Cybersecurity News of the Week, March 5, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

This week’s top story is the release of the Biden-Harris Administration National Cybersecurity Strategy. The strategy is designed to make our digital ecosystem

  • Defensible, where cyber defense is overwhelmingly easier, cheaper, and more effective;
  • Resilient, where cyber incidents and errors have little widespread or lasting impact; and,
  • Values-aligned, where our most cherished values shape—and are in turn reinforced by—our digital world.

The strategic approach is to build and enhance collaboration around five pillars:

  1. Defend Critical Infrastructure
  2. Disrupt and Dismantle Threat Actors
  3. Shape Market Forces to Drive Security and Resilience
  4. Invest in a Resilient Future
  5. Forge International Partnerships to Pursue Shared Goals

As described in The Wall Street Journal, “The strategy offers a sober assessment of mounting security risks associated with the accelerating integration of digital and physical realities into every facet of daily life, business and commerce that has defined the 21st century—a trend it says has made the problem of insecure technology an urgent national priority.” As a result, the National Cybersecurity Strategy uses all the “tools of national power in a coordinated manner to protect our national security, public safety, and economic prosperity.”

The most controversial part of the strategy revolves around the need to shift liability for software products and services in order to promote secure development practices. Glenn Gerstell, the former general counsel of the National Security Agency, described it as follows: “In the rush to market you can’t cut corners on safety. That’s why builders of apartment houses that collapse and makers of baby strollers that crumple are liable when people get hurt. Now we’re doing that for cyber.”

SecureTheVillage friend Critical Insight is hosting a webinar on the strategy on Tuesday, March 7.

SecureTheVillage will continue our work at the ground level in support of the strategy:

  1. Increase defensibility and resilience of our mid-size and smaller businesses
  2. Increase defensibility and resilience of our families
  3. Support the development of a diverse and robust cybersecure workforce

Here are some links for further information. The first item on the list—highly recommended—is an in-depth hour-long discussion with key architects of the Strategy:

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz, as your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

Cyber Humor

Cybersecurity Nonprofit of the Week  …  OpenSecurityTraining2

Our kudos this week go to OpenSecurityTraining2 (OST2). OST2 is a nonprofit that provides free multi-day security classes online. Re-launched in 2021, built on top of the Open edX learning management system from MIT, it currently has deep technical vocational training on topics such as assembly language, OS internals, firmware security, reverse engineering, vulnerability hunting, and secure C software development. OST2 is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

SecureTheVillage is on a mission to make Los Angeles the cyber-safest city in America. … Join Stan and Julie as they riff on SecureTheVillage’s big hairy audacious goal. Why it’s needed — from the Boardroom to the living room — and how SecureTheVillage is organizing the village to accomplish it. … This episode is somewhat more personal than most as Stan shares parts of his own life’s journey that brought him to founding SecureTheVillage more than seven years ago. … As always, Stan and Julie provide actionable tips and thoughtful wisdom in a fun conversation on the complexities of cybersecurity and privacy. (Video) (Podcast)

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

Scams are popping up everywhere. Is protecting ourselves enough?: Online scams have been around for decades but consumer protections remain limited while scammers get more sophisticated, experts say. … The Federal Trade Commission, the federal government’s arm that is in charge of enforcing consumer protection laws, reported that Americans lost more than $6 billion to fraud in 2021, and more than 2.9 million people reported losing a median of $500. USA Today, March 2, 2023

Study details how data brokers are ‘willing and able’ to sell your mental health records: Data brokers are capitalizing off the sale of Americans’ mental health data, a new report from Duke University’s Sanford School of Public Policy found. … “The research is critical as more depressed and anxious individuals utilize personal devices and software-based health-tracking applications… often unknowingly putting their sensitive mental health data at risk,” the study found. “This report finds that the industry appears to lack a set of best practices for handling individuals’ mental health data, particularly in the areas of privacy and buyer vetting.” … According to the report, which reached out to 37 different data brokers inquiring about mental health data, 26 responded and 11 firms “were ultimately willing and able to sell the requested mental health data.” Yahoo!Finance, February 26, 2023

9 questions about the threats to ban TikTok, answered: So you heard TikTok’s being banned. Here’s what’s actually happening. Vox, March 2, 2023

Section 3 – Cybersecurity News for the Cyber-Concerned.

It’s not just you: Cybercriminals are also using ChatGPT to make their jobs easier: The cybersecurity industry is already seeing evidence of ChatGPT’s use by criminals. … ChatGPT can quickly generate targeted phishing emails or malicious code for malware attacks. … AI companies could be held liable for chatbots counseling criminals since Section 230 may not apply. … Whether it is writing essays or analyzing data, ChatGPT can be used to lighten a person’s workload. That goes for cybercriminals too. Business Insider, February 25, 2023

Biometric-Privacy Rulings in Illinois Expand Potential Liability for Companies: State law focuses on data collection from facial recognition, retinal scans and fingerprinting. … Illinois is the only state that allows individuals to sue over biometric-privacy violations. … A pair of court rulings have expanded the scope of an Illinois biometric-privacy law that already was one of the toughest in the U.S., increasing potential civil liability for companies that collect personal data through facial-recognition technology, retinal scans or fingerprinting. The Wall Street Journal, February 27, 2023

LastPass says employee’s home computer was hacked and corporate vault taken: Already smarting from a breach that stole customer vaults, LastPass has more bad news. … Already smarting from a breach that put partially encrypted login data into a threat actor’s hands, LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers. ars technica, February 27, 2023

US introduces new rules to protect water systems from hackers: The US Environmental Protection Agency on Friday announced new requirements for public water facilities to boost their cybersecurity while expressing concern that many facilities have failed to take basic steps to protect themselves from hackers. CNN, March 3, 2023

Mounting Cyber Threats Mean Financial Firms Urgently Need Better Safeguards: Regulators and supervisors must act now to strengthen the prudential framework. … Cyber attackers continue to target the financial sector. What will happen when an attack takes down a bank or other critical platform, locking users out of their accounts? … Among emerging market and developing economies, most financial supervisors haven’t introduced cybersecurity regulations or built resources to enforce them, according to a recent IMF survey of 51 countries. International Monetary Fund Blog, March 2, 2023

Cybercrime site shows off with a free leak of 2 million stolen card numbers: A Russian-language dark web shop known as BidenCash recently attracted attention from cybersecurity researchers by posting a leak — for free — of 2 million stolen payment card numbers. The Record, March 3, 2023

This week in cybercrime.

Section 4 – Managing Information Security and Privacy in Your Organization.

Everybody Wants Least Privilege, So Why Isn’t Anyone Achieving It?: Overcoming the obstacles of this security principle can mitigate the damages of an attack. … When I was forming the idea for the company that would become Veza, my co-founders and I interviewed dozens of chief information security officers (CISOs) and chief information officers (CIOs). No matter the size and maturity of their modern tech-savvy companies, we heard one theme over and over: They could not see who had access to their company’s most sensitive data. Every one of them subscribed to the principle of least privilege, but none of them could say how close their company came to achieving it. DARK Reading, March 2, 2023

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge