Cybersecurity News of the Week, October 15, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

This week’s Top of the News offers two stories Illustrating the dystopian dangers of AI, big data, and disinformation.

  • ‘Too dangerous’: Why even Google was afraid to release this technology: Imagine strolling down a busy city street and snapping a photo of a stranger then uploading it into a search engine that almost instantaneously helps you identify the person. … This isn’t a hypothetical. It’s possible now, thanks to a website called PimEyes, considered one of the most powerful publicly available facial recognition tools online. … On TikTok, PimEyes has become a formidable tool for internet sleuths trying to identify strangers, with videos notching many millions of views showing how a combination of PimEyes, and other search tools, can, for example, figure out the name of a random cameraman at a Taylor Swift concert. … While the company claims it is a service that can help people monitor their online presence, it has generated controversy for its use as a surveillance tool for stalkers, collecting countless images of children and for adding images of dead people to its database without permission. … Without any federal laws on the books in the U.S. governing facial recognition technology, services copying PimEyes are expected to proliferate in the coming years. … Consider the consequences, says journalist Kashmir Hill, of everyone deciding to use this technology at all times in public places. … “Something happens on the train, you bump into someone, or you’re wearing something embarrassing, somebody could just take your photo, and find out who you are and maybe tweet about you, or call you out by name, or write nasty things about you online,” said Hill, a reporter for The New York Times who recently published a book on facial recognition technology called “Your Face Belongs to Us.”
  • A.I. Obama’ and Fake Newscasters: How A.I. Audio Is Swarming TikTok: TikTok accounts are spreading falsehoods with help from A.I.-generated voices. … In a slickly produced TikTok video, former President Barack Obama — or a voice eerily like his — can be heard defending himself against an explosive new conspiracy theory about the sudden death of his former chef. … In fact, the voice did not belong to the former president. It was a convincing fake, generated by artificial intelligence using sophisticated new tools that can clone real voices to create A.I. puppets with a few clicks of a mouse.

Small and Midsize Organizations. Take your security to the next level. As part of our LA Cybersecure initiative, SecureTheVillage has launched a Pilot Program to enable 50 small to midsize organizations to measurably improve their cybersecurity readiness. The LA Cybersecure Pilot Program is partially funded by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.  Find out more and register now.

Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription! 

How Hackable Are You? Take our test. Find out how hackable you are and download our free updated 13-step guide.

  • How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basics. Please take our short test as your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

Cyber Humor

Cybersecurity Nonprofit of the Week … Cyber Readiness Institute

Our kudos this week to the Cyber Readiness Institute (CRI) and the great work they do helping our medium-size and smaller organizations manage their information security challenges. CRI’s Cyber Readiness Program helps organizations protect their data, employees, vendors, and customers. This free, online program is designed to help small and medium-sized enterprises become more secure against today’s most common cyber vulnerabilities. Their free Cyber Leader Certification Program is a personal professional credential for those who have completed the Cyber Readiness Program. Both are highly recommended. Like SecureTheVillage, the Cyber Readiness Institute is a fellow-member of Nonprofit Cyber. Dr. Stahl is a proud member of CRI’s Small Business Advisory Council.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

The 23andMe Breach: Critical Accounts Unguarded When MFA is Optional: (Video) (Podcast): The #23andMe security lapse repercussions go beyond just the user’s personal genetic data. With this breach, their relatives are at risk. The data taken from 23andMe, likely through #credentialstuffing, could cover more than HALF of the company’s 14 million customers, based on the number of people who have opted to make their data visible to relatives, including distant cousins. … As we dive into the shortcomings of optional multi-factor authentication for critical online accounts, we ask: Is the industry doing enough? Plus, get updates on LA CyberSecure, our pilot program boosting cybersecurity for local businesses and nonprofits. … Don’t leave your digital life to chance! Subscribe to #LiveOnCyber with Stan Stahl, PhD and Julie Michelle Morris for your weekly 15-min update. Be a proactive #CyberCitizen! Learn more and apply to join the LA CyberSecure pilot program today:

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

Rigorous patching is one of our Top-5 recommendations for staying safe from hackers. This week again illustrates why as Microsoft updated more than 100 vulnerabilities in Windows and CISA warns that an Adobe vulnerability patched in January is. And CISA is warning that an Adobe bug that was patched in January is being actively exploited. Last week, Apple released patches for zero-days, vulnerabilities that were being actively exploited before a patch was available. Our Weekend Patch Report identifies common programs that need updating.

  • Patch Tuesday, October 2023 Edition: Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS…. Apple last week shipped emergency updates in iOS 17.0.3 and iPadOS 17.0.3 in response to active attacks. …  For anyone keeping count, this is the 17th zero-day flaw that Apple has patched so far this year.
  • CISA Warns of Actively Exploited Adobe Acrobat Reader Vulnerability: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. … A patch for the flaw was released by Adobe in January 2023.

Another sad story of getting scammed. Please warn the people you love. And stay safe yourself.

  • I’m embarrassed to admit it, but it’s true: I fell for a costly gift card scam. Here’s how.: If you think no one could ever convince you to go buy multiple $500 gift cards and send them the codes, you might be right. You also might be wrong. … It’s all especially humiliating because I’ve done a bunch of Googling and reading about this type of scheme since falling for it, and apparently, fraudsters have been using some variation of it to dupe people for years. In other words, not only should I have known better just in general, I should have known better specifically because the warning signs about this have been “out there” for some time. … Alas, I’m sharing my story — and it’s a family story, really — in the hopes that you can learn something from our mistakes.

Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.

National cybersecurity in the news.

  • Vietnam tried to hack U.S. officials, CNN with posts on X, probe finds: The attempts appear to have been unsuccessful, but came as the U.S. and Vietnam were negotiating an agreement that President Biden signed last month in Hanoi. … Vietnamese government agents tried to plant spyware on the phones of members of Congress, American policy experts and U.S. journalists this year in a brazen campaign that underscores the rapid proliferation of state-of-the-art hacking tools, according to forensic examination of links posted to Twitter and documents uncovered by a consortium of news outlets that includes The Washington Post.
  • Former US Cyber Director Inglis on Israel, Russia and ONCD’s future: Chris Inglis, the first-ever national cyber director, said Tuesday that cyberattacks would likely become a part of the unfolding conflict between Israel and Hamas, but he is confident in Israel’s ability to defend itself both on the battlefield and in cyberspace. … “Cyber is involved in everything… it’s certainly involved in this and I think in two ways,” said Inglis, who stepped down from his post in February. “One, cyber, the digital infrastructure, is being used to synchronize, coordinate activities, whether that’s diplomacy or actions on the battlefield, and therefore needs to work well, needs to work with optimal performance.” … The other front is the “information war” between the two sides to push their perspectives, according to Inglis.

An excellent in-depth story from the Wall Street Journal on how the government buys up bulk data from information brokers that it uses in surveillance.

  • How Ads on Your Phone Can Aid Government Surveillance: Federal agencies buy bulk data, collected from ads you might never see, that can yield valuable information about you. … Technology embedded in our phones and computers to serve up ads can also end up serving government surveillance. … Information from mobile-phone apps and advertising networks paints a richly detailed portrait of the online activities of billions of devices. The logs and technical information generate valuable cybersecurity data that governments around the world are eager to obtain. When combined with classified data in government hands, it can yield an even more detailed picture of an individual’s behaviors both online and in the real world. A recent U.S. intelligence-community report said the data collected by consumer technologies expose sensitive information on everyone “in a way that far fewer Americans seem to understand, and even fewer of them can avoid.”

Former Uber CISO Joseph Sullivan is appealing his conviction on charges related to a 2016 data breach at the company. The story is important in putting CISOs in the cross-hairs of the law.

  • Uber’s Ex-CISO Appeals Conviction Over 2016 Data Breach: Joe Sullivan’s lawyers have claimed his conviction on two felony charges is based on tenuous theories and criminalizes the use of bug bounty programs. … Former Uber CISO Joseph Sullivan’s conviction earlier this year on charges related to a 2016 data breach at the company should not be allowed to stand because it threatens the use of bug bounty programs among enterprise organizations, his lawyers argued in an appeal this week. … In a brief filed Tuesday with the US Court of Appeals for the Ninth Circuit, Sullivan’s legal team described him as the victim of a “profoundly flawed” verdict that was based on tenuous theories about his responsibilities as the security chief at Uber.

The EU is about to require organizations to disclose exploited vulnerabilities within 24 hours of their discovery. While a positive step towards providing information allowing organizations to defend themselves, it’s also incredibly dangerous as it may alert adversaries to weaknesses.

  • Security Pros Warn That EU’s Vulnerability Disclosure Rule Is Risky: The Cyber Resilience Act’s requirement to disclose vulnerabilities within 24 hours could expose organizations to attacks — or government surveillance…. The European Union (EU) may soon require software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of an exploitation. Many IT security professionals want this new rule, set out in Article 11 of the EU’s Cyber Resilience Act (CRA), to be reconsidered. … The rule requires vendors to disclose that they know about a vulnerability actively being exploited within one day of learning about it, regardless of patch status. … In an open letter signed by 50 prominent cybersecurity professionals across industry and academia, among them representatives from Arm, Google, and Trend Micro, the signatories argue that the 24-hour window is not enough time — and would also open doors to adversaries jumping on the vulnerabilities without allowing organizations enough time to fix the issues.

There was a major Distributed Denial of Service (DDoS) attack this week. Who? Why? Is this a test before our enemies launch DDoS attacks on our banks and our traffic signals?

The MOVEit debacle continues.

  • SEC is investigating MOVEit mass-hack, says Progress Software: U.S. securities regulators have opened a probe into the MOVEit mass-hack that has exposed the personal data of at least 64 million people, according to the company that made the affected software.
  • How MOVEit Is Likely to Shift Cyber Insurance Calculus: Progress Software plans to collect millions in cyber insurance policy payouts after the MOVEit breaches, which will make getting coverage more expensive and harder to get for everyone else, experts say. … In its recent Security and Exchange Commission (SEC) filing, Progress Software, the company behind the MOVEit file transfer software that’s been used to breach dozens of major organizations, says it plans to try and fully collect on its $15 million cyber insurance policy. But how is that fat $15 million payout likely to effect how insurers approach their own businesses?

As expected, 23andMe has been sued. One issue will be whether it was reasonable, given the nature of the information needing protection, for 23andMe to fail to require users to implement MFA. Stay tuned as this case may help define “reasonableness.”

  • 23andMe Faces Class Action Lawsuit Following Data Breach: In a move that has come to be expected following most cyberattacks, two victims of the recent 23andMe data breach have filed a class action lawsuit. … The suit, filed in U.S. District Court for the Northern District of California, alleges negligence, invasion of privacy, unjust enrichment, and breach of implied contract.

This week in cybercrime.

  • LockBit’s $80M Ransom Demand To CDW Is Third Largest Ever: The cybercriminal gang is threatening to leak stolen CDW data if its payment demand isn’t met by a Thursday deadline.
  • Alameda Trader Phished for $100 Million After Clicking Malicious Google Link, Says Ex-Engineer: FTX’s sister trading firm Alameda Research prioritized speed at the expense of proper security practices, claims a former employee. … In yet another lengthy thread on X (formerly known as Twitter), former Alameda Research software engineer Aditya Baradwaj revealed how FTX’s sister fund grappled with multiple security incidents, ultimately losing at least $190 million in trading funds. … One of the most significant exploits detailed by Baradwaj reportedly involved a trader at Alameda losing more than $100 million of the firm’s funds. … The incident unfolded when the trader clicked on a malicious link for a DeFiapp that had been promoted to the top of Google Search results.
  • Air Europa customers urged to cancel cards following hack on payment system: Customers of Spanish airline Air Europa were on Tuesday advised by the company to cancel their credit cards following a cyberattack affecting its online payment system. … The company, based on the island of Mallorca, did not announce how many customers were affected nor when the attack took place.
  • Shadow silent on data breach as hacked data appears genuine: A data breach at French cloud gaming provider Shadow may be worse than the company initially suggested, according to a sample of the stolen data seen by TechCrunch. … In an email sent to affected customers this week, Paris-based Shadow said that a hacker carried out an “advanced social engineering attack” against one of its employees that allowed access to customers’ private data. In the email, Shadow CEO Eric Sèle said this includes full names, email addresses, dates of birth, billing addresses and credit card expiry dates.
  • Manufacturing giant dealing with ‘disruptive’ cyberattack: Simpson Manufacturing Company, a major U.S. manufacturer of building materials said on Tuesday that it is dealing with a cyberattack disrupting its business operations – becoming the latest manufacturing firm in recent weeks to face operational issues due to a cyber incident.

Section 4 – Managing  Information Security and Privacy in Your Organization.

Warn your people.

  • LinkedIn Smart Links Abused in Phishing Campaign Targeting Microsoft Accounts: A recently identified phishing campaign is relying on LinkedIn smart links to bypass email defenses and deliver malicious lures into Microsoft users’ inboxes, email security firm Cofense reports. … A legitimate feature connected to LinkedIn’s Sales Navigator services, smart links allow businesses to promote websites and advertisements, redirecting users to specific domains. … Threat actors, however, are relying on the feature to redirect users to malicious websites that attempt to steal their credentials and personal information, abusing the inherent trust that email gateways have in LinkedIn.

New resources for managing IT security from CISA.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge