Cybersecurity News of the Week, May 29, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

SecureTheVillage presents Nicole Perlroth, Award-winning Cybersecurity Journalist and New York Times Bestselling Author. For those who didn’t see it or want to see it again or want their colleagues to see it. … Now available on demand. … An Event By & For Leaders in Cybersecurity.

  • Security. Privacy. Freedom. … A Conversation with Nicole Perlroth: “This webinar was utterly fabulous. If you would have told me that I would sit for an hour and a half on a webinar about cybersecurity and know that even if it was longer I would still be enjoying it, I might think you’re crazy. But that’s what happened. Vibrant. Engaging. Motivating.” … Rachel Eryn Kalish, M.C. / Facilitator, Mediator, Conflict Resolution Pioneer. SecureTheVillage, May 4, 2022

Cyber Humor

Security Nonprofit of the Week

Kudos this week to US Valor, a nonprofit with two intertwined objectives: (1) providing opportunities to U.S. veterans and (2) helping America meet our cybersecurity workforce challenge. US Valor does this through an innovative Department of Labor approved Apprenticeship Program. The US Valor Cybersecurity Apprenticeship Program (CAP) is all about helping transitioning military personnel and U.S. Veterans experience a smooth transition from military life to the civilian world through its Department of Labor Registered Apprenticeship Program (RAP). I’m a proud member of US Valor’s Advisory Board.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: Join Julie Morris and me as we discuss the latest in cybersecurity. This week we endeavor to think outside the broken box of our dysfunctional political systems. How might social media use its algorithms to identify potential gun massacres before they happen? What would it take to bring the power of artificial intelligence to bear on this problem? How might we structure the “system” to protect privacy AND alert law enforcement of impending tragedy? SecureTheVillage, May 25, 2022

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

If you use a Netgear router, please check if it’s one of these two unfixable ones. If so, you want to replace it.

  • Netgear Says It Can’t Fix Multiple Vulnerabilities On Two Of Its Routers For Homeworkers: This morning, networking equipment manufacturer Netgear issued a security advisory for its BR200 and BR500 routers. These two products were released a year ago and were touted as an ideal, ultra-secure router for home workers who need seamless access to their corporate network so they can work from home as if they were in the office. The idea was and is a great one, but it seems there is a problem. Forbes, May 20, 2022

I haven’t seen reviews of this yet, but if it holds up to scrutiny it promises to be a valuable tool for the Airbnb crowd.

Section 3 – General Cybersecurity and Privacy Stories

Cybersecurity and privacy stories for those wanting a deeper look.

Verizon released their 2022 Data Breach Investigations Report (DBIR) this week. As usual, the DBIR is a cornucopia of cybercrime statistics. While it’s must reading for security and IT professionals … and the managers they report to … everyone needs to be aware of its top-line findings.

  • ‘There’s No Ceiling’: Ransomware’s Alarming Growth Signals a New Era, Verizon DBIR Finds: Ransomware has become so efficient, and the underground economy so professional, that traditional monetization of stolen data may be on its way out. … The past year has seen a staggering acceleration in ransomware incidents, with 25% of all breaches containing a ransomware component. … That’s the top-line finding in the 2022 Verizon Data Breach Investigations Report (DBIR), which found that ransomware events in conjunction with breaches ballooned 13% in the past year — last year’s report found that just 12% of incidents were ransomware-related. That translates into a rate of increase that’s more than the previous five years of growth combined. Dark Reading, May 24, 2022

#Cybercrime. This week’s cybercrime stories illustrate the DBIR findings.

  • Hackers breach Zola wedding registry accounts and make fraudulent purchases: The popular wedding planning website Zola, known for its online gift registries, guest list management, and wedding websites, confirmed Monday that hackers had managed to access the accounts of a number of its users and tried to initiate fraudulent cash transfers. The Verge, May 23, 2022
  • Hackers Know Where You’ve Been Driving: General Motors Discloses Data Breach: The Michigan carmaker says that a credential stuffing attack pilfered a pile of personal information from car owners. The hackers stole reward points, too. … General Motors suffered a hack that exposed a significant amount of sensitive personal information on car owners—names, addresses, phone numbers, locations, car mileage, and maintenance history. Gizmodo, May 24, 2022

This cybercrime story is just plain weird.

  • Ransomware encrypts files, demands three good deeds to restore data: Shut up and take … poor kids to KFC? … In what is either a creepy, weird spin on Robin Hood or something from a Black Mirror episode, we’re told a ransomware gang is encrypting data and then forcing each victim to perform three good deeds before they can download a decryption tool. The Register, May 26, 2022

And, as this story illustrates, cybercrime is only going to get worse.

#Cyber-Privacy

  • Virtual learning apps tracked and shared kids’ data and online activities with advertisers, report says: (CNN Business) Millions of students who participated in virtual learning during the Covid-19 pandemic had their personal data and online behaviors tracked by educational apps and websites without their consent and in many cases shared with third-party advertising technology companies, a new report has found. CNN, May 26, 2022
  • A Face Search Engine Anyone Can Use Is Alarmingly Accurate: PimEyes is a paid service that finds photos of a person from across the internet, including some the person may not want exposed. “We’re just a tool provider,” its owner said. … For $29.99 a month, a website called PimEyes offers a potentially dangerous superpower from the world of science fiction: the ability to search for a face, finding obscure photos that would otherwise have been as safe as the proverbial needle in the vast digital haystack of the internet. The New York Times, May 26, 2022
  • DuckDuckGo in hot water over hidden tracking agreement with Microsoft: DuckDuckGo may face a user backlash after security researchers discovered a hidden tracking agreement with Microsoft. … The privacy-focused company offers a search engine that claims not to track people’s searches, or behavior, and also doesn’t build user profiles that can be used to display personalized advertising. Tech Radar, May 25, 2011
  • State privacy laws are being written by tech companies to minimize protections: Some state privacy laws use wording written by tech companies and their lobbyists, says a new report today. A formerly Apple-backed lobbying group has previously been cited as pushing for weaker privacy protection based on this wording. 9to5 Mac, May 26, 2022

Cyber-Surveillance. It’s not just Pegasus and the NSO Group attacking iPhones.

  • Multiple Governments Buying Android Zero-Days for Spying: Google: An analysis from Google TAG shows that Android zero-day exploits were packaged and sold for state-backed surveillance…. At least eight governments around the world have purchased a package of Android zero-day exploits from a company called Cytrox and are using them to install spyware on targets’ mobile phones. The development highlights the sophistication of off-the-shelf surveillance offerings, according to a recent report. DARKReading, May 23, 2022

Meanwhile, Australia’s attempt to digitize driver’s licenses seems to have hit a roadblock.

  • “Tough to forge” digital driver’s license is… easy to forge: In late 2019, the government of New South Wales in Australia rolled out digital driver’s licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would “provide additional levels of security and protection against identity fraud, compared to the plastic [driver’s license]” citizens had used for decades. … Now, 30 months later, security researchers have shown that it’s trivial for just about anyone to forge fake identities using the digital driver’s licenses, or DDLs. Gizmodo, May 24, 2022

On the good news side, we offer the following three stories.

Section 4 – Data Care in the Organization

Stories to support executives and top management in securing their organizations.

Our next two stories are mandatory reading for security professionals and the people they report to.

#UpdateNow. CISA continues to provide super support identifying vulnerabilities that are being actively exploited.
