Cybersecurity News of the Week, October 9, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

Leading the news this week is the conviction of Uber’s former Chief Information Security Officer, Joe Sullivan. Sullivan was found guilty of concealing a felony and obstruction of justice after approving a payment to the cybercriminals who had hacked Uber. The prosecution successfully argued that payment was made in an illegal effort to prevent public disclosure of the breach.

  • Former Uber security chief convicted for concealing a felony:  Uber’s former chief security officer has been convicted of failing to tell US authorities about a 2016 hack of the company’s databases. …  A jury in San Francisco found Joe Sullivan – fired from Uber in 2017 – guilty of obstruction of justice and concealing a felony.  BBC News, October 6, 2022

Meanwhile the Identity Theft Resource Center has released its annual Consumer Impact Report that, among other things, shows a 10x increase in social media account takeover.

  • Identity Theft Report: Social Media Account Takeovers up 1,000% As 40% Of Personal Data Theft Victims Saw Their Information Misused: The Identity Theft Resource Center (ITRC), a San Diego-based nonprofit that has been providing assistance to victims of identity theft since 1999, is sounding a warning of major increases in certain types of personal data theft along with more complex attacks and scams. … The most eye-popping item from the group’s annual 2022 Consumer Impact Report is a 1,000% increase in social media account takeover attacks in 2021. Criminals coming back for more money is also an increasing problem in the wake of a compromise, as they appear to be focusing on identities from which they were initially able to steal a significant amount. And there is an overall increased probability of personal information being misused if it is lost in a data breach. CPO Magazine, October 6, 2022

And on the corporate side, Moody’s reports that 28% of rated corporate debt has “high” or “very high” exposure to cyber-risk. The impact is likely to be to raise the cost of borrowing in industries with heightened risk of a cyber attack.

  • Moody’s turns up the heat on ‘riskiest’ sectors for cyberattacks: About $22 trillion of global debt rated by Moody’s Investors Service has “high,” or “very high” cyber-risk exposure, with electric, gas and water utilities, as well as hospitals, among the sectors facing the highest risk of cyberattacks. … That’s more than one-quarter (28 percent) of the $80 trillion in Moody’s rated debt across 71 global sectors, and it represents a $1 trillion jump from the firm’s 2019 numbers, according to the credit rating biz. The Register, October 3, 2022

Election Security Webinar … Watch the Recording

If you weren’t able to attend our election security webinar, you can watch the recording.

  • What Every Citizen Needs to Know: 2022 Election Cybersecurity: Our democracy depends on getting the mid-term elections right. This means — first and foremost — getting cybersecurity right … Everything from protecting sensitive voter identities, registered voter lists, and voting machines; coming to grips with social media; and ensuring confidence in the outcomes. … Find out what’s really going on from three of the nation’s leading experts in election cybersecurity. How vulnerable are our election systems? How is cybersecurity managed in the 50 states? How do we navigate the coming flood of both mis-information and dis-information? How much confidence can we have in the outcome? Panelists include Brandon Wales, First Executive Director, Cybersecurity and Infrastructure Security Agency (CISA); Kathy Boockvar, Vice President of Election Operations & Support, Center for Internet Security;  Adam Powell III, Executive Director, Election Cybersecurity Initiative, USC Annenberg Center on Communication Leadership and Policy, University of Southern California. Dr. Stan Stahl, SecureTheVillage President and founder moderates.

Cyber Humor

Security Nonprofit of the Week  … Global Cyber Alliance

This week’s security nonprofit is the Global Cyber Alliance (GCA). GCA builds practical, measurable solutions and  easy to use tools, and they work with partners to accelerate adoption around the world. GCA has several specialized toolkits, including a toolkit for small to medium sized businesses  and a toolkit for mission-based organizations. GCA was one of the founders of Nonprofit Cyber, the first-of-its-kind coalition of global nonprofit organizations to enhance joint action to improve cybersecurity. SecureTheVillage is a proud member of Nonprofit Cyber.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

You have a right to be concerned if you have children who go to LAUSD, if you’re employed by LAUSD, or even if you work for an LAUSD  vendor. SecureTheVillage has published a guide How Hackable Are You? that clearly describes eight basic things you can do to protect yourself and your family from cybercrime. What to do. Why to do it. How to do it.

Another sad story of a scam victim. Please be careful. And teach your family to be careful.

  • My mom fell victim to scammers and is sharing her story so you can protect yourself: The latest scam is the Best Buy or Geek Squad scam. And we found someone who fell victim who never thought it would happen to her. Now she’s sharing her story to warn others . … If you got a call or an email from a scammer, would you realize it in time? Before they got your money or personal information? … You’d like to think so. But do you know the warning signs and red flags to look for? News Channel 5 – Nashville, October 5, 2022

Do you ever log into an app or a website with your Facebook credentials? Or enter your credentials into a new window that pops up on your desktop? Before you do, check that you’re not being scammed.

Here’s a Wirecutter story on the privacy battle. Also check out SecureTheVillage’s Do’s & Don’ts for Online Personal Privacy.

  • How Mobile Phones Became a Privacy Battleground—and How to Protect Yourself: In the 15 years since the iPhone’s debut, the world of data privacy has changed significantly. Since 2007, app-privacy controversies—ranging from the social network Path downloading the contents of people’s address books to every weather app under the sun selling location data—have snowballed, leading to concerns both legitimate and misinformed, as well as the inability of many phone owners to determine which threats are real. But digging through history to understand where the privacy controls of iOS and Android began, and how both mobile operating systems have shifted to give people more control, can give you a better idea of what the true threats are right now. Wirecutter, September 29, 2022

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity, and privacy stories to keep you informed.

This week in cybercrime.

  • Ransomware attack delays patient care at hospitals across the U.S.: One of the largest hospital chains in the U.S. was hit with a suspected ransomware cyberattack this week, leading to delayed surgeries, hold ups in patient care and rescheduled doctor appointments across the country. … CommonSpirit Health, ranked as the fourth-largest health system in the country by Becker’s Hospital Review, said Tuesday that it had experienced “an IT security issue” that forced it to take certain systems offline. NBC News, October 7, 2022
  • Bitcoin Defi Protocol Sovryn Gets Hacked for Over $1 Million: Sovryn – a Bitcoin-based decentralized finance protocol – was drained of over $1 million in funds on Tuesday using a price manipulation exploit. … The attack allowed the culprit to drain over $1 million worth of crypto from the protocol. Crypto Potato, October 5, 2022
  • Hackers maintained deep access inside military organization’s network, U.S. officials reveal: U.S. cybersecurity, law enforcement and intelligence officials revealed on Tuesday that sophisticated hackers infiltrated a likely U.S. military contractor and maintained “persistent, long-term” access to their system. CyberScoop, October 4, 2022
  • Russian hacking group targets state-government websites in DDoS campaign: A group of Russian-speaking hackers on Wednesday took responsibility for a denial-of-service attack targeting state government websites, with several states experiencing brief or lengthy outages. … The group, which calls itself Killnet, appeared to have temporarily disabled websites run by the governments of Colorado, Connecticut, Kentucky and Mississippi. StateScoop, October 6, 2022
  • Russian Sanctions Instigator Lloyd’s Possibly Hit by Cyber-Attack: Lloyd’s of London, the London-based insurance market heavily involved in implementing sanctions against Russia, may have been hit by a cyber-attack. On Wednesday, October 5, 2022, the British insurance market revealed it had detected “unusual activity” on its systems and has turned off all external connectivity “as a precautionary measure.” InfoSecurity, October 7, 2022

Meanwhile, organizations using LinkedIn to support their hiring practices are on notice that LinkedIn profiles are not to be trusted.

  • Glut of Fake LinkedIn Profiles Pits HR Against the Bots: A recent proliferation of phony executive profiles on LinkedIn is creating something of an identity crisis for the business networking site, and for companies that rely on it to hire and screen prospective employees. The fabricated LinkedIn identities — which pair AI-generated profile photos with text lifted from legitimate accounts — are creating major headaches for corporate HR departments and for those managing invite-only LinkedIn groups. Krebs on Security, October 5, 2022

Several stories this week have national and international implications. These include two stories pointing towards improved collaboration between the national government, local governments, and the private sector. They also include an executive order on EU-US data privacy, Australia’s response to the Optus breach, and initial analysis of a hack of Mexico’s Defense Ministry.

  • U.S. cybersecurity agency leader Jen Easterly on partnerships, workforce, making tech accountable: Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, visited Seattle to listen and build bridges, not to point fingers or rattle cages. … Easterly, a U.S. Army veteran, two-time Bronze Star winner, and former National Security Agency counterterrorism deputy, explained Thursday that the agency focuses neither on regulation, intelligence, nor law enforcement, but rather on partnerships — describing cybersecurity as a “team sport.” Geek Wire, September 30, 2022
  • GAO: Recommends Feds collaborate more effectively when ransomware strikes local governments: When ransomware strikes local governments, officials usually call in the feds. … But while federal agencies provide key support to state, local, and tribal governments hit with ransomware, their misalignment in some cases has hindered response efforts, according to a report released by the Government Accountability Office (GAO) this week.  … In one example highlighted in the report, an entity hit by a nation-state cyberattack called the FBI’s 24-hour incident response number, but the call “went immediately to voicemail” and the agency never responded. The lack of response from the FBI — which is the agency responsible for investigating and assisting with nation-state attacks — hindered the locality’s capacity to analyze the attack, GAO found. … The watchdog agency recommended on Tuesday that the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Secret Service work to better communicate their responsibilities with each other and local governments who need their help. The Record, October 6, 2022
  • Biden signs executive order on EU-U.S. data privacy agreement: The order will set surveillance limits and establish a new court for European citizens to redress privacy concerns with US intelligence agencies. … The order will create a new body within the U.S. Department of Justice that will oversee how American national security agencies are able to access and use information from both European and U.S. citizens. … U.S. President Joe Biden signed an executive order Friday that would limit the ability of American national security agencies to access people’s personal information as part of a transatlantic data sharing agreement with the European Union. Politico, October 17, 2022
  • Australian government considers centralising digital ID verification on myGov in wake of Optus breach: The Australian government is considering using myGov or its myGovID system to centralise digital identity authentication in the wake of the Optus data breach, but critics warn any single system could have its own cybersecurity weaknesses. The Guardian, october 6, 2022
  • Mexico Military Is Hacked, Exposing Abuse and Efforts to Evade Oversight: Hackers infiltrated the Mexican Defense Ministry, publishing millions of emails that detail the military’s growing influence over the civilian government. … A major hack targeting Mexico’s Defense Ministry has shed light on the country’s most secretive and powerful institution, documenting its expanding influence over the civilian government, attempts to evade cooperation on a landmark human rights investigation and spying on journalists using the spyware known as Pegasus. The New York Times, October 6, 2022

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in securing their organizations and protecting privacy.

Reasonable Security Workshop: Not to be missed. …Executives, CFOs, In-house council, Chief Information Officers, Information Security Officers, Privacy Consultants, Trusted Advisors … As part of Cybersecurity Awareness Month, SecureTheVillage is hosting its 3rd-annual webinar on the topic of reasonable security. … Ask ten cybersecurity professionals what “reasonable security” is and you’ll likely get ten different answers. That’s because – truth be told – what counts as “reasonable security” is a work in progress.

  • What Every Business Leader Needs – A Reasonable Approach to Reasonable Security: Join SecureTheVillage and our expert panel of information security professionals on Thursday, October 20, 11:00 am – 2:00 pm PDT for a workshop-style conversation on how to think through reasonable security. Leave with a framework for ensuring your information security practices are reasonable.
    •  Your information risk exposure
    •  Your information risk tolerance
    •  Your information risk management practices

Have you ever watched water come to a boil. First you get the occasional bubble breaking through the surface. Then more bubbles break through. Then the bubbles break through faster. And faster. Soon the water comes to a slow boil. Shortly afterwards, you have a rapid boil. For those paying attention, the cyber crime waters are coming to a boil. And this is bringing CIOs and CISOs into closer working relationships.

  • Heightened Cyber Threat Brings CIOs, CISOs Closer: The work dynamic between IT and cyber leaders is changing as digital fortification becomes more urgent. ‘Everybody’s top of mind is cybersecurity,’ says one CISO. … In a year of high-profile cyberattacks, chief information officers say cybersecurity has sprinted up their agenda and got them working more closely than ever with chief information security officers. … A combination of factors—the shift to hybrid work, the sophistication of cybercriminals and the digital front accompanying Russia’s invasion of Ukraine—have pushed digital security to the forefront of the CIO brief, they say. The Wall Street Journal, September 30, 2022

And another reminder to please follow CISA’s alerts. Patch those vulnerabilities!!!

  • Alert (AA22-279A): Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors: This joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People’s Republic of China (PRC) state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks. CISA, October 6, 2022

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge