Cybersecurity News of the Week, July 3, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

Our top stories are again on privacy in a post-Roe world. Even as the discussion centers on privacy relative to abortion, the privacy implications go far beyond abortion to any activity that any state or any one might not like. Abortion privacy post-Roe is the canary-in-the-coal-mine that will influence how we the people define our privacy rights, the legal limits to invasions of our privacy, and the steps we all individually need to take to protect our privacy, both from unfriendly government and hacker vigilantes. This is such an important story that SecureTheVillage is hosting a special webinar on the subject.

  • Roe v. Wade Was Overturned: Here’s How Your Phone Could Be Used to Spy on You: With Roe v. Wade overturned, so-called trigger laws already passed in 13 states will ban abortion in large parts of the country. Here’s how your smartphone could be used to prosecute you if you do decide to have an abortion in an area where it’s criminalized. Scientific American, June 24, 2022
  • HHS issues new guidance on post-Roe v. Wade patient privacy: The US Department of Health and Human Services Office for Civil Rights has released new guidance aimed at patient privacy in the wake of last week’s Supreme Court ruling that overturned Roe v. Wade, holding that there is no longer a federal constitutional right to an abortion. CNN, June 29, 2022
  • The future of privacy rights in a post-Roe world: Privacy experts fear the Supreme Court’s decision to overturn federal abortion rights will erode other key protections and expose daily life online to criminal investigations. Axios, June 29.

Hold The Date … July 21 11:00AM PT

Roe v Wade: Critical Implications for Our Personal Privacy, SecureTheVillage Community Webinar, July 21, 11AM PT: The overturning of Roe v Wade has upended what privacy means for every single person in the USA.  We invite you to a webinar with legal and privacy experts to learn what this ruling means for your personal privacy and safety. The panelists will explore the privacy implications of the Supreme Court’s recent ruling, outline expected legal intrusions by states on personal privacy, discuss how new state laws directly incentivize vigilantes and hackers, and share tangible strategies on how to protect oneself, including minimizing the vast ‘data footprint’ created by our use of everyday technology. This lively discussion will be relevant to any gender, sexual orientation, or political affiliation, as some Justices have suggested that other monumental cases could be revisited, implying we may expect even more dramatic challenges to our privacy rights going forward. 

Happy Independence Day.

We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.

Security Nonprofit of the Week … Sightline Security

Our kudos this week to Sightline Security, a nonprofit that helps nonprofits secure and protect their critical information. Their mission is to equip, empower, and support global nonprofits to navigate and embed cybersecurity into their organizations with confidence.  Sightline Security is on the front lines helping health service nonprofits protect sensitive patient data as it comes under attack in post-Roe America. Kudos to Sightline Security for their cyber support to the vital under-served nonprofit community.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: Join Julie Morris and me as we discuss data privacy in post-Roe America.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

#Don’tTrust#AlwaysVerify. This week’s Zelle scam story is another reminder.

  • Zelle Scams: Take These 4 Steps to Protect Your Money From Fraud: Criminals are using the banking payment service Zelle to scam unsuspecting consumers. … Free payment service Zelle has become a mainstay for commercial banking customers — over 100 million people have access to the app via their bank accounts. While the service is simple and quick, its instant, irreversible transactions have made it an attractive target for scam artists. CNET, June 27, 2022

Some good news from the FCC as we struggle against spam phone calls.

  • FCC says it closed a loophole that many robocallers used to evade blocking: Starting today, small carriers must use STIR/SHAKEN Caller ID authentication tech. … The Federal Communications Commission today said it closed a robocall loophole by requiring small phone companies to implement the caller ID authentication technology known as STIR and SHAKEN. Ars technica, June 30, 2022

Section 3 – General Data Care, Cybersecurity, and Privacy Stories

Data Care, cybersecurity and privacy stories for those wanting a deeper look.

This week’s cybercrime stories include another supply-chain attack, this one a provider of employment software to governments. And North Korea is at it again as cybercrime continues to help them skirt economic blockades.

  • Publishing giant Macmillan still unable to process orders after ransomware attack: Publishing giant Macmillan is in the process of recovering from a ransomware attack that has left it unable to process orders electronically. The Record, July 1, 2022
  • Cyberattack Shuts Down Unemployment Services in Several States: The incident risks stopping tens of thousands of Americans from claiming their unemployment benefits on time. … The incident involves a Florida-based company called Geographic Solutions Inc. (GSI), which markets itself as a leading provider of employment software for government agencies. Starting on Tuesday, numerous state labor departments including those in California, Louisiana, and Tennessee reported that an outage at Geographic Solutions had forced them to take their online unemployment services offline. PC Mag, July 1, 2022
  • North Korea accused of orchestrating $100 million Harmony crypto hack: Hackers connected to a prolific North Korea military-backed group have been accused of orchestrating the recent $100 million hack of blockchain company Harmony. The Record, June 30, 2022

Another #Don’tTrust#AlwaysVerify story

  • Fake copyright infringement emails install LockBit ransomware: The recipients of these emails are warned about a copyright violation, allegedly having used media files without the creator’s license. These emails demand that the recipient remove the infringing content from their websites, or they will face legal action. Bleeping Computer, June 26, 2022

And here’s another way cybercriminals are monetizing their hacking capabilities. You’re in a lawsuit. You go into court. And you discover that your opponent knows your strategy, knows what your witnesses will say, and knows your strategy for combatting their strategy. Puts you at major disadvantage.

  • How mercenary hackers sway litigation battles: A trove of thousands of email records uncovered by Reuters reveals Indian cyber mercenaries hacking parties involved in lawsuits around the world – showing how hired spies have become the secret weapon of litigants seeking an edge. Reuters, June 30, 2022

This next story is about an egregious cyber-leak — a file containing extremely sensitive PII was left exposed and unprotected for several hours on the Internet. Think of it as leaving $10,000 sitting in a bag on a park bench for several hours. It’s possible no one would notice the bag of money and it would still be there when you returned. It’s also possible the money would be gone. It’s the same for files left unprotected on the Internet.

These next two stories are about dangerous infrastructure risks. Imagine a ransomware attack that shut down the elevators in an office building — with people in them — until a ransom was paid. Or a cyber-attack on a plane in the air. The sky may be falling so slowly that few notice. But it is falling. And it’s falling faster.

  • Microsoft Exchange bug abused to hack building automation systems: A Chinese-speaking threat actor has hacked into the building automation systems (used to control HVAC, fire, and security functions) of several Asian organizations to backdoor their networks and gain access to more secured areas in their networks. Bleeping Computer, June 27, 2022
  • Hackers can bring ships and planes to a grinding halt. And it could become much more common: Vast container ships and chunky freight planes — essential in today’s global economy — can now be brought to halt by a new generation of code warriors…. “The reality is that an aeroplane or vessel, like any digital system, can be hacked,” David Emm, principal security researcher at Kaspersky, told CNBC. … In December, German firm Hellmann Worldwide Logistics said its operations had been impacted by a phishing attack. CNBC, June 27, 2002

Is the person you’re interviewing real or fake? Is your new Facebook friend real or fake? Welcome to the world of “Deep Fakes.”

  • This co-worker does not exist: FBI warns of deepfakes interviewing for tech jobs: A lot of people are worried about the prospect of competing with AI for their jobs, but this probably isn’t what they were expecting. The FBI has warned of an uptick in cases where “deepfakes” and stolen personal information are being used to apply for jobs in the U.S. — including faking video interviews. Don’t dust off the Voight-Kampff test just yet, though. TechCrunch, June 28, 2022

To conclude this section here are several stories on cyber-defense, including an initiative by the State Department to help secure our elections.

Section 4 – Data Care in the Organization

Stories to support executives and top management in securing their organizations.

Kudos as always to our Federal partners, the security folks at the National Institute of Standards and Technology (NIST) and the Cybersecurity & Infrastructure Security Agency (CISA). Their work is vital in keeping us cyber-safe.

  • NIST Releases New macOS Security Guidance for Organizations: The National Institute of Standards and Technology (NIST) has published the final version of its guidance on securing macOS endpoints and assessing their security. … “This document and the mSCP GitHub site are intended for system administrators, security professionals, policy authors, privacy officers, and auditors who have responsibilities involving macOS security. Additionally, vendors of device management, security, configuration assessment, and compliance tools that support macOS may find this document and the GitHub site to be helpful,” NIST says. Security Week, June 27, 2022
  • CISA Adds Eight Known Exploited Vulnerabilities to Catalog: CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates.  Cybersecurity & Infrastructure Agency, June 27, 2022

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge