This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.
Stan’s Top of the News
Our lead story this week is the hack of a company that covertly spies on its victims.
Any of us could be walking around with LetMeSpy installed on our phone. We wouldn’t know it because LetMeSpy hides itself when it’s installed. Maybe your employer installed it so they could monitor your location at work. Maybe it was installed by a suspicious spouse. Maybe it was installed by a stalker. Whoever installed it, it wasn’t you. And now your sensitive information is in the database of a cybercriminal gang halfway around the world.
As if this blatant violation of your privacy isn’t enough, you are now at increased risk of identity theft, extortion, and cyber scams. All through no fault of your own.
This is wrong. Period. Full stop.
We must not tolerate surveillance spyware installed without a person’s knowledge and consent. Our privacy laws need to strictly control surveillance applications like LetMeSpy. Our smartphones need to be designed to keep apps like LetMeSpy from being covert. And victims need a personal right of action against the stalkers and the apps they use.
I look forward to seeing federal, state, and civil action against this company and the people who installed it without the user’s permission.
And while we’re waiting, this is a good time to freeze your credit if you haven’t already done so. If you need help doing this, take our How Hackable Are You? test and follow the instructions in our downloadable guide.
- LetMeSpy, a phone tracking app spying on thousands, says it was hacked: A hacker has stolen the messages, call logs and locations intercepted by a widely used phone monitoring app called LetMeSpy, according to the company that makes the spyware. … The phone monitoring app, which is used to spy on thousands of people using Android phones around the world, said in a notice on June 21, “a security incident occurred involving obtaining unauthorized access to the data of website users. … As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts,” the notice read. … LetMeSpy is a type of phone monitoring app that is marketed for parental control or employee monitoring. The app is also specifically designed to stay hidden on a phone’s home screen, making it difficult to detect and remove. Also known as stalkerware or spouseware, these kinds of phone monitoring apps are often planted by someone — such as spouses or domestic partners — with physical access to a person’s phone, without their consent or knowledge.
New. Family Protection Newsletter: Did you know we created the Family Protection Newsletter, for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription!
How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.
- How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basics. Please take our short quiz as your answers will help you and guide us to improve community safety.
Upcoming events. Please join us.
- Los Angeles Cybersecurity Workforce Coalition: The monthly meeting of the workforce coalition, Tue, July 11, 1:00 pm – 2:00 pm PT.
Cyber Humor
Cybersecurity Nonprofit of the Week … The Anti Phishing Working Group (APWG)
Kudos this week to the Anti Phishing Working Group (APWG). APWG unifies the global response to common cybercrimes and related infrastructure abuse through technical diplomacy; curation of a real-time clearinghouse of internet event data; development of applied research; and deployment and maintenance of global cybersecurity awareness campaigns. Like SecureTheVillage, APWG is a fellow-member of Nonprofit Cyber.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform
We Must Insist on Better: (Video) (Podcast): Cybercrime is out of control. If you don’t believe us just look at the MOVEit disaster. Join Stan and Julie for a no-holds-barred discussion of how the market encourages poor security and the things we the people can do about it. We’re talking market forces, consumer pressure, and the need for sensible regulations. We’re talking making “Security by Design” and “Security by Default” requirements for software just like brakes and seat belts are required in the cars we buy. As always, Stan and Julie provide actionable tips and thoughtful wisdom in a fun conversation on the complexities of cybersecurity and privacy.
Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.
Have an Android? You’re under attack. Don’t trust your applications. Don’t trust SMS messages.
- Mobile Cyberattacks Soar, Especially Against Android Users: The number of malware samples is up as attackers aim to compromise users where they work and play: Their smartphones. … Attackers are increasingly targeting users through their mobile devices, attacking vulnerabilities in services that are built into applications and mounting increasing numbers of SMS phishing attacks. … That’s according to mobile security firm Zimperium’s 2023 “Global Mobile Threat Report,” which also found that the average number of unique mobile malware samples grew 51% in 2022, totaling an average of 77,000 unique malware samples found every month. About a quarter of application samples submitted to public repositories — 23% of Android apps and 24% of iOS apps — were malicious, according to data in the report.
Section 3 – Cybersecurity News for the Cyber-Concerned.
National Cybersecurity: While the White House and CISA move forward aggressively, 50 Federal Civilian Executive Branch (FCEB) organizations egregiously fail the “reasonable cybersecurity” test.
- White House releases cybersecurity budget priorities for FY 2025: The Biden administration noted that department and agencies are expected to follow the recently released National Cybersecurity Strategy.
- CISA finalizes key guidance for agencies to secure cloud services: The Cybersecurity and Infrastructure Security Agency is releasing finalized guidance for agencies today detailing how they can secure widely used cloud-based business applications and gain greater visibility into threats lurking on their networks.
- Hundreds of devices found violating new CISA federal agency directive: Censys researchers have discovered hundreds of Internet-exposed devices on the networks of U.S. federal agencies that have to be secured according to a recently issued CISA Binding Operational Directive. … An analysis of the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations led to the discovery of more than 13,000 individual hosts exposed to Internet access, distributed across over 100 systems linked to FCEB agencies. … Of these, Censys discovered hundreds allowing access to the management interfaces of various network appliances.
Encryption technology, privacy, and law enforcement: No simple answers.
- An encryption exodus looms over UK’s Online Safety Bill: The backlash against the encryption-busting Online Safety Bill continues to grow, suggesting the United Kingdom could soon face a looming exodus of secure messaging apps. … First drafted in May 2021, the Online Safety Bill would allow the U.K. government to compel backdoor access to any end-to-end encryption system. While the government claims the complex legislation would make the internet safer by requiring social media giants to remove illegal and harmful content online, such as revenge porn and hate speech, the bill has been met with widespread criticism from tech giants, security experts and privacy advocates.
Must a business alert customers who may be scam victims?
- FTC Says Walmart Facilitated Scams That Stole Hundreds of Millions: Today the FTC announced that it has filed an amended complaint against Walmart in the U.S. District Court for the Northern District of Illinois. The FTC says Walmart failed to properly protect its wire transfer service that, allowed scammers to use it to steal hundreds of millions of dollars. … According to the amended complaint, “Walmart for years turned a blind eye while scammers took advantage of its failure to properly secure the money transfer services offered at Walmart stores. Walmart did not properly train its employees, failed to warn customers, and used procedures that allowed scammers to cash out at its stores, according to the FTC’s complaint.” The FTC said in its statement today.
Solar Winds expects executives to face SEC charges over CISO accountability.
- SolarWinds says SEC investigation ‘progressing to charges’: SolarWinds — the technology firm at the center of a December 2020 hack that affected multiple U.S. government agencies — said its executives may soon face charges from the U.S. Securities and Exchange Commission (SEC) for its response to the incident.
- SEC action sends ripples over CISO accountability for data breaches: SolarWinds recently disclosed that the Securities and Exchange Commission notified top executives of pending legal action over the company’s landmark data breach — a step that some have described as unprecedented. … That’s because the company’s chief information security officer is among those who received a notice, “likely the first time a CISO has ever received one of these,” Jamil Farshchi, CISO at Equifax, said on LinkedIn.
This week in cybercrime includes new MOVEit victims and a political hack on Ft. Worth.
- Hackers Claim $70 Million Ransomware Attack on TSMC via Supplier: The LockBit ransomware group claims it has hacked TSMC, with TSMC stating that one of its suppliers has been breached. The cybercriminals are demanding a ransom of $70 million by August 6 and threaten to leak considerable amount of sensitive data. TSMC told SecurityWeek that its network had not been breached, but one of its IT hardware suppliers had indeed been hacked.
- Canadian oil giant Suncor confirms cyberattack after countrywide outages: The Canadian oil giant Suncor has confirmed that a cyberattack was the cause of widespread outages that ground services to a halt throughout the weekend. … The issues began on Friday, when customers reported problems logging into the app and website for Petro-Canada, a gas station chain owned by Suncor. Employees told CTV News on Saturday that they could only accept cash at a number of gas stations.
- Trans-Rights Hacktivists Steal City of Ft. Worth’s Data: In a security breach first discovered on June 23, Fort Worth, a north Texas city that has more than 935,000 residents, announced that hacktivist threat actors gained unauthorized access to its data. … The hacking group known as SiegedSec accessed thousands of files with administrator logins, but is making no ransom demands… The group claiming responsibility for the cyberattack said it was carried out for political reasons. Specifically, what it deemed to be recent anti-transgender legislation in the state of Texas, stating, “Texas happens to be one of the largest states banning gender affirming care, and for that, we have made Texas our target.”
- Two major energy corporations added to growing MOVEit victim list: Leading global energy companies Schneider Electric and Siemens Energy are the latest victims in the MOVEit vulnerability.
- UCLA among victims of worldwide cyber attack: UCLA confirmed this week that it is among dozens of institutions and companies that had data stolen in a cyber attack that government officials have blamed on a Russian ransomware gang known as, “CL0P.”
A dangerous hypothesis if true about MOVEit
- Russia is targeting the US homeland with its strategy of Cyber Armageddon. A Russia linked ransomware bug attacked the Department of Energy last week: Multiple federal agencies were struck with a massive Russian cyberattack, among them the Department of Energy, which manages U.S. nuclear infrastructure and sets America’s nuclear policy. The new attack has been devastating as millions of Americans and countless businesses, organizations, schools and universities had their data compromised with a destructive ransomware bug. But what’s even more terrifying is its intent. Russian President Putin is almost certainly messaging to Team Biden that Moscow has the wherewithal to unleash a much more crippling attack on the U.S. homeland, resulting in a Cyber Armageddon.
Section 4 – Managing Information Security and Privacy in Your Organization.
Is your law firm putting you at risk? Have you assessed their security controls?
- It’s Open Season on Law Firms for Ransomware & Cyberattacks: An increasing rash of ransomware attacks on law firms prompted the UK’s National Cyber Security Centre to release a threat report last week advising the legal sector that their clients’ deepest, darkest, most sensitive secrets are in the crosshairs of some of the most prolific ransomware actors on the scene — and its time to get serious about securing legal sector networks.
CISO and CIO roles are merging in what could be a dangerous trend.
- Security Chiefs Take On IT Roles as More Infrastructure Moves Online: Chief information security officers balance sometimes competing interests. … About 19% of CISOs at publicly traded companies also have responsibility for IT, according to a survey of 650 security executives published in April by Hitch Partners. Among private companies, 46% of CISOs hold the double role, the recruiting firm found.
Strengthen your defenses as the Solar Winds gang is back at it.
- Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers: Microsoft has disclosed that it’s detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard. … The intrusions, which make use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant’s threat intelligence team said. … The cybercrime Russian group, which drew worldwide attention for the SolarWinds supply chain compromise in December 2020, has continued to rely on unseen tooling in its targeted attacks aimed at foreign ministries and diplomatic entities.
