This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.
Stan’s Top of the News
Special Report: TikTok. TikTok makes this week’s Top of the News as lawmakers in Washington and several states consider banning or otherwise controlling access to it. There are two concerns that are specific to TikTok and its Chinese owner. There is an additional third concern that applies to all social media apps.
First is the concern over spying and the control the Chinese government has over TikTok, both the product and its ranking algorithm.
- According to Lawfare, China’s 2017 National Intelligence Law commands that “any organization or citizen shall support, assist, and cooperate with state intelligence work according to law.” [The law] grants intelligence agencies authority to insist on this support: “state intelligence work organs, when legally carrying forth intelligence work, may demand that concerned organs, organizations, or citizens provide needed support, assistance, and cooperation.” Organizations and citizens must also protect the secrecy of “any state intelligence work secrets of which they are aware.”
- Robert Hubbell described it this way: “Imagine for a moment that the US passed a law that said every software company in the US had to provide the FBI and CIA a ‘back door access’ into their software that would permit covert surveillance of users. Imagine further that every software company was required to assist the FBI and CIA in spying on Americans and was obligated to keep that surveillance secret. Finally, imagine that any US citizen who refused to cooperate with the CIA and FBI in gathering intelligence on US citizens could be jailed for life. Under those conditions, how would you feel about using Google, Bing, Firefox, Word, iMessage, WhatsApp, Gmail, Excel, TurboTax, YouTube, Twitter, Instagram, Spotify, iTunes, Ring Doorbell, Uber, Lyft, and DoorDash?”
The second concern is over control of TikTok’s ranking algorithm. Fast forward to the 2024 election and imagine what is likely to be a close election. Now imagine the impact on the election when the Chinese government orders TikTok to rank user posts so as to spread misinformation and otherwise support China’s election meddling. We the People have a responsibility to ourselves and our posterity to prevent this from happening and to minimize its effect.
- Banning TikTok in the U.S. Is Easier Said Than Done: Legal and practical obstacles could confound any bid to erase the Chinese-owned app’s huge U.S. footprint. The Wall Street Journal, March 25, 2023
- TikTok has your data even if you’ve never used the app: The app collects and transfers data even if deleted, a new report says. … A ban on TikTok in the United States or a sale of the app by its Chinese owner, ByteDance, will not resolve national security concerns or fears TikTok could be used to siphon Americans’ data, according to a new cybersecurity report obtained by ABC News. ABC News, March 16, 2023
- There’s a Problem With Banning TikTok. It’s Called the First Amendment: The First Amendment has so far played only a bit part in the debate about banning TikTok. This may change. If the U.S. government tries to shut down this major communications platform, the First Amendment will certainly have something to say about it. The New York Times, March 24, 2023
- A TikTok Ban May Be Just the Beginning: If the video app is blocked by federal authorities, it could be the beginning of the end for mega-popular Chinese apps in the U.S., and for China’s ambitions to build a software-driven economy. The Wall Street Journal, March 25, 2023
The third concern, exemplified by this next story, is the impact social media apps have on our children, their evolving sense of self, and their mental health. It’s relatively easy to draw a straight line between social media apps and the increase of suicidal thoughts amongst our children.
- Utah governor signs laws requiring parents’ consent for minors to use social media: Utah’s regulations come amid ongoing debates about the impact of social media on young people’s mental health. Four other states are considering similar measures. NBC News, March 23, 2023
All of the above notwithstanding, we also have to keep in mind the impact banning TikTok will have on the entertainment industry.
- Hollywood, music industry brace for a TikTok ban: The entertainment industry has become so reliant on TikTok that banning the app could hurt business, industry insiders say. The Washington Post, March 25, 2023
Nor can we imagine for a minute that politics won’t come into play in a move to ban TikTok.
- TikTok ban would be ‘a slap in the face’ to young Democratic voters, activists warn: Gen Z voters lean overwhelmingly Democratic, but some Democrats warn they’ll stay home if the White House bans their favorite app. NBC News, March 22, 2023
There are no easy answers to the TikTok challenge so stay tuned as we stumble our way through a resolution.
How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.
- How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz; your answers will help you and guide us to improve community safety.
Upcoming events. Please join us.
- Los Angeles Cybersecurity Workforce Coalition: The monthly meeting of the workforce coalition, Tue, April 4, 1:00 pm – 2:00 pm PST
Cyber Humor
Security Nonprofit of the Week … Global Cyber Alliance (GCA)
Kudos this week to cybersecurity nonprofit Global Cyber Alliance (GCA). GCA builds practical, measurable solutions and easy-to-use tools, and they work with partners to accelerate adoption around the world. GCA recently partnered with the Public Interest Registry to develop an explainer video on cybersecurity risks to mission-based/non-profit organizations and how to use GCA’s cybersecurity toolkit for those organizations to address those risks. The video is embedded in the mission-based organization toolkit. GCA was one of the founders of Nonprofit Cyber, the first-of-its-kind coalition of global nonprofit organizations to enhance joint action to improve cybersecurity. SecureTheVillage is a proud member of Nonprofit Cyber.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform
Live on Cyber with Dr. Stan Stahl: (Video) (Podcast):
Ben Franklin famously said “Distrust and caution are the parents of security.” … Join Stan Stahl, PhD and Julie Michelle Morris as they riff on distrust and caution, in Ben’s time and in our own. … Our need to have “distrust and caution” when identities on the Internet are so easy to fake and security is so poor; the wiring instructions from the escrow company may be from hackers who have broken into the escrow company’s computers; the Facebook “friend” you follow may be part of a botnet from China or Russia spewing misinformation and disinformation; the person you’ve fallen in love with online may be a scammer who will steal everything you’ve got. Distrust and caution indeed. … As always, Stan and Julie provide actionable tips and thoughtful wisdom in a fun conversation on the complexities of cybersecurity and privacy.
Cybersecurity Quote of the Week
Section 2 – Managing our security and privacy. Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.
Be careful out there.
- Dirty Dozen: Watch out for scammers using email and text messages to try tricking people during tax season: With the filing deadline quickly approaching, the Internal Revenue Service today urged everyone to remain vigilant against email and text scams aimed at tricking taxpayers about refunds or tax issues. IRS, March 21, 2023
- Fake ChatGPT Chrome Browser Extension Caught Hijacking Facebook Accounts: Google has stepped in to remove a bogus Chrome browser extension from the official Web Store that masqueraded as OpenAI’s ChatGPT service to harvest Facebook session cookies and hijack the accounts. The Hacker News, March 23, 2023
- Warning: AI-generated YouTube Video Tutorials Spreading Infostealer Malware: Threat actors have been increasingly observed using AI-generated YouTube Videos to spread a variety of stealer malware such as Raccoon, RedLine, and Vidar. The Hacker News, March 13, 2023
Manage your privacy.
- Why You Should Opt Out of Sharing Data With Your Mobile Provider: A new breach involving data from nine million AT&T customers is a fresh reminder that your mobile provider likely collects and shares a great deal of information about where you go and what you do with your mobile device — unless and until you affirmatively opt out of this data collection. Here’s a primer on why you might want to do that, and how. Krebs on Security, March 20, 2023
Section 3 – Cybersecurity News for the Cyber-Concerned.
Fasten your seat belts, it’s gonna be a bumpy ride. Our next story is a harbinger of just how crazy we can expect cyberspace to become as the nation navigates Trump’s likely indictment.
- Donald Trump arrested? AI-generated images go viral on Twitter: The Twitter posts showing Donald Trump’s arrest were fabricated through a platform called Midjourney, an AI text-to-image generator. ITP net, March 23, 2023
Our next story is a follow-up to one we had last week.
- The FBI’s BreachForums bust is causing ‘chaos in the cybercrime underground’: The dramatic fall of one of the preeminent cybercrime communities on the web will have major implications for the cybercrime markets. Cyberscoop, March 24, 2023
As expected, cybercriminals have businesses between a rock and a hard place: Pay extortion to keep information private or be sued by the people whose private information was leaked.
- Cancer patient sues medical provider after ransomware group posts her photos online: The suit comes about six weeks after the ransomware group threatened to post sensitive material online if they weren’t paid. Cyberscoop, March 14, 2023
This week in cybercrime. Cybercriminals lower down the food chain seem to have learned from the nation-state attack on SolarWinds: hack a technology company and get online access to all of its customers. We’ve seen it before in hacks of IT service providers. Here are several companies falling victim to the breach of the file transfer service GoAnywhere, used by them all. I doubt that GoAnywhere will recover.
- UK Pension Protection Fund latest victim of GoAnywhere hack: The U.K. Pension Protection Fund, one of Britain’s largest asset owners, managing £39 billion, has confirmed it has been affected by the hack of popular file transfer service GoAnywhere. March 24, 2023
- Hitachi Energy confirms data breach after Clop GoAnywhere attacks: Hitachi Energy confirmed it suffered a data breach after the Clop ransomware gang stole data using a GoAnywhere zero-day vulnerability. Bleeping Computer, March 17, 2023
- City of Toronto and Virgin confirm hackers accessed data through file transfer systems: The City of Toronto and British multinational conglomerate Virgin confirmed that hackers were able to access data through a vulnerability in a popular file transfer service that has affected dozens of organizations in recent weeks. The Record, March 23, 2023
In other cybercrime news.
- A Cyberattack on Ferrari Exposed Customer Data, and the Hacker Is Demanding Ransom: The Italian marque said it will not pay the ransom demanded by the perpetrators. Robb Report, March 22, 2023
- Dole confirms employee data was breached in ransom attack: The Dole Food Company revealed in an SEC filing Wednesday that employee data was accessed during last month’s ransomware attack. Cybernews, March 23, 2023
- Australia’s Latitude takes systems offline, Federal Police investigate cyberattack: Australian fintech firm Latitude Group Holdings Ltd (LFS.AX) said on Monday it had taken its platforms offline as the cyberattack detected last week remained active, adding the Federal Police was investigating the incident. Reuters, March 20, 2023
Section 4 – Managing Information Security and Privacy in Your Organization.
More stories illustrating just how unprepared we are. Tone starts at the top. We need Boards and management to provide cybersecurity leadership.
- Survey Finds Boards Have Work To Do on Cybersecurity: Executive Summary: Despite more than three-quarters of boards having at least one cyber expert among the directors, only three in 10 directors rate their board’s ability to oversee a cyber crisis highly. … More than one-third of directors representing the energy and utilities industry have no board cyber expert, highlighting vulnerability in the critical infrastructure sector. … Board directors largely have confidence in management to effectively deal with cyber risk. Sixteen percent rated management ‘excellent’ and 43% rated management ‘very good’. … Tabletop exercises involving cyber scenarios are lacking. Less than half of all respondents said their board had participated in one or more during the last 12 months. WSJ Pro Cybersecurity, March 20, 2023
- Mid-sized businesses cybersecurity challenges: In the last twelve months, 24% of mid-sized businesses have suffered a cyber attack or are unsure if they have suffered a cyber attack. … 61% of mid-sized businesses do not have dedicated cybersecurity experts in their organization. … 47% of mid-sized businesses do not currently have an incident response plan. … 27% of mid-sized businesses reported having no cyber insurance coverage. HelpNet, March 20, 2023