Cybersecurity News of the Week, July 24, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

This week’s Top of the News demonstrates how active the Federal Government has become in protecting the nation from all kinds of cyber-mischief. We should all be grateful for the work they do.

The Justice Department continues its aggressive activity recovering stolen ransom and other criminal payments.

The FBI and NSA  issued warnings of the threat of foreign interference in the 2022 election. SecureTheVillage is hosting a webinar on election security in September. Stay tuned for details.

The White House held a Summit on the cyber workforce challenge. Kudos to SecureTheVillage friends who participated, including CompTIA, the Cyber Readiness Institute, and nPower. If you’re a young person wondering about a career, or someone considering changing careers—or you know someone who is—consider a career in cyber.

  • FACT SHEET: National Cyber Workforce and Education Summit: On July 19, 2022, National Cyber Director Chris Inglis hosted the National Cyber Workforce and Education Summit at the White House. The event focused on building our Nation’s cyber workforce, improving skills-based pathways to cyber jobs, educating Americans so that they have the skills they need to thrive in our increasingly digital society, and improving Diversity, Equity, Inclusion, and Accessibility (DEIA) in the cyber field. Bringing together entities who employ, train, and educate cyber professionals and Americans at large, the event involved senior U.S. Government officials, senior executives from the private sector, and thought leaders from across the cyber community and the education sector. The White House, July 21, 2022

NIST continues its excellent work as it provides updated guidance for health care security.

  • NIST Updates Guidance for Health Care Cybersecurity: Revised draft publication aims to help organizations comply with HIPAA Security Rule. … In an effort to help health care organizations protect patients’ personal health information, the National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for the health care industry. NIST, July 21, 2022

A new Cyber Safety Review Board issues its first-report … and it’s not good as they expect IT departments to be battling the Log4j vulnerability for a decade.

And, as noted below in Section 4, CISA continues its excellent work providing IT organizations with actionable intelligence, recommendations, and resources on securing the IT infrastructure.

Cyber Humor

Security Nonprofit of the Week … Global Cyber Alliance.

This week’s security nonprofit is the Global Cyber Alliance (GCA). GCA builds practical, measurable solutions and  easy to use tools, and they work with partners to accelerate adoption around the world. GCA has several specialized toolkits, including a toolkit for small to medium sized businesses  and a toolkit for mission-based organizations. GCA was one of the founders of Nonprofit Cyber, the first-of-its-kind coalition of global nonprofit organizations to enhance joint action to improve cybersecurity. SecureTheVillage is a proud member of Nonprofit Cyber.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: Join Julie Morris and me as we discuss the important topic of “resiliency.” Resiliency means you’re able to return to business—continuing to meet your mission—after a cyber-attack. Resilience means your organization “can take a cyber-licking and keep on ticking.” Resilience begins with effectively managing the five cybersecurity functions of the NIST Cybersecurity Framework: Identify. Protect. Detect. Respond. Recover.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

Please. Please. Please. Don’t use qwerty1234 as your password.

The scammers aren’t giving up; they’re shifting tactics. Robotexts have skyrocketed in response to strong FCC robocalls regs.

  • Robocalls have been cut in half, but a study shows robotexts have skyrocketed: A consumer watchdog offers tips on what consumers can do to protect themselves … The U.S. is coming up on the first anniversary of the Federal Communications Commission’s (FCC) effort to make telecoms fight robocalls. The result of those efforts has been consumers receiving nearly half of the scam robocalls they were getting in 2021. Unfortunately, it seems that scammers have adapted and are trying to scam consumers with another method. Consumer Affairs, July 21, 2022

Continuing the privacy stories we’ve been covering since Roe v. Wade was overturned—and in the spirit of last week’s SecureTheVillageWebinar—here’s a dystopian account of how much surveillance is going on here in America.

  • Surveillance is pervasive: Yes, you are being watched, even if no one is looking for you: The U.S. has the largest number of surveillance cameras per person in the world. Cameras are omnipresent on city streets and in hotels, restaurants, malls and offices. They’re also used to screen passengers for the Transportation Security Administration. And then there are smart doorbells and other home security cameras. The Conversation, July 22, 2022

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity and privacy stories to keep you informed.

We have three stories this week on the cyber threat from China

  • CNN Exclusive: FBI investigation determined Chinese-made Huawei equipment could disrupt US nuclear arsenal communications: Washington (CNN)On paper, it looked like a fantastic deal. In 2017, the Chinese government was offering to spend $100 million to build an ornate Chinese garden at the National Arboretum in Washington DC. Complete with temples, pavilions and a 70-foot white pagoda, the project thrilled local officials, who hoped it would attract thousands of tourists every year. … But when US counterintelligence officials began digging into the details, they found numerous red flags. The pagoda, they noted, would have been strategically placed on one of the highest points in Washington DC, just two miles from the US Capitol, a perfect spot for signals intelligence collection, multiple sources familiar with the episode told CNN.  CNN, July 23, 2022
  • Why suspected Chinese spy gear remains in America’s telecom networks: The U.S. is still struggling to complete the break up with Chinese telecom companies that Donald Trump started four years ago. … The problem: Small communications networks, largely in rural areas, are saddled with old Chinese equipment they can’t afford to remove and which they can’t repair if it breaks. The companies say they want to ditch the Chinese tech, but promised funds from Congress aren’t coming quickly enough and aren’t enough to cover the cost. Politico, July 21, 2022
  • Opinion: TikTok proves why we need privacy and foreign software policies: TikTok, one of Generation Z’s favorite social media apps, is once again in hot water. The most recent controversy started in mid-June, when BuzzFeed News reported that China-based employees of ByteDance, the video platform’s parent company, “have repeatedly accessed nonpublic data about US TikTok users” as recently as January. BuzzFeed’s story shows TikTok deserves continued scrutiny. But singular focus on TikTok’s data practices should not obscure concerns about the Chinese government influencing TikTok’s content or overshadow the urgent need for comprehensive national policies on data privacy and foreign software. The Washington Post, July 22, 2022

And, of course, the news wouldn’t be complete without a rundown of some the biggest cybercrimes this week.

  • Digital security giant Entrust breached by ransomware gang: Digital security giant Entrust has confirmed that it suffered a cyberattack where threat actors breached their network and stole data from internal systems. … Entrust is a security firm focused on online trust and identity management, offering a wide range of services, including encrypted communications, secure digital payments, and ID issuance solutions. … Depending on what data was stolen, this attack could impact a large number of critical, and sensitive, organizations who use Entrust for identity management and authentication. Bleeping Computer, July 22, 2022
  • Twitter data breach exposes contact details for 5.4M accounts; on sale for $30k: A Twitter data breach has allowed an attacker to get access to the contact details of 5.4M accounts. Twitter has confirmed the security vulnerability which allowed the data to be extracted. … The data – which ties Twitter handles to phone numbers and email addresses – has been offered for sale on a hacking forum, for $30,000 … 9To5Mac, July 22, 2022
  • Neopets data breach exposes personal data of 69 million members: Virtual pet website Neopets has suffered a data breach leading to the theft of source code and a database containing the personal information of over 69 million members. Bleeping Computer, July 20, 2022
  • Hackers steal 50,000 credit cards from 300 U.S. restaurants: 50k credit cards stolen from 300 U.S. restaurants using skimmers. … Payment card details from customers of more than 300 restaurants have been stolen in two web-skimming campaigns targeting three online ordering platforms. Bleeping Computer, July 19, 2022
  • Hackers stole two billion usernames and passwords in 2021: ForgeRock released its fourth annual breach report today, the 2022 ForgeRock Consumer Identity Breach Report, which revealed that over 2 billion data records containing usernames and passwords were compromised in 2021, an increase of 35% from 2020. VentureBeat, July 19, 2022

These next stories are important for giving us insights about what our adversaries are doing. As Sun Tzu said: If you  don’t know your adversary and you don’t know yourself, you will be imperiled in every battle.

  • The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back: Cybercrime is booming. Between 2008 and 2021, the FBI recorded a 207% increase in cybercrime reports, with losses hitting almost $7bn last year. This is being driven by an increasingly professionalized, specialized and collaborative underground supply chain that is harming individuals and businesses alike. Our latest HP Wolf Security report – The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back – traces the key cybercrime moments and trends over the last 30 years, detailing the dynamics of underground markets today and where they might be headed, and what organizations can do to bolster their defenses. HP Threat Research Blog, July 21, 2022
  • Russian hackers behind SolarWinds breach continue to scour US and European organizations for intel, researchers say: The Russian hackers behind a sweeping 2020 breach of US government networks have in recent months continued to hack US organizations to collect intelligence while also targeting an unnamed European government that is a NATO member, cybersecurity analysts tell CNN. CNN Politics, July 19, 2022
  • Cyber-attacks on Port of Los Angeles have doubled since pandemic: Cyber-attacks on one of the world’s busiest ports have nearly doubled since the start of the Covid pandemic. … The number of monthly attacks targeting the Port of Los Angeles is now around 40 million, the port’s executive director Gene Seroka told the BBC. BBC News, July 22, 2022

This week’s cyber-settlement story begins to bring closure to T-Mobile customers victimized from its egregious 2021 breach. Companies like T-Mobile have a responsibility to implement reasonable cybersecurity and privacy practices and need to be held accountable when they don’t.

  • T-Mobile agrees to $350 million settlement over its massive 2021 data breach: T-Mobile has agreed to pay $500 million to settle a class-action lawsuit stemming from the 2021 hack that it says exposed around 76.6 million US residents’ data. According to the proposed agreement filled on Friday, which you can read in full below, T-Mobile will put $350 million into a settlement fund to go to lawyers, fees, and, of course, to people who file claims. It’ll also be obligated to spend $150 million on “data security and related technology” during 2022 and 2023, in addition to what it had already budgeted for. The Verge, July 22, 2022

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in securing their organizations and protecting  privacy.

#NeverTrust.AlwaysVerify. … Online bank fraud. Business Email Compromise. Don’t be a victim.

  • The biggest cyber-crime threat is also the one that nobody wants to talk about: The FBI warns that $43 billion has been lost to Business Email Compromise (BEC) … While ransomware gets global attention when it takes down vital services and cyber criminals get away with multi-million dollar ransom payments, there’s another big cybersecurity issue that’s costing the world more money, but remains an embarrassing secret for many, even though, according to the FBI, it’s cost victims over $43 billion dollars to date. ZD Net, July 22, 2022

This next story gives some practical advice for managing third-party information risk. 

  • The Kronos Ransomware Attack: What You Need to Know So Your Business Isn’t Next: Identify your business’s security posture and head off ransomware attacks with third-party risk management and vendor security assessments. … On Dec. 11, 2021, Kronos, a workforce management company that services over 40 million people in over 100 countries, received a rude awakening when it realized its Kronos Private Cloud was compromised by a ransomware attack. This was just the beginning of a series of events to follow. Still to this day, millions of employees are short hundreds or even thousands of dollars as the Kronos software fails to reconcile following the attack. DARK Reading, July 21, 2022

And, as I wrote above, we can all sleep a little easier at night with the support we get from CISA.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge