Cybersecurity News of the Week, July 23, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

This week’s Top of the News is two stories about China’s cyber spying on America. Our first story, from The Wall Street Journal, shows China got to the top of the food chain. The second story, from The New York Times, points out that this serious hack is – to China – just “ordinary espionage.” Beyond spying, China is estimated to steal $600 billion per year of America’s intellectual property by breaking into the computer networks of American businesses, research labs, and universities. (Both links go behind paywalls.)

  • U.S. Ambassador to China Hacked in China-Linked Spying Operation: Hackers linked to Beijing accessed the email account of the U.S. ambassador to China, Nicholas Burns, in an attack that is believed to have compromised at least hundreds of thousands of individual U.S. government emails, according to people familiar with the matter. … Daniel Kritenbrink, the assistant secretary of state for East Asia, was also hacked in the cyber-espionage attack, the people said. The two diplomats are believed to be the two most senior officials at the State Department targeted in the alleged spying campaign disclosed last week, one of the people said.
  • Hacking of Government Email Was Traditional Espionage, Official Says: The hackers penetrated the accounts of senior State Department officials, including the U.S. ambassador to China. … The hack of Microsoft’s cloud that resulted in the compromise of government emails was an example of a traditional espionage threat, a senior National Security Agency official said. … Speaking at the Aspen Security Forum, Rob Joyce, the director of cybersecurity at the N.S.A., said the United States needed to protect its networks from such espionage, but that adversaries would continue to try to secretly extract information from each other. … “It is China doing espionage,” Mr. Joyce said. “It is what nation-states do. We have to defend against it, we need to push back against it. But that is something that happens.”

New. Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? It is for your parents, friends, and those who need to protect themselves in a digital world. Edition 1 features info on how to freeze your credit and what ‘marriage scams’ are. Sign up or share with a friend!

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz; your answers will help you and guide us to improve community safety.

Cybersecurity Nonprofit of the Week … The Global Anti-Scam Alliance

Our kudos this week to the Global Anti-Scam Alliance. Their mission is to protect consumers worldwide from scams and to create a world where people are safe from the financial and emotional trauma caused by online scams. GASA realizes its mission by raising awareness, enabling hands-on tools for consumers and law enforcement, facilitating knowledge sharing, organizing research, supporting the development of (legal) best practices, and offering training and education. Like SecureTheVillage, the Global Anti-Scam Alliance is a fellow member of Nonprofit Cyber.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

Privacy Crisis: (Video) (Podcast): One thing that Americans might be united on is that our tax information is private and is not to be shared. We expect the IRS to protect our tax information and we expect our tax preparers to do the same. Once again our expectations have been dashed. … In this week’s Live on Cyber, Stan and Julie delve into the alarming disclosure that personal tax information was sold to tech giants Google and Meta by tax preparers H&R Block, TaxAct, and Extra Layer. … Stan and Julie urge everyone to raise our voices and demand better data protection – privacy must not be compromised for profit.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

AI makes scamming you easier. Don’t fall victim. Set a code word with family members.

  • Scammers use AI to mimic voices of loved ones in distress: Artificial intelligence is making phone scams more sophisticated — and more believable. Scam artists are now using the technology to clone voices, including those of friends and family. … The disturbing trend is adding to mounting losses due to fraud. Americans lost nearly $9 billion to fraud last year alone – an increase of over 150% in just two years, according to the Federal Trade Commission. … The AI scam, which uses computer-generated voice, has left a trail of emotional devastation. Jennifer DeStefano, a mother, recounted during a U.S. Senate meeting her terrifying encounter with scammers who used the voice of her 15-year-old daughter, claiming they had her. … “Mom, these bad men have me. Help me, help me, help me,” DeStefano said she was told over the phone. … But her daughter was safe in her bed.
  • By criminals, for criminals: AI tool easily generates ‘remarkably persuasive’ fraud emails: An artificial intelligence tool promoted on underground forums shows how AI can help refine cybercrime operations, researchers say. … “In one experiment, we instructed WormGPT to generate an email intended to pressure an unsuspecting account manager into paying a fraudulent invoice,” SlashNext says. “The results were unsettling. WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks.”

Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.

White House moves to provide consumers with basic security information for our smart devices.

In rare bipartisan action, the House Judiciary Committee has advanced legislation closing loopholes allowing data brokers to sell consumer data to law enforcement and federal agencies.

  • Legislation preventing data broker sales to government agencies moves forward: The bill may ultimately be included in a larger surveillance reform package aimed at reforming Section 702. … The House Judiciary Committee on Wednesday advanced legislation closing loopholes that allow data brokers to sell consumer data to law enforcement and federal agencies. … The bill addresses longstanding concerns from civil liberties and privacy advocates that such purchases allow law enforcement to evade the Fourth Amendment, which protects against warrantless searches. In the House, the bill is co-sponsored by four Republicans and four Democrats, including ranking committee member Rep. Jerry Nadler of New York.

Kudos to the FTC and the 50 States. We look forward to your success.

  • FTC Launches Crackdown on Illegal Robocalls, Telemarketing: Action will target VoIP providers that facilitate calls, as well as consent farms that gather and sell consumers’ personal information. … US regulators have launched a nationwide crackdown on companies inundating US consumers with billions of unwanted and illegal telemarketing robocalls. … The action, known as Operation Stop Scam Calls, was announced Tuesday by the Federal Trade Commission and involves more than 100 federal and state law enforcement agencies across the country, as well as the attorneys general of all 50 states and Washington, DC. … “We are taking action against those who trick people into phony consent to receive these calls and those who make it easy and cheap to place these calls,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement announcing the crackdown.

Password manager LastPass works to recover from its breach. I was surprised to read that prior to the breach LastPass did not require its engineers to use LastPass-owned and managed computers.

  • LastPass: The lessons we learnt from our devastating breach: How does one of the biggest password managers that fell the hardest bounce back? … It’s been over half a year since LastPass suffered its catastrophic breach, but still the memory lingers, and for good reason. Despite handling the most sensitive of user information, the company succumbed to the worst possible fate for such a service: backups of users’ entire vaults stolen from right under the company’s nose. … Now many are still reluctant to trust LastPass again. … CEO Karim Toubba hopes to change that, as he told us how LastPass has taken certain steps and put in place various policies to prevent lightning striking twice.

The MOVEit breach continues to ripple through the economy. Estimated losses to date $75,000,000. At least 13 lawsuits filed.

  • Victims of Cyberattack on File-Transfer Tool Pile Up: Data breaches through Progress Software’s MoveIt tool are rippling out to companies that don’t themselves use the product. … The list of companies hit by a cyberattack on a widely used software tool continues to expand and several victims have filed lawsuits alleging mishandling of data. … The continued disclosure of new victims affected by hackers exploiting a vulnerability in MoveIt underscores how cyberattacks can ripple through supply chains. Some companies have been drawn into data breaches without having used MoveIt because their business partners use it. … Since Progress Software disclosed a flaw in MoveIt on May 31, more than 200 companies have said they were affected by cyberattacks on the software, and hackers have claimed credit for attacking close to 400. … At least 13 lawsuits accusing Progress of poor cybersecurity have been filed since the vulnerability was first disclosed in federal courts around the U.S.
  • Clop gang to earn over $75 million from MOVEit extortion attacks: The Clop ransomware gang is expected to earn between $75-100 million from extorting victims of their massive MOVEit data theft campaign. … In a new report released today, Coveware explains that the number of victims paying ransoms has fallen to a record low of 34%, causing ransomware gangs to switch strategies to make their attacks more profitable.

North Korea’s cybercrime activities again in the news. Cybercrime estimated to make up more than half of North Korea’s GDP.

Section 4 – Managing Information Security and Privacy in Your Organization.

In response to criticism following the breach of the State & Commerce Departments, Microsoft to provide security logs.

  • Microsoft to stop locking vital security logs behind $57-per-user monthly plan: US agency urged Microsoft to expand access to logs that can identify cyberattacks. … Microsoft will expand access to important security log data after being criticized for locking detailed audit logs behind a Microsoft 365 enterprise plan that costs $57 per user per month. The logging updates will start rolling out “in September 2023 to all government and commercial customers,” the company said.

The Cybersecurity & Infrastructure Security Agency to help organizations better secure their cloud assets.

  • CISA shares free tools to help secure data in the cloud: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has shared a factsheet providing details on free tools and guidance for securing digital assets after switching to the cloud from on-premises environments. … The newly released factsheet helps network defenders, incident response analysts, and cybersecurity professionals mitigate the risk of information theft and exposure, as well as data encryption and extortion attacks.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.