This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.
Stan’s Top of the News
This week’s top story is the release of the Biden-Harris Administration National Cybersecurity Strategy. The strategy is designed to make our digital ecosystem
- Defensible, where cyber defense is overwhelmingly easier, cheaper, and more effective;
- Resilient, where cyber incidents and errors have little widespread or lasting impact; and,
- Values-aligned, where our most cherished values shape—and are in turn reinforced by— our digital world.
The strategic approach is to build and enhance collaboration around five pillars:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
As described in The Wall Street Journal, “The strategy offers a sober assessment of mounting security risks associated with the accelerating integration of digital and physical realities into every facet of daily life, business and commerce that has defined the 21st century—a trend it says has made the problem of insecure technology an urgent national priority.” As a result, the National Cybersecurity Strategy uses all the “tools of national power in a coordinated manner to protect our national security, public safety, and economic prosperity.”
The most controversial part of the strategy revolves around the need to shift liability for software products and services in order to promote secure development practices. Glenn Gerstell, the former general counsel of the National Security Agency, described it as follows. “In the rush to market you can’t cut corners on safety. That’s why builders of apartment houses that collapse and makers of baby strollers that crumple are liable when people get hurt. Now we’re doing that for cyber.”
SecureTheVillage friend Critical Insight is hosting a webinar on the strategy on Tuesday, March 7.
SecureTheVillage will continue our work at ground-level in support of the strategy.
- Increase defensibility and resilience of our mid-size and smaller businesses
- Increase defensibility and resilience of our families
- Support the development of a diverse and robust cybersecure workforce
Here are some links for further information. The first item on the list, highly recommended, is an in-depth hour-long discussion with key architects of the Strategy:
- The Biden-Harris Administration’s National Cybersecurity Strategy, Join CSIS for a discussion on the Strategy with remarks from Acting National Cyber Director Kemba Walden and Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger. Center for Strategic & International Studies, March 2, 2023
- Biden National Cyber Strategy Seeks to Hold Software Firms Liable for Insecurity: Markets have imposed ‘inadequate costs’ on companies that build vulnerable technology, it says. The Wall Street Journal, March 2, 2023
- How the U.S. National Cyber Strategy Reaches Beyond Government Agencies, Significant shifts in government policy emphasize private-sector responsibility for cybersecurity, WSJ Pro Cybersecurity, March 2, 2023
- New Biden Cybersecurity Strategy Assigns Responsibility to Tech Firms, The policy document urges more mandates on the firms that control most of the nation’s digital infrastructure, and an expanded government role to disrupt hackers and state-sponsored entities. The New York Times, March 2, 2023
- Cybersecurity’s Third Rail: Software Liability, In calling for responsibility on those in the software supply chain best positioned to know their product and control the processes that would address risk factors, the administration is saying it is time for software development and services to catch up with the rest of the legal and economic framework. Lawfare Blog, March 3, 2023
- Five under-the-radar parts of Biden’s national security strategy, The Washington Post, March 2, 2023
- The New National Cybersecurity Strategy—A Strategic Step Forward | Opinion; Frank J. Cilluffo , director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, Newsweek, March 2, 2023
How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.
- How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz, as your answers will help you and guide us to improve community safety.
Upcoming events. Please join us.
- Urgent Panel Discussion: Immediate Impacts of the New National Cybersecurity Strategy: SecureTheVillage friend, Critical Insight is hosting a special webinar on the new National Cybersecurity Strategy released by the White House. The strategy calls for major changes in the Public and Private Sectors. The Strategy has some long-awaited initiatives and some controversial and surprising proposals. Tue, March 7, 12:00 pm – 1:00 pm PST
- Los Angeles Cybersecurity Workforce Coalition: The monthly meeting of the workforce coalition, Tue, March 7, 1:00 pm – 2:00 pm PST
Cyber Humor

Cybersecurity Nonprofit of the Week … OpenSecurityTraining2
Our kudos this week go to OpenSecurityTraining2 (https://p.ost2.fyi). OST2 is a nonprofit that provides free multi-day security classes online. Re-launched in 2021 and built on top of the Open edX learning management system from MIT, it currently offers deep technical vocational training on topics such as assembly language, OS internals, firmware security, reverse engineering, vulnerability hunting, and secure C software development. OST2 is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits that includes SecureTheVillage.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

SecureTheVillage is on a mission to make Los Angeles the cyber-safest city in America. … Join Stan and Julie as they riff on SecureTheVillage’s big hairy audacious goal. Why it’s needed — from the Boardroom to the living room — and how SecureTheVillage is organizing the village to accomplish it. … This episode is somewhat more personal than most as Stan shares parts of his own life’s journey that brought him to founding SecureTheVillage more than seven years ago. … As always, Stan and Julie provide actionable tips and thoughtful wisdom in a fun conversation on the complexities of cybersecurity and privacy. (Video) (Podcast)
Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.
Scams are popping up everywhere. Is protecting ourselves enough?: Online scams have been around for decades but consumer protections remain limited while scammers get more sophisticated, experts say. … The Federal Trade Commission, the federal government’s arm that is in charge of enforcing consumer protection laws, reported that Americans lost more than $6 billion to fraud in 2021, and more than 2.9 million people reported losing a median of $500. USA Today, March 2, 2023
Study details how data brokers are ‘willing and able’ to sell your mental health records: Data brokers are capitalizing off the sale of Americans’ mental health data, a new report from Duke University’s Sanford School of Public Policy found. … “The research is critical as more depressed and anxious individuals utilize personal devices and software-based health-tracking applications… often unknowingly putting their sensitive mental health data at risk,” the study found. “This report finds that the industry appears to lack a set of best practices for handling individuals’ mental health data, particularly in the areas of privacy and buyer vetting.” … According to the report, which reached out to 37 different data brokers inquiring about mental health data, 26 responded and 11 firms “were ultimately willing and able to sell the requested mental health data.” Yahoo!Finance, February 26, 2023
9 questions about the threats to ban TikTok, answered: So you heard TikTok’s being banned. Here’s what’s actually happening. Vox, March 2, 2023
Section 3 – Cybersecurity News for the Cyber-Concerned.
It’s not just you: Cybercriminals are also using ChatGPT to make their jobs easier: The cybersecurity industry is already seeing evidence of ChatGPT’s use by criminals. … ChatGPT can quickly generate targeted phishing emails or malicious code for malware attacks. … AI companies could be held liable for chatbots counseling criminals since Section 230 may not apply. … Whether it is writing essays or analyzing data, ChatGPT can be used to lighten a person’s workload. That goes for cybercriminals too. Business Insider, February 25, 2023
Biometric-Privacy Rulings in Illinois Expand Potential Liability for Companies: State law focuses on data collection from facial recognition, retinal scans and fingerprinting. … Illinois is the only state that allows individuals to sue over biometric-privacy violations. … A pair of court rulings have expanded the scope of an Illinois biometric-privacy law that already was one of the toughest in the U.S., increasing potential civil liability for companies that collect personal data through facial-recognition technology, retinal scans or fingerprinting. The Wall Street Journal, February 27, 2023
LastPass says employee’s home computer was hacked and corporate vault taken: Already smarting from a breach that stole customer vaults, LastPass has more bad news. … Already smarting from a breach that put partially encrypted login data into a threat actor’s hands, LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers. ars technica, February 27, 2023
US introduces new rules to protect water systems from hackers: The US Environmental Protection Agency on Friday announced new requirements for public water facilities to boost their cybersecurity while expressing concern that many facilities have failed to take basic steps to protect themselves from hackers. CNN, March 3, 2023
Mounting Cyber Threats Mean Financial Firms Urgently Need Better Safeguards: Regulators and supervisors must act now to strengthen the prudential framework. … Cyber attackers continue to target the financial sector. What will happen when an attack takes down a bank or other critical platform, locking users out of their accounts? … Among emerging market and developing economies, most financial supervisors haven’t introduced cybersecurity regulations or built resources to enforce them, according to a recent IMF survey of 51 countries. International Monetary Fund Blog, March 2, 2023
Cybercrime site shows off with a free leak of 2 million stolen card numbers: A Russian-language dark web shop known as BidenCash recently attracted attention from cybersecurity researchers by posting a leak — for free — of 2 million stolen payment card numbers. The Record, March 3, 2023
This week in cybercrime.
- Chick-fil-A: 71,000 customers had financial information stolen during cyberattack: Fast food giant Chick-fil-A said more than 71,000 of its customers had their financial information stolen from their website during a breach lasting from December to February. The Record, March 3, 2023
- Tennessee State, Southeastern Louisiana universities hit with cyberattacks: Two universities in Tennessee and Louisiana are struggling with cyberattacks that have crippled campus services and left students scrambling to find alternative tools. The Record, March 2, 2023
- Washington state public bus system confirms ransomware attack: A public transportation system serving parts of Washington state has confirmed that a ransomware attack two weeks ago disrupted some of its systems. … Pierce Transit — which provides bus, van and carpool services primarily to the city of Tacoma and the surrounding Pierce County area — said the ransomware attack started on February 14 and forced the organization to put temporary workarounds in place. The Record, March 2, 2023
- Hackers claim Oakland ransomware attack, leak ‘confidential’ data: Play Ransomware, the hacker group claiming responsibility for a ransomware attack on Oakland in February, has published confidential data. … The group claims the leak contains 10 gigabytes of compressed data. SFGATE, March 3, 2023
- Oregon City server outage caused by ‘sophisticated ransomware attack,’ officials say: Investigators say the computer problems that hindered government business in Oregon City earlier this month were caused by a cyberattack, according to a statement from the city Monday. The Oregonian, February 27, 2023
Section 4 – Managing Information Security and Privacy in Your Organization.
Everybody Wants Least Privilege, So Why Isn’t Anyone Achieving It?: Overcoming the obstacles of this security principle can mitigate the damages of an attack. … When I was forming the idea for the company that would become Veza, my co-founders and I interviewed dozens of chief information security officers (CISOs) and chief information officers (CIOs). No matter the size and maturity of their modern tech-savvy companies, we heard one theme over and over: They could not see who had access to their company’s most sensitive data. Every one of them subscribed to the principle of least privilege, but none of them could say how close their company came to achieving it. DARK Reading, March 2, 2023