Cybersecurity News of the Week, September 4, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, motivate, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

Our first two stories this week deal with freedom of speech in the face of the every real threat of political violence stoked by hate-fomenting websites. These stories discuss how things have gotten worse since Mar-A-Lago culminating in a decision by Cloudflare, an Internet security company, to stop protecting Kiwi Farms, one of the worst of the worst.

  • Cyber threat investigator sees “major uptick in threats” against federal authorities since Mar-a-Lago FBI search: The threats to the Florida magistrate who signed off on the FBI search warrant for Mar-a-Lago were “almost immediate,” according to the deputy director of the U.S. Marshals Service, in an exclusive interview for “CBS Mornings.” … Roberto Robinson told CBS News senior investigative correspondent Catherine Herridge that Judge Bruce Reinhart’s address was posted online —a tactic called doxing — and his teams are “on it.”  Cbs News, September 2, 2022
  • Under pressure, security firm Cloudflare drops Kiwi Farms website: Company’s CEO says the firm had detected imminent threats and that law enforcement could not keep up with them … Reversing course under growing public pressure, major tech security company Cloudflare announced Saturday that it will stop protecting the Kiwi Farms website, best known as a place for stalkers to organize hacks, online campaigns and real-world harassment. … Cloudflare Chief Executive Matthew Prince, who this past week published a lengthy blog post justifying the company’s services defending websites such as Kiwi Farms, told The Washington Post he changed his mind not because of the pressure but a surge in credible violent threats stemming from the site. The Washington Post, September 3, 2022

Privacy legislation is in the news again this week. Washington continues debating the terms of a National privacy law. One of the open questions is whether a Federal law will be a “floor” or a “ceiling” on the States. Meanwhile California has passed a first-of-its-kind child privacy law that seems destined to upend things. Stay tuned as the bill awaits Governor Newsom’s signature.

  • Pelosi expresses reservations about bipartisan privacy bill: A bipartisan privacy bill aimed at reining in the tech and data industries just hit a serious roadblock: House Speaker Nancy Pelosi has issues with the legislation. … Without the speaker’s support, the bill likely won’t make it to a floor vote in the House. … Speaker Nancy Pelosi raised issues with the American Data Privacy and Protection Act preempting state laws, specifically the ones in her home state of California. Politico, September 1, 2022
  • Privacy bill triggers lobbying surge by data brokers: Brokers say a potential privacy bill could hamper their work with law enforcement and overly restrict their industry. Politico, August 28, 2022
  • California Age-Appropriate Design Code final passage brings mixed reviews: While U.S. Congress is working to devise appropriate regulations for children’s online privacy and content moderation, finalization is not on the immediate horizon. The inaction led the California Legislature to take matters into its own hands with final passage of Assembly Bill 2273, the California Age-Appropriate Design Code Act. … The bill, which awaits enactment by Gov. Gavin Newsom, D-Calif., after unanimously passing the State Assembly and Senate, is an online safety bill containing unique privacy requirements to protect minors age 17 and under. If enacted, the bill would enter into force Jan. 1, 2024. iapp, August 31, 2022
  • The US May Soon Learn What a ‘Kid-Friendly’ Internet Looks Like: The California Age-Appropriate Design Code would launch a huge online privacy experiment. And it won’t just affect children. … NO ONE WOULD describe the internet as “kid-friendly.” Parents fret over how to keep their kids safe from the internet’s myriad dangers, from bullies to predators to surreptitious surveillance. A new California bill is poised to remove some of the burden from parents—and force tech companies to take more responsibility to protect kids online. Wired September 1, 2022

Election Security Webinar

Our democracy depends on getting the mid-term elections right. This means — first and foremost — getting cybersecurity right. … Find out what’s really going on from three of the nation’s leading experts in election cybersecurity as SecureTheVillage presents a community webinar on election security. September 28, 11:00 am – 12:30 pm PDT Register now!!! Sponsorships available!!!

  • What Every Citizen Needs to Know: 2022 Election Cybersecurity: Our democracy depends on getting the mid-term elections right. This means — first and foremost — getting cybersecurity right … Everything from protecting sensitive voter identities, registered voter lists, and voting machines; coming to grips with social media; and ensuring confidence in the outcomes. … Find out what’s really going on from three of the nation’s leading experts in election cybersecurity. How vulnerable are our election systems? How is cybersecurity managed in the 50 states? How do we navigate the coming flood of both mis-information and dis-information? How much confidence can we have in the outcome? Panelists include Kim Wyman, Senior Election Security Advisor, Cybersecurity and Infrastructure Security Agency (CISA); Kathy Boockvar, Vice President of Election Operations & Support, Center for Internet Security;  Adam Powell III, Executive Director, Election Cybersecurity Initiative, USC Annenberg Center on Communication Leadership and Policy, University of Southern California. Dr. Stan Stahl, SecureTheVillage President and founder will moderate.

The importance of navigating the flood of mis-information and dis-information is illustrated by our next story. The security device that two counties in Washington are refusing to use was built by the Center for Internet Security. We’ll talk about this with Panelist Kathy Boockvar, the Center’s Vice President of Election Operations & Support.

  • Some Republicans in Washington state cast a wary eye on an election security device: In northeast Washington state, a remote region nestled against the Canadian border, the politics lean conservative and wariness of government runs high. … Earlier this year, a Republican-led county commission there made a decision that rippled across Washington — triggering alarm at the secretary of state’s office, and now among cybersecurity experts who have worked for the past six years to shore up the security of America’s voting systems. NPR, August 28, 2022

Cyber Humor

Security Nonprofit of the Week … Open Cybersecurity Alliance

Kudos this week to the Open Cybersecurity Alliance (OCA). The Alliance develops standardized data interfaces to support an open ecosystem where cybersecurity tools interoperate without the need for custom integrations. OCA is a nonprofit, global collaboration of software providers, end users, government agencies, research institutes , and individuals committed to enabling the free exchange of information, insights, analytics, and response across cybersecurity tools. An open source project, OCA operates under the OASIS Open governance process, which ensures transparency, inclusiveness, and safety, with a path to standardization and reference in international policy and procurement. Like SecureTheVillage, the Open Cybersecurity Alliance is a member of Nonprofit Cyber.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl:  Julie and I took a pre-Labor Day break to spend time with our families. The link is to last week’s LinkedIn Live on the importance of keeping software up to date.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

#UpdateNow. Google released two updates for Chrome last week. Make sure you got them both.

#NeverTrust. Be careful out there.

  • Hackers hide malware in James Webb telescope images: Hackers hide malware in James Webb telescope images. … Threat analysts have spotted a new malware campaign dubbed ‘GO#WEBBFUSCATOR’ that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware. Bleeping Computer, August 30, 2022
  • This PDF reader app has a million downloads on the Play Store – but it’s just adware: Malicious PDF reader serves up annoying full screen ads, … One of the most popular PDF reader apps on the Google Play Store is actually just a vehicle to deliver potentially harmful adware, experts have warned. … An investigation by Malwarebytes found that the imaginatively-named “PDF reader – documents viewer” app did nothing of the sort, but instead flooded user devices with annoying full screen adverts, even when not in use. Tech Radar, September 2, 2022
  • Microsoft finds TikTok vulnerability that allowed one-click account compromises: Microsoft said on Wednesday that it recently identified a vulnerability in TikTok’s Android app that could allow attackers to hijack accounts when users did nothing more than click on a single errant link. The software maker said it notified TikTok of the vulnerability in February and that the China-based social media company has since fixed the flaw, which is tracked as CVE-2022-28799. ars Technica, August 31, 2022

Watch Michael B. Jordan and Tessa Thompson take care of cyber criminals in a new PSA from Amazon, part of the company’s Protect and Connect Program.

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity, and privacy stories to keep you informed.

This week in cybercrime is pretty much what every week looks like. I can’t emphasize enough that it’s jungle out there. And it’s even worse if you play in the crypto-jungle. This is why we emphasize the critical importance we all have to take the necessary steps to protect ourselves. … From the Board Room to the Living Room.

  • Neopets says hackers had access to its systems for 18 months: Neopets has released details about the recently disclosed data breach incident that exposed personal information of more than 69 million members. … Findings of the investigation launched on July 20, 2022 revealed that attackers had access to the Neopets IT systems from January 3, 2021 until July 19, 2022. … The company learned about the breach only after a hacker offered to sell a Neopets database for four bitcoins.  Bleeping Computer, September 1, 2022
  • Student loan data breach leaks 2.5 million social security numbers: Bad actors may have gained access to millions of users’ information between June and July. … Student loan data breach leaks 2.5 million social security numbers. … A data breach on student loan servicer Nelnet Servicing has caused the confidential information of  over 2.5 million users to be leaked. Nelnet Servicing provides technology services including a website portal to two student loan companies, Edfinancial and OSLA services. Cyber Security Hub, August 31, 2022
  • More than 20,000 SSNs stolen during ransomware attack on San Francisco 49ers: One of the NFL’s most popular franchises — the San Francisco 49ers — began sending breach notification letters out Thursday, after more than 20,000 people’s sensitive information was accessed during a ransomware attack earlier this year. The Record, September 2, 2022
  • Samsung says a data breach revealed some customers’ names, birthdays, and more: Samsung is warning customers about a cybersecurity incident in July, where “an unauthorized third party acquired information from some of Samsung’s U.S. systems,” including things like names, birthdays, contact info, and product registration information. The company says it discovered the breach on August 4th, and is currently investigating it with “a leading outside cybersecurity firm.” The Verge, September 2, 2022
  • LastPass was hacked — again: The good news is that no passwords appear to have been revealed from the password-saving site. The bad news is that its source code has been compromised. ZD Net Innovation, August 29, 2022
  • Thousands lured with blue badges in Instagram phishing attack: Instagram phishing uses blue-badge lure on over 1,000 users a day. … A new Instagram phishing campaign is underway, attempting to scam users of the popular social media platform by luring them with a blue-badge offer. … Blue badges are highly coveted as Instagram provides them to accounts it verified to be authentic, representing a public figure, celebrity, or brand. … The spear emails in the recently observed phishing campaign inform recipients that they Instagram reviewed their accounts and deemed them eligible for a blue badge. … Users falling for the scam are urged to fill out a form and claim their verification badge in the next 48 hours. Bleeping Computer, September 1, 2022
  • FBI issues warning after crypto-crooks steal $1.3 billion in just three months: Amid a wave of hacks that have cost investors billions of dollars worth of cryptocurrency, the FBI is calling on decentralised finance (DeFi) platforms to improve their security. … In a warning posted on its website, the FBI said that cybercriminals are increasingly targeting DeFi platforms to steal cryptocurrency, often exploiting vulnerabilities in smart contracts to part investors from their money. Tripwire, September 1, 2022

As we’ve been reporting for several weeks, the cyber insurance industry is in great flux as insurers struggle to manage their exposure in the face of ever-increasing cyber-attacks.

  • Cyber-Insurance Firms Limit Payouts, Risk Obsolescence: Businesses need to re-evaluate their cyber-insurance policies as firms like Lloyd’s of London continue to add restrictions, including excluding losses related to state-backed cyberattackers. … Companies will need to re-evaluate their cyber-insurance premiums after major insurance companies have adopted exclusions for catastrophic cyberattacks conducted by “state-backed” actors. … This limits the risk that companies can offset with cyber insurance, security and risk experts tell Dark Reading — making taking out a policy potentially not worth it. DARK Reading, August 29, 2022
  • Changing cyber insurance guidance from Lloyd’s reflects a market in turmoil: Rising ransomware attacks and higher payout demands have battered the insurance industry, leaving many organizations exposed and vulnerable…. A critical, but long-anticipated decision by Lloyd’s last week to phase out coverage for state-sponsored cyberattacks illustrates an insurance market that has been under increasing financial pressure for years. It also raises questions for U.S. companies about their preparedness and long-term risks amid more dangerous and sophisticated threats. Cybersecurity Dive, August 29, 2022

National cybersecurity is also in the news this week with two stories.

  • ‘May the best spy win’: Australia’s intelligence chiefs open up on cyber threats – and feminism: Two of the country’s top spy bosses have offered a rare insight into the escalating threat from cyber-attacks, and Australia’s defensive and offensive responses. … “All’s fair in love and war and espionage,” said Rachel Noble, the director general of the Australian Signals Directorate (ASD), when asked if it was hypocritical for the west to call out cyber-attacks from other countries, when it is carrying out its own. … “Of course we spy on other countries,” she said during an appearance at the Lowy Institute. “May the best spy win. The Guardian, September 2, 2022
  • NATO Countries Hit With Unprecedented Cyber Attacks: Montenegro, Estonia and new NATO applicant Finland are just three of the countries being hit hard by sophisticated cyber attacks. What’s happening and who’s next? Government technology, September 4, 2022

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in securing their organizations and protecting  privacy.

As if things weren’t bad enough, cybercriminals are now threatening to shut down the networks of victims until an additional ransom is paid. Cybercriminals now (1) encrypt the victim’s data and hold it for ransom, (2) copy the victim’s data, threatening to release it unless a further ransom is paid, and (3) threaten to bring down the organization’s network until a ransom is paid. And, as the second story shows, the cyber criminals continue to get better and better at their craft.

  • LockBit ransomware gang adding DDoS attacks to its threats: The LockBit ransomware gang is adding a third weapon to its arsenal of threats: Denial of service attacks. IT World Canada, August 29, 2022
  • Cyber Signals: 3 strategies for protection against ransomware: The “as a service” business model has gained widespread popularity as growing cloud adoption has made it possible for people to access important services through third-party providers. Given the convenience and agility of service offerings, perhaps it shouldn’t be surprising that the “as a service” model is being used by cybercriminals for nefarious purposes. Microsoft Security, August 30, 2022

Meanwhile, CISA and the rest of government are doing what they can to support organization’s manage their information risk. It’s imperative for IT organizations to follow CISA’s lead. It’s also imperative for executives to provide leadership, setting clear expectations that everyone is to play their role in protecting the organization’s information and its information systems.

  • NSA and CISA share tips to secure the software supply chain: The U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released tips today on securing the software supply chain. … This guidance is designed by the Enduring Security Framework (ESF)—a public-private partnership that works to address threats to U.S. critical infrastructure and national security systems—to serve as a collection of suggested practices for software developers. Bleeping Computer, September 1, 2022
  • CISA Adds 10 New Known Actively Exploited Vulnerabilities to its Catalog: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including a high-severity security flaw affecting industrial automation software from Delta Electronics. The Hacker news, August 29, 2022

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge