A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.
Stan’s Top of the News
SecureTheVillage presents Nicole Perlroth, Award-winning Cybersecurity Journalist and New York Times Bestselling Author. For those who didn’t see it, want to see it again, or want their colleagues to see it. … Now available on demand. … An Event By & For Leaders in Cybersecurity.
- Security. Privacy. Freedom. … A Conversation with Nicole Perlroth: “This webinar was utterly fabulous. If you would have told me that I would sit for an hour and a half on a webinar about cybersecurity and know that even if it was longer I would still be enjoying it, I might think you’re crazy. But that’s what happened. Vibrant. Engaging. Motivating.” … Rachel Eryn Kalish, M.C. / Facilitator, Mediator, Conflict Resolution Pioneer. SecureTheVillage, May 4, 2022
Security Nonprofit of the Week
Kudos this week to US Valor, a nonprofit with two intertwined objectives: (1) providing opportunities to U.S. veterans and (2) helping America meet our cybersecurity workforce challenge. US Valor does this through an innovative Department of Labor approved Apprenticeship Program. The US Valor Cybersecurity Apprenticeship Program (CAP) is all about helping transitioning military personnel and U.S. Veterans experience a smooth transition from military life to the civilian world through its Department of Labor Registered Apprenticeship Program (RAP). I’m a proud member of US Valor’s Advisory Board.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn
Live on Cyber with Dr. Stan Stahl: Join Julie Morris and me as we discuss the latest in cybersecurity. This week we endeavor to think outside the broken box of our dysfunctional political systems. How might social media use its algorithms to identify potential gun massacres before they happen? What would it take to bring the power of artificial intelligence to bear on this problem? How might we structure the “system” to protect privacy AND alert law enforcement of impending tragedy? SecureTheVillage, May 25, 2022
Section 2 – Personal Data Care – Security and Privacy
Important data care stories for protecting yourself and your family.
If you use a Netgear router, please check whether it’s one of these two unfixable models. If so, you want to replace it.
- Netgear Says It Can’t Fix Multiple Vulnerabilities On Two Of Its Routers For Homeworkers: This morning, networking equipment manufacturer Netgear issued a security advisory for its BR200 and BR500 routers. These two products were released a year ago and were touted as an ideal, ultra-secure router for home workers who need seamless access to their corporate network so they can work from home as if they were in the office. The idea was and is a great one, but it seems there is a problem. Forbes, May 20, 2022
I haven’t seen reviews of this yet, but if it holds up to scrutiny it promises to be a valuable tool for the Airbnb crowd.
- Lumos System Can Find Hidden Cameras and IoT Devices in Your Airbnb or Hotel Room: A group of academics has devised a system that can be used on a phone or a laptop to identify and locate Wi-Fi-connected hidden IoT devices in unfamiliar physical spaces. The Hacker News, May 25, 2022
Section 3 – General Cybersecurity and Privacy Stories
Cybersecurity and privacy stories for those wanting a deeper look.
Verizon released its 2022 Data Breach Investigations Report (DBIR) this week. As usual, the DBIR is a cornucopia of cybercrime statistics. While it’s must reading for security and IT professionals … and the managers they report to … everyone needs to be aware of its top-line findings.
- ‘There’s No Ceiling’: Ransomware’s Alarming Growth Signals a New Era, Verizon DBIR Finds: Ransomware has become so efficient, and the underground economy so professional, that traditional monetization of stolen data may be on its way out. … The past year has seen a staggering acceleration in ransomware incidents, with 25% of all breaches containing a ransomware component. … That’s the top-line finding in the 2022 Verizon Data Breach Investigations Report (DBIR), which found that ransomware events in conjunction with breaches ballooned 13% in the past year — last year’s report found that just 12% of incidents were ransomware-related. That translates into a rate of increase that’s more than the previous five years of growth combined. Dark Reading, May 24, 2022
#Cybercrime. This week’s cybercrime stories illustrate the DBIR findings.
- Hackers breach Zola wedding registry accounts and make fraudulent purchases: The popular wedding planning website Zola, known for its online gift registries, guest list management, and wedding websites, confirmed Monday that hackers had managed to access the accounts of a number of its users and tried to initiate fraudulent cash transfers. The Verge, May 23, 2022
- Hackers Know Where You’ve Been Driving: General Motors Discloses Data Breach: The Michigan carmaker says that a credential stuffing attack pilfered a pile of personal information from car owners. The hackers stole reward points, too. … General Motors suffered a hack that exposed a significant amount of sensitive personal information on car owners—names, addresses, phone numbers, locations, car mileage, and maintenance history. Gizmodo, May 24, 2022
This cybercrime story is just plain weird.
- Ransomware encrypts files, demands three good deeds to restore data: Shut up and take … poor kids to KFC? … In what is either a creepy, weird spin on Robin Hood or something from a Black Mirror episode, we’re told a ransomware gang is encrypting data and then forcing each victim to perform three good deeds before they can download a decryption tool. The Register, May 26, 2022
And, as this story illustrates, cybercrime is only going to get worse.
- Military-made cyberweapons could soon become available on the dark web, Interpol warns: Interpol Secretary General Jurgen Stock said he’s concerned state-developed cyberweapons will become available on the darknet in a “couple of years” as the number of cyberattacks more than doubled globally in 2021, according to the World Economic Forum’s Global Cybersecurity Outlook report. CNBC, May 23, 2022
- Virtual learning apps tracked and shared kids’ data and online activities with advertisers, report says: (CNN Business) Millions of students who participated in virtual learning during the Covid-19 pandemic had their personal data and online behaviors tracked by educational apps and websites without their consent and in many cases shared with third-party advertising technology companies, a new report has found. CNN, May 26, 2022
- A Face Search Engine Anyone Can Use Is Alarmingly Accurate: PimEyes is a paid service that finds photos of a person from across the internet, including some the person may not want exposed. “We’re just a tool provider,” its owner said. … For $29.99 a month, a website called PimEyes offers a potentially dangerous superpower from the world of science fiction: the ability to search for a face, finding obscure photos that would otherwise have been as safe as the proverbial needle in the vast digital haystack of the internet. The New York Times, May 26, 2022
- DuckDuckGo in hot water over hidden tracking agreement with Microsoft: DuckDuckGo may face a user backlash after security researchers discovered a hidden tracking agreement with Microsoft. … The privacy-focused company offers a search engine that claims not to track people’s searches, or behavior, and also doesn’t build user profiles that can be used to display personalized advertising. Tech Radar, May 25, 2011
- State privacy laws are being written by tech companies to minimize protections: Some state privacy laws use wording written by tech companies and their lobbyists, says a new report today. A formerly Apple-backed lobbying group has previously been cited as pushing for weaker privacy protection based on this wording. 9to5 Mac, May 26, 2022
Cyber-Surveillance. It’s not just Pegasus and the NSO Group attacking iPhones.
- Multiple Governments Buying Android Zero-Days for Spying: Google: An analysis from Google TAG shows that Android zero-day exploits were packaged and sold for state-backed surveillance. … At least eight governments around the world have purchased a package of Android zero-day exploits from a company called Cytrox and are using them to install spyware on targets’ mobile phones. The development highlights the sophistication of off-the-shelf surveillance offerings, according to a recent report. Dark Reading, May 23, 2022
Meanwhile, Australia’s attempt to digitize driver’s licenses seems to have hit a roadblock.
- “Tough to forge” digital driver’s license is… easy to forge: In late 2019, the government of New South Wales in Australia rolled out digital driver’s licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would “provide additional levels of security and protection against identity fraud, compared to the plastic [driver’s license]” citizens had used for decades. … Now, 30 months later, security researchers have shown that it’s trivial for just about anyone to forge fake identities using the digital driver’s licenses, or DDLs. Gizmodo, May 24, 2022
On the good news side, we offer the following three stories.
- Darknet market Versus shuts down after hacker leaks security flaw: The Versus Market, one of the most popular English-speaking criminal darknet markets, is shutting down after discovering a severe exploit that could have allowed access to its database and exposed the IP address of its servers. Bleeping Computer, May 25, 2022
- Some Facebook users are receiving $397 checks over data privacy violations—and these tech companies could be next: If you’ve ever been tagged in a photo online, you might have some cash coming your way — and soon. CNBC, May 25, 2022
- Twitter agrees to pay millions in fines after US government alleges privacy violations: (CNN Business) Twitter has agreed to pay $150 million in fines after the US government sued the social media company on Wednesday, alleging that it misled consumers about how it protects their personal data. CNN, May 25, 2022
Section 4 – Data Care in the Organization
Stories to support executives and top management in securing their organizations.
Our next two stories are mandatory reading for security professionals and the people they report to.
- SolarWinds: Here’s how we’re building everything around this new cybersecurity strategy: The SolarWinds supply chain attack was one of the biggest cyber incidents there’s ever been. Here’s how the company has dealt with the aftermath. ZD Net, May 24, 2022
- Chris Wysopal: Open source is becoming a national security risk: The Veracode CTO explains what set the Log4j vulnerabilities apart, how it raised awareness of issues around open source security, and where he sees progress. CSO, May 25, 2022
#UpdateNow. CISA continues to provide excellent support in identifying vulnerabilities that are being actively exploited.
- CISA adds 75 actively exploited bugs to its must-patch list in just a week: Patch these security flaws if the software is still running on your systems, the US cybersecurity authority has warned. ZD Net, May 27, 2022