This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.
Stan’s Top of the News
SecureTheVillage to pilot a small business cybersecurity program with grant from the Center for Internet Security (CIS®). The project will measurably improve the cybersecurity practices of small to mid-sized organizations. … Alan Paller was the co-founder of the Center for Internet Security and former CIS board member, as well as the founder of the SANS Institute and SANS Technology Institute, the nation’s first regionally-accredited, specialized cybersecurity college and graduate school, and was well-known and highly respected in the industry for building the cyber talent pipeline. He is also credited with driving change in the public and private sectors that would result in quantifiable improvements in cyber resiliency. … The laureate program was established in his memory, and awards up to $250,000 annually to eligible organizations or individuals whose pilot projects, proofs of concept, or existing programs are selected through a competitive application process. … “The Alan Paller Laureate Program recognizes and encourages innovative ideas that will enhance cybersecurity capabilities needed to ensure a safe digital future, supporting society at large,” said Dr. Channing Paller, Alan’s daughter and a board member of the laureate program. “Strengthening institutional cyber capabilities nationwide offers a fitting tribute to a true pioneer in the cybersecurity industry.” From <https://www.einnews.com/pr_news/631383623/center-for-internet-security-announces-grant-recipients-of-alan-paller-laureate-program>
I am proud and humbled by our top story this week. We are especially honored to be an inaugural grant recipient of the Center for Internet Security Alan Paller Laureate Program. Alan was the keynote speaker at the 2012 ISSA Los Angeles annual symposium when I was Chapter President. His presentation, as one would expect, was insightful, provocative, and inspiring. Through this grant, we will be able to extend Alan’s legacy to the many smaller organizations in the Los Angeles region.
The impact of cybercrime on our smaller organizations can be devastating. Big companies lose money and market value. Our smaller companies lose their existence. Big companies are wounded. Small companies are killed. Dreams die. Lives are crippled. Families are torn apart. Future generations never experience their potential. This is the impact of cybercrime on smaller organizations. SecureTheVillage is on a mission to change this. We are grateful for the support of the Center for Internet Security.
New. Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? The Family Protection Newsletter is for your parents, friends, and all those who need to protect themselves in a digital world. We feature info on how to freeze your credit and what ‘marriage scams’ are in Edition 1. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription!
How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.
- How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basics. Please take our short quiz as your answers will help you and guide us to improve community safety.
Upcoming events. Please join us.
- Los Angeles Cybersecurity Workforce Coalition: The monthly meeting of the workforce coalition, Tue, May 2, 1:00 pm – 2:00 pm PT.
- Invasion of the Body & Mind (Data) Snatchers: What you need to know. What you need to do. May 25, 11:00 am – 12:30 pm PT.
Cyber Humor
Cybersecurity Nonprofit of the Week … National Cybersecurity Alliance,
Kudos this week to the National Cybersecurity Alliance, a non-profit organization on a mission to create a more secure, interconnected world. The Alliance is an advocate for the safe use of technology, educating everyone on how we can protect ourselves, our families, and our organizations from cybercrime. They create strong partnerships between governments and corporations to amplify their message and to foster a greater “digital” good, encouraging everyone to do their part to prevent digital wrongdoing of any kind. As they say, the real solution to cybercrime isn’t technology, it’s all of us doing our part. Like SecureTheVillage, the National Cybersecurity Alliance is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform
Invasion of the Body & Mind (Data) Snatchers: (Video) (Podcast): While Julie’s away, Stan and his guest SecureTheVillage Board Member Alexa McCulloch, riff on the security of our health and wellness information. Whether it’s the data on your Fitbit or the search terms you enter on a hospital’s website, a lot of our private health and wellness information isn’t protected by HIPAA … and even what is, may still end up in the hands of the data brokers. … This week’s podcast is a preview of a hard-hitting webinar Alexa will be moderating on May 25th titled Invasion of the Body & Mind (Data) Snatchers. With her guests René Quashie, Vice President, Digital Health at the Consumer Technology Association and Felix Bustos, CEO and co-founder of ZB Technologies, Alexa will probe how our most sensitive and private information slips through the cracks in our privacy. … Join Alexa and Stan for an overview of some of the challenges we the people have keeping our information private in a system with little regulation, with consumers forced to accept Terms and Conditions full of dense legal jargon, and with a thriving market for the collection and sale of health and wellness data. … And please register for SecureTheVillage’s webinar Invasion of the Body & Mind (Data) Snatchers, moderated by Alexa McCulloch. The webinar airs May 25th at 11AM PT.
Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.
A sad story but one we must tell in the hope that we can spare someone else from this pain. Please warn your family.
- Navy veteran warns of online security scammers that robbed him of his life savings: West Palm Beach native John McKendrick says he missed all the warning signs. He may be 80 but the U.S. Navy veteran has a master’s and is quite tech-savvy. But still, he says scammers wiped out his bank account. … “This money that they took, it was money I was living on. It was my main account,” McKendrick said through tears. From <https://www.wpbf.com/amp/article/navy-veteran-warns-of-online-security-scammers-that-robbed-him-of-his-life-savings/43733696>
Take the opportunity of World Password Day to double check the security of your passwords.
- On World Password Day, use these tips to make your passwords even stronger: Take advantage of the tools built into your device to lock down your accounts. https://www.macworld.com/article/1807351/password-manager-passkey-biometrics-2fa-security-key.html
Apple and Google collaborating to limit Air Tag stalking
- Apple and Google are working together to limit AirTag stalking: Apple and Google’s proposal would alert users if an unknown Bluetooth tracker is traveling with them, no matter what kind of phone they have. https://www.theverge.com/2023/5/2/23707920/apple-google-airtag-stalking-bluetooth-tracker-alert-standard
Section 3 – Cybersecurity News for the Cyber-Concerned.
Meanwhile another week demonstrating again the too common failure of government agencies to manage cybersecurity. Here in CA, we learned this week that San Bernardino County paid cybercriminals more than a $1,000,000 after a cyberattack took out the computers of the Sheriff’s Department. With all duo respect to County spokesperson David Wirt, I’m glad the County anticipated the attack and had insurance. Everyone needs to anticipate a cyber attack in today’s world. But if you anticipated an attack why didn’t you make sure you would be able to detect the attack, respond to it, and recover from it without having to pay cyberscum to get your systems working? One doesn’t ignore traffic lights because one has insurance.
Across the country, Suffolk County on Long Island is still recovering from a cyberattack that we first reported in December. This week we learned they had no recovery plan in place. How can a County Government serving more than 1,000,000 residents not have a recovery plan? This is a clear example of cyber-negligence.
San Bernardino and Suffolk County are strong lessons to every organization. The enemy is inside the gates. Be prepared. It’s not rocket science. It’s doing the basics well. From the top down and from the bottom-up. We must do better and we can do better.
- San Bernardino County paid $1.1 million ransom to hacker of Sheriff’s Department computers: San Bernardino County acknowledged this week that it has paid a $1.1 million ransom to a hacker who uploaded malware to the Sheriff’s Department’s computer system. For weeks, the county said little publicly about the hack, other than to call it a “network disruption.” … David Wert, a county spokesman, said the county had anticipated such a computer invasion and had taken out insurance. He said that of the $1.1 million payout, the county’s share was $511,852 and that the insurance company paid the rest. From <https://www.sbsun.com/2023/05/04/san-bernardino-county-paid-1-1-million-ransom-to-hacker-of-sheriffs-department-computers/>
- Suffolk cyberattack: Special counsel says county didn’t have recovery plan in place : A special Legislative committee met for the first time Monday to probe the Suffolk County cyberattack. … The attack impacted 500,000 people, with hackers gaining access to 470,000 driver’s license numbers, 26,000 Social Security numbers, and 71 county systems. Officials say they were able to gain access through the county clerk’s network. From <https://longisland.news12.com/suffolk-cyberattack-special-counsel-says-county-didnt-have-recovery-plan-in-place>
- Dallas disrupted by hackers – courts closed, police and fire sites offline: Hacker sabotage has disrupted several public services in Dallas, closing courts and knocking emergency services websites offline, officials said on Thursday. From <https://www.reuters.com/world/us/dallas-disrupted-by-hackers-courts-closed-police-fire-sites-offline-2023-05-04/>
- Ransomware group behind Oakland attack targets city in Massachusetts: The cybercrime group that launched a devastating attack on the city of Oakland has taken credit for yet another breach of a local government — this time naming the Massachusetts city of Lowell as its latest victim. From <https://therecord.media/lowell-massachusetts-city-ransomware-attack-play-cybercrime>
Two important AI stories this week. The second, by luminary Bruce Schneier, is a brilliant case-study of what to expect in the 2024 election.
- ‘The Godfather of A.I.’ Leaves Google and Warns of Danger Ahead: For half a century, Dr. Geoffrey Hinton nurtured the technology at the heart of chatbots like ChatGPT. Now he is leaving Google so that he can freely share his concern that artificial intelligence could cause the world serious harm. Free link to New York Times story
- Large Language Models and Elections: Earlier this week, the Republican National Committee released a video that it claims was “built entirely with AI imagery.” The content of the ad isn’t especially novel—a dystopian vision of America under a second term with President Joe Biden—but the deliberate emphasis on the technology used to create it stands out: It’s a “Daisy” moment for the 2020s. From <https://www.schneier.com/blog/archives/2023/05/large-language-models-and-elections.html>
Washington has a new data privacy law.
- New Health Data Privacy Law in Washington Protects Location Records, Ensures Access to Personal Data: The state of Washington’s new health data privacy law expands protections for residents, including restrictions on the sharing of location data that would shelter abortion seekers who might face legal trouble in their home states. … Though the new law was spurred by the overturn of Roe v. Wade, it provides some additional data protections that go beyond the realm of abortion concerns. Health consumers of all types will now have greater visibility into stored data, and the ability to request corrections and deletions. The bill specifically addresses sources that fall into the “HIPAA gap,” such as fitness apps and period trackers. From <https://www.cpomagazine.com/data-protection/new-health-data-privacy-law-in-washington-protects-location-records-ensures-access-to-personal-data/>
The government made some significant busts this week even as it is still recovering from an attack on the Marshals’ Technical Operations Group (TOG).
- FBI, Ukraine seize cryptocurrency exchanges for abetting cybercriminals: The FBI and Ukrainian law enforcement have taken down nine cryptocurrency exchanges allegedly catering to cybercriminals. … According to a FBI release published Monday, the agency’s Detroit field office and Virtual Currency Response Team, along with the Ukraine National Police and the Prosecutor General’s Office, “conducted coordinated, court authorized activity involving nine virtual currency exchange services.” https://therecord.media/cryptocurrency-exchanges-seized-by-fbi-ukraine
- Popular service used by cybercriminals to verify stolen credit card info shut down: U.S. authorities announced Wednesday that they shut down a popular credit card verification service used by cybercriminals and indicted a Russian citizen suspected of running the scheme. https://therecord.media/try2check-cybercrime-tool-shut-down-founder-kulkov-charged
- Police operation ‘SpecTor’ arrests 288 dark web drug vendors and buyers: An international law enforcement operation codenamed ‘SpecTor’ has arrested 288 dark web vendors and customers worldwide, with police seizing €50.8 million ($55.9M) in cash and cryptocurrency. … The vendors were active on a marketplace known as ‘Monopoly Market’ that sold drugs to customers worldwide in exchange for Bitcoin and Monero cryptocurrency. … Monopoly Market was launched in 2019 but was later seized by law enforcement in December 2021. https://www.bleepingcomputer.com/news/security/police-operation-spector-arrests-288-dark-web-drug-vendors-and-buyers/
- Computer system used to hunt fugitives is still down 10 weeks after hack: A secretive technology arm that the U.S. Marshals Service uses to find suspects has struggled to get back up and running. … A key law enforcement computer network has been down for 10 weeks, the victim of a ransomware attack that has frustrated efforts by senior officials to get the system back up and running — raising concerns about how to secure critical crime-fighting operations. Free link to Washington Post story
This week in the courts.
- The Merck appeal: cyber insurance and the definition of war: Pharmaceutical giant Merck’s won an appeal that might see it claim $1.4 billion from insurers due to the NotPetya ransomware attack. The decision hinged on the definition of war and it could also affect how insurance terms are defined in the future. … Pharmaceutical firm Merck recently won an appeal that could mean its insurers will have to pay up on a $1.4-billion judgment related to the NotPetya cyberattack in 2017. The New Jersey appellate division judges hearing the appeal judge noted that the plain definition of war applies to the various insurance policies and that a cyberattack against an accounting firm not engaged in hostilities, while criminal and based on ill-will, was not tantamount to an act of war. From <https://www.csoonline.com/article/3695573/the-merck-appeal-cyber-insurance-and-the-definition-of-war.html>
- Ex-Uber CSO given three-year probation sentence, avoids prison after guilty verdict: Former Uber chief security officer Joe Sullivan was given three years probation by a U.S. federal judge on Thursday following a headline-grabbing conviction last year over his handling of a data breach. … Federal judge for the Northern District of California William Orrick decided against giving Sullivan any prison time in a tense hearing that involved deep debates over how cybersecurity executives should handle law enforcement investigations. … Orrick told Sullivan that he has a duty to become an evangelist among CISOs and spread the message that transparency and disclosure is paramount in situations like the one he faced. … “When you go out and talk to your friends, to CISOs, tell them that you got a break not because of what you did, not even because of who you are,” Orrick said. “But because this was just such an unusual one-off — the first of its kind. If there are more, people should expect to spend time in custody regardless of anything.” From <https://therecord.media/former-uber-cso-avoids-prison-sentenced-to-three-year-probation>
Section 4 – Managing Information Security and Privacy in Your Organization.
Two excellent articles from the Harvard Business Review. As we wrote above, the business impact of a breach on large company can be measured in lost dollars. The situation is different for small organizations. For small organizations, the impact is too often fatal. Jobs are lost. Lives are upended. Families are crippled. Don’t let this be you.
- Boards Are Having the Wrong Conversations About Cybersecurity: Headlines increasingly highlight the consequences of poor cybersecurity practices. Board members with cybersecurity experience are trying to get their fellow members’ attention on it. And board members want to provide oversight, even though they just don’t have the right questions to ask. Boards need to discuss their organization’s cybersecurity-induced risks and evaluate plans to manage those risks. With the right conversations about keeping the company resilient, they can take the next step to provide adequate cybersecurity oversight. https://hbr.org/2023/05/boards-are-having-the-wrong-conversations-about-cybersecurity.
- The Devastating Business Impacts of a Cyber Breach: Cybersecurity risks are becoming more systematic and more severe. Although the short-term impacts of a cyberattack on a business are quite severe, the long-term impacts can be even more important, such as the loss of competitive advantage, reduction in credit rating, and increase in cyber insurance premiums. They should not be ignored. To address these concerns effectively, companies need to: 1) Have a cybersecurity champion on the board to help set the tone for the organization, and 2) develop a long-term cybersecurity strategy, which should be a priority for every organization. https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach.
