Cybersecurity News of the Week, September 24, 2023

Keeping cybersecurity and privacy top of mind.

Stan’s Top of the News

This week’s Top of the News is about the struggle between the right of people to be protected from sexual exploitation and the right of people to have their communications be private. It’s a challenge because there appears to be no middle ground. If Signal, Messenger, WhatsApp, and other communication platforms provide their users with end-to-end encryption, there will be little law enforcement can do to prevent the exploitation of children by those using the platforms. And Signal Foundation President Meredith Whittaker has said that Signal will leave the UK if it passes a bill forcing the Signals of the world to include a way for law enforcement to detect child abuse activity within encrypted messages. Stay tuned as we navigate our rights to collective security and individual privacy.

  • Meredith Whittaker reaffirms that Signal would leave UK if forced by privacy bill: Onstage at TechCrunch Disrupt 2023, Meredith Whittaker, the president of the Signal Foundation, which maintains the nonprofit Signal messaging app, reaffirmed that Signal would leave the U.K. if the country’s recently passed Online Safety Bill forced Signal to build “backdoors” into its end-to-end encryption. … “We would leave the U.K. or any jurisdiction if it came down to the choice between backdooring our encryption and betraying the people who count on us for privacy, or leaving,” Whittaker said. “And that’s never not true.” … The Online Safety Bill, which was passed into law in September, includes a clause — clause 122 — that, depending on how it’s interpreted, could allow the U.K.’s communications regulator, Ofcom, to break the encryption of apps and services under the guise of making sure illegal material such as child sexual exploitation and abuse content is removed. … Ofcom could fine companies not in compliance up to £18 million ($22.28 million), or 10% of their global annual revenue, under the bill — whichever is greater. … Whittaker didn’t mince words in airing her fears about the Online Safety Bill’s implications. … “We’re not about political stunts, so we’re not going to just pick up our toys and go home to, like, show the bad U.K. they’re being mean,” she said. “We’re really worried about people in the U.K. who would live under a surveillance regime like the one that seems to be teased by the Home Office and others in the U.K.”
  • Meta encryption plan will let child abusers ‘hide in the dark’, says UK campaign: In Home Office initiative, survivors urge Mark Zuckerberg to rethink changes to Messenger and Instagram. … Mark Zuckerberg’s plan to roll out encrypted messaging on his platforms will let child abusers “hide in the dark”, according to a government campaign urging the tech billionaire to halt the move. … The Facebook founder has been under pressure from ministers over plans to automatically encrypt communications on his Messenger service later this year, with Instagram expected to follow soon after. … On Wednesday the Home Office launched a new campaign, including a statement from an abuse survivor, urging Zuckerberg’s Meta to halt its plans until it has safety plans in place to detect child abuse activity within encrypted messages. … A video to be distributed on social media features a message from one survivor, Rhiannon-Faye McDonald, who addresses her concerns to Mark Zuckerberg. “Your plans will let abusers hide in the dark,” she says as she urges the Meta CEO to “take responsibility”. McDonald, 33, was groomed online and sexually abused at the age of 13, although she did not encounter her abuser on Meta platforms. … The campaign was launched a day after the online safety bill, which privacy campaigners fear could undermine encryption, completed its passage through parliament.

New. Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription! 

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz; your answers will help you and will guide us in improving community safety.

Upcoming events. Please join us.

Cyber Humor

Security Nonprofit of the Week … Global Cyber Alliance (GCA)

Special kudos this week to cybersecurity nonprofit Global Cyber Alliance (GCA) on being granted United Nations ECOSOC (Economic and Social Council) Special Consultative Status. GCA builds practical, measurable solutions and easy-to-use tools, and it works with partners to accelerate adoption around the world. GCA recently partnered with the Public Interest Registry to develop an explainer video on cybersecurity risks to mission-based/non-profit organizations and on how such organizations can use GCA’s cybersecurity toolkit to address those risks. The video is embedded in the mission-based organization toolkit. GCA was one of the founders of Nonprofit Cyber, the first-of-its-kind coalition of global nonprofit organizations formed to enhance joint action to improve cybersecurity. SecureTheVillage is a proud member of Nonprofit Cyber.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

The Breach of Titans: How Reasonable was the Security Failure? (LinkedIn) (Podcast): The iconic casinos MGM and Caesars become the latest victims of cyber warfare. A question: Was it reasonable for the security of such giants to falter? From social engineering tactics and deepfakes to the future of AI in cyber warfare, the discussion makes the case that businesses, both big and small, need a posture of proactivity in their defenses. #CyberCitizens, the digital realm is a double-edged sword. As technology advances, so do the threats. How do we stay vigilant? How do we ensure that our defenses are adequate? …Tune in, subscribe, and be a part of this crucial conversation. Subscribe to Live on Cyber with Stan Stahl, PhD and Julie Michelle Morris, your weekly 15-min update on the latest in privacy and information security affecting your business and community.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.

Two stories about scams this week. In the first, security company Sophos uncovered a gang that used a type of romance scam called ‘pig butchering’ to steal more than $1,000,000 from unsuspecting victims in the last three months. In the second, several scam victims tell their stories. Both are vivid reminders of the dangers of the Internet.

  • $1M crypto-romance scam exposed by Sophos: A pig-butchering ring that stole more than $1 million from victims in three months has been uncovered by cybersecurity firm Sophos. The rather lurid term, translated from the Chinese “shā zhū pán,” refers to a hybrid form of romance scam that persuades targets to invest in fake cryptocurrency schemes. … Sophos launched its investigation after one of the victims, who goes by the pseudonym “Frank” to protect his identity, came forward with his story. Frank says he lost $22,000 earlier this year after someone claiming to be a German woman called “Vivian” approached him on dating app MeetMe. … The inquiry by Sophos researchers “uncovered a total of 14 domains associated with the scam operation, as well as dozens of nearly identical fraud sites that, together, netted this one ‘ring’ of pig butchers more than $1 million in three months.”
  • You’ve Got (Scam) Mail: Is everyone being swindled all the time and just not talking about it? … I decided to find out firsthand: I put out a call on Instagram and was almost instantly flooded with people’s stories of being swindled through LinkedIn when applying for a job, on eBay when buying things, on Craigslist when looking for an apartment. Often, the targets were in vulnerable positions: desperate for work or housing, or experiencing momentous life changes.

Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.

Two stories on the MGM / Caesars breaches: the first on inadequate cybersecurity leadership by the boards, the second on the sophistication of the cybercriminal teams that worked together to bring both casinos down.

  • Caesars And MGM Boards Lose Cybersecurity Gambles: Despite the staggering, well-documented rise in cybercrime, the SEC’s long-awaited cybersecurity regulations exclude board tech expertise requirements. … Two recent cyberattacks on prominent casino chains, MGM Resorts and Caesars, offer clear and compelling examples of the risks of poor boardroom digital era readiness and why proxy statement governance disclosures warrant a closer read. … As widely reported, Caesars paid $15 million in a ransomware attack. Just days later, in a “vishing” (voice phishing) scheme, hackers impersonated an employee using LinkedIn information to fool MGM’s IT help desk for systems access. The breach disrupted MGM casino operations, reduced daily revenue and cash flow by an estimated 10-20% and dented its market cap by nearly $2 billion. … Notably, both casinos seated boards without credible IT experience. That reality was tucked in their 2023 proxy statements — either by disclosure or sleight of hand.
  • ‘Power, influence, notoriety’: The Gen-Z hackers who struck MGM, Caesars: About a year ago, the U.S. security firm Palo Alto Networks began to hear from a flurry of companies that had been hacked in ways that weren’t the norm for cybercriminals. … Native English-speaking hackers would call up a target company’s information technology helpdesk posing as an employee, and seek login details by pretending to have lost theirs. They had all the employee information needed to sound convincing. And once they got access, they’d quickly find their way into the company’s most sensitive repositories to steal that data for extortion. … Known in the security industry variously as Scattered Spider, Muddled Libra, and UNC3944, these hackers were thrust into the limelight earlier this month for breaching the systems of two of the world’s largest gambling companies – MGM Resorts and Caesars Entertainment Ltd. Behind the scenes, it has hit many more companies, according to analysts tracking the intrusions – and cybersecurity specialists expect the attacks to continue.

On the same subject of Board responsibility, the attack on Clorox is likely to bring additional clarity to the SEC’s new cyber rules.

  • Clorox Cyberattack Brings Early Test of New SEC Cyber Rules: Company’s eight disclosures to date show how figuring material impact of a cyberattack is unfamiliar ground, legal and cyber experts say. … A cyberattack on cleaning-products maker Clorox is providing an early test for new rules on disclosing cyberattacks, in a case that is being closely watched by business leaders. … Clorox is one of the first large U.S. companies to suffer a cyberattack since the Securities and Exchange Commission’s rigorous new cybersecurity rules went into effect Sept. 5. … Since an initial notice posted on its website and one filed with the SEC on Aug. 14, Clorox has issued six more, including another 8-K filing, each adding details about operational disruptions as the episode unfolds. The company said the financial impact is still unknown.

A piece of good news for the upcoming 2024 election as many of the companies making election equipment opened their systems to external third-party security reviews.

  • Hackers Let Loose on Voting Gear Ahead of US Election Season: Ethical hackers were given voluntary access to digital scanners, ballot markers, and electronic pollbooks, all in the name of making the voting process more resilient to cyber threats. … Election machine manufacturers are opening their wares to hackers in an effort to harden voting security ahead of next year’s US Presidential Election. … This week’s first-ever Election Security Research Forum featured organized pen testing and bug research for digital scanners, ballot marking devices, and electronic pollbooks, with a primary focus on the technology that voters may encounter at a polling site. The forum also enabled security researchers to engage with the vendors of the systems. … Notably, this marked the first time such manufacturers voluntarily offered their systems for third-party review as part of a vulnerability disclosure process, according to the Forum.

On the subject of the 2024 election, the New York Times offers an essay on trust as the Internet fills with Deep Fakes and other forms of misinformation, mal-information, and disinformation. Expect the 2024 election to be a digital sh-t show.

  • The Internet Is About to Get Much Worse: Greg Marston, a British voice actor, recently came across “Connor” online — an A.I.-generated clone of his voice, trained on a recording Mr. Marston had made in 2003. It was his voice uttering things he had never said. … Back then, he had recorded a session for IBM and later signed a release form allowing the recording to be used in many ways. Of course, at that time, Mr. Marston couldn’t envision that IBM would use anything more than the exact utterances he had recorded. Thanks to artificial intelligence, however, IBM was able to sell Mr. Marston’s decades-old sample to websites that are using it to build a synthetic voice that could say anything. Mr. Marston recently discovered his voice emanating from the Wimbledon website during the tennis tournament. … His plight illustrates why many of our economy’s best-known creators are up in arms. We are in a time of eroding trust, as people realize that their contributions to a public space may be taken, monetized and potentially used to compete with them. When that erosion is complete, I worry that our digital public spaces might become even more polluted with untrustworthy content.

Cyber insurance claims continue to rapidly rise.

  • Cyber insurance claims spiked in first half of 2023 as ransomware attacks surged: report: A cyber insurance firm reported a significant jump in the number of claims during the first half of the year, adding that damages caused by attacks have also increased. … An analysis from San Francisco-based Coalition found that ransomware was the “largest driver of the increase in claims frequency,” which was up 12% on last year through the end of June. Overall, ransomware was involved in nearly 1 in 5 cyber incidents involving insurance claims, with Royal, BlackCat and LockBit 3.0 the three most common variants.

This week in cybercrime, including even more fallout from the MOVEit breach.

  • City of Fort Lauderdale loses $1.2 million in phishing scam, police in Florida say: The City of Fort Lauderdale was bilked out of $1.2 million dollars in what police in South Florida are saying was a phishing scam. … The city made the large payment on September 14 for what they believed was a legitimate bill from Moss Construction, according to the Fort Lauderdale Police Department.
  • National Student Clearinghouse data breach impacts 890 schools: U.S. educational nonprofit National Student Clearinghouse has disclosed a data breach affecting 890 schools using its services across the United States. … In a breach notification letter filed with the Office of the California Attorney General, Clearinghouse said that attackers gained access to its MOVEit managed file transfer (MFT) server on May 30 and stole files containing a wide range of personal information.
  • University of Minnesota says 2021 data leak may have compromised student info as far back as 1989: The University of Minnesota confirmed on Thursday that a 2021 breach of a university database may have compromised personal information of students and staff dating back to 1989.
  • Dallas says Royal ransomware breached its network using stolen account: The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account. … Royal gained access to the City’s network using a stolen domain service account in early April and maintained access to the compromised systems between April 7 and May 4. … During this period, they successfully collected and exfiltrated 1.169 TB worth of files based on system log data analysis conducted by city officials and external cybersecurity experts. … The gang also prepared the ransomware deployment phase by dropping Cobalt Strike command-and-control beacons across the City’s systems. At 2 AM on May 3rd, Royal started deploying the ransomware payloads, using legitimate Microsoft administrative tools to encrypt servers. … So far, the Dallas City Council has set a budget of $8.5 million for ransomware attack restoration efforts, with the final costs to be shared later.
  • FBI steps up search for members of cybercrime group 2 years after announcing it had taken its systems down: The FBI has stepped up its search for members of a multimillion-dollar cybercrime group more than two years after the bureau and its European allies announced they had taken down the group’s computer systems, according to newly unsealed court documents reviewed by CNN. … The court records show how difficult it can be to shut down cybercriminal gangs, often based in Eastern Europe and Russia, that operate like well-oiled multinational corporations and fleece Americans out of millions of dollars. Unless they’re arrested, the hackers can sometimes recover from law enforcement seizures of their computer infrastructure and rebuild their fraudulent empires.
  • NY college forced to invest $3.5 million in cybersecurity after breach affecting 200,000: New York state’s attorney general is forcing a college to invest $3.5 million into cybersecurity after a 2021 data breach leaked troves of sensitive information about almost 200,000 people. … Attorney General Letitia James and Marymount Manhattan College (MMC) announced an agreement on Thursday that will see the New York City liberal arts institution invest heavily to address data security deficiencies exposed during a 2021 ransomware attack. … “When institutions like Marymount Manhattan College fail to properly protect online data, thousands of New Yorkers are put at risk as a result,” James said in a statement. “In the modern digital age, companies and universities alike must do a better job at safeguarding the personal information with which they are entrusted. This agreement will help ensure that future classes of MMC students, faculty, and alumni will have their online data protected.”

Section 4 – Managing Information Security and Privacy in Your Organization.

Be prepared. If you’re the head of a company, you need to prepare for a cyberattack. For small and medium-sized organizations, I would change the third question to read “Do you have contact information for your attorney and insurance broker?”

  • 6 Actions CEOs Must Take During a Cyberattack: Many have warned over the years of the growing cyber threats and some have offered thoughtful advice for how to strengthen an organization’s protection and resilience. Three questions can help determine whether enough has been done: First, have you participated in a cyber tabletop exercise recently? Second, do you have the contact information of your chief information security officer saved somewhere other than your work phone or computer? (Remember, if your company’s networks suffer a ransomware attack, your work devices may be inaccessible.) Third, do you know your point of contact in government in case of a cybersecurity incident?

One of the cybersecurity mantras is that our people are our greatest risk. As the next story reports, insider risk is becoming increasingly costly. And the most costly category is the lack of mindfulness by users who make mistakes and ignore warnings.

  • Insider risks are getting increasingly costly: The cost of cybersecurity threats caused by organization insiders rose over the course of 2023, according to a new report from the Ponemon Institute and DTEX Systems. … The potential monetary losses from security incidents caused by insider activity — purposeful or accidental — is sharply on the rise, as businesses continue to misunderstand the threat they pose. … Ponemon classified insider threats into three categories. First, threats that arose because of malicious insiders looking to harm the company, like disgruntled employees. Second, threats that arose because an outside attacker “outsmarted” a vulnerable employee, who was taken in by a phishing scam or similar. Finally — in the most costly category — the report described negligent or mistaken insiders, who ignored warnings from security systems or misconfigured a system.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge