Cybersecurity News of the Week, June 25, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

This week’s Top of the News continues to be driven by the continuing MOVEit disaster. This week more MOVEit customers disclosed having lost confidential information, including the nation’s two largest retirement funds, California’s CalPERS and CalSTRS, the New York Public Schools, consulting giants EY and PwC, and countless more.

Imagine innocently standing on the corner of an intersection when a car goes out of control and hits you. This is what the MOVEit disaster looks like to its victims: innocently standing on the corner going about our business when, thwack, an out-of-control car hits us. It’s what most cybercrime and cyber-scams look like to the victims.

The MOVEit disaster screams to us to do something. Cybercrime and breaches of our privacy have gotten out of hand. There must be a better way.

And there is a better way, if only organizations that write applications like MOVEit were incentivized to adopt it. The problem is that today, they are not. The incentives for improved cybersecurity are misaligned, as companies only have to pass a very low security and privacy bar to sell their products. This misalignment is made worse by the reality that too few of our midsize and smaller organizations have the vast security and privacy expertise to know what it is they need to insist upon.

Forty years ago I worked for a company that provided advanced software engineering services to the Air Force. Our role was to make certain the algorithms that controlled launching our nuclear missiles were secure and private. Forty years ago we knew that if you wanted a secure algorithm that would keep information private, you had to build it into the algorithm. Writing the algorithm and then trying to secure it was a fool’s errand.

The twin concepts of “Security / Privacy by Design” and “Security / Privacy by Default” are just what they sound like. We build security and privacy into our applications and other algorithms just like we install brakes in our cars. And we install air belts and other crash systems into our cars so we are less likely to be injured when the inevitable collision occurs; that’s safety by default.

Based on the news, it’s likely that the root cause of MOVEit’s troubles was a failure to build “Security and Privacy by Design” into the MOVEit algorithm. And any reasonable implementation of “Security / Privacy by Default” would have led Progress to better encrypt their customers’ sensitive information, keeping the stolen information safe when the breach occurred.

Every organization out there should take the MOVEit disaster as an opportunity to look at all the vendors you use that have access to your information. Ask them about their “Security / Privacy by Design” and “Security / Privacy by Default” practices. Let them know that these practices are important to you. Ask your IT service providers the same question.

And we all need to support the Biden administration’s call to require “Security / Privacy by Design” and “Security / Privacy by Default” in all systems the government uses.

The economics of algorithms are such that we won’t get better security and privacy unless we demand it, just as we didn’t get safer cars until the 1960s, when we demanded it.

Sadly, until the incentives change, our mid-size and smaller businesses and our families will continue to bear the brunt of cybercrime and assaults on our privacy. SecureTheVillage will continue to advocate for improved security and privacy engineering practices as we work to help the community better protect itself.

Let’s use the MOVEit debacle to move the needle on our security and privacy.

Links

New. Family Protection Newsletter: Did you know we created the Family Protection Newsletter, for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. We feature info on how to freeze your credit and what ‘marriage scams’ are in Edition 1. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription!

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz; your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

Cyber Humor

Security Nonprofit of the Week … Global Cyber Alliance (GCA)

Kudos this week to cybersecurity nonprofit Global Cyber Alliance (GCA). GCA builds practical, measurable solutions and easy-to-use tools, and they work with partners to accelerate adoption around the world. GCA recently partnered with the Public Interest Registry to develop an explainer video on cybersecurity risks to mission-based/non-profit organizations and how to use the cybersecurity toolkit for those organizations to address those risks. The video is embedded in the mission-based organization toolkit. GCA was one of the founders of Nonprofit Cyber, the first-of-its-kind coalition of global nonprofit organizations to enhance joint action to improve cybersecurity. SecureTheVillage is a proud member of Nonprofit Cyber.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

Vineyards and Breaches: (Video) (Podcast): Dr. Stahl, back from his Portugal holiday, riffs on Douro Valley vineyards and cybersecurity, highlighting their shared complexities and team dynamics. Julie and Stan get practical as they segue from the delights of Portuguese wine to the recent MOVEit breach. They provide advice for individuals and smaller organizations who might be impacted by the breach or want to learn from it. This leads to a discussion of the need for organizations that develop applications like MOVEit to implement principles of “Security and Privacy by Design” and “Security and Privacy by Default”, pillars of the Administration’s National Cybersecurity Strategy.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.

Scams against the elderly are often devastating. Let’s warn our elders.

Fake sextortion schemes linked to teen suicides.

  • How AI is helping scammers target victims in “sextortion” schemes: Rapidly advancing AI technologies are making it easier for scammers to extort victims, including children, by doctoring innocent photos into fake pornographic content, experts and police say. … The warnings coincide with a general “explosion” of “sextortion” schemes targeting children and teens that have been linked to more than a dozen suicides, according to the FBI. … The National Center for Missing & Exploited Children has recently received reports of manipulated images of victims being shared on social media and other platforms, says John Shehan, a senior vice president at the organization.

Private health data under attack (See our recent webinar Invasion of the Body & Mind (Data) Snatchers)

  • Americans’ most private data is under threat. Here’s how to protect it: A new bill would protect reproductive and sexual health data. … Like millions of other young people, I use a period app to track my cycle. But in the post-Roe era, that could lead to serious consequences — even jail time. That’s because there are almost no federal protections for our reproductive and sexual health data. The information you leave behind in period and fertility tracking apps, ride-sharing apps, search engines, browsing history, location data and more can be sold and shared without your consent with advertisers, data brokers or even law enforcement.

Have an ASUS router? Update now!!

Section 3 – Cybersecurity News for the Cyber-Concerned.

Signs of progress.

  • Google announces $20 million investment for cyber clinics: The announcement dovetails with growing interest in Congress to invest in the next generation of the cyber workforce. … Google is committing more than $20 million dollars to support the creation and expansion of cybersecurity clinics at 20 higher education institutions across the United States, the company announced on Thursday.
  • What’s Working: What happened since Colorado invested in Colorado Springs as a cybersecurity hub: The city had a big head start with five nearby military bases. Now the region’s cybersecurity growth is on the map and ahead of metro areas like Denver. … Along North Nevada Avenue in Colorado Springs, a nondescript building in a shade similar to a manila folder houses tenants who are anything but vanilla. … In one area, retired U.S. Air Force Lt. General Harry D. Raduege leads a small team at the National Cybersecurity Center, a nonprofit helping small and medium-sized businesses get the tools and support needed to battle malicious cyberthreats.
  • Protecting Nonprofits Through Cybersecurity Volunteering: Nonprofits are frequent targets of cyber attacks due to their access to sensitive information from high-risk communities and the large amount of money they raise each year. Criminals often manage to steal these funds because nonprofits lack basic security controls. A key obstacle for nonprofits is access to cybersecurity experts. – Adrien Ogee, Chief Operations Officer, Cyber Peace Initiative
  • Hacker responsible for 2020 Twitter breach sentenced to prison: Three years after one of the most visible hacks in recent history played out in real-time in front of millions of Twitter users, one of the hackers responsible for the breach will now serve time in federal prison. … Joseph James O’Connor, 24, was sentenced Friday in a New York federal court to five years in prison after pleading guilty in May to four counts of computer hacking, wire fraud and cyberstalking. O’Connor also agreed to forfeit at least $794,000 to the victims of his crimes.
  • DOJ establishes cybercrime enforcement unit as U.S. warnings mount over Chinese hacking: Assistant Attorney General for National Security Matt Olsen said the center will speed up disruption campaigns and prosecutions. … The Department of Justice established a cyber-focused section within its National Security Division to combat the full range of digital crimes, a top department official said Tuesday. … The National Security Cyber Section — NatSec Cyber, for short — has been approved by Congress and will elevate cyberthreats to “equal footing” with other major national security issues, including counterterrorism and counterintelligence, Assistant Attorney General for National Security Matt Olsen said in remarks at the Hoover Institution in Washington.
  • SEC Alleges SolarWinds CFO, CISO Violated US Securities Laws: The Securities and Exchange Commission accused SolarWinds CFO Bart Kalsu and CISO Tim Brown of violating securities laws in their response to a high-profile software supply chain cyberattack in 2020. Kalsu and Brown could face monetary penalties and a public company officer ban.

Securing our homes and businesses will take more than slogans and public service announcements.

A fascinating look from Krebs on Security at a critical element of the malware ecosystem.

  • Why Malware Crypting Services Deserve More Scrutiny: If you operate a cybercrime business that relies on disseminating malicious software, you probably also spend a good deal of time trying to disguise or “crypt” your malware so that it appears benign to antivirus and security products. In fact, the process of “crypting” malware is sufficiently complex and time-consuming that most serious cybercrooks will outsource this critical function to a handful of trusted third parties. This story explores the history and identity behind Cryptor[.]biz, a long-running crypting service that is trusted by some of the biggest names in cybercrime.

This Week in the world of cybercrime

  • Capital One becomes latest bank affected by cyberattack on debt-buying giant: Capital One is the latest financial institution to reveal that it was affected by a cyberattack on NCB Management Services, a company that purchases debt.
  • SMS Phishers Harvested Phone Numbers, Shipment Data from UPS Tracking Tool: The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. “smishing”) messages that spoofed UPS and other top brands. The missives addressed recipients by name, included details about recent orders, and warned that those orders wouldn’t be shipped unless the customer paid an added delivery fee.
  • Hackers use fake OnlyFans pics to drop info-stealing malware: A malware campaign is using fake OnlyFans content and adult lures to install a remote access trojan known as ‘DcRAT,’ allowing threat actors to steal data and credentials or deploy ransomware on the infected device. … OnlyFans is a content subscription service where paid subscribers can access private photos, videos, and posts from adult models, celebrities, and social media personalities. … It is a widely used site and a highly recognizable name, so it can act as a magnet for people looking to access paid content for free.
  • Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces: Over 101,100 compromised OpenAI ChatGPT account credentials have found their way on illicit dark web marketplaces between June 2022 and May 2023, with India alone accounting for 12,632 stolen credentials. … The credentials were discovered within information stealer logs made available for sale on the cybercrime underground, Group-IB said in a report shared with The Hacker News.
  • Hackers threaten to leak 80GB of confidential data stolen from Reddit: Hackers are threatening to release confidential data stolen from Reddit unless the company pays a ransom demand – and reverses its controversial API price hikes. … In a post on its dark web leak site, the BlackCat ransomware gang, also known as ALPHV, claims to have stolen 80 gigabytes of compressed data from Reddit during a February breach of the company’s systems.
  • Microsoft says early June disruptions to Outlook, cloud platform, were cyberattacks: Microsoft says the early June 2023 disruptions to its flagship office suite — including the Outlook email and OneDrive file-sharing apps — were denial-of-service attacks by a shadowy new hacktivist group.

Section 4 – Managing Information Security and Privacy in Your Organization.

For your IT Team: Patch Now!!

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge