Cybersecurity News of the Week, May 8, 2022

A weekly aggregation of important cybersecurity and privacy news helping you meet your data care challenges and responsibilities.

Stan’s Top-3

Our lead stories this week are warnings about online bank fraud. First is a new FBI warning about Business Email Compromise (BEC). The second is a warning about Zelle scams. NEVER transfer money based on an email, text, or other form of non-personal request. ALWAYS confirm the legitimacy of the request and the correctness of the account information. Vultures everywhere.

Facebook makes the Top-3 again this week with Gizmodo’s interesting analysis of its ranking algorithms.

Cyber Humor

The Front Page 

Other front page cybersecurity and privacy stories.

The rest of the front page is again focused on the cybersecurity impact of Russia’s invasion of Ukraine, starting with an interesting twist that might have far-reaching implications for our own cybersecurity talent shortage.

This story intrigues me. Might we train prisoners to be cybersecurity workers, offering them great careers and perhaps shortened sentences? Might this be an equity play? Intriguing.

  • Russia to Rent Tech-Savvy Prisoners to Corporate IT?: Faced with a brain drain of smart people fleeing the country following its invasion of Ukraine, the Russian Federation is floating a new strategy to address a worsening shortage of qualified information technology experts: Forcing tech-savvy people within the nation’s prison population to perform low-cost IT work for domestic companies. KrebsOnSecurity, May 2, 2022

The good news is that Ukraine and its friends continue taking the battle to Russia. The dangerous news is we don’t know where this ends.

  • Anonymous Claims Responsibility For Cyberattack Against Russian Rosneft: Russian energy giant Rosneft has been hit by a major cyberattack, according to various news reports in Germany. Oil Price, May 3, 2022
  • Hacking Russia was off-limits. The Ukraine war made it a free-for-all: Experts anticipated a Moscow-led cyber-assault; instead, unprecedented attacks by hacktivists and criminals have wreaked havoc in Russia. … For more than a decade, U.S. cybersecurity experts have warned about Russian hacking that increasingly uses the labor power of financially motivated criminal gangs to achieve political goals, such as strategically leaking campaign emails. Washington Post, May 1, 2022
  • Russians plunder $5M farm vehicles from Ukraine — to find they’ve been remotely disabled: (CNN) Russian troops in the occupied city of Melitopol have stolen all the equipment from a farm equipment dealership — and shipped it to Chechnya, according to a Ukrainian businessman in the area. CNN, May 1, 2022
  • Nobody Knows Where the Red Line Is for Cyberwarfare: Is offense the best defense? Or would threats of retaliation keep an enemy in check? … A common explanation for why the Soviet Union never used nuclear weapons during the Cold War was the expectation that any attack would likely prompt a devastating nuclear response. The fear of mutually assured destruction was enough to keep both the USSR and the U.S. from launching a nuclear attack, even as they spent decades building up huge stockpiles of weapons. Bloomberg, May 2, 2022

Meanwhile millions of Russians are using VPNs to get the news Putin’s state-controlled media is blocking.

Security Nonprofit of the Week … Please Take Their MFA Survey.

This week’s security nonprofit, the Cyber Readiness Institute, is conducting a global survey to gauge the awareness and implementation of multifactor authentication (MFA) among small and medium-sized businesses. The survey is supported by CRI Members: Mastercard, Apple, GM, and Principal Financial Group. You can view the survey here through 11:59 EST on May 16. We urge you to take this survey as it will provide valuable information to the community as we defend ourselves against cybercrime. Thanks in advance for your help.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: Join Julie Morris and me as we discuss the latest in cybersecurity. Interpol says “We can’t arrest our way out of cybercrime.” So what do we do to manage our security and privacy? This leads to a discussion of data care, and the things we can all do to keep ourselves and our community safe from cybercrime. SecureTheVillage, May 4, 2022

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

#UpdateNow. Keeping your devices updated is a critical component of data care. The following is a reminder that this principle even applies to security software.

At the same time, users have to be careful that the updates they apply are legitimate.

What you put in your mental health app should stay in your mental health app. Not so.

While we all hate passwords, they’re still a necessary element of sound data care. Make sure yours are long, complex, and unique.

What secrets does your digital footprint hold?

Section 3 – General Cybersecurity and Privacy Stories

Cybersecurity and privacy stories for those wanting a deeper look.

These stories tell us more about the capabilities of the cybercriminal underground. Do not underestimate them. They’re smart, they’re committed, and they’re organized.

Lest you need convincing, these next stories demonstrate the point.

Even as we can’t arrest our way to cybersecurity, our Department of Justice is hard at work doing what it can.

Meanwhile a security researcher has discovered vulnerabilities in cybercriminal malware that might be exploitable to prevent a ransomware attack from successfully encrypting a victim’s files. Stay tuned.

This pair of stories from Motherboard is interesting. The first would qualify as an egregious violation of privacy; the second is SafeGraph’s response to the publicity. In the absence of strong GDPR-style privacy laws, it would seem to take strong negative publicity to counteract the profit opportunities in data collection.

Connecticut has become the 5th state to pass a data privacy law. The law moves in the direction of GDPR, where users must affirmatively agree to their information being collected and sold. This is unlike most of the U.S., where it’s the responsibility of users to “just say no,” if the law in their state even gives them this opportunity. And, as in the SafeGraph stories above, without stories like Motherboard’s, users don’t even know to say no.

Beyond privacy is surveillance. More fallout from the NSO Group Pegasus scandal as Spain acknowledges its cyber-surveillance of Catalan independence leaders.

Section 4 – Data Care in the Organization

Stories to support executives and top management in securing their organizations.

Another warning. This one targeting people engaged in Mergers and Acquisitions.

More corporate upgrades for your IT team.

  • F5 Releases Security Advisories Addressing Multiple Vulnerabilities: F5 has released security advisories on vulnerabilities affecting multiple products, including various versions of BIG-IP. Included in the release is an advisory for CVE-2022-1388, which allows undisclosed requests to bypass the iControl REST authentication in BIG-IP. An attacker could exploit CVE-2022-1388 to take control of an affected system. CISA, May 4, 2022

On the defensive side, the National Institute of Standards and Technology (NIST) has released updated guidance on managing supply chain risk. Vital reading for the CIO, CTO, CISO.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge