A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.
Stan’s Top of the News
Our top stories are again on privacy in a post-Roe world. Even as the discussion centers on privacy relative to abortion, the privacy implications go far beyond abortion to any activity that any state or any one might not like. Abortion privacy post-Roe is the canary-in-the-coal-mine that will influence how we the people define our privacy rights, the legal limits to invasions of our privacy, and the steps we all individually need to take to protect our privacy, both from unfriendly government and hacker vigilantes. This is such an important story that SecureTheVillage is hosting a special webinar on the subject.
- Roe v. Wade Was Overturned: Here’s How Your Phone Could Be Used to Spy on You: With Roe v. Wade overturned, so-called trigger laws already passed in 13 states will ban abortion in large parts of the country. Here’s how your smartphone could be used to prosecute you if you do decide to have an abortion in an area where it’s criminalized. Scientific American, June 24, 2022
- HHS issues new guidance on post-Roe v. Wade patient privacy: The US Department of Health and Human Services Office for Civil Rights has released new guidance aimed at patient privacy in the wake of last week’s Supreme Court ruling that overturned Roe v. Wade, holding that there is no longer a federal constitutional right to an abortion. CNN, June 29, 2022
- The future of privacy rights in a post-Roe world: Privacy experts fear the Supreme Court’s decision to overturn federal abortion rights will erode other key protections and expose daily life online to criminal investigations. Axios, June 29.
Hold The Date … July 21 11:00AM PT
Roe v Wade: Critical Implications for Our Personal Privacy, SecureTheVillage Community Webinar, July 21, 11AM PT: The overturning of Roe v Wade has upended what privacy means for every single person in the USA. We invite you to a webinar with legal and privacy experts to learn what this ruling means for your personal privacy and safety. The panelists will explore the privacy implications of the Supreme Court’s recent ruling, outline expected legal intrusions by states on personal privacy, discuss how new state laws directly incentivize vigilantes and hackers, and share tangible strategies on how to protect oneself, including minimizing the vast ‘data footprint’ created by our use of everyday technology. This lively discussion will be relevant to any gender, sexual orientation, or political affiliation, as some Justices have suggested that other monumental cases could be revisited, implying we may expect even more dramatic challenges to our privacy rights going forward.
Happy Independence Day.
We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.
Security Nonprofit of the Week … Sightline Security
Our kudos this week to Sightline Security, a nonprofit that helps nonprofits secure and protect their critical information. Their mission is to equip, empower, and support global nonprofits to navigate and embed cybersecurity into their organizations with confidence. Sightline Security is on the front lines helping health service nonprofits protect sensitive patient data as it comes under attack in post-Roe America. Kudos to Sightline Security for their cyber support to the vital under-served nonprofit community.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn
Live on Cyber with Dr. Stan Stahl: Join Julie Morris and me as we discuss data privacy in post-Roe America.
Section 2 – Personal Data Care – Security and Privacy
Important data care stories for protecting yourself and your family.
#Don’tTrust#AlwaysVerify. This week’s Zelle scam story is another reminder.
- Zelle Scams: Take These 4 Steps to Protect Your Money From Fraud: Criminals are using the banking payment service Zelle to scam unsuspecting consumers. … Free payment service Zelle has become a mainstay for commercial banking customers — over 100 million people have access to the app via their bank accounts. While the service is simple and quick, its instant, irreversible transactions have made it an attractive target for scam artists. CNET, June 27, 2022
Some good news from the FCC as we struggle against spam phone calls.
- FCC says it closed a loophole that many robocallers used to evade blocking: Starting today, small carriers must use STIR/SHAKEN Caller ID authentication tech. … The Federal Communications Commission today said it closed a robocall loophole by requiring small phone companies to implement the caller ID authentication technology known as STIR and SHAKEN. Ars technica, June 30, 2022
Section 3 – General Data Care, Cybersecurity, and Privacy Stories
Data Care, cybersecurity and privacy stories for those wanting a deeper look.
This week’s cybercrime stories include another supply-chain attack, this one a provider of employment software to governments. And North Korea is at it again as cybercrime continues to help them skirt economic blockades.
- Publishing giant Macmillan still unable to process orders after ransomware attack: Publishing giant Macmillan is in the process of recovering from a ransomware attack that has left it unable to process orders electronically. The Record, July 1, 2022
- Cyberattack Shuts Down Unemployment Services in Several States: The incident risks stopping tens of thousands of Americans from claiming their unemployment benefits on time. … The incident involves a Florida-based company called Geographic Solutions Inc. (GSI), which markets itself as a leading provider of employment software for government agencies. Starting on Tuesday, numerous state labor departments including those in California, Louisiana, and Tennessee reported that an outage at Geographic Solutions had forced them to take their online unemployment services offline. PC Mag, July 1, 2022
- North Korea accused of orchestrating $100 million Harmony crypto hack: Hackers connected to a prolific North Korea military-backed group have been accused of orchestrating the recent $100 million hack of blockchain company Harmony. The Record, June 30, 2022
Another #Don’tTrust#AlwaysVerify story
- Fake copyright infringement emails install LockBit ransomware: The recipients of these emails are warned about a copyright violation, allegedly having used media files without the creator’s license. These emails demand that the recipient remove the infringing content from their websites, or they will face legal action. Bleeping Computer, June 26, 2022
And here’s another way cybercriminals are monetizing their hacking capabilities. You’re in a lawsuit. You go into court. And you discover that your opponent knows your strategy, knows what your witnesses will say, and knows your strategy for combatting their strategy. Puts you at major disadvantage.
- How mercenary hackers sway litigation battles: A trove of thousands of email records uncovered by Reuters reveals Indian cyber mercenaries hacking parties involved in lawsuits around the world – showing how hired spies have become the secret weapon of litigants seeking an edge. Reuters, June 30, 2022
This next story is about an egregious cyber-leak — a file containing extremely sensitive PII was left exposed and unprotected for several hours on the Internet. Think of it as leaving $10,000 sitting in a bag on a park bench for several hours. It’s possible no one would notice the bag of money and it would still be there when you returned. It’s also possible the money would be gone. It’s the same for files left unprotected on the Internet.
- California Department of Justice Alerts Individuals Impacted by Exposure of Personal Information from 2022 Firearms Dashboard: The California Department of Justice has announced that personal information was disclosed in connection with the June 27, 2022 update of its Firearms Dashboard Portal. California Office of the Attorney General, June 29, 2022
These next two stories are about dangerous infrastructure risks. Imagine a ransomware attack that shut down the elevators in an office building — with people in them — until a ransom was paid. Or a cyber-attack on a plane in the air. The sky may be falling so slowly that few notice. But it is falling. And it’s falling faster.
- Microsoft Exchange bug abused to hack building automation systems: A Chinese-speaking threat actor has hacked into the building automation systems (used to control HVAC, fire, and security functions) of several Asian organizations to backdoor their networks and gain access to more secured areas in their networks. Bleeping Computer, June 27, 2022
- Hackers can bring ships and planes to a grinding halt. And it could become much more common: Vast container ships and chunky freight planes — essential in today’s global economy — can now be brought to halt by a new generation of code warriors…. “The reality is that an aeroplane or vessel, like any digital system, can be hacked,” David Emm, principal security researcher at Kaspersky, told CNBC. … In December, German firm Hellmann Worldwide Logistics said its operations had been impacted by a phishing attack. CNBC, June 27, 2002
Is the person you’re interviewing real or fake? Is your new Facebook friend real or fake? Welcome to the world of “Deep Fakes.”
- This co-worker does not exist: FBI warns of deepfakes interviewing for tech jobs: A lot of people are worried about the prospect of competing with AI for their jobs, but this probably isn’t what they were expecting. The FBI has warned of an uptick in cases where “deepfakes” and stolen personal information are being used to apply for jobs in the U.S. — including faking video interviews. Don’t dust off the Voight-Kampff test just yet, though. TechCrunch, June 28, 2022
To conclude this section here are several stories on cyber-defense, including an initiative by the State Department to help secure our elections.
- Ex-Uber security chief accused of hushing database breach must face fraud charges: A US judge yesterday threw out an attempt to dismiss wire fraud charges against a former Uber employee accused of trying to cover up a computer crime. The Register, June 29, 2022
- Carnival Cruises torpedoed by US states, agrees to pay $6m after wave of cyberattacks: Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyberattacks. The Register, June 28, 2022
- DOJ sets new goals for responding to ransomware attacks: The Justice Department said it wants to increase the percentage of reported ransomware incidents it handles to 65% by September 2023. The Record, July 1, 2022
- Canada’s National Police Force Admits Use of Spyware to Hack Phones: The Royal Canadian Mounted Police says it only uses such tools in the most serious cases, when less intrusive techniques are unsuccessful. … In a “remarkable” disclosure, Canada’s national police force has described for the first time how it uses spyware to infiltrate mobile devices and collect data, including by remotely turning on the camera and microphone of a suspect’s phone or laptop. Homeland Security Today, July 2, 2022
- State Department offers up to $10 million for info on foreign interference in U.S. Elections : The State Department announced on Thursday that it is offering up to $10 million for tips about foreign interference in U.S. elections, including illegal cyber activities. … The cash, offered through the department’s Rewards for Justice program, would be for any information that leads to the identification or location of any foreign person or entity “who knowingly engaged or is engaging in foreign election interference.” The Record, July 1, 2022
Section 4 – Data Care in the Organization
Stories to support executives and top management in securing their organizations.
Kudos as always to our Federal partners, the security folks at the National Institute of Standards and Technology (NIST) and the Cybersecurity & Infrastructure Security Agency (CISA). Their work is vital in keeping us cyber-safe.
- NIST Releases New macOS Security Guidance for Organizations: The National Institute of Standards and Technology (NIST) has published the final version of its guidance on securing macOS endpoints and assessing their security. … “This document and the mSCP GitHub site are intended for system administrators, security professionals, policy authors, privacy officers, and auditors who have responsibilities involving macOS security. Additionally, vendors of device management, security, configuration assessment, and compliance tools that support macOS may find this document and the GitHub site to be helpful,” NIST says. Security Week, June 27, 2022
- CISA Adds Eight Known Exploited Vulnerabilities to Catalog: CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates. Cybersecurity & Infrastructure Agency, June 27, 2022