This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.
Stan’s Corner
Dear Ford Motor. Are you crazy? Do you really think people are going to appreciate your egregious violation of our privacy? You want to listen to my conversation and track where I’m driving so you can serve up ads? I’m curious if you ran any focus groups. What percent of them said they want you to serve them ads? I repeat. Are you crazy?
And Congress … Can we finally get opt-in like GDPR? I don’t want to have to navigate to some obscure dashboard setting to opt out of Ford’s crazy scheme.
- Ford seeks patent for tech that listens to driver conversations to serve ads: Ford Motor Company is seeking a patent for technology that would allow it to tailor in-car advertising by listening to conversations among vehicle occupants, as well as by analyzing a car’s historical location and other data, according to a patent application published late last month. … “In one example, the controller may monitor user dialogue to detect when individuals are in a conversation,” the patent application says. “The conversations can be parsed for keywords or phrases that may indicate where the occupants are traveling to.” … The tech — labeled as “in-vehicle advertisement presentation” — will determine where a car is located, how fast it is traveling, what type of road it is driving on and whether it is in traffic. It also will predict routes, speeds and destinations to customize ads to drivers, the application said.
From SecureTheVillage
- Upcoming Events
- A Reasonable Approach to Reasonable Security. Moving to January 2025. Stay tuned. SecureTheVillage’s 5th Annual Reasonable Security Summit.
- Smaller business? Nonprofit? Take your security to the next level. Apply Now! If you’re a small business or nonprofit in the greater Los Angeles area, apply NOW for LA Cybersecure™. Protect your organization with our innovative team-based learn-by-doing program with coaching and guidance that costs less than two cups of coffee a week.
- IT Service Provider / MSP? Grow revenues. Take your clients’ security to the next level. Apply Now! If you’re an IT service provider in the greater Los Angeles area, apply NOW for LA Cybersecure™. With our innovative team-based learn-by-doing program, you’ll have both that “seat at the table” and the peace of mind that you’re providing your clients with the reasonable IT security management they need. … The LA Cybersecure™ Program is funded in part by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.
- SecureTheVillage FREE Newsletters. Sign up or share with a friend!
- Cybersecurity News of the Week & Weekend Patch Report. Our award winning newsletter. Essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned.
- Family Protection Newsletter: Our monthly newsletter for non-cyber experts. For your parents, friends, and those who need to protect themselves in a digital world.
- How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basic controls and download our free updated 13-step guide.
- Please Support SecureTheVillage: We need your help if we’re to build a world of CyberGuardians™. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village.™
Cybersecurity Nonprofit of the Week … The CyberPeace Institute
Kudos this week to the CyberPeace Institute, an independent and neutral nongovernmental organization whose mission is to ensure the rights of people to security, dignity and equity in cyberspace. The CyberPeace Institute is home to the Humanitarian Cybersecurity Center (HCC). The HCC provides expert support and practical free cyber assistance to non-governmental organizations (NGOs), tailored to their needs and located anywhere in the world. Through its Cyber Attacks in Times of Conflict Platform #Ukraine, the CyberPeace Institute is tracking cyberattacks and operations targeting critical infrastructure and civilian objects in Ukraine. The CyberPeace Institute is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.
Cyber Humor
Section 2: Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.
Another sad story of loss. Please alert your family, friends and neighbors.
- California man loses life savings, owes more than $30K in taxes after falling prey to sophisticated scam: On top of losing his life savings to scammers, Chester Frilich of Concord, California, is facing a tax bill of over $30,000 which could end in him losing his home. … As reported by ABC7 News, his problems began when he received a call from somebody claiming to be from Xfinity, who claimed his account was used to upload pornographic videos. An hour later, he heard from “Jason Brown” with the Federal Trade Commission, listing all of his credit cards and telling him he was under investigation for wire fraud. … In order to clear the issues, the scammers posing as the FTC said they would help him move his money to a “secure account,” which involved him sending thousands of dollars of gold and cash through couriers and UPS.
Here’s a good in-depth story of the ways hackers can bypass 2FA. You want to use 2FA whenever you can. But don’t think it’s a silver bullet, able to ward off cyber-criminals. There are no silver bullets.
- 6 ways hackers sidestep your two-factor authentication: 2FA is very secure, but not invulnerable. There are tricks and loopholes that hackers can exploit to take over an account. … To really protect your accounts, you should be aware of 2FA’s vulnerabilities.
Section 3: Cybersecurity and Privacy News for the Cyber-Concerned.
Two stories this week on fraud. The FBI reports cryptocurrency losses are up 45% over last year. Meanwhile, people are being trafficked in Southeast Asia, enslaved and forced to rip off Americans.
- FBI: Reported cryptocurrency losses reached $5.6 billion in 2023: The FBI says that 2023 was a record year for cryptocurrency fraud, with total losses exceeding $5.6 billion, based on nearly 70,000 reports received through the Internet Crime Complaint Center (IC3). … This marks a 45% increase in losses compared to the previous year, driven primarily by investment fraud, which accounted for 71% of the total cryptocurrency losses. Other types of fraud contributing to the statistics include tech support scams, call center fraud, and government impersonation.
- Inside Thailand’s $2 Billion Scam Industry Now Targeting Americans: “The Chinese gangs taught me how to make my profile look credible, gain followers and post regularly. After finishing my training, I started identifying my victims through social media platforms like Facebook, Instagram and Line,” said Narin, a 20-year-old from northern Thailand. … This wasn’t just an isolated incident but part of a troubling trend. Thailand leads Asia in scam calls and text messaging, with a staggering 78.8 million incidents reported since last year, according to the country’s Office of the National Economic and Social Development Council.
An excellent analysis in The New York Times by the founder of Civic Texts on the shifting social media landscape.
- Has the Tide Turned for TikTok, Telegram and X?: Three major events have shaken up the social-media world in the past two weeks. First, French authorities detained Pavel Durov, the iconoclastic billionaire behind the online platform Telegram. Then, a judge suspended the microblogging service X in Brazil. Soon after, a federal appeals court in Pennsylvania ruled that the mother of a 10-year-old child who died copying a TikTok self-asphyxiation video can sue the service, circumventing a blanket legal immunity the company has long claimed. … While each of these events took place in a different country with its own laws, together they demonstrate a sudden shift in the balance of power between governments and technology companies. We are nearer to the end of impunity for tech titans who have evaded accountability for the offline harms and societal disruptions wrought by the platforms that built their fabulous wealth. … By Alexander B. Howard. Mr. Howard is the founder of Civic Texts, an online publication focused on emerging technologies, digital democracy and public policy.
Kudos to White House National Cyber Director Harry Coker Jr. for launching Service for America.
- White House launches cybersecurity hiring sprint to help fill 500,000 job openings: National Cyber Director Harry Coker Jr. unveiled the program as part of an effort to fill a continued gap in cyber, technology and AI positions. … Service for America, a program developed alongside the Office of Management and Budget and the Office of Personnel Management, is a recruitment and hiring push that will help connect Americans with available jobs in cybersecurity, technology and artificial intelligence. … The program’s major emphasis is to reach job candidates without traditional qualifications, such as computer science or engineering backgrounds.
Backdoor modems found in Chinese-made port cranes raise the possibility of sabotage.
- Chinese-made port cranes in US included ‘backdoor’ modems, House report says: A newly released congressional examination found that China placed various technological backdoors, such as modems, into ship-to-shore cranes that could give access to the machines. … The 51-page, Republican-led study, conducted by the House Select Committee on China and the House Homeland Security Committee, said “these cellular modems, not requested by U.S. ports or included in contracts, were intended for the collection of usage data on certain equipment. This constitutes a significant backdoor security vulnerability that undermines the integrity of port operations.” … Speaking at a Center for Strategic and International Studies event earlier this week, Rob Silvers, DHS undersecretary for policy, noted the Biden administration has called for investing billions of dollars in cranes to counter Beijing’s potential influence.
Another database of extremely private personal information that wasn’t protected by a password.
- Confidant Health database exposed 5.3 terabytes of patient information: A cybersecurity researcher discovered an exposed Confidant Health database containing thousands of records such as personally identifiable information, psychosocial assessment documents, health insurance information, ID cards, and more. In total, the database contained 126,276 files (equivalent to 5.3 terabytes). A separate folder contained 1,755,571 logging records. Some of these files contain audio and video files. … The research indicates the database was not protected by a password.
The week in cybercrime.
- Payment gateway data breach affects 1.7 million credit card owners: Payment gateway provider Slim CD has disclosed a data breach that compromised credit card and personal data belonging to almost 1.7 million individuals. … In the notification sent to impacted clients, the company says that hackers had access to its network for nearly a year, between August 2023 and June 2024. … Slim CD is a provider of payment processing solutions that enables businesses to access electronic and card payments via web-based terminals, mobile, or desktop apps.
- More than 3 million Medicare users had information leaked in MOVEit breach: Sensitive information belonging to 3.1 million people across several states was breached during the cybercriminal campaign last year that targeted the popular MOVEit file transfer service. … The Centers for Medicare & Medicaid Services (CMS) — the federal agency that manages the Medicare program — and the Wisconsin Physicians Service Insurance Corporation (WPS) said on Friday that they have begun notifying people whose personal information leaked after hackers exploited a vulnerability in the MOVEit software.
- Car rental giant Avis data breach impacts over 299,000 customers: American car rental giant Avis notified customers that unknown attackers breached one of its business applications last month and stole some of their personal information. … According to data breach notification letters sent to impacted customers on Wednesday and filed with California’s Office of the Attorney General, the company took action to stop the unauthorized access, launched an investigation with the help of external cybersecurity experts, and reported the incident to relevant authorities after learning of the breach on August 5.
- Fortinet Confirms Customer Data Breach via Third Party: The incident is a reminder why organizations need to pay attention to how they store and secure data in SaaS and cloud environments. … Fortinet has confirmed the compromise of data belonging to a “small number” of its customers, after a hacker using the somewhat colorful moniker “Fortibitch” leaked 440GB of the information via BreachForums this week. … The hacker claimed to have obtained the data from an Azure SharePoint site and alleges they leaked it after the company refused to negotiate with the individual on a ransom demand. The situation once again highlights the responsibility that companies have to secure data held in third-party cloud repositories, researchers say.
- Columbus director testified to lack of staff, bigger budgets before city cyberattack: COLUMBUS, Ohio (WSYX) — More than a week after ABC6 News requested budgets and testing schedules from the Columbus Department of Technology, the city has yet to provide records. However, the director for the Department of Technology testified before the city council this week in the first weekly update stemming from July’s massive cyberattack. … The ransomware attackers stole the data of hundreds of thousands of people who have interacted with the city, including victims of crime. … Currently, IT Director Sam Orth said a quarter of the city’s system remains offline, and there are more databases that have been compromised and not yet revealed to the public.
Section 4: Securing the Technology.
Beyond Patch Tuesday, lots of other patches this week.
- Cisco Patches High-Severity Vulnerabilities in Network Operating System: Cisco has announced security updates that patch eight vulnerabilities in IOS XR software, including six high-severity bugs.
- Ivanti Warns of Active Exploitation of Newly Patched Cloud Appliance Vulnerability: Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild.
- CISA Adds Three Known Exploited Vulnerabilities to Catalog: CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2016-3714: ImageMagick Improper Input Validation Vulnerability
- CVE-2017-1000253: Linux Kernel PIE Stack Buffer Corruption Vulnerability
- CVE-2024-40766: SonicWall SonicOS Improper Access Control Vulnerability