Cybersecurity News of the Week, October 6, 2024

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Corner

October is Cybersecurity Awareness Month, which makes it a perfect time for the following story, a story that clearly raises awareness about how misaligned our cyber defenses are. Change your router password now, say the experts. Good advice, ranking number 12 in the SecureTheVillage How Hackable Are You? baker’s dozen.

But then look at the research. Research that’s consistent with decades of personal observations here in LA. The overwhelming majority of us haven’t a clue about changing the password on our routers. It’s as foreign to most of us as changing the carburetor on our cars. We turn on the water, we get water. We flip a light switch and light goes on or off. We connect our computers and smartphones to the little black box in the corner and expect to get our news, our video streams, our kid’s homework assignments, and all the other cool cyber-stuff. We don’t expect to have to secure it.

As so many others point out, this is, in part, a matter of public economic policy. A router manufacturer has little incentive to add security into its products. Adding security will increase costs. Consumers neither know about nor care about security. This makes it hard for the manufacturer to recoup those extra costs in the marketplace. Adding security and passing on the costs puts the manufacturer at a competitive disadvantage to its competitors.

The situation is not unlike automobile safety in the 1960s. My first car didn’t have seatbelts. People weren’t demanding safety in our cars. It was a time of power and shiny tail fins. Any manufacturer adding seat belts would be put at an economic disadvantage. Its costs would increase while its ability to pass those costs to its customers wouldn’t.

This Critical Password Warning should make us all aware of the need to align our cybersecurity incentives so they meet the needs – and the realities – of our people. This is why ideas like Security by Design and Security by Default (and their privacy lookalikes) need to be turned into meaningful requirements on the makers of technology.

Router manufacturers know how to build and maintain routers so that people don’t have to. So too do AT&T, Verizon, and all the other companies that put these boxes in our homes.

To protect our people, it’s time to change the economic incentives. This is why SecureTheVillage will continue to urge the next Administration and Congress to pass and implement common sense regulations on our technology developers. Security by Design. Security by Default. Privacy by Design. Privacy by Default.

We’re in this together.

  • New Critical Password Warning—86% Of All Router Users Need To Act Now: Change your router password now, experts say. … If you are reading this, you are almost certainly doing so without realizing you could be leaving the door open to hackers. New research has revealed that an astonishing 86% of broadband users have little idea about cybersecurity, or at least the security of the device they use to connect to the internet. That’s the number of people who have never changed their broadband router admin password from the factory default, and that’s a grave concern, security experts have warned.

From SecureTheVillage

  • Upcoming Events
  • Smaller business? Nonprofit? Take your security to the next level. Apply Now! If you’re a small business or nonprofit in the greater Los Angeles area, apply NOW for LA Cybersecure™. Protect your organization with our innovative team-based learn-by-doing program with coaching and guidance that costs less than two cups of coffee a week.
  • IT Service Provider / MSP? Grow revenues. Take your client’s security to the next level. Apply Now! If you’re an IT service provider in the greater Los Angeles area, apply NOW for LA Cybersecure™. With our innovative team-based learn-by-doing program, you’ll have both that “seat at the table” and the peace of mind that you’re providing your clients with the reasonable IT security management they need. … The LA Cybersecure™ Program is funded in part by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.
  • SecureTheVillage FREE Newsletters. Sign up or share with a friend!
    • Cybersecurity News of the Week & Weekend Patch Report. Our award winning newsletter. Essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned.
    • Family Protection Newsletter: Our monthly newsletter for non-cyber experts. For your parents, friends, and those who need to protect themselves in a digital world.
  • How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basic controls and download our free updated 13-step guide.
  • Please Support SecureTheVillage: We need your help if we’re to build a world of CyberGuardians™. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village.™

Security Nonprofit of the Week … Common Good Cyber

Kudos this week to Common Good Cyber, a new and important player in meeting the cybersecurity challenge. The goal of Common Good Cyber is to identify and implement innovative models for sustaining groups, organizations, and individuals involved in critical cybersecurity functions for the broader Internet community. Kudos also to the nonprofits who have come together to create and support this global initiative. Global Cyber Alliance. Cyber Threat Alliance. CyberPeace Institute. Forum of Incident Response and Security Teams (FIRST). Global Forum on Cyber Expertise (GFCE). Institute for Security & Technology (IST). Shadowserver Foundation. Watch the Video: Common Good Cyber – Together, We Can Build A Stronger Internet

Cyber Humor

Section 2: Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.

Cybercriminals in Russia have found another way to break into your computer: they offer a website that turns any photo into a deepfake nude. Along with the deepfake comes a ransomware attack.

The next two stories continue to illustrate how America’s lack of privacy controls on data brokers harms all of us. At the very least, we need a national law to follow California’s CPRA and require companies to implement reasonable security practices. And we have to impose steep civil costs and penalties on them when they’re breached unless they can demonstrate they have reasonable controls.

Gizmodo filed a Freedom of Information Act (FOIA) request with the FTC for consumer complaints about Truth Social. I’d love to see an FOIA request about Facebook, X, or any of the common dating sites. I’m sure they’d find the same thing. These social platforms are rife with cybercriminals looking for the next person they can victimize. Cybercriminals are equal opportunity thieves. They’ll steal from MAGAs and they’ll steal from diehard Democrats.

  • Truth Social Users Are Losing Ridiculous Sums of Money to Scams: Donald Trump launched Truth Social in 2022 as a social media platform where the MAGA faithful could hang out. … But new documents obtained by Gizmodo reveal the site has been flooded with scammers who are swindling users out of enormous sums of money. We’re talking about people who’ve lost hundreds of thousands of dollars in a relatively short period of time. … Gizmodo submitted a Freedom of Information Act (FOIA) request with the FTC for consumer complaints about Truth Social filed in the past two years. The complaints about scams are shocking, if only because there are such large sums of money involved. And we’re publishing a sample of the full, unedited complaints below.

Section 3: Cybersecurity and Privacy News for the Cyber-Concerned.

A great story in The Washington Post about Jarod Koopman of the Internal Revenue Service and his great work protecting us in cyberspace. Kudos Jarod. Thank you for your service.

  • The Cyber Sleuth: … At an early-morning Brazilian jujitsu class in Hamburg, N.Y., sweat flies as men pair off and pounce on each other, grappling and grunting on the mats. The fighters are so entangled that it’s hard to tell which hand or foot belongs to which body. Jarod Koopman, the black-belt instructor, pins a student named Mike to the floor and with a shift of his hip renders him immobile. Mike weighs 280 pounds; Jarod, 180. Brazilian jujitsu was created to do this: enable a smaller person to bring down a much bigger one. … Koopman teaches this class about three times a week, then changes out of his heavy cotton gi into the business shirt and pressed slacks of a professional accountant. When he sits down at his computer, what he will do at work is much the same as what he does at the dojo. This work has, among other things, led to the rescue of 23 children from rape and assault, the seizure of a quarter-million child abuse videos, and the arrest of 370 alleged pedophiles. It has resulted in the largest-ever seizure of cryptocurrency headed to Hamas, al-Qaeda and the Islamic State. When Changpeng Zhao, chief of the world’s biggest cryptocurrency exchange, Binance, reported to prison in June, it was because Koopman’s small cybercrime team had uncovered evidence of the firm’s money laundering for terrorists and sanctions-busting for Iran, Syria and Russia. In the past 10 years, this work has returned more than $12 billion to victims of crime and to the U.S. Treasury.

Two more stories of success to kick off Cybersecurity Awareness Month.

  • How the FBI and Mandiant caught a ‘serial hacker’ who tried to fake his own death: Jesse Kipf was a prolific hacker who sold access to systems he hacked, had contacts with a notorious cybercrime gang, and tried to use his hacking skills to get off the grid for good. … In the early hours of January 20, 2023, a doctor’s user account logged onto the Hawaii Electronic Death Registration System from out of state to certify the death of a man named Jesse Kipf. The death certificate listed the cause as “acute respiratory distress syndrome” due to COVID-19 a week earlier. And with that, Kipf was unceremoniously registered as deceased in several government databases. … On the same day, a hacker nicknamed “FreeRadical” posted the same death certificate on a hacking forum in an attempt to monetize the access they had to the system. “Access level is medical certifier which means you can create and certify a death in this panel,” the hacker wrote.
  • The US and Microsoft disrupt a Russian hacking group targeting American officials and nonprofits: WASHINGTON (AP) — A hacking group tied to Russian intelligence tried to worm its way into the systems of dozens of Western think tanks, journalists and former military and intelligence officials, Microsoft and U.S. authorities said Thursday. … The group, known as Star Blizzard to cyberespionage experts, targeted its victims with emails that appeared to come from a trusted source — a tactic known as spear phishing. In fact, the emails sought access to the victims’ internal systems, as a way to steal information and disrupt their activities. … Star Blizzard’s actions were persistent and sophisticated, according to Microsoft, and the group often did detailed research on its targets before launching an attack. Star Blizzard also went after civil society groups, U.S. companies, American military contractors and the Department of Energy, which oversees many nuclear programs, the company said.

Does an insurance company’s willingness to pay ransom encourage ransomware attacks? And if so, how might we the people manage this?

  • White House official says insurance companies must stop funding ransomware payments: Insurance companies must stop issuing policies that incentivize making extortion payments in ransomware attacks, a senior White House official said on Friday. … Writing an opinion piece in the Financial Times newspaper, Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technologies, warned that ransomware was “wreaking havoc around the world.” … Attempts to engage with the insurance industry on this front have not yet delivered any promises, let alone formal agreements, although Neuberger said it could play a “constructive role” by “requiring and verifying implementation of effective cyber security measures as a condition of underwriting its policies, akin to the way fire alarm systems are required for home insurance.”

The Wall Street Journal reports on a long-term cyber-attack against our wiretap system with potentially far-ranging implications.

  • U.S. Wiretap Systems Targeted in China-Linked Hack: AT&T and Verizon are among the broadband providers that were breached. … A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests. … For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk. The attackers also had access to other tranches of more generic internet traffic, they said. … The widespread compromise is considered a potentially catastrophic security breach and was carried out by a sophisticated Chinese hacking group dubbed Salt Typhoon. It appeared to be geared toward intelligence collection, the people said.

Meanwhile, in this week’s cybercrime news, a breach at Rackspace has Rackspace blaming its vendor and the vendor blaming its vendor. Every organization must be responsible for managing its “software supply chain.” This is mandatory if we are to have Security by Design and Security by Default.

  • Zero-Day Breach at Rackspace Sparks Vendor Blame Game: A breach at Rackspace exposes the fragility of the software supply chain, triggering a blame game among vendors over an exploited zero-day. … Enterprise cloud host Rackspace has been hacked via a zero-day flaw in ScienceLogic’s monitoring app, with ScienceLogic shifting the blame to an undocumented vulnerability in a different bundled third-party utility.

In other cybercrime news, Wayne County MI was hit by a cyberattack Wednesday and seems to already be mostly back online (as of Sunday morning). Not so, Columbus, OH. We first reported their incident on July 28, more than two months ago. It doesn’t expect to be fully back online until the end of the month. Different attacks? Different preparations? There should be much we can learn.

  • Michigan’s largest county suffers cyberattack: Wayne County, Michigan, which contains Detroit, suffered a cyberattack that disabled many government services. … Wayne County, Michigan, the largest county in the state with more than 1.75 million residents, is dealing with a cyberattack that shut down all its government websites and limited the operations of several functions, including financial transactions, case management and estate sales. … Doug Lulgjuraj, a spokesperson for the county, which contains Detroit, told local affiliates that he expects the county’s website, which was still inaccessible on Thursday afternoon, to be “fully operational” by Friday, which would restore access to several online services, such as property tax payments and property records.
  • Columbus seeks $7 million from City Council for cyberattack response, recovery: The Columbus Department of Technology plans to ask Columbus City Council at its Monday meeting for over $7 million—including $3 million in new money—to pay for the city’s ongoing response to a July ransomware attack, according to a Friday press release from Mayor Andrew Ginther’s office. … The city also announced Friday 72% of its 441 technology systems have been restored, and 5% have been partially restored nearly three months after the ransomware attack was discovered. The city’s goal is to have its systems up and running “at peak efficiency” by the end of October, Ginther said in the release.

Section 4: Securing the Organization.

Here’s an in-depth article about the shifts in priorities, tactics, and spending.

A warning about all those automated AI meeting assistants. Make sure your people know about their dangers.

  • AI assistants are blabbing our embarrassing work secrets: Workplace AI tools can do tasks by themselves. Getting them to stop is the problem. … Corporate assistants have long been the keepers of company gossip and secrets. Now artificial intelligence is taking over some of their tasks, but it doesn’t share their sense of discretion. … Researcher and engineer Alex Bilzerian said on X last week that, after a Zoom meeting with some venture capital investors, he got an automated email from Otter.ai, a transcription service with an “AI meeting assistant.” The email contained a transcript of the meeting — including the part that happened after Bilzerian logged off, when the investors discussed their firm’s strategic failures and cooked metrics, he told The Washington Post. … The investors, whom he would not name, “profusely apologized” once he brought it to their attention, but the damage was already done. That post-meeting chatter made Bilzerian decide to kill the deal, he said.

Phishing attacks are evolving. Time to revisit defenses, including awareness training.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge