban sunglasses, which said cybercriminals withdrew $272 million from its New York account after the bank ignored “red flags” of suspicious activity. … [Ray-ban manufacturer] EssilorLuxottica said warning signs of fraud included transfers being made in whole-dollar amounts and through small banks going to unfamiliar entities associated with coffee, furniture and hair care instead of the optical industry. US News & World Report, January 5, 2023

Privacy Run Amok

  • Hackers leak email addresses tied to 235 million Twitter accounts: The records, probably compiled in late 2021, were published on a popular underground marketplace, researchers said. … Records of 235 million Twitter accounts and the email addresses used to register them have been posted to an online hacking forum, setting the stage for anonymous handles to be linked to real-world identities. … That poses threats of exposure, arrest or violence against people who used Twitter to criticize governments or powerful individuals, and it could open up others to extortion, security experts said. Hackers could also use the email addresses to attempt to reset passwords and take control of accounts, especially those not protected by two-factor authentication. The Washington Post, January 4, 2023
  • Electronic Court Filings Are a Privacy Nightmare: The private health and financial information of people involved in lawsuits is far too easy to search and steal. … Most courts of law have finally entered the computer age. Until recently, every case produced a mountain of papers that were eventually physically archived deep in the subterranean bowels of a courthouse. Now many courts require lawsuits to be filed online, where court papers are archived on publicly accessible websites. It’s all very convenient, but the convenience comes with a downside: Sensitive personal information and documents—including medical, psychiatric and financial records—are forever accessible to anyone with access to the internet. Wall Street Journal, January 4, 2023

This Week’s Cyber Crime-Five

  • First LastPass, now Slack and CircleCI. The hacks go on (and will likely worsen): Don’t expect victims to be forthcoming. Their alerts conceal more than they reveal. … In the past 24 hours, the world has learned of serious breaches hitting chat service Slack and software testing and delivery company CircleCI, though giving the companies’ opaque wording—“security issue” and “security incident,” respectively—you’d be forgiven for thinking these events were minor. … The compromises—in Slack’s case, the theft of employee token credentials and for CircleCI, the possible exposure of all customer secrets it stores—come two weeks after password manager LastPass disclosed its own security failure: the theft of customers’ password vaults containing sensitive data in both encrypted and clear text form. It’s not clear if all three breaches are related, but that’s certainly a possibility. … The most concerning of the two new breaches is the one hitting CircleCI. On Wednesday evening, the company reported a “security incident” that prompted it to advise customers to rotate “all secrets” they store on the service. The alert also informed customers that it had invalidated their Project API tokens, an event requiring them to go through the hassle of replacing them. … CircleCI says it’s used by more than 1 million developers in support of 30,000 organizations and runs nearly 1 million daily jobs. The potential exposure of all those secrets—which could be login credentials, access tokens, and who knows what else—could prove disastrous for the security of the entire Internet. Ars technica, January 5, 2023
  • Rail giant Wabtec discloses data breach after Lockbit ransomware attack: U.S. rail and locomotive company Wabtec Corporation has disclosed a data breach that exposed personal and sensitive information. … Wabtec is a U.S.-based public company producing state-of-the-art locomotives and rail systems. The company employs approximately 25,000 people and has a presence in 50 countries, being the world’s market leader in freight locomotives and a major player in the transit segment. Bleeping Computer, January 3, 2023
  • SickKids: 80% of hospital priority systems back online after LockBit ransomware attack: Toronto’s Hospital for Sick Children, Canada’s largest pediatric health center, said it has restored 80% of its systems that have a direct impact on hospital operations following a ransomware attack. … A spokesperson for the hospital told The Record that patients and families dealt with diagnostic and treatment delays because clinical teams struggled to receive lab reports and imaging results after the LockBit ransomware group launched an attack on the night of December 18. The Record, January 6, 2023
  • A mysterious cyberattack has shuttered the Guardian’s office for a month: : A ransomware attack on the Guardian has hobbled the London-based news-organization’s basic operations, shutting down everything from its office wifi to the tills in the staff canteen. … The Guardian described the attack that began on December 20 as a “serious incident which has affected our IT network and systems.” The paper closed its offices, telling staff to work remotely for several days around the Christmas holiday. … But in a memo to employees this week, chief executive Anna Bateson said that the company’s offices will remain closed until at least January 23. Two Guardian staffers told Semafor that a tiny skeleton crew continues to go into the London office. … “It’s been a total nightmare,” one Guardian employee said. Semafor, January 4, 2023
  • Five Guys Data Breach Puts HR Data Under a Heat Lamp: Job applicants could face a raft of follow-on attacks after cyber intruders accessed their data in an opportunistic attack. … The Five Guys burger empire has been hit with what appears to be a “smash-and-grab” operation: Cyberattackers busted into a file server and made off with the personally identifiable information (PII) of people who applied to work at the chain. … Details are scant, but in a form letter to the impacted sent out on Dec. 29, Five Guys chief operating officer Sam Chamberlain noted that an “unauthorized access to files” was discovered on Sept. 17 and was blocked the same day. DARKReading, January 4, 2023

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in managing cyber-risk, securing their organizations, and protecting privacy.

See our Top-of-the-News stories of CISA Director Jen Easterly at CES. “We’ve somehow accepted that the incentives are all aligned toward cost capability, performance, and speed to market and not safety … We’ve accepted that software is developed with all kinds of vulnerabilities and flaws. We’ve accepted that cybersecurity is the purview of the IT people that may not have the influence. … Currently, a lot of the responsibility for mitigating cyber risks is placed on the shoulders of consumers who may not understand or be prepared to handle that threat. … Enterprise leaders must understand and embrace that mitigating cyber risk is a matter of good governance.”

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge