Cybersecurity News of the Week, September 18, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

Seven weeks before the midterms, our top story this week is on the election security challenges posed by election-denialists having illegitimate access to election equipment. This includes their ability to introduce system problems that would sow further distrust in the election results.

Election Security Webinar

Our democracy depends on getting the mid-term elections right. This means — first and foremost — getting cybersecurity right. … Everything from protecting sensitive voter identities, registered voter lists, and voting machines; coming to grips with social media; and ensuring confidence in the outcomes. … Find out what’s really going on from three of the nation’s leading experts in election cybersecurity as SecureTheVillage presents a community webinar on election security. September 28, 11:00 am – 12:30 pm PDT Register now!!! Sponsorships available!!!

  • What Every Citizen Needs to Know: 2022 Election Cybersecurity:
    • Kim Wyman, Senior Election Security Advisor, Cybersecurity and Infrastructure Security Agency (CISA), former Washington Secretary of State
    • Kathy Boockvar, Vice President of Election Operations & Support, Center for Internet Security, former Pennsylvania Secretary of State;
    • Adam Powell III, Executive Director, Election Cybersecurity Initiative, USC Annenberg Center on Communication Leadership and Policy, University of Southern California. Dr. Stan Stahl, SecureTheVillage President and founder, will moderate.

Cyber Humor

Security Nonprofit of the Week … The Center for Internet Security

Our kudos this week to the Center for Internet Security (CIS®) and the great work they do to make the connected world a safer place for people, businesses, and governments. Strong proponents of collaboration and innovation, CIS® is a community-driven nonprofit responsible for the CIS Controls®, CIS Benchmarks™, and CIS Hardened Images®. CIS is also home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®). The Center for Internet Security is also one of the founders of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: Join Julie and me as we discuss the cyber attack on the Los Angeles Unified School District. We book-end our conversation with a claim by cybercriminal syndicate the Vice Society that they breached LAUSD systems and a warning about the Vice Society published on September 6 by the Cybersecurity and Infrastructure Security Agency that includes several “digital fingerprints” associated with the Vice Society.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

#UpdateNow. The Apple iOS update is separate from iOS 16. If you’re not immediately updating to 16.0, then apply the iOS update below.

Be careful out there. Scams are everywhere.

  • Citizens Beware: Online Scams Spreading Like Wildfire: The number of people hit by online scams soared more than 100% to 847,376 last year from 467,361 in 2019. Clayton News-Daily, September 13, 2022
  • Scams are showing up at the top of online searches: Searchers, beware: That Google, Bing or DuckDuckGo ad might be ‘malvertising’ — phishing campaigns and malware hiding behind legit-looking links. … Add one more to the list of online places bad guys are hiding: the very top of search results. … Nasty scams and malware are preying on your trust by hiding behind the ads that sit on top of search pages. Google, DuckDuckGo and Bing are being paid to put them in front of us, and they haven’t figured out how to stop it. … It’s called “malvertising,” and if you’re not vigilant at spotting it, you could get burned. The Washington Post, September 16, 2022

The following story on children’s online privacy illustrates some of the motivation for California’s new law (see below) requiring social media companies to pay attention to “children’s health and well-being.”

  • Why ‘sharenting’ is sparking real fears about children’s privacy: “Children don’t get to choose to be on the internet, and what’s more, they don’t get to choose where online they show up.” … “Sharenting,” or parents sharing their child’s likeness or personal information on the internet, has grown in popularity alongside the advent of smartphones and social media. And this practice shines a light on the murky realm of children’s consent, digital data collection, targeted advertising, and real-world dangers resulting from parents’ online activities. The Hill, September 16, 2022

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity and privacy stories to keep you informed.

This week in cybercrime.

  • Hacker Used Internal U-Haul Tool to Look Up Customer Information: A hacker broke into systems belonging to logistics company U-Haul and accessed an internal tool used for searching customer contracts, according to an announcement from U-Haul published on the company’s website. Vice, September 13, 2022
  • $1.13M stolen from Eagle Mountain City in ‘organized cybercrime’ scheme, officials say: Eagle Mountain City discovered it was the victim of an “organized cybercrime” scheme resulting in the loss of $1.13 million, according to a Monday news release. … Through the use of an email impersonation scheme, the thieves portrayed themselves as a vendor that is working with the city on a major infrastructure project, officials said, and received the money through an “automated clearing house” transfer, a type of electronic payment. The Salt Lake Tribune, September 12, 2022
  • IHG hack: ‘Vindictive’ couple deleted hotel chain data for fun: Hackers have told the BBC they carried out a destructive cyber-attack against Holiday Inn owner Intercontinental Hotels Group (IHG) “for fun”. … Describing themselves as a couple from Vietnam, they say they first tried a ransomware attack, then deleted large amounts of data when they were foiled. … They accessed the FTSE 100 firm’s databases thanks to an easily found and weak password, Qwerty1234. BBC, September 17, 2022
  • Uber was breached to its core, purportedly by an 18-year-old. Here’s what’s known: “I announce I am a hacker and Uber has suffered a data breach,” intruder says on Slack. … Uber employees on Thursday discovered that huge swaths of their internal network had been accessed by someone who announced the feat on the company Slack channel. The intruder, who sent screenshots documenting the breach to The New York Times and security researchers, claimed to be 18 years old and was unusually forthcoming about how it occurred and just how far it reached, according to the news outlet, which broke the story. Ars Technica, September 16, 2022
  • North Korean Lazarus Group Hacked Energy Providers Worldwide: A malicious campaign conducted by the North Korean threat actor Lazarus Group targeted energy providers around the world between February and July 2022. … The campaign was previously partially disclosed by Symantec and AhnLab in April and May, respectively, but Cisco Talos is now providing more details about it. Infosecurity, September 12, 2022
  • Cisco Data Breach Attributed to Lapsus$ Ransomware Group: A month after confirming its systems were breached, networking giant Cisco reported that the attack was a failed ransomware attempt conducted on behalf of the Lapsus$ group. … The cybercriminals obtained access to Cisco’s systems with a social engineering attack that began with an attacker taking control of an employee’s personal Google account, where credentials saved in the victim’s browser were being synchronized. Then, in a series of sophisticated voice phishing attacks, the gang convinced the victim to accept multifactor authentication (MFA) push notifications, giving crooks the ability to log in to the corporate VPN as if they were the victim. DARK Reading, September 12, 2022

Twitter whistleblower Peiter “Mudge” Zatko testified before Congress that Twitter’s claim that it “takes your privacy and security seriously” is just empty words. It’s profits that they take seriously.

  • Twitter whistleblower says security holes cause ‘real harm to real people’: A Twitter whistleblower on Tuesday testified before Congress that Twitter executives misled the public about the failed state of its data security practices. … Peiter “Mudge” Zatko testified before a Senate committee that the company’s failure to secure sensitive data causes “real harm to real people,” prompting senators to grapple with Washington’s inability to effectively regulate major social networks. The Washington Post, September 13, 2022

We have several stories this week of government cybersecurity action, starting with two “first in the nation” bills signed into law by California Governor Gavin Newsom.

The Biden Administration has also been quite active this week. This includes the White House, the Department of Justice, and the Treasury Department.

  • Biden admin launches $1B cyber grant program for state, local governments: The Biden administration on Friday launched a long-awaited federal cybersecurity grant program that will funnel up to $1 billion to state and local governments to upgrade their digital defenses. … The effort was created last November when President Joe Biden signed a $1.2 trillion infrastructure spending deal into law. It is administered by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) and will award an initial tranche of $185 million directly to states before the end of the fiscal year. The Record, September 16, 2022
  • White House releases post-SolarWinds federal software security requirements: Agencies will require software vendors to self-certify that they’re following secure development practices under new White House guidance, but it leaves the door open for departments to mandate third-party security assessments as well. … The new guidance from the Office of Management and Budget, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices,” stems from last year’s cybersecurity executive order. Federal News Network, September 14, 2022
  • Biden White House just put out a framework on regulating crypto — here’s what’s in it: The Biden White House has just released its first-ever framework on what crypto regulation in the U.S. should look like. … The framework outlines the ways in which the financial services industry should evolve to make borderless transactions easier, as well as how to crack down on fraud in the digital asset space. … The new guidelines follow an executive order issued in March, in which President Joe Biden called on federal agencies to examine the risks and benefits of cryptocurrencies and issue official reports on their findings. CNBC, September 17, 2022
  • Justice Department Forms National Network of Prosecutors Focused on Crypto Crime: New effort is part of trend toward putting more resources to target illegal activities involving digital currencies … The Justice Department has tapped more than 150 federal prosecutors across the country to bolster law enforcement’s efforts to combat the rise in crime linked to the use of cryptocurrencies such as bitcoin, officials said. … The Digital Asset Coordinators Network is intended to designate subject-matter experts in U.S. attorneys’ offices on the complex technical and legal complications posed by cryptocurrency cases, the officials said. The Biden administration is announcing the new effort Friday alongside the release of a broader set of frameworks from other agencies concerning regulatory approaches to developing the digital currency ecosystem. The Wall Street Journal, September 16, 2022
  • 3 Iranian citizens charged in broad hacking campaign in US: The Justice Department said Wednesday that three Iranian citizens have been charged in the United States with ransomware attacks that targeted power companies, local governments and small businesses and nonprofits, including a domestic violence shelter. … The charges accuse the hacking suspects of targeting hundreds of entities in the U.S. and around the world, encrypting and stealing data from victim networks, and threatening to release it publicly or leave it encrypted unless exorbitant ransom payments were made. In some cases, the victims made those payments, the department said. AP News, September 14, 2022
  • US sanctions affiliates of Iran’s IRGC for ‘malicious’ cyber acts: The United States has imposed sanctions on 10 individuals and two entities that it says are linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) and are involved in “malicious” cyber actions, including ransomware activity. … In a statement on Wednesday, the US Department of the Treasury accused the “group of Iran-based malicious cyber actors” of compromising networks based in the US and other nations since at least 2020. Aljazeera, September 14, 2022

Meanwhile, the 5th U.S. Circuit Court of Appeals lifted a block on Texas’ ability to enforce its prohibition on social media companies’ ability to ban dangerous speech. Expect this law to have considerable unintended consequences.

  • Texas social media “censorship” law goes into effect after federal court lifts block: A Texas law prohibiting large social media companies from banning users’ posts based on their political viewpoints will go into effect after a federal appeals court on Friday lifted a block placed on the statute. … The ruling Friday from the 5th U.S. Circuit Court of Appeals likely means the case, which could have wide implications for online speech, will go before the U.S. Supreme Court again. The Texas Tribune, September 16, 2022

South Korea has fined Google and Meta for violating that country’s privacy law.

  • Google, Meta fined $71.8M for violating privacy law in South Korea: South Korea has hit Google and Meta with a fine of ~$71.8 million (100 billion KRW) after finding they violated the country’s privacy law, South Korean authorities said on Wednesday. … The watchdog said in its statement that Google and Meta did not receive legitimate consent in the process of collecting information from users who visit their websites and use other websites as well as apps for customized advertisements. TechCrunch, September 14, 2022

The EU has begun to wrap its arms around the challenge of securing smart devices, like refrigerators, light switches, door bells, and cameras.

  • The EU unboxes its plan for smart device security: European Union lawmakers have proposed a new set of product rules to apply to smart devices that’s intended to compel makers of Internet-connected hardware — such as ‘smart’ washing machines or connected toys — to pay fulsome attention to device security. … The proposed EU Cyber Resilience Act will introduce mandatory cybersecurity requirements for products that have “digital elements” sold across the bloc, with requirements applying throughout their lifecycle — meaning gadget makers will need to provide ongoing security support and updates to patch emerging vulnerabilities — the Commission said today. TechCrunch, September 15, 2022

Our final stories in this section this week all have national security implications.

  • Iranian Hackers Target High-Value Targets in Nuclear Security and Genomic Research: Hackers tied to the Iranian government have been targeting individuals specializing in Middle Eastern affairs, nuclear security, and genome research as part of a new social engineering campaign designed to hunt for sensitive information. … Enterprise security firm Proofpoint attributed the targeted attacks to a threat actor named TA453, which broadly overlaps with cyber activities monitored under the monikers APT42, Charming Kitten, and Phosphorus. … It all starts with a phishing email impersonating legitimate individuals at Western foreign policy research organizations that’s ultimately designed to gather intelligence on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC). The Hacker News, September 13, 2022
  • NATO Documents Stolen in Breach of Portuguese Armed Forces, Found for Sale on Dark Web: A theft of NATO documents of “extreme gravity” from the government of Portugal appears to have been caused by a breach in security protocol, allowing files that should have been air-gapped to be accessible via the internet. The documents later surfaced for sale on a dark web site. CPO Magazine, September 15, 2022
  • China Is Running Covert Operations That Could Seriously Overwhelm Us: In my three-decade career with Britain’s Secret Intelligence Service, China was never seen as a major threat. … If we lost sleep at night, it was over more immediate challenges such as Soviet expansionism and transnational terrorism. China’s halting emergence from the chaotic Mao Zedong era and its international isolation after Chinese soldiers crushed pro-democracy demonstrations at Tiananmen Square in 1989 made it seem like an insular backwater. … It’s a different picture today. China has acquired global economic and diplomatic influence, enabling covert operations that extend well beyond traditional intelligence gathering, are growing in scale and threaten to overwhelm Western security agencies. … leaders of democracies need to internalize the sea change that has taken place in China and ensure that engagement with Beijing is tempered by a hardheaded sense of reality. The New York Times, September 14, 2022. By Nigel Inkster, a former director of operations and intelligence at Britain’s Secret Intelligence Service.

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in securing their organizations and protecting privacy.

The California Consumer Privacy Act (CCPA) and the follow-on California Privacy Rights Act (CPRA) both have implications for protecting employee personal information. SecureTheVillage CyberLeader and attorney Robert Braun covers this in the following story.

  • California Consumer Privacy Act and Employee Personal Information: In 2018, the California Legislature adopted the California Consumer Privacy Act (CCPA) and became the first state to enact a comprehensive law designed to protect the privacy of consumers’ personal information. Businesses that are subject to the CCPA are required, among other things, to respond to consumers who wish to view the personal information collected by the business, delete personal information, and opt-out of the sale of personal information. The CCPA was amended in 2020 when California voters approved the California Privacy Rights Act of 2020 (CPRA), which added additional requirements and restrictions regarding the collection, use, sale and sharing of personal information. Robert Braun, Esq., Cybersecurity Lawyer Forum, September 15, 2022

And if you use Teams, consider running it in the Edge browser until Microsoft patches what could be a major flaw in the design of Teams.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge