Cybersecurity News of the Week, May 22, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

Our Top of the News is again privacy, with a story from The New York Times that complements last week’s privacy story from The Washington Post. The piece below, by noted privacy expert Zeynep Tufekci, takes us on a tour of the dark side of cyber-surveillance through the lens of the privacy arguments Louis Brandeis began making more than 130 years ago, first as a young lawyer and later as a Supreme Court Justice. The following quote sets the stage: “What’s needed, for all Americans, is a full legal and political reckoning with the reckless manner in which digital technology has been allowed to invade our lives. The collection, use and manipulation of electronic data must finally be regulated and severely limited. Only then can we comfortably enjoy all the good that can come from these technologies.” Necessary reading as we the people sort out some very complex issues.

  • We Need to Take Back Our Privacy: Over 130 years ago, a young lawyer saw an amazing new gadget and had a revolutionary vision — technology can threaten our privacy. … “Recent inventions and business methods call attention to the next step which must be taken for the protection of the person,” wrote the lawyer, Louis Brandeis, warning that laws needed to keep up with technology and new means of surveillance, or Americans would lose their “right to be let alone.” The New York Times, May 19, 2022

These next two stories are warnings about the serious risks from cyber crime to our way of life. We are already on alert for a global food shortage, exacerbated by Russian aggression in Ukraine. Water is in short supply in the west because of drought. We have an election coming up in five months and we need our elected officials to do their part in avoiding what might be unnecessary tragedies of monumental proportion.

Cyber Humor

Security Nonprofit of the Week

This week’s security nonprofit is the Global Cyber Alliance (GCA). GCA builds practical, measurable solutions and easy-to-use tools, and it works with partners to accelerate adoption around the world. GCA offers several specialized toolkits, including one for small to medium-sized businesses and one for mission-based organizations. GCA was one of the founders of Nonprofit Cyber, the first-of-its-kind coalition of global nonprofit organizations formed to enhance joint action to improve cybersecurity. SecureTheVillage is a proud member of Nonprofit Cyber.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: Join Julie Morris and me as we discuss the latest in cybersecurity. Social media algorithms: “I gave them my baby. They returned evil.” The potential for legal chaos now that a Texas law prohibiting censorship by social media platforms has been upheld by an appeals court. And, if social media algorithms are so good at delivering personalized ads, might we apply those same algorithms to help prevent terrorism?

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

In case you were wondering just how often companies are bidding for the right to show you their ads, you can stop wondering. Here in the US it’s 747 times a day, nearly double the number in Europe. Guess which area has the strongest privacy laws.

  • This Is How Often Online Ads Are Auctioning Off Your Data Every Day: Advertisers—and shady ad middlemen—are paying to violate your privacy hundreds of times every day you’re online. … How many times do you think your privacy gets violated every day you spend surfing the web? Maybe once? Twice? A few dozen times? It turns out that daily number is in the hundreds, according to a new report from the Irish Council for Civil Liberties (ICCL). On average, a European user’s data is shared with advertising and adtech middlemen 376 times per day—and for Americans, it’s double that: 747 times daily, the report reads. Gizmodo, May 16, 2022

#BeCarefulOutThere. #Don’tTrust.Verify.

  • When Your Smart ID Card Reader Comes With Malware: Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder’s appropriate security level. But many government employees aren’t issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here’s one example. KrebsOnSecurity, May 17, 2022
  • Over 200 Apps on Play Store Caught Spying on Android Users Using Facestealer: More than 200 Android apps masquerading as fitness, photo editing, and puzzle apps have been observed distributing spyware called Facestealer to siphon user credentials and other valuable information. The Hacker News, May 17, 2022

#BeCarefulOutThere. #Don’tTrust.Verify. It’s also smart advice while reading the news. It’s hard not to fall prey to our own confirmation bias. All the more reason to be diligent and check out the story.

  • Fake news – why do people believe it?: In the age of the perpetual news cycle and digital media, the risks that stem from the fake news problem are all too real. … Every day brings a deluge of news content that competes for our attention and spans everything from politics, health, sports, climate change to the war in Ukraine. The endless amount and breadth of information – which is instantly available as news articles, video clips, photos or other media on news websites, social media platforms, television, radio and other sources – can, and often does, feel overwhelming. Is it any wonder that so many of us struggle to cope with information overload and even with discerning facts from fiction online? WeLiveSecurity, May 18, 2022

Section 3 – General Cybersecurity and Privacy Stories

Cybersecurity and privacy stories for those wanting a deeper look.

As always, this week’s news brings us more stories of cybercrime. Even acknowledging the reality that we’re unlikely to ever eliminate cybercrime, there is still much that all of us can do to make it harder on the cybercriminal. The sad truth is that our businesses and other organizations simply make it too easy for the cybercriminal. Just like we automatically put on our seat belts when we get into our cars and take our car keys with us when we leave, we must build the same sense of carefulness into our digital lives. Until we do, stories like these will continue to be commonplace.

And as this next story demonstrates, the cybercriminals continue to up their game. So must we.

  • ‘Eternity malware’ offers Swiss Army knife of cybercrime tools: A one-stop shop for data and crypto kleptomaniacs. … Malware that steals passwords, cookies, and payment card data from web browsers is being sold via a Telegram channel and a Tor website, security researchers have discovered. … Collectively named the ‘Eternity Project’ by its architects, the suite of malware already includes stealers, clippers, worms, miners, and ransomware, with a Distributed Denial of Service (DDoS) bot apparently under development. … A Telegram channel provides information about forthcoming software updates and videos documenting the malware’s functionality to hundreds of subscribers. The Daily Swig, May 18, 2022

One of the big changes over the last few years has been the growing ability of law enforcement to fight back. It is still too little, and the arrests of criminals always come too late, but it represents progress. Anything we can do to make it harder on the cybercriminals takes some of the pressure off our organizations and our people. Again the Biden administration leads the way, with actions by both the Department of Justice and the Cybersecurity and Infrastructure Security Agency.

  • U.S. charges Venezuelan doctor with selling ransomware used by Iranian group: NEW YORK, May 16 (Reuters) – A Venezuelan cardiologist who taught himself computer programming sold software that was used by an Iranian hacking group to attack Israeli companies, U.S. prosecutors said on Monday in bringing criminal charges against him. Reuters, May 16, 2022
  • US agencies announce initiatives to crack down on ransomware: The Cybersecurity and Infrastructure Security Agency on Friday said it plans to convene a Joint Ransomware Task Force, while the Department of Justice announced it is launching two international initiatives aimed at tracking illegal cryptocurrency transfers and disrupting “top tier” cyber actors. The Record, May 20, 2022

Great kudos to IBM for its win-win-win-win partnerships with six Historically Black Colleges and Universities (HBCUs), the Specialisterne Foundation, and the VA to train underrepresented communities in technology.

  • IBM Partners With Six HBCU Schools To Train Underrepresented Communities On Technology: IBM has announced education initiatives with the U.S. Department of Veteran Affairs (VA), Specialisterne Foundation and six HBCU schools to provide free STEM job training to people from underrepresented communities. … According to an IBM press release the collaboration is part of the tech giant’s focus on providing STEM job training to underrepresented communities as part of its commitment to training 30 million people worldwide by 2030 to create inclusive economic opportunities and address a longstanding STEM job skills shortage. Black Enterprise, May 18, 2022

The Pentagon continues its challenging struggle to get some 300,000 defense contractors up to speed on their information security management programs. The nation can’t wait, but neither can the private sector implement the needed controls overnight.

  • Pentagon updates timeline for CMMC cybersecurity initiative: The Department of Defense hopes to begin implementing its Cybersecurity Maturity Model Certification (CMMC) program requirements in contracts in May 2023, as part of an effort to prod hundreds of thousands of defense contractors to better protect their networks and controlled unclassified information. Fedscoop, May 18, 2022

And, as is customary, the week’s news brought another story of Russian perfidy.

In 2013, Aaron Swartz, programmer and Internet activist, took his own life while facing federal prosecution under the Computer Fraud and Abuse Act. Swartz was accused of mass-downloading academic journal articles from JSTOR over MIT’s network using a guest account. The prosecution was widely seen at the time as overreach. Now, nine years later, the Department of Justice has finally revised its charging policy. It’s about time.

  • DOJ Revises Policy for Good-Faith Security Researchers: Specifies That White Hats Cannot Be Charged Under Computer Fraud and Abuse Act … The U.S. Department of Justice has revised its policy on who it charges with violations under the Computer Fraud and Abuse Act. The DOJ now specifies that good-faith security research and researchers cannot be charged under the CFAA because they help improve cybersecurity standards. GovInfoSecurity, May 20, 2022

Section 4 – Data Care in the Organization

Stories to support executives and top management in securing their organizations.

The Cybersecurity and Infrastructure Security Agency (CISA) released three alerts this week. It’s a good reminder for IT departments and MSPs to take advantage of CISA alerts in securing the network. CISA does great work, but it’s of little value if it falls on deaf ears.

  • Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control: The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Exploiting these vulnerabilities permits malicious actors to trigger a server-side template injection that may result in remote code execution (RCE) (CVE-2022-22954) or escalation of privileges to root (CVE-2022-22960). CISA, May 18, 2022
  • Threat Actors Exploiting F5 BIG-IP CVE-2022-1388: The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2022-1388. This recently disclosed vulnerability in certain versions of F5 Networks, Inc., (F5) BIG-IP enables an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses. F5 released a patch for CVE-2022-1388 on May 4, 2022, and proof of concept (POC) exploits have since been publicly released, enabling less sophisticated actors to exploit the vulnerability. Due to previous exploitation of F5 BIG-IP vulnerabilities, CISA and MS-ISAC assess unpatched F5 BIG-IP devices are an attractive target; organizations that have not applied the patch are vulnerable to actors taking control of their systems. CISA, May 18, 2022
  • Weak Security Controls and Practices Routinely Exploited for Initial Access: The cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom have issued a joint Cybersecurity Advisory (CSA) on 10 routinely exploited weak security controls, poor configurations, and bad practices that allow malicious actors to compromise networks. While these poor practices may be common, organizations can apply basic practices, such as the following, to help protect their systems … CISA, May 17, 2022
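The first CISA advisory above describes the VMware bug class as server-side template injection (SSTI): attacker-supplied input that a template engine evaluates on the server. One thing an IT department or MSP can do with that description, beyond patching, is sweep web-server access logs for request parameters carrying template-expression syntax. The script below is an added example written for this newsletter; it is not CISA’s code nor VMware’s, and it does not target any specific product path. It assumes Common Log Format access logs, uses a constructed set of sample log lines, and flags the generic `${...}` / `#{...}` markers used by common Java template engines (which engine the affected VMware products use is not stated in the advisory, so the marker set is an assumption). It decodes the request target twice because double URL-encoding is a routine way of slipping past naive filters.

```python
"""Sweep access-log lines for server-side template injection (SSTI) probes in
request parameters. Added example: assumed Common Log Format, constructed
sample lines, generic template-syntax markers (not product-specific)."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Common Log Format with a quoted request line; an assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Template-expression markers seen in common Java template engines
# (${...}, #{...}, FreeMarker directives, FreeMarker's ?new() constructor call,
# and the Runtime.getRuntime() idiom). Assumed set; broaden for other engines.
SSTI_RE = re.compile(r'(\$\{|#\{|<#|\?new\s*\(|\.getRuntime\(\))', re.IGNORECASE)


def decode_target(target):
    """URL-decode twice so a double-encoded payload is seen in its final form."""
    return unquote_plus(unquote_plus(target))


def find_ssti(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real sweep would count these
    target = decode_target(m.group("target"))
    parts = urlsplit(target)
    hits = [name for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if SSTI_RE.search(value)]
    if SSTI_RE.search(parts.path):
        hits.append("<path>")
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "params": hits, "status": m.group("status")}


def scan(lines):
    """Run find_ssti over every line and keep the findings, in log order."""
    return [hit for hit in (find_ssti(line) for line in lines) if hit]


# Constructed sample log lines (RFC 5737 documentation addresses; not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [18/May/2022:10:01:02 +0000] "GET /app/verify?error=&deviceId=abc123 HTTP/1.1" 200 512',
    # ${7*7}, the classic SSTI probe, single URL-encoded in the deviceId parameter
    '203.0.113.10 - - [18/May/2022:10:01:05 +0000] "GET /app/verify?error=&deviceId=%24%7B7*7%7D HTTP/1.1" 400 0',
    '198.51.100.7 - - [18/May/2022:10:02:11 +0000] "POST /app/login HTTP/1.1" 302 0',
    # the same probe double-encoded (%2524 -> %24 -> $), which a single decode would miss
    '198.51.100.7 - - [18/May/2022:10:02:40 +0000] "GET /app/search?q=%2524%257B7*7%257D HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["ts"]} {finding["ip"]} {finding["path"]} '
              f'params={finding["params"]} status={finding["status"]}')
```

A hit with a 200 response (the second finding above) deserves more attention than one the application rejected, since it suggests the parameter reached the template engine; either way, the source address is a starting point for checking what else that client touched.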

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge