Cybersecurity News of the Week, March 17, 2024

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

Kudos to The New York Times for their 2-part automobile privacy story. Did you know that the manufacturer of your car may be selling your driving history to the insurance industry? Neither did I. I must say I’m not surprised. It’s not illegal. And one of the strengths of unfettered capitalism is to ferret out and exploit opportunities to create value. All this data is highly valuable to the insurance industry. So one manufacturer (only one?) sells it to them. What could be more natural than that? I hate regulations but this cries out for consumer protection. At the very least, the requirement must be a transparent easy-to-understand opt-in.

  • Automakers Are Sharing Consumers’ Driving Behavior With Insurance Companies: LexisNexis, which generates consumer risk profiles for the insurers, knew about every trip G.M. drivers had taken in their cars, including when they sped, braked too hard or accelerated rapidly.
  • Florida Man Sues G.M. and LexisNexis Over Sale of His Cadillac Data: Romeo Chicco’s auto insurance rate doubled because of information about his speeding, braking and acceleration, according to his complaint. … In a lawsuit, Romeo Chicco said data on his driving habits from his own XT6 was shared with insurers without his consent. … When Romeo Chicco tried to get auto insurance in December, seven different companies rejected him. When he eventually obtained insurance, it was nearly double the rate he was previously paying. According to a federal complaint filed this week seeking class-action status, it was because his 2021 Cadillac XT6 had been spying on him.

Small and Midsize Organizations. Take your security to the next level. Apply Now! If you’re a small business, nonprofit, or IT / MSP in the greater Los Angeles area, apply NOW for LA Cybersecure, a pilot program with coaching and guidance that costs less than two cups of coffee a week. https://securethevillage.org/la-cybersecure-pilot/ The LA Cybersecure Pilot Program is funded by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.

Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription! 

How Hackable Are You? Take our test. Find out how hackable you are and download our free updated 13-step guide.

  • How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basics. Please take our short test as your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

  • Los Angeles Cybersecurity Workforce Coalition: The monthly meeting of the workforce coalition, Tue, April 2, 1:00 pm – 2:00 pm PT. The LA Cybersecurity Workforce Coalition is for employers, educators, government, nonprofits, and others with a professional interest in the cybersecurity workforce challenge.
  • Information Security Threat Briefing – A DFPI / FBI / SecureTheVillage Collaboration: SecureTheVillage in collaboration with the CA Department of Financial Protection and Innovation (DFPI) is hosting a cybersecurity threat briefing specifically designed for financial institutions, other fintech organizations, and their IT service providers, MSPs, insurance brokers, and others. FBI Supervisory Special Agent (SSA) Michael Sohn is the keynote speaker. Friday, April 19, 8:30 am – 10:00 am PT.

Please Support SecureTheVillage.

  • We need your help if we’re to build a world of CyberGuardians TM. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village. TM

Cyber Humor

Cybersecurity Nonprofit of the Week  …  The CyberPeace Institute

Kudos this week to the CyberPeace Institute, an independent and neutral nongovernmental organization whose mission is to ensure the rights of people to security, dignity and equity in cyberspace. The CyberPeace Institute is home to the Humanitarian Cybersecurity Center (HCC). The HCC provides expert support and practical free cyber assistance to non-governmental Organizations (NGOs), tailored to their needs and located anywhere in the world. Through its Cyber Attacks in Times of Conflict Platform #Ukraine, the CyberPeace Institute is tracking cyberattacks and operations targeting critical infrastructure and civilian objects in Ukraine. The CyberPeace Institute is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

Tip of the Week: Different websites need different passwords. Why? Read the next story. 15,000 Roku users had their accounts stolen when hackers tried passwords associated with each user’s name on lists of passwords stolen from other websites.

  • Hackers stole 15,000 Roku accounts to sell on the dark web: On Friday, March 8, Roku sent out a notification to over 15,000 users to inform them about their accounts being breached by hackers. … Roku explained in the letter that the hackers likely obtained user data from other data breaches and used leaked username and password combinations to access Roku accounts. After gaining access to the Roku accounts, the hackers changed login details and, in some instances, tried to purchase streaming subscriptions with the stored credit card information.

Another sad story of a scam. Please make sure the people you love are sensitive to these scams. Let them know they can call you if they’re unsure. Practice the conversation with smiles on your faces. Protect the people you love. Be a CyberGuardian TM.

  • ‘This can happen to anyone’: Sonoma County woman scammed out of $20,000 urges others to be aware: Even three weeks later, it’s hard for Judith Gage to reckon with the sense of violation and vulnerability she feels after falling for an elaborate scam that started with a message appearing on her frozen computer screen and ended many hours later with her giving $20,000 cash to a man at the bottom of her driveway. … Despite consumer warnings and news stories and policy efforts to rein in scamming, in 2023, nationwide fraud losses topped $14 billion for the first time, according to FTC data, a 14% increase over 2022.

Good basic advice for securing your smart home. Always ask yourself the key question: “Do I need to connect my range or my refrigerator to the Wi-Fi?” Really? Why? Every device in your smart home that can connect to the Internet is one more place where the bad guys can get in.

  • How to Protect Your Smart Home From Hackers: Thermostats. Doorbells. Ovens. Everything is connected to the internet these days—and vulnerable to cyberattacks. … The problem isn’t simply that somebody can hack a refrigerator or dishwasher, of course. It’s that once a bad actor breaches one of these devices, he or she potentially could control every other device on your home network … including confidential financial and other records.

Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.

The ongoing implications of the cyberattack on Change Healthcare continue. Our hearts go out to the millions of innocent victims of this failure. To Change Healthcare, it’s money. To the victims who can’t get their drugs, it’s their lives.

An excellent story on how artificial intelligence is adding to the disinformation polluting our national conversation as we head into the 2024 election. For an excellent in-depth look at this national challenge, see Barbara McQuade’s new book “Attack from Within: How Disinformation Is Sabotaging America.” 

  • Election disinformation takes a big leap with AI being used to deceive worldwide: From Bangladesh to Slovakia, AI-generated deepfakes have been undermining elections around the globe. Experts say their reach and sophistication is a sign of things to come in consequential elections later this year. … Artificial intelligence is supercharging the threat of election disinformation worldwide, making it easy for anyone with a smartphone and a devious imagination to create fake – but convincing – content aimed at fooling voters. … It marks a quantum leap from a few years ago, when creating phony photos, videos or audio clips required teams of people with time, technical skill and money. Now, using free and low-cost generative artificial intelligence services from companies like Google and OpenAI, anyone can create high-quality “deepfakes” with just a simple text prompt.

Kudos to our overworked and understaffed Department of Justice and F.B.I. Keep in mind that this is a tiny fraction of what’s being stolen by cybercriminals. It’s a far more effective strategy to learn and practice good data care and information security habits. Be grateful for law enforcement, but remember it starts with you.

Honor among thieves? … A moment of schadenfreude, a moment to take pleasure in the misfortune of our enemies. It seems a dark web marketplace – where cybercriminals buy and sell each other’s stolen information – has shut down, leaving their customers out millions of dollars. Now they’re threatening to turn over their customers’ information to law enforcement unless they pay an extortion fee.

  • Incognito Darknet Market Mass-Extorts Buyers, Sellers: Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an “exit scam” that left users unable to withdraw millions of dollars worth of funds from the platform.

And now back to the reality of cybercrimes in the news this week.

  • Billion-dollar boat seller MarineMax reports cyberattack to SEC: A cyberattack has disrupted operations at one of the world’s biggest boat sellers, the company said in regulatory filings this week. … MarineMax, which calls itself the world’s largest recreational boat, yacht, and superyacht services company, filed documents with the Securities and Exchange Commission on Tuesday afternoon describing the incident, which began Sunday. 
  • Stanford University Data Breach Impacts 27,000 Individuals: Stanford University has started notifying 27,000 individuals that their personal information was stolen in a ransomware attack on its Department of Public Safety (DPS). … The incident was discovered on September 27, 2023, but the attackers had access to the Stanford DPS network beginning May 12. The hackers were evicted from the environment and the network was secured shortly after the attack was discovered, the university says.

Here’s a focused look by NPR on the cyber breaches in our public schools. It’s a deeply troubling matter when our students have their personal information — much of it extremely sensitive — wind up for sale on the dark web.

  • Hackers are targeting a surprising group of people: young public school students: When Celeste Gravatt first heard about a data breach in her kids’ school system in February 2023, it sounded innocuous. … “I didn’t really think anything of it at first,” Gravatt says. … In a written statement, the district said it sent written notice of the attack to more than 105,000 people who may have been impacted by it. “This breach was actually really huge,” Gravatt says. “And it wasn’t just school records. It was health records, it was all sorts of things that should be privileged information that are now just out there floating around for anybody to buy.” … It’s an example of a growing nationwide trend in which hackers are targeting a surprising group of people: young public school students.

Section 4 – Managing Information Security and Privacy in Your Organization.

Four very interesting stories this week on the cybersecurity challenges faced by our businesses and nonprofits.

  • If Companies Are So Focused on Cybersecurity, Why Are Data Breaches Still Rising?: One reason: Ransomware gangs are on the rise, allowing even criminals with minimal computer knowledge to get into the game. … Evolving ransomware attacks, cloud misconfigurations and vendor vulnerabilities are helping to drive an increase in data breaches, says MIT professor Stuart Madnick. … Organizations are spending more money than ever on cybersecurity—an estimated $188 billion globally in 2023, a figure expected to grow to almost $215 billion in 2024—yet hackers always seem to stay a step ahead. … The number of reported data breaches in the U.S. rose to a record 3,205 in 2023, up 78% from 2022 and 72% from the previous high-water mark in 2021, according to the nonprofit Identity Theft Resource Center. Trends are similar in other parts of the world. … What can explain these two seemingly contradictory statistics?
  • Here’s Another Reason a Supplier Should Care if Its Customer Is Hacked: Accountants will charge you higher auditing fees, even if you didn’t suffer any cyberattack
  • As Boards Focus More on Cybersecurity, Are They Missing One of the Biggest Threats?: The weak link inside organizations might be the very people responsible for making sure companies aren’t vulnerable to attack. … Most companies don’t seem to be preparing directors to anticipate, respond to or avoid cyberattacks on themselves.
  • The CISO Role Is Changing. Can CISOs Themselves Keep Up?: What happens to security leaders that don’t communicate security well enough? “Ask SolarWinds.” … In a wide-ranging press Q&A at CPX 2024 in Las Vegas, a panel of CISOs and vice presidents (VPs) of international organizations conferred on how digital transformation, bottom line pressures, and lack of security awareness have forced a shift in the nature of their positions–broadly, from being technical to businesslike, and highly social.

For the technical folk, important updates to Fortinet firewalls. Get these on your patching schedule.

  • Fortinet Discloses Two ‘Critical’ Vulnerabilities, Three High-Severity Flaws: The five newly disclosed vulnerabilities prompted CISA to release an advisory warning Tuesday. … Fortinet disclosed five new vulnerabilities with severity ratings of “critical” or “high” Tuesday, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to release an advisory warning. … The flaws impact Fortinet products including FortiClient EMS (Enterprise Management Server) and FortiManager as well as FortiOS and FortiProxy.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge