Cybersecurity News of the Week, September 17, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

This week’s Top of the News is the massive cyberattack on MGM and Caesars. In this “fog of war” there is much we don’t know. But what we do know isn’t pretty. It appears that the $14B MGM was brought down by a social engineering attack where an IT Administrator failed to follow basic information security controls. Given that everything from slot machines to guest room keys was affected at multiple hotels, it also appears that MGM’s networks were poorly configured.

Even as we have to wait to learn more details, what we hear should be enough for every organization to take a close look at their information security controls. Are IT personnel trained and educated – and on guard – to require strong confirmation before resetting passwords? Has the network been carefully “segmented” so a breach of one segment doesn’t immediately allow a breach of other segments? The analogy is an ocean liner which is designed so a breach of one compartment doesn’t allow incoming water to flood the entire ship.

  • Vegas casinos are still reeling from a massive cyberattack: Some of the biggest hotels on the Las Vegas strip have been hobbled for five days now, following a cyberattack on MGM Resorts that has inconvenienced travelers and ramped up the day-to-day stresses of hotel employees. And, for now at least, there’s no apparent end in sight. … Lines to check into rooms at casinos ranging from the Excalibur to Aria were sometimes hours long, as reservations systems remained down most of the week (and are still slow). Guests have not been able to use digital keys to their rooms nor charge meals to their account. Many slot machines have been nonfunctional as well, and mobile check-in is not currently being offered.
  • A phone call to helpdesk was likely all it took to hack MGM: Slot machines and hotel room key cards stopped working at MGM casinos on the Strip. … A cyber criminal gang proficient in impersonation and malware has been identified as the likely culprit for an attack that paralyzed networks at US casino operator MGM Resorts International. … The group, which security researchers call “Scattered Spider,” uses fraudulent phone calls to employees and help desks to “phish” for login credentials. It has targeted MGM and dozens of other Western companies with the aim of extracting ransom payments, according to two people familiar with the situation. … The operator of hotel casinos on the Las Vegas Strip, including the Bellagio, Aria, Cosmopolitan, and Excalibur, preemptively shut down large parts of its internal networks after discovering the breach on Sunday, one of the people said.
  • Hackers behind MGM cyberattack thrash the casino’s incident response: MGM rushed through response owing to incompetent staff, had multiple system vulnerabilities, and did not care about customer safety, alleged ransomware group ALPHV who also blamed VX Underground for spreading misinformation. … In an interesting turn of events, ransomware group ALPHV (aka BlackCat) released a statement on their leak site, thrashing both MGM Resorts International and the cybersecurity firm VX Underground for mishandling the ongoing cyberattack on MGM. … In a long message intended “to set the record straight,” ALPHV detailed what has happened in the ransomware seizure of MGM’s critical assets so far, noting MGM hastily locked out key services indicating a poor response team.
  • Caesars Paid Ransom After Suffering Cyberattack: Caesars Entertainment paid roughly half of a $30 million ransom that hackers demanded after a cyberattack late this summer, another example of a major casino operator suffering from an attack as MGM Resorts grapples with the fallout of a recent incident.

New. Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription! 

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz as your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

Cyber Humor

Cybersecurity Nonprofit of the Week … The Center for Internet Security

Our kudos this week to the Center for Internet Security (CIS®). CIS® is a community-driven nonprofit responsible for the CIS Controls®, CIS Benchmarks™, and CIS Hardened Images®. Strong proponents of collaboration and innovation, CIS is also home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®). SecureTheVillage is a recipient of a grant from the Center’s Allen Paller Laureate Program to support our launch of a Pilot Program to measurably improve the cybersecurity of small and midsize organizations. The Center for Internet Security is one of the founders of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

Driving into a Privacy Abyss: The Unchecked Harvesting of Our Data: (LinkedIn) (Podcast): Most (84%) car manufacturers SHARE or SELL your data (Mozilla). The modern world has turned our vehicles into data-harvesting machines. With startling revelations from The Mozilla Foundation’s new report, we learn that almost every major car brand’s new internet-connected models have become a data privacy nightmare. But the threat doesn’t stop at our driveway. Join Stan and Julie for this week’s episode of LiveonCyber as they delve into the alarming findings on car data collection, the perils of data brokers, and the urgent need for stronger data protection measures.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

The Atlantic has two excellent privacy stories this week. The first offers lots of tips for privacy protection. The second is a powerful essay why we need to update COPPA, the Children’s Online Privacy Protection Act. Are you listening Congress?

  • The Atlantic’s Guide to Privacy: In 2023, digital privacy is, in many ways, a fiction: Knowingly or not, we are all constantly streaming, beaming, being surveilled, scattering data wherever we go. Companies, governments, and our fellow citizens know more than we could ever imagine about our body, our shopping habits, even our kids. The question now isn’t how to protect your privacy altogether—it’s how to make choices that help you draw boundaries around what you most care about. Read on for our simple rules for managing your privacy, and get a list of personalized recommendations.
  • Kids Deserve Privacy Online. They’re Not Getting It: Today’s children face a world of constant surveillance. Their very sense of self is at stake. … Childhood is the crucible in which our identities and ambitions are forged. It’s when we sing into our hairbrushes and confide in our diaries. It’s when we puzzle out who we are, who we want to be, and how we want to live our lives. … But to be a modern child is to be constantly watched by machines. The more time kids spend online, the more information about them is collected by companies seeking to influence their behavior, in the moment and for decades to come. By the time they’re toddlers, many of today’s children already know how to watch videos, play games, take pictures, and FaceTime their grandparents. By the time they are 10, 42 percent of them have a smartphone. By the time they are 12, nearly half use social media. … All in all, by the time a child reaches the age of 13, online advertising firms have collected an average of 72 million data points about them.

The following story illustrates one facet of the privacy challenges we face. Google and Fitbit scrape up all the data they can while we the people have no idea what is being done with it. As Julie and I discuss in this week’s podcast, we need transparency and we need to put into law a default opt-out unless we choose to opt-in. This is our data. We have the right to decide what is done with it. And we need laws to enforce our ability to exercise our rights. Are you listening Congress?

  • Where is all your health data going? The Google and Fitbit scandal explained: On August 31, 2023, Fitbit and Google came under fire (again) for how the tech giant has been treating its users’ potentially sensitive health data. … The best Fitbits are terrific devices that monitor heart rate, sleep, calories burned, workouts, menstrual cycle patterns, and more. But for a long time, concerns have been raised about how this data is being used, especially whether it’s being used to complement Google’s massive data-driven targeted advertising operation. … So where is all your data going? … Could data from our smartwatches be used to hike up health insurance premiums? Could period tracking data be accessed by the US government to understand more about who’s getting abortions after the overturn of Roe v. Wade? Is GPS information from our watches relayed to advertisers (or even the police)? These are very extreme examples of serious privacy infringements, and while it’s unlikely any of the above is happening often, without strict privacy laws this is what our future could look like. 

Update your browsers now as they are under attack with an exploit for a patched vulnerability. A failure to patch opens your computer to being taken over by cyber scum. And take this as a reminder to use our Weekend Patch Report to keep your computer programs up-to-date. This is one of the most important things you can do to stay cyber-safe.

Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.

National security and the important work being done by the Biden-Harris Administration lead this section of the news. All of these actions will make us more cybersecure tomorrow. However, they are not a replacement for all of us … from the Board Room to the living room … doing our part today. It’s our responsibility to practice good data care just as it’s our responsibility to lock our doors and brush our teeth.

  • The U.S. is getting hacked. So the Pentagon is overhauling its approach to cyber: The new approach to cybersecurity comes following attacks on critical U.S. companies and federal agencies, and as the Pentagon eyes Chinese hacking efforts with increasing concern. … A series of high-profile cyberattacks from Russia, China and criminal networks in recent years have served as a wake up call to the Defense Department that cyberwarfare has changed. … And that reckoning has forced one of its most secretive branches — U.S. Cyber Command — to come to an unusual conclusion: Going it alone is no longer an option. … Hackers are increasingly infiltrating private companies and government agencies far outside the Pentagon’s usual purview, and the hacks are being perpetrated by cybercriminals who honed their strategies abroad before striking the United States. … So Pentagon leaders have started opening up communications with other federal agencies and the private sector on cyber threats to elections and other critical systems, and increasing assistance to foreign allies. They’ve codified the changes in a new cyber strategy released Tuesday, first reported by POLITICO.
  • CISA advisory committee urges action on cyber alerts and corporate boards: An advisory committee to the Cybersecurity and Infrastructure Security Agency delivered a long list of recommendations on Wednesday that encourage the agency to take measures to increase the cybersecurity expertise on corporate boards of directors, develop a national cybersecurity alert mechanism and better protect high-risk communities from surveillance. … These policy measures were just a few of more than 100 recommendations made to CISA Director Jen Easterly, who called the findings “transformative.”
  • NSA, U.S. Federal Agencies Advise on Deepfake Threats: The National Security Agency (NSA) and U.S. federal agency partners have issued new advice on a synthetic media threat known as deepfakes. This emerging threat could present a cybersecurity challenge for National Security Systems (NSS), the Department of Defense (DoD), and DIB organizations.
  • White House Calls for Stronger Open-Source Security: The White House called upon companies to conduct exercises using inventories known as software bill of materials, which detail the components of a product or program. … The Biden administration pushed for stronger security standards in open-source software development at a two-day summit which included technology companies, banks and industry groups. … Anne Neuberger, deputy national security adviser for cyber and emerging technology, said the Biden administration wanted to see companies expand their use of inventories known as software bill of materials, which detail the components of a product or program. The White House also called upon companies to conduct exercises using those inventories, to see how easily a vulnerability or flaw can be remedied.
  • CISA Announces Open Source Software Security Roadmap: The Cybersecurity and Infrastructure Security Agency (CISA) published the Open Source Software Security Roadmap today that articulates how the agency will enable the secure usage of open source software within the federal government and support a healthy, secure, and sustainable global open source software ecosystem.

Kudos to our elected officials for standing up to the data industry lobbyists!!! Last week we wrote of the need for the CA Assembly to pass a bill creating a single centralized mechanism where we the people could tell data brokers to delete our data … in contrast to having to separately notify each of more than 500 data brokers. The Assembly passed the bill this week where it now goes to Governor Newsom for his signature. Are you watching Congress?

  • California passes first-in-the-nation data broker deletion tool: Lawmakers in California are continuing to speed ahead of the federal government in writing legislation to address privacy concerns. … A privacy bill that passed in the California legislature this week would create a first-of-its-kind, centralized mechanism allowing consumers to request brokers to delete their personal information. The legislation represents the latest example of U.S. states zooming ahead of the federal government in trying to protect Americans’ data.

We all need to be very concerned about disinformation as we head into the 2024 elections. And X is not a friend of democracy.

  • Bots on X worse than ever according to analysis of 1m tweets during first Republican primary debate: Researchers identify sprawling bot network of 1,305 accounts active during Republican debate and Donald Trump interview. … Bot activity on the platform formerly known as Twitter is worse than ever, according to researchers, despite X’s new owner, Elon Musk, claiming a crackdown on bots as one of his key reasons for buying the company. … “It is clear that X is not doing enough to moderate content and has no clear strategy for dealing with political disinformation,” associate professor Dr Timothy Graham tells Guardian Australia.

Kudos to law enforcement in the Netherlands. Here’s an excellent story of how cyber-experts and boots-on-the-ground police officers in the Netherlands worked together on a major takedown of a cybercrime gang.

  • The ‘game-changing’ attitude behind a very creative dark web takedown: What do you get when you pair hard-bitten cops with cyber whiz kids? One of the largest, most creative dark market takedowns in the history of the internet. … In 2017, police with the Netherlands’ National High Tech Crimes Unit did more than shut down Hansa, once Europe’s most popular dark web market. For nearly a month, a group of computer nerds and boots-on-the-ground police officers took it over — running the site from the inside, setting up cyber booby traps and showing how a marriage of technical and tactical specialists can enable an operation for the ages.

Lest you think it’s safe to download pirated software, here’s a warning. When you download pirated bootlegged software you don’t know what else you might also be downloading. Don’t trust!!

  • Pirated Software Likely Cause of Airbus Breach: A major data breach at Airbus revealed earlier this week stemmed from a RedLine info-stealer likely hidden in a pirated copy of Microsoft software, according to researchers. … The European aerospace giant said it has launched an investigation into the incident.

As we point out regularly, information security is hard, very hard. And it’s even harder for a global nonprofit with employees scattered around the world. Our hearts go out to Save the Children. We wish them a speedy and full recovery.

  • Save the Children International hit with cyberattack, but says operations weren’t impacted: The global charity organization Save the Children International confirmed that it was recently hit with a cyberattack after a ransomware group claimed to have breached the organization’s systems. … A spokesperson for the charity — which has been providing aid to children in developing countries for more than a century — said the hackers gained unauthorized access to parts of their network but did not say when the attack occurred. The organization has about 1,300 employees across 100 countries, and provided assistance to 118 million children in 116 countries in 2022.

Section 4 – Managing Information Security and Privacy in Your Organization.

Too many leaders in too many small and midsize organizations look to the people who take care of the computers and the network to protect them. And they do to some extent. But not nearly enough. It’s true that IT security is necessary for information security. But IT security is not sufficient. Information security is more than IT security. Information security requires leadership from the top.

  • The Importance of Mission-Fueled Leadership in Cybersecurity: Why empathy for the human side of cybersecurity matters, and how it will help to protect an organization. … Cybersecurity professionals are tackling some of the world’s most pressing issues. If handled improperly, cyberattacks can harm society and ruin businesses. But still, there is a larger mission at hand. … Achieving true security, at least from a leadership perspective, requires more than just technical knowledge and expertise. Industry leaders have lost a fundamental part of what makes the cybersecurity sector so important: empathy and passion for doing good in the world through their work.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge