A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.
Stan’s Top of the News
This Week’s Top of the News is again about privacy in the wake of the Supreme Court’s recent decision to overturn Roe v Wade.
- Texts, web searches about abortion have been used to prosecute women: The data privacy risks associated with abortion aren’t hypothetical. Cases in Mississippi and Indiana could preview how digital evidence could be used post-Roe. Washington Post, July 3, 2022
- Federal Patient Privacy Law Does Not Cover Most Period-Tracking Apps: A patient privacy law known as HIPAA, passed in 1996, hasn’t kept pace with new technologies and at-home tests. ProPublica, July 5, 2022
- Data privacy concerns make the post-Roe era uncharted territory: It’s becoming increasingly clear that the end of Roe will look vastly different than before Roe — in large part because of the role of data. NPR, July 2, 2022
- Your Phone’s Location Access Reveals a Lot. Here’s How to Turn It Off.: Your phone is likely selling your location information to the highest bidder. But there are steps you can take to help prevent that. Wirecutter, June 29, 2022
- End-to-End Encryption’s Central Role in Modern Self-Defense: A number of course-altering US Supreme Court decisions last month—including the reversal of a constitutional right to abortion and the overturning of a century-old limit on certain firearms permits—have activists and average Americans around the country anticipating the fallout for rights and privacy as abortion “trigger laws,” expanded access to concealed carry permits, and other regulations are expected to take effect in some states. And as people seeking abortions scramble to protect their digital privacy and researchers plumb the relationship between abortion speech and tech regulations, encryption proponents have a clear message: Access to end-to-end encrypted services in the US is more important than ever. Wired, July 5, 2022
- ‘Asleep at the wheel’: Canada police’s spyware admission raises alarm: An admission from Canada’s national police force that it routinely uses powerful spyware to surveil citizens has prompted concern from experts, who warn the country is “asleep at the wheel” when it comes to regulating and reining in use of the technology. The Guardian, July 7, 2022
Privacy Webinar: SecureTheVillage is hosting a webinar on July 21 at 11:00AM Pacific Time to help ‘village residents’ understand the risks to their privacy along with what they can do to protect themselves. The privacy challenges raised by the overturning of Roe v. Wade cross political lines and demonstrate that each of us has the personal responsibility to treat our online privacy as a core element of sound data care.
- Roe v Wade: Critical Implications for Our Personal Privacy. The overturning of Roe v Wade has upended what privacy means for every single person in the USA. We invite you to a webinar with legal and privacy experts to learn what this ruling means for your personal privacy and safety.
Security Nonprofit of the Week … Cyber Readiness Institute.
Our kudos this week to the Cyber Readiness Institute (CRI) and the great work they do helping our medium-size and smaller organizations manage their information security challenges. CRI’s Cyber Readiness Program helps organizations protect their data, employees, vendors, and customers. This free, online program is designed to help small and medium-sized enterprises become more secure against today’s most common cyber vulnerabilities. Their free Cyber Leader Certification Program is a personal professional credential for those who have completed the Cyber Readiness Program. Both are highly recommended.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn
Live on Cyber with Dr. Stan Stahl: Join Julie Morris and me as we discuss Multi-Factor Authentication (MFA / 2FA) … what it is and why it’s a vital piece of defense. Our conversation follows a survey by the Cyber Readiness Institute, our Security Nonprofit of the Week. The survey showed that more than half of small and medium-sized business owners do not use multi-factor authentication and only 28% who provide multi-factor authentication options require its use. MFA is one of the most important things individuals and organizations can do to protect their online accounts. As Nike says: Just do it!!
Section 2 – Personal Data Care – Security and Privacy
Important data care stories for protecting yourself and your family.
- 8 common Facebook Marketplace scams and how to avoid them: Here’s what to watch out for when buying or selling stuff on the online marketplace and how to tell if you’re being scammed. … Last year, Facebook Marketplace passed one billion global users. In so doing, it’s become a giant of the consumer-to-consumer space, allowing individual Facebook users to buy from and sell to each other seamlessly. It has surpassed the popularity of Craigslist for several reasons. It’s also free and simple to use, as most people already have a Facebook account. It allows users to search for listings from their local area, making pick-up much easier. And because people can view sellers’ profiles, they feel more assured of safety and security on the site. Unfortunately, this is often a false sense of security. WeLiveSecurity, July 6, 2022
- Hackers are using YouTube videos to trick people into installing malware: Cybercriminals have begun to lean on YouTube as a means of distributing potent malware, security experts have discovered. Tech Radar, July 6, 2022
Keep your browser up to date. Review your privacy and security settings.
- Why Browser Vulnerabilities Are a Serious Threat — and How to Minimize Your Risk: Everyone uses browsers to access a wide range of networked systems, from shopping sites to enterprise management. As a result, browsers collect tons of sensitive information — from passwords to credit card data — that hackers are eager to get their hands on. DARK Reading, July 5, 2022
And take advantage of the protections browsers offer.
- New Firefox privacy feature strips URLs of tracking parameters: Mozilla Firefox 102 was released today with a new privacy feature that strips parameters from URLs that are used to track you around the web. Bleeping Computer, June 28, 2022
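To show what a query-stripping feature of this kind does, here is an added illustration (not Mozilla's code, and not from the article): it removes a set of well-known tracking parameters from a URL while leaving the rest of the query and the fragment intact. The parameter list is an assumption for the example; Firefox maintains its own list.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of tracking parameters for illustration only; Firefox's
# built-in strip list is maintained by Mozilla and may differ.
TRACKING_PARAMS = frozenset({
    "fbclid", "gclid", "mc_eid", "mkt_tok", "_hsenc",
    "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content",
})


def find_tracking_params(url, tracking=TRACKING_PARAMS):
    """Return the sorted list of tracking parameter names present in url."""
    query = urlsplit(url).query
    names = {k for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(n for n in names if n.lower() in tracking)


def strip_tracking_params(url, tracking=TRACKING_PARAMS):
    """Remove tracking parameters from the query string of url.

    Non-tracking parameters keep their order, and the fragment (the part
    after '#') is passed through unchanged.
    """
    parts = urlsplit(url)
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.lower() not in tracking
    ]
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment)
    )


if __name__ == "__main__":
    # Constructed sample link of the kind found in newsletters and social feeds.
    sample = "https://example.com/article?id=42&fbclid=abc123&utm_source=newsletter#top"
    print(find_tracking_params(sample))
    print(strip_tracking_params(sample))
```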
Section 3 – General Data Care, Cybersecurity, and Privacy Stories
Data Care, cybersecurity and privacy stories for those wanting a deeper look.
This week continues to see its share of cyber attacks.
- Marriott Hotels admits to third data breach in 4 years: Digital thieves made off with 20GB of internal documents and customer data. The Register, July 6, 2022
- SHI Hit By ‘Coordinated And Professional Malware Attack’: The IT solutions provider’s email and website knocked out of action for a while, but says customers are safe. CRN, July 6, 2022
- How a fake job offer took down the world’s most popular crypto game: Hackers duped a senior engineer at Axie Infinity into applying for a job at a fictitious company. … The scheme resulted in the loss of $540 million in crypto earlier this year. The Block, July 6, 2022
- Medical debt collection firm says ransomware attack exposed info on 650+ healthcare orgs: A February ransomware attack on a medical debt collection company caused a widespread data breach affecting 657 healthcare organizations. The Record, July 8, 2022
- Disneyland investigating compromised Facebook and Instagram accounts: Disneyland officials are investigating an incident that occurred on Thursday morning in which the Facebook and Instagram accounts of the theme park were hacked and used to send several offensive messages. The Record, July 7, 2022
- In a big potential breach, a hacker offers to sell a Chinese police database: For about $200,000, an unidentified person or group is offering what is described as data on a billion Chinese citizens. A sampling seemed to show the data to be genuine. … In what may be one of the largest known breaches of Chinese personal data, a hacker has offered to sell a Shanghai police database that could contain information on perhaps one billion Chinese citizens. The New York Times, July 5, 2022
Three stories on cyber warnings to help us get prepared for an attack.
- China: MI5 and FBI heads warn of ‘immense’ threat: The heads of UK and US security services have made an unprecedented joint appearance to warn of the threat from China. … FBI director Christopher Wray said China was the “biggest long-term threat to our economic and national security” and had interfered in politics, including recent elections. … MI5 head Ken McCallum said his service had more than doubled its work against Chinese activity in the last three years and would be doubling it again. BBC, July 7, 2022
- North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector: CISA, the Federal Bureau of Investigation (FBI), and the Department of the Treasury (Treasury) have released a joint Cybersecurity Advisory (CSA), North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector, to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations. CISA, July 6, 2022
- Cyberattacks: A very real existential threat to organizations: One in five organizations have teetered on the brink of insolvency after a cyberattack. Can your company keep hackers at bay? … We all know cybersecurity is a critical element of business risk. But how critical? Some boardrooms seem to pay little more than lip service to security and still manage to avoid serious repercussions. That’s why a new report from global insurer Hiscox makes for interesting reading. It actually claims that many European and American organizations have come close to insolvency after security breaches. And while spending is on the rise, fewer global firms than ever are described as cyber-readiness “experts.” WeLiveSecurity, July 4, 2022
For those of us living in California … Being Number 1 isn’t always a good thing.
- California Ranks No. 1 For Data Breaches Costing Billions Of Dollars: California ranks No. 1 in the number of corporate data breach victims according to a new analysis of the five-year period ending in 2021. Patch-Manhattan Beach, July 6, 2022
We continue to see stories of companies who expose sensitive information because they misconfigure their cloud settings.
- Cloud Misconfig Exposes 3TB of Sensitive Airport Data in Amazon S3 Bucket: ‘Lives at Stake’: The unsecured server exposed more than 1.5 million files, including airport worker ID photos and other PII, highlighting the ongoing cloud-security challenges worldwide. DARK Reading, July 6, 2022
And then there are the cybersecurity threats that are on their way.
- These are the cybersecurity threats of tomorrow that you should be thinking about today: The rise of quantum computing, deepfakes, the Internet of Things and more are among the things that could create very real challenges for cybersecurity going forwards. ZD Net, July 5, 2022
Occasionally one gets relatively good cybersecurity stories. Here are two.
- Dutch University retrieves Bitcoin ransomware payment and makes a profit: The Netherlands’ Maastricht University has managed to recoup the Bitcoin ransom it paid to ransomware scum in 2019 – and has made a tidy profit on the deal. The Register, July 5, 2022
- Crema DeFi hacker returns $8 million in stolen funds, awarded a $1.68 million bounty: Decentralized Finance (DeFi) company Crema and a hacker that attacked the platform over the weekend have reached an agreement that will see a majority of the stolen funds returned in exchange for a $1.68 million bounty. The Record, July 7, 2022
The attempt to pass privacy legislation in Washington just hit a roadblock as the US Chamber opposes parts of the current bill.
- US Chamber of Commerce Opposes “Unworkable” Federal Privacy Law Despite Popular Support, Cites Override of State Law and Right to Private Action: Outside of individual tech giants, the US Chamber of Commerce is likely the largest organization standing in opposition to the passage of a federal privacy law. The group has come out against the recently proposed American Data Privacy and Protection Act (ADPPA), citing its priority over individual state law and its guarantee of rights to class action lawsuits as dealbreakers. CPO Magazine, July 7, 2022
And finally … If you are thinking about a career in cybersecurity or know someone who is, this story is for you. With several hundred thousand openings and no college degree needed, cybersecurity offers great career opportunities.
- CISA and NPower offer free entry-level cybersecurity training: NPower, a US-based non-profit participating in a cybersecurity workforce development program started by the Cybersecurity and Infrastructure Agency (CISA), is looking for recruits for a free cybersecurity training program aimed at underserved populations in the US, including women, people of color, young adults, and military veterans and their spouses. The program is part of CISA’s wider effort to address the cyber workforce shortage in the short and long term. Help Net Security, July 6, 2022
Section 4 – Data Care in the Organization
Stories to support executives and top management in securing their organizations.
We can’t emphasize enough the importance of using Multi-Factor Authentication (MFA / 2FA) to protect access to critical information. Thanks to the Cyber Readiness Institute for their survey showing the dismal state of MFA usage.
- Global Small and Medium-Sized Businesses Slow to Move to More Secure Multi-Factor Authentication Account Access Method, New Cyber Readiness Institute Survey Finds: More Than Half of Small and Medium-Sized Business Owners Do Not Use Multi-Factor Authentication … Only 28% Who Provide Multi-Factor Authentication Options Require Its Use. Cyber Readiness Institute
- Smaller Companies Are Urged to Adopt Multifactor Authentication: The inconvenience of multiple login steps pales next to the risk of using only passwords, experts say. Wall Street Journal, July 5, 2022