A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.
Stan’s Top of the News
Our Top of the News is again privacy, with a story from The New York Times that complements our privacy story last week from The Washington Post. The piece below, by noted privacy expert Zeynep Tufekci, takes us on a tour of the dark side of cyber-surveillance through the lens of Louis Brandeis, who first warned more than 130 years ago, as a young lawyer and long before he joined the Supreme Court, that new technology could threaten our privacy. The following quote sets the stage: “What’s needed, for all Americans, is a full legal and political reckoning with the reckless manner in which digital technology has been allowed to invade our lives. The collection, use and manipulation of electronic data must finally be regulated and severely limited. Only then can we comfortably enjoy all the good that can come from these technologies.” Necessary reading as we the people sort out some very complex issues.
- We Need to Take Back Our Privacy: Over 130 years ago, a young lawyer saw an amazing new gadget and had a revolutionary vision — technology can threaten our privacy. … “Recent inventions and business methods call attention to the next step which must be taken for the protection of the person,” wrote the lawyer, Louis Brandeis, warning that laws needed to keep up with technology and new means of surveillance, or Americans would lose their “right to be let alone.” The New York Times, May 19, 2022
These next two stories are warnings about the serious risks cyber crime poses to our way of life. We are already on alert for a global food shortage, exacerbated by Russian aggression in Ukraine. Water is in short supply in the West because of drought. We have an election coming up in five months, and we need our elected officials to do their part in preventing tragedies of monumental proportions that need not happen.
- Cyber security: Global food supply chain at risk from malicious hackers: Modern “smart” farm machinery is vulnerable to malicious hackers, leaving global supply chains exposed to risk, experts are warning. BBC, May 19, 2022
- Water companies are increasingly uninsurable due to ransomware, industry execs say: More water companies are finding they are uninsurable as ransomware attacks against the sector grow, water utility and association executives said Wednesday. CyberScoop, May 18, 2022
Security Nonprofit of the Week
This week’s security nonprofit is the Global Cyber Alliance (GCA). GCA builds practical, measurable solutions and easy to use tools, and they work with partners to accelerate adoption around the world. GCA has several specialized toolkits, including a toolkit for small to medium sized businesses and a toolkit for mission-based organizations. GCA was one of the founders of Nonprofit Cyber, the first-of-its-kind coalition of global nonprofit organizations to enhance joint action to improve cybersecurity. SecureTheVillage is a proud member of Nonprofit Cyber.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn
Live on Cyber with Dr. Stan Stahl: Join Julie Morris and me as we discuss the latest in cybersecurity. Social media algorithms: “I gave them my baby. They returned evil.” The potential for legal chaos as a Texas law prohibiting censorship by social media was upheld by an appeals court. And, if social media algorithms are so good at delivering personalized ads, might we apply these same algorithms to help prevent terrorism?
Section 2 – Personal Data Care – Security and Privacy
Important data care stories for protecting yourself and your family.
In case you were wondering just how often companies are bidding for the right to show you their ads, you can stop wondering. Here in the US it’s 747 times a day, nearly double the number in Europe. Guess which area has the strongest privacy laws.
- This Is How Often Online Ads Are Auctioning Off Your Data Every Day: Advertisers—and shady ad middlemen—are paying to violate your privacy hundreds of times every day you’re online. … How many times do you think your privacy gets violated every day you spend surfing the web? Maybe once? Twice? A few dozen times? It turns out that daily number is in the hundreds, according to a new report from the Irish Council for Civil Liberties (ICCL). On average, a European user’s data is shared with advertising and adtech middlemen 376 times per day—and for Americans, it’s double that: 747 times daily, the report reads. Gizmodo, May 16, 2022
- When Your Smart ID Card Reader Comes With Malware: Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder’s appropriate security level. But many government employees aren’t issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here’s one example. KrebsOnSecurity, May 17, 2022
- Over 200 Apps on Play Store Caught Spying on Android Users Using Facestealer: More than 200 Android apps masquerading as fitness, photo editing, and puzzle apps have been observed distributing spyware called Facestealer to siphon user credentials and other valuable information. The Hacker News, May 17, 2022
#BeCarefulOutThere. #Don’tTrust.Verify. It’s also smart advice while reading the news. It’s hard not to fall prey to our own confirmation bias. All the more reason to be diligent and check out the story.
- Fake news – why do people believe it?: In the age of the perpetual news cycle and digital media, the risks that stem from the fake news problem are all too real. … Every day brings a deluge of news content that competes for our attention and spans everything from politics, health, sports, climate change to the war in Ukraine. The endless amount and breadth of information – which is instantly available as news articles, video clips, photos or other media on news websites, social media platforms, television, radio and other sources – can, and often does, feel overwhelming. Is it any wonder that so many of us struggle to cope with information overload and even with discerning facts from fiction online? WeLiveSecurity, May 18, 2022
Section 3 – General Cybersecurity and Privacy Stories
Cybersecurity and privacy stories for those wanting a deeper look.
As always, this week’s news brings us more stories of cybercrime. Even acknowledging the reality that we’re unlikely to ever eliminate cybercrime, there is still much that all of us can do to make it harder on the cybercriminal. The sad truth is that our businesses and other organizations simply make it too easy for the cybercriminal. Just like we automatically put on our seat belts when we get into our cars and take our car keys with us when we leave, we must build the same sense of carefulness into our digital lives. Until we do, stories like these will continue to be commonplace.
- US Manufacturing Giant Parker Hit by Conti Ransomware Gang: US manufacturing company Parker-Hannifin Corporation has announced a data breach exposing employees’ personally identifiable information (PII) after Conti ransomware actors published reportedly stolen data last month. Infosecurity Magazine, May 16, 2022
- Data breach at Department of Insurance exposed personal information of 1.8M Texans, audit says: A security breach at the Department of Insurance leaked the personal information of 1.8 million Texans for nearly three years, according to an audit. … A massive security breach at the Texas Department of Insurance leaked the personal information of almost 2 million Texans for nearly three years, according to a state audit released last week. ABC13, The Texas Tribune, May 16, 2022
- Brazilian e-commerce firm Americanas reports multimillion-dollar loss following cyberattack: Brazilian e-commerce conglomerate Americanas.com reported a multimillion-dollar loss in sales in its financial results on Friday after a major cyberattack earlier this year. … The company lost 923 million Brazilian reais ($183 million) in sales after two attacks that took place between February 19 and 20 and rendered its e-commerce operation unavailable. ZDNet, May 16, 2022
- Nikkei becomes latest major news outlet hit with ransomware: Nikkei Group — one of the world’s largest financial news outlets — announced that its Asia headquarters in Singapore is suffering from a ransomware attack that began on May 13. The Record, May 20, 2022
- Pharmacy Giant Hit By Data Breach Affecting 3.6 Million Customers: Pharmacy retailer Dis-Chem recently announced that it had been hit by a data breach affecting the personal details of 3.6 million customers. Infosecurity Magazine, May 18, 2022
And as this next story demonstrates, the cybercriminals continue to up their game. So must we.
- ‘Eternity malware’ offers Swiss Army knife of cybercrime tools: A one-stop shop for data and crypto kleptomaniacs. ‘Eternity malware’ offers Swiss Army knife of cybercrime tools … UPDATED Malware that steals passwords, cookies, and payment card data from web browsers is being sold via a Telegram channel and a Tor website, security researchers have discovered. … Collectively named the ‘Eternity Project’ by its architects, the suite of malware already includes stealers, clippers, worms, miners, and ransomware, with a Distributed Denial of Service (DDoS) bot apparently under development. … A Telegram channel provides information about forthcoming software updates and videos documenting the malware’s functionality to hundreds of subscribers. The Daily Swig, May 18, 2022
One of the big changes over the last few years has been the ability of law enforcement to fight back. It is still too little, and the arrests of criminals are always too late, but it represents progress. Anything we can do to make it harder on the cybercriminals takes some of the pressure off our organizations and our people. Again the Biden administration leads the way, with actions by both the Department of Justice and the Cybersecurity and Infrastructure Security Agency.
- U.S. charges Venezuelan doctor with selling ransomware used by Iranian group: NEW YORK, May 16 (Reuters) – A Venezuelan cardiologist who taught himself computer programming sold software that was used by an Iranian hacking group to attack Israeli companies, U.S. prosecutors said on Monday in bringing criminal charges against him. Reuters, May 16, 2022
- US agencies announce initiatives to crack down on ransomware: The Cybersecurity and Infrastructure Security Agency on Friday said it plans to convene a Joint Ransomware Task Force, while the Department of Justice announced it is launching two international initiatives aimed at tracking illegal cryptocurrency transfers and disrupting “top tier” cyber actors. The Record, May 20, 2022
Great kudos to IBM for its win-win-win-win partnerships with six Historically Black Colleges and Universities (HBCUs), the Specialisterne Foundation, and the VA to train underrepresented communities in technology.
- IBM Partners With Six HBCU Schools To Train Underrepresented Communities On Technology: IBM has announced education initiatives with the U.S. Department of Veteran Affairs (VA), Specialisterne Foundation and six HBCU schools to provide free STEM job training to people from underrepresented communities. … According to an IBM press release the collaboration is part of the tech giant’s focus on providing STEM job training to underrepresented communities as part of its commitment to training 30 million people worldwide by 2030 to create inclusive economic opportunities and address a longstanding STEM job skills shortage. Black Enterprise, May 18, 2022
The Pentagon continues its challenging struggle to get 300,000 defense contractors up to speed on their information security management programs. The nation can’t wait but neither can the private sector implement needed controls overnight.
- Pentagon updates timeline for CMMC cybersecurity initiative: The Department of Defense hopes to begin implementing its Cybersecurity Maturity Model Certification (CMMC) program requirements in contracts in May 2023, as part of an effort to prod hundreds of thousands of defense contractors to better protect their networks and controlled unclassified information. Fedscoop, May 18, 2022
And, as is customary, the week’s news brought another story of Russian perfidy.
- Russian government procured powerful botnet to shift social media trending topics: A subcontractor for Russia’s Federal Security Service is accused of creating a powerful botnet that had the ability to not only launch damaging DDoS attacks but also manipulate trending topics on social media platforms, according to cybersecurity firm Nisos. The Record, May 20, 2022
In 2013, Aaron Swartz, programmer and Internet hacktivist, committed suicide while facing prosecution under the Computer Fraud and Abuse Act. Swartz was accused of downloading millions of academic journal articles from JSTOR over MIT’s network using a guest account. Swartz’s prosecution was widely seen at the time as overreach. Now, nine years later, the Department of Justice has finally revised its charging policy. It’s about time.
- DOJ Revises Policy for Good-Faith Security Researchers: Specifies That White Hats Cannot Be Charged Under Computer Fraud and Abuse Act … The U.S. Department of Justice has revised its policy on who it charges with violations under the Computer Fraud and Abuse Act. The DOJ now specifies that good-faith security research and researchers cannot be charged under the CFAA because they help improve cybersecurity standards. GovInfoSecurity, May 20, 2022
Section 4 – Data Care in the Organization
Stories to support executives and top management in securing their organizations.
The Cybersecurity and Infrastructure Security Agency (CISA) released three Cybersecurity Advisories this week. It’s a good reminder for IT departments and MSPs to take advantage of CISA advisories in securing the network: each one names the affected products, the CVEs being exploited, and the required action. CISA does great work, but it’s of little value if it falls on deaf ears.
- Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control: The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Exploiting these vulnerabilities permits malicious actors to trigger a server-side template injection that may result in remote code execution (RCE) (CVE-2022-22954) or escalation of privileges to root (CVE-2022-22960). CISA, May 18, 2022
- Threat Actors Exploiting F5 BIG-IP CVE-2022-1388: The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2022-1388. This recently disclosed vulnerability in certain versions of F5 Networks, Inc., (F5) BIG-IP enables an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses. F5 released a patch for CVE-2022-1388 on May 4, 2022, and proof of concept (POC) exploits have since been publicly released, enabling less sophisticated actors to exploit the vulnerability. Due to previous exploitation of F5 BIG-IP vulnerabilities, CISA and MS-ISAC assess unpatched F5 BIG-IP devices are an attractive target; organizations that have not applied the patch are vulnerable to actors taking control of their systems. CISA, May 18, 2022
- Weak Security Controls and Practices Routinely Exploited for Initial Access: The cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom have issued a joint Cybersecurity Advisory (CSA) on 10 routinely exploited weak security controls, poor configurations, and bad practices that allow malicious actors to compromise networks. While these poor practices may be common, organizations can apply basic practices, such as the following, to help protect their systems … CISA, May 17, 2022
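Advisories like the three above only help once someone matches them against the systems an organization actually runs. The following is an added example, not code from CISA or from this newsletter, showing how an IT department or MSP can reconcile a CISA Known Exploited Vulnerabilities (KEV) style catalog against an asset inventory and produce a patch-priority list ordered by how far past the CISA due date each host is. The catalog below is a constructed sample in the shape of CISA’s KEV JSON feed (fields cveID, vendorProject, product, dateAdded, dueDate, requiredAction); the CVE numbers are the ones named in the advisories above, but the dates, product strings, host names and `patched_cves` field are constructed for illustration and are not CISA’s actual entries.

```python
"""Reconcile an asset inventory against a CISA KEV-style catalog.

Added example, not CISA's or the newsletter's code. KEV_SAMPLE is a
constructed sample in the shape of CISA's Known Exploited Vulnerabilities
JSON feed; the CVE IDs are those named in the CISA advisories discussed
above, while dates, product strings and the inventory are constructed.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-1388", "vendorProject": "F5", "product": "BIG-IP",
         "dateAdded": "2022-05-10", "dueDate": "2022-05-31",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-22954", "vendorProject": "VMware",
         "product": "Workspace ONE Access and Identity Manager",
         "dateAdded": "2022-04-14", "dueDate": "2022-05-05",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-22960", "vendorProject": "VMware",
         "product": "Workspace ONE Access, Identity Manager and vRealize Automation",
         "dateAdded": "2022-04-15", "dueDate": "2022-05-06",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory, as an IT department or MSP might export from its
# CMDB. `patched_cves` (a constructed field) records fixes already verified.
INVENTORY = [
    {"host": "lb-edge-01", "vendor": "F5", "product": "BIG-IP", "patched_cves": []},
    {"host": "lb-edge-02", "vendor": "F5", "product": "BIG-IP", "patched_cves": ["CVE-2022-1388"]},
    {"host": "idm-01", "vendor": "VMware", "product": "Workspace ONE Access", "patched_cves": []},
    {"host": "vra-01", "vendor": "VMware", "product": "vRealize Automation", "patched_cves": []},
    {"host": "mail-01", "vendor": "Microsoft", "product": "Exchange Server", "patched_cves": []},
]

# Review date used by the stand-alone run below (constructed).
AS_OF = date(2022, 5, 20)


def _norm(text):
    """Lower-case, drop commas, collapse whitespace for loose matching."""
    return " ".join(text.lower().replace(",", " ").split())


def applies_to(entry, asset):
    """KEV product fields are free text that often name several products,
    so match on vendor plus a case-insensitive substring test of the
    inventory's product name."""
    return (_norm(entry["vendorProject"]) == _norm(asset["vendor"])
            and _norm(asset["product"]) in _norm(entry["product"]))


def reconcile(kev_json, inventory, as_of):
    """Return one finding per (host, CVE) still open, most overdue first.

    days_overdue is negative while the CISA due date is still ahead."""
    catalog = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for asset in inventory:
        for entry in catalog:
            if not applies_to(entry, asset):
                continue
            if entry["cveID"] in asset["patched_cves"]:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_overdue": (as_of - due).days,
                "action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (-f["days_overdue"], f["host"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in reconcile(KEV_SAMPLE, INVENTORY, AS_OF):
        state = "OVERDUE" if f["days_overdue"] > 0 else "due"
        print(f'{f["host"]:12} {f["cve"]:15} {state:8} {f["due"]}  {f["action"]}')
```

The matching is deliberately coarse: the KEV feed does not carry affected version ranges, so a hit here means “check this host against the vendor advisory,” not “this host is vulnerable.” Hosts whose verified fixes are recorded (lb-edge-02) drop out of the list, and hosts running products the catalog does not name (mail-01) never appear, which keeps the output focused on work that is actually outstanding.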