A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.
Stan’s Top of the News
This week’s Top of the News contains four stories that point the way towards our shared future.
I like the messages in the first three. Who cannot like the fact that passwords are going away? It’s also nice to see Europe changing the power structure surrounding Meta, Amazon, Google, and other Internet behemoths. I’d like the United States to do the same. And the new form of cryptography in the third story is truly mind-blowing. It lets people share information while keeping that same information secure. It’s based on some incredibly deep mathematics called homomorphic encryption.
- In the Future, There Will Be No Passwords—Because You Keep Giving Yours Away: Your smartphone’s ability to scan your face and read your fingerprint is the key to better online security. … Passwords have long been the linchpin in the machinery protecting our online accounts. Increasingly, they are seen instead as a weak link—one that some companies want to do away with entirely. The Wall Street Journal, October 22, 2022
- Europe Prepares to Rewrite the Rules of the Internet: The Digital Markets Act will force Big Tech platforms to break open their walled gardens in 2023, says the EU’s new ambassador to Silicon Valley. … Next week, a law takes effect that will change the internet forever—and make it much more difficult to be a tech giant. On November 1, the European Union’s Digital Markets Act comes into force, starting the clock on a process expected to force Amazon, Google, and Meta to make their platforms more open and interoperable in 2023. That could bring major changes to what people can do with their devices and apps, in a new reminder that Europe has regulated tech companies much more actively than the US. Wired, October 28, 2022
- Can a new form of cryptography solve the internet’s privacy problem?: Techniques which allow the sharing of data whilst keeping it secure may revolutionise fields from healthcare to law enforcement. … Rachel is a student at a US university who was sexually assaulted on campus. She decided against reporting it (fewer than 10% of survivors do). What she did, however, was register the assault on a website that is using novel ideas from cryptography to help catch serial sexual predators. … The organisation Callisto lets a survivor enter their name in a database, together with identifying details of their assailant, such as social media handle or phone number. These details are encrypted, meaning that the identities of the survivor and the perpetrator are anonymous. If you hacked into the database, there is no way to identify either party. … However, if the same perpetrator is named by two people, the website registers a match and this triggers an email to two lawyers. Each lawyer receives the name of one of the survivors (but not the name of the perpetrator). The lawyers then contact the survivors to let them know of the match and offer to help coordinate any further action should they wish to pursue it. The Guardian, October 29, 2022
I find this last story somewhat dystopian … It’s not that I’m bothered by the potential convenience that “everywhere, all the time” brings, although this will have its own challenges. What I’m most bothered about is that we are nowhere near having sufficient control over our own privacy to safely manage the world envisioned by the story.
- Why the Future of the Computer Is Everywhere, All the Time: ‘Ambient computing’ is coming, and it promises to change how we interact with the world. But there are still a lot of challenges—and concerns—to overcome. … Imagine this scenario in the not-too-distant future. You’re awakened at 6:11 a.m. by the gentle sounds of tinkling bells and birdsong, even though you live in a 12th-floor apartment. Your alarm clock uses radar to track your breathing, and wakes you gently, with sound and light, when it detects you’re in a lighter phase of sleep. The Wall Street Journal, October 29, 2022
Security Nonprofit of the Week … National Cybersecurity Alliance
Kudos this week to the National Cybersecurity Alliance, a non-profit organization on a mission to create a more secure, interconnected world. The Alliance is an advocate for the safe use of technology, educating everyone on how we can protect ourselves, our families, and our organizations from cybercrime. They create strong partnerships between governments and corporations to amplify their message and to foster a greater “digital” good, encouraging everyone to do their part to prevent digital wrongdoing of any kind. As they say, the real solution to cybercrime isn’t technology, it’s all of us doing our part. The National Cybersecurity Alliance is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn
Live on Cyber with Dr. Stan Stahl: Join Julie and me as we discuss cybercrime numbers from the most recent IC3 report. CA leads the nation with over $1B in reported cybercrime losses. Our estimate in LA is that we lose $160 million in reported losses, which translates to something like $1.6B in total cybercrime. We then segue into a discussion of reasonable security and the things we can all do to protect each other’s information, like we discussed in our recent online workshop on reasonable security.
Section 2 – Personal Data Care – Security and Privacy
Important data care stories for protecting yourself and your family.
As we write every week, be careful out there. To quote from Casablanca, one of my favorite movies, “I beg of you, monsieur, watch yourself. Be on guard. This place is full of vultures. Vultures everywhere. Everywhere!” Remember, on the Internet trust no one.
- That customer service number? It could be a scam: Customer service numbers are easy to spoof. Here’s how to sniff out a fake. … When George Hart got an email saying there’d been fraudulent activity on his PayPal account, the 76-year-old knew better than to take the message’s word for it. The Washington Post, October 28, 2022
- These misspelled websites are spreading nasty malware — how to stay safe: Typosquatting continues to be a favorite tactic among cybercriminals. … Unlike with Word and other office software, your browser’s address bar doesn’t have a spell checker, which is why look-alike domains are often used in phishing attacks and to spread malware. Tom’s Guide, October 24, 2022
- These malware dropper apps have thousands of Play Store downloads — delete them now: Malware dropper apps are a lot harder to spot than malicious apps. … A new set of malware dropper apps have been discovered on the Google Play Store, with these apps using fake updates to install banking trojans on the devices of unsuspecting users. Tom’s Guide, October 28, 2022
And train your kids.
- Kids today are ‘overly confident’ about their skills online—losing $101.4 million to hackers last year: You might think today’s teens are as tech-savvy as they come. But being digital natives doesn’t make them immune to online scams. … People under the age of 20 lost $101.4 million to online scams in 2021, according to a recent study from cybersecurity startup Social Catfish, which cited figures from the Federal Bureau of Investigation’s Internet Crime Report. … That’s compared with just $8.3 million in 2017, marking a nearly 1,126% increase in just four years — larger than any other age group in that same period. CNBC, October 26, 2022
And please please please stay up-to-date on updates.
- Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability: Google on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser. The Hacker News, October 28, 2022
- Apple fixes new zero-day used in attacks against iPhones, iPads: In security updates released on Monday, Apple has fixed the ninth zero-day vulnerability used in attacks against iPhones since the start of the year. Bleeping Computer, October 24, 2022
Section 3 – A Deeper Look for the Cyber-Concerned Citizen
Data Care, cybersecurity, and privacy stories to keep you informed.
There’s a lot of money to be made by stealing and selling personal health information. This makes health care organizations prime cybercrime targets. Sadly, too many health care organizations do too little to defend themselves. That’s why we see stories like these so frequently.
- Australian health insurance giant Medibank confirms hacker had access to data of all 3.9 million customers: Medibank has revealed all of its 3.9 million customers have had their data exposed to a hacker, in a significant escalation of the cyber-attack on the Australian health insurer. … In an update to the Australian Stock Exchange on Wednesday, the company said that since Tuesday’s announcement that all customer data may have been exposed, the investigation into the breach has now established the hacker had access to all Medibank, ahm and international student customers’ personal data, and significant amounts of health claims data. … The personal information includes name, address, date of birth, some Medicare card numbers and gender. The health information includes the claim codes made by customers. The Guardian, October 25, 2022
- Alert: This ransomware preys on healthcare orgs via weak-ass VPN servers: Federal agencies are warning of a threat group called Daixin Team that is using ransomware and data extortion tactics to target US healthcare organizations. … In a recent advisory, the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Department of Health and Human Services (HHS) said the group has attacked multiple entities since at least June, deploying ransomware to encrypt data on servers used for a range of services, including electronic health records (EHRs), diagnostic, imaging, and intranet services. The Register, October 24, 2022
We’re covering two more cybercrime stories this week.
- Bed Bath & Beyond reviewing possible data breach: Bed Bath & Beyond Inc (BBBY.O) said on Friday a third party had this month improperly accessed its data through a phishing scam by accessing the hard drive and certain shared drives of one of its employees. Yahoo!finance, October 28, 2022
- Thomson Reuters collected and leaked at least 3TB of sensitive data: Thomson Reuters, a multinational media conglomerate, left an open database with sensitive customer and corporate data, including third-party server passwords in plaintext format. Attackers could use the details for a supply-chain attack. … Media giant with $6.35 billion in revenue left at least three of its databases open. … At least 3TB of sensitive data exposed including Thomson Reuters plaintext passwords to third-party servers. … The dataset was open for several days – malicious bots are capable of discovering instances within mere hours. … Threat actors could use the leak for attacks, from social engineering attacks to ransomware. Cybernews, October 28, 2022
On the defensive side, CISA has released cybersecurity performance goals for the 16 critical infrastructure industries including energy, food, finance, transportation, etc.
- CISA announces cybersecurity performance goals for critical infrastructure: The Cybersecurity and Infrastructure Security Agency released long-awaited performance goals aimed at setting baseline vital practices for critical infrastructure. … The agency created the voluntary goals to broadly apply across all 16 critical infrastructure sectors with a particular focus on the smaller organizations that lack the resources for a robust cybersecurity plan. Cyber Scoop, October 27, 2022
LinkedIn is also rolling out defensive measures to cut down on the number of fraudulent accounts. This follows a story by Brian Krebs that we covered last week.
- LinkedIn’s new security features combat fake profiles, threat actors: LinkedIn has introduced three new features to fight fake profiles and malicious use of the platform, including a new method to confirm whether a profile is authentic by showing whether it has a verified work email or phone number. … Over the past couple of years, LinkedIn has become heavily abused by threat actors to initiate communication with targets to distribute malware, perform cyberespionage, steal credentials, or conduct financial fraud. … Today, LinkedIn announced that it has begun to display more information about accounts to verify their authenticity, actively hunt for fakes using AI, and warn users when they receive suspicious messages. … The first step to fighting fake accounts on LinkedIn is introducing a new “About this profile” section that gives users information like when the user created their profile, if the holder has verified their number, and if they linked a work email. Bleeping Computer, October 26, 2022
We’re covering two stories on the legal front this week, one on an action by the Federal Trade Commission and the second on an arraignment by the Department of Justice.
- FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers: The Federal Trade Commission is taking action against the online alcohol marketplace Drizly and its CEO James Cory Rellas over allegations that the company’s security failures led to a data breach exposing the personal information of about 2.5 million consumers. Drizly and Rellas were alerted to security problems two years prior to the breach yet failed to take steps to protect consumers’ data from hackers. … “Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “CEOs who take shortcuts on security should take note.” Federal Trade Commission, October 24, 2022
- British Hacker Charged for Operating “The Real Deal” Dark Web Marketplace: Daniel Kaye, who went by a litany of pseudonyms Popopret, Bestbuy, UserL0ser, and Spdrman, has been charged with five counts of access device fraud and one count of money laundering conspiracy. … Kaye was indicted in April 2021, and subsequently consented to his extradition from Cyprus to the U.S. in September 2022. … The Real Deal specialized in the sales of hacking tools and stolen login credentials. The Hacker News, October 27, 2022
This next story is troublesome. If the former British PM had her phone hacked, what did the hacker … presumably a nation state … get? Were sources compromised? Stay tuned.
- Liz Truss phone hack claim prompts calls for investigation: The government has been urged to open an investigation into claims former prime minister Liz Truss’s phone was hacked while she was foreign secretary. BBC, October 30, 2022
We conclude this section with a deep story from The Hacker News on the rise of supply-chain attacks, like the SolarWinds attack that resulted in the breach of thousands of the company’s customers.
- How the Software Supply Chain Security is Threatened by Hackers: In many ways, the software supply chain is similar to that of manufactured goods, which we all know has been largely impacted by a global pandemic and shortages of raw material. … However, in the IT world, it is not shortages or pandemics that have been the main obstacles to overcome in recent years, but rather attacks aimed at using them to harm hundreds or even thousands of victims simultaneously. The Hacker News, October 25, 2022
Section 4 – Information Security and Privacy Management in the Organization
Stories to support executives and top management in securing their organizations and protecting privacy.
The cyber-insurance market continues its struggles to remain profitable with the epidemic rise in claims.
- If You’re Hacked, You May Not Have a Claim: Insurance companies increasingly treat cyber aggression as an uncovered act of war. … Lloyd’s of London announced in August that its insurance policies will no longer cover state-backed acts of cyber aggression. This kind of hacking isn’t exactly war, but it’s certainly not the garden-variety mishap that insurance ordinarily covers. Private companies need to prepare. Those that do stand to be rewarded by consumers and markets. … “It is important that Lloyd’s can have confidence that syndicates are managing their exposures to liabilities arising from war and state backed cyber-attacks,” Tony Chaudhry, underwriting director at Lloyd’s, noted in a bulletin to the insurance giant’s underwriters. He explained that the company’s cyber insurance policies must contain “a suitable clause excluding liability for losses arising from any state backed cyber-attack.” The Wall Street Journal, October 23, 2022
Meanwhile life is getting tougher for the people in the trenches. The stress leads to burnout, exacerbated by the worker shortage. And the work never stops.
- Stress Is Driving Cybersecurity Professionals to Rethink Roles: Burnout has led one-third of cybersecurity staffers to consider changing jobs over the next two years, potentially further deepening the talent shortage, research shows. … The stress and strain of cyberattacks on the staff tasked with protecting businesses is driving droves of desperately needed security practitioners to rethink their roles. … New research from Mimecast reveals a huge mental health toll being exacted from cybersecurity professionals with every ransomware, data theft, or other cybersecurity incident. DARK Reading, October 24, 2022
- Global Cybersecurity Workforce Gap Up 26% to 3.4M, Finds (ISC)²’s 2022 Study: The cybersecurity workforce gap has increased by 26.2% in 2022 compared to last year. This is despite the addition of 464,000 professionals to the cybersecurity industry, according to the International Information System Security Certification Consortium or (ISC)². … Cybercriminals have kept the global infosec community busy this past year, considering an 11% increase (464,000) in the cybersecurity workforce, from 4.183 million to 4.7 million between 2021 and 2022, is way too inadequate compared to the 26.2% increase in the demand for security talent. Spiceworks, October 26, 2022
- VMware patches vulnerability with 9.8/10 severity rating in Cloud Foundation: Exploit code was released this week for a just-patched vulnerability in VMware Cloud Foundation and NSX Manager appliances that allows hackers with no authentication to execute malicious code with the highest system privileges. … VMware patched the vulnerability, tracked as CVE-2021-39144, on Tuesday and issued it a severity rating of 9.8 out of a possible 10. The vulnerability, which resides in the XStream open source library that Cloud Foundation and NSX Manager rely on, posed so much risk that VMware took the unusual step of patching versions that were no longer supported. The vulnerability affects Cloud Foundation versions 3.11 and lower. Versions 4.x aren’t at risk. Ars Technica, October 28, 2022
- Cisco Warns AnyConnect VPNs Under Active Cyberattack: Older bugs in the AnyConnect Secure Mobility Client are being targeted in the wild, showcasing patch-management failures. … A pair of known security vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows is being actively exploited in the wild, despite being patched for two-plus years. DARK Reading, October 26, 2022