Cybersecurity News of the Week, September 25, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

Want to delete your information from the Internet? While there’s much you can do, including using a new tool Google is rolling out on their Android platform, don’t expect to get all your personal information off the Internet … and never think the battle is over.

  • How To Delete Your Personal Information From The Internet: Data broker sites like Spokeo, MyLife and Whitepages are constantly scraping the web to build a profile on you and sell it. Here’s what to do. Huff Post, September 19, 2022
  • Why deleting something from the internet is ‘almost impossible’: Most people may live out their digital lives with the assumption they can delete their posts, messages and personal data from services whenever they choose. But a tech hearing this week threw that core assumption into question. … Peiter “Mudge” Zatko, the former security chief at Twitter, told a Senate committee on Tuesday that the social network does not reliably delete the data of users who cancel their accounts, expanding on bombshell allegations he made in a whistleblower disclosure first reported by CNN and The Washington Post last month. CNN Business, September 18, 2022
  • Google wants to help remove your personal details from its search results: Google has started rolling out a new feature that should help users strengthen their online privacy by helping remove personally identifiable information (PII) from search engine results pages. … After opening the Google app on Android devices some users can tap on their profile picture in the top right corner of the screen. There, they will find a new menu item, called “Results about you”. Tapping on that menu item brings them to a new page that explains how they can ask Google to remove personally identifiable information from search results. That data includes the likes of phone numbers, postal addresses, email addresses, and more.

Election Security Webinar

Our democracy depends on getting the mid-term elections right. This means — first and foremost — getting cybersecurity right. … Find out what’s really going on from three of the nation’s leading experts in election cybersecurity as SecureTheVillage presents a community webinar on election security. September 28, 11:00 am – 12:30 pm PDT. For an overview of the challenges we’ll be discussing, see this week’s Live on Cyber with Dr. Stan Stahl. Register now!!!

  • What Every Citizen Needs to Know: 2022 Election Cybersecurity: Our democracy depends on getting the mid-term elections right. This means — first and foremost — getting cybersecurity right … Everything from protecting sensitive voter identities, registered voter lists, and voting machines; coming to grips with social media; and ensuring confidence in the outcomes. … Find out what’s really going on from three of the nation’s leading experts in election cybersecurity. How vulnerable are our election systems? How is cybersecurity managed in the 50 states? How do we navigate the coming flood of both mis-information and dis-information? How much confidence can we have in the outcome? Panelists include Brandon Wales, Cybersecurity and Infrastructure Security Agency’s (CISA) first Executive Director; Kathy Boockvar, Vice President of Election Operations & Support, Center for Internet Security; Adam Powell III, Executive Director, Election Cybersecurity Initiative, USC Annenberg Center on Communication Leadership and Policy, University of Southern California. Dr. Stan Stahl, SecureTheVillage President and founder, will moderate.

Cyber Humor

Security Nonprofit of the Week … Sightline Security

Our kudos this week to Sightline Security, a nonprofit that helps nonprofits secure and protect their critical information. Their mission is to equip, empower, and support global nonprofits to navigate and embed cybersecurity into their organizations with confidence. Kudos to Sightline Security for their cyber support to the vital under-served nonprofit community.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: As a lead-in to our election cybersecurity webinar, join Julie and me as we explore the national and international cyber threats to the 2022 election.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

Credential Stuffing: This story illustrates why you need different passwords for different sites.

  • Okta: Credential stuffing accounts for 34% of all login attempts: Credential stuffing attacks have become so prevalent in the first quarter of 2022 that traffic surpassed that of legitimate login attempts from normal users in some countries. … This type of attack takes advantage of “password recycling,” which is the bad practice of using the same credential pairs (login name and password) across multiple sites. Bleeping Computer, September 21, 2022

Warning: Don’t fall victim to MFA Fatigue … when the cybercriminal keeps knocking at your door, don’t let him in.

  • MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches: Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. One component of these attacks that is becoming more popular with the rise of multi-factor authentication is a technique called MFA Fatigue. Bleeping Computer, September 20, 2022

Warning: That ad may be the gateway to a scam.

Warning: Protect your elders.

  • Elder fraud is real. Tell your parents, grandparents and… friends about these scams: Kids, it’s time to have “the talk” with your parents and grandparents. … Cybercrime cost Americans over 50 nearly $3 billion last year, a whopping 62% increase from 2020, according to the FBI’s 2021 Elder Fraud Report. … In fact, the number of victims could be much higher, as seniors are also less likely to report fraud, says the FBI. This is supported by figures from the FTC, which show that while 44% of younger people in their 20s reported losing money to fraud, only 20% of those in their 70s did the same. USA Today, September 18, 2022

Digital health care has its advantages. Privacy isn’t one of them.

  • Health apps share your concerns with advertisers. HIPAA can’t stop it: From ‘depression’ to ‘HIV,’ we found popular health apps sharing potential health concerns and user identifiers with dozens of ad companies. … In a nation with millions of uninsured families and a shortage of health professionals, many of us turn to health-care apps and websites for accessible information or even potential treatment. But when you fire up a symptom-checker or digital therapy app, you might be unknowingly sharing your concerns with more than just the app maker. … Facebook has been caught receiving patient information from hospital websites through its tracker tool. Google stores our health-related internet searches. Mental health apps leave room in their privacy policies to share data with unlisted third parties. Users have few protections under the Health Insurance Portability and Accountability Act (HIPAA) when it comes to digital data, and popular health apps share information with a broad collection of advertisers, according to our investigation. The Washington Post, September 22, 2022

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity, and privacy stories to keep you informed.

The week in cybercrime, including more from the LAUSD breach.

  • Ransom demand escalates fallout from Los Angeles schools cyberattack: The Los Angeles school district hasn’t responded to the demand, following the advice of federal authorities. The stakes are high as sensitive data may hang in the balance. … Alberto Carvalho is confronting a major ransomware attack just eight months after he joined the Los Angeles Unified School District as superintendent. Late Tuesday, two weeks after LAUSD publicly disclosed the attack, Carvalho confirmed a ransom demand was made by the group that breached the district’s systems. Cybersecurity Dive, September 21, 2022
  • Hive ransomware claims attack on New York Racing Association: The Hive ransomware operation claimed responsibility for an attack on the New York Racing Association (NYRA), which previously disclosed that a cyber attack on June 30, 2022, impacted IT operations and website availability and compromised member data. Bleeping Computer, September 20, 2022
  • Beaufort woman loses nearly $1 million to scammers posing as FBI agents, cops say: About two months after a Hilton Head woman was scammed out of $130,000 by con artists claiming to be FBI agents, a Beaufort woman reported to the sheriff’s office that she fell prey to a similar trick, losing nearly $1 million. The 77-year-old woman called the sheriff’s office on Sept. 12 to report that she lost a total of $840,457 after a scammer reached out in March, first claiming to be a representative from the VISA Fraud Department, according to a Beaufort County Sheriff’s Office report. The scammers told her they were reaching out regarding a purchase on her account from Best Buy that seemed to be fraudulent. The Island Packet, September 23, 2022
  • Well knock me down with a feather, it’s yet another $160 million crypto hack: 2022 has so far been something of an annus mirabilis for the crypto sector, which in the macro picture has been struggling with the fallout of the gigantic collapse of the Terra ecosystem, while on the micro scale crypto companies of all stripes have suffered hack after hack. … The latest is Wintermute, which is a crypto market maker. The exact way these things operate is complicated, but boils down to their providing liquidity for certain defined cryptocurrencies by both buying and selling them on crypto exchanges: market makers exist in plenty of other industries outside of crypto, and turn a profit by collecting what’s called the bid-ask spread over multiple bets. PC Gamer, September 22, 2022

Three stories on the national cybersecurity front this week.

  • ‘They Are Watching’: Inside Russia’s Vast Surveillance State: A cache of nearly 160,000 files from Russia’s powerful internet regulator provides a rare glimpse inside Vladimir V. Putin’s digital crackdown. … Four days into the war in Ukraine, Russia’s expansive surveillance and censorship apparatus was already hard at work. The New York Times, September 22, 2022
  • Chinese state media claims U.S. NSA infiltrated country’s telecommunications networks: The U.S. National Security Agency (NSA) gained access to China’s telecommunications network after hacking a university, state media alleged. CNBC, September 22, 2022
  • Revealed: US Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data: The “Augury” platform includes highly sensitive network data that Team Cymru, a private company, is selling to the military. “It’s everything. There’s nothing else to capture except the smell of electricity,” one cybersecurity expert said. … Multiple branches of the U.S. military have bought access to a powerful internet monitoring tool that claims to cover over 90 percent of the world’s internet traffic, and which in some cases provides access to people’s email data, browsing history, and other information such as their sensitive internet cookies, according to contracting data and other documents reviewed by Motherboard. Vice, September 21, 2022

The hacker alleged to be behind the Uber and Grand Theft Auto breaches is arrested.

Morgan Stanley is fined for egregious violations of what should be standard information security management practices. It’s hard to envision how this could occur without management being asleep at the wheel. $35M in owner profits going up in smoke.

  • $35M fine for Morgan Stanley after unencrypted, unwiped hard drives are auctioned: “Astonishing failures” over a 5-year span. … Morgan Stanley on Tuesday agreed to pay the Securities and Exchange Commission (SEC) a $35 million penalty for data security lapses that included unencrypted hard drives from decommissioned data centers being resold on auction sites without first being wiped. … The SEC action said that the improper disposal of thousands of hard drives starting in 2016 was part of an “extensive failure” over a five-year period to safeguard customers’ data as required by federal regulations. The agency said that the failures also included the improper disposal of hard drives and backup tapes when decommissioning servers in local branches. In all, the SEC said data for 15 million customers was exposed. Ars Technica, September 20, 2022

This next story reads like something out of the Godfather.

  • At eBay, Lurid Crimes and the Search for Punishment: The victims of a bizarre cyberstalking operation are trying to hold the chief executive and the culture of the company responsible. … “If you are ever going to take her down … now is the time.” Devin Wenig, the chief executive of the e-commerce company eBay, texted those words to a deputy one summer afternoon three years ago. He was upset about a story he had just read. … Within days, the writer who was the subject of Mr. Wenig’s wrath and her husband were inundated with offensive material, including live cockroaches and spiders, a funeral wreath, a Halloween mask of a bloody pig face and a manual on surviving the death of a spouse. Crude and violent Twitter messages were posted mocking them and revealing their address. Posts on Craigslist falsely advertised they were selling their furniture or, alternatively, interested in sexual partners for bondage and sadism. They were physically stalked. … All of the intimidation and harassment directed at Ina and David Steiner was anonymous and completely confounding. The New York Times, September 16, 2022

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in securing their organizations and protecting privacy.

For executive management.

  • Data Breaches: The Brand Impact: Up to $223b of the World’s Top 100 Brands’ Value could be at risk from a Data Breach, finds Infosys-Interbrand Study. … In a world where technology has gotten woven into every facet of our lives, we find ourselves living in a data-rich society. And this has made cybersecurity a part of our everyday lexicon, driving our choice in our association with brands. … The downloadable report serves as a guide for businesses to understand their brand’s ‘value at risk’ in the event of a cybersecurity breach and offers insights into implementing a well-defined cybersecurity strategy to maintain constant vigil and protect applications, data, networks and systems from the ever-present cyberthreat landscape. Infosys, September 2022

For technology management, including a ransomware decryptor

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge