The Sixth Sense of the IT Privacy and Security Weekly Update for the Week ending October 31st, 2023

10/31/2023
Episode 163

We start with the perils of sharing too much on social media and feeling like there's just no recovering from that last round of plastic surgery. Then we touch on a story of an unexpected right hook from the SEC that left one CISO seeing stars. For our third story we smell trouble with the high number of shortened web addresses being delivered by email, text and messaging apps. At four and five we find Ace Hardware left with a bad taste in its mouth just as news of a ban on ransomware payments by 40 nations hits our ears. For our sixth story we try to see through the murk of AI model transparency with a new rating system that may deliver some clarity. And as is often the case, we end this week's update somewhat explosively, with a suggestion that should keep all our senses (and quite possibly our homes) intact.

Our sixth sense tells us this is the best update yet, so grab that Ouija board and let's go!

US: FBI Issues Warning on Cyberattacks Targeting Plastic Surgery Offices
https://www.ic3.gov/Media/Y2023/PSA231017

Cybercriminals are increasingly targeting plastic surgery offices, surgeons, and patients to harvest sensitive information and photographs for extortion. Using spoofed contact information, they employ phishing techniques to infiltrate plastic surgery offices and steal electronically protected health information (ePHI), which includes sensitive data and photos. They then use open-source data, including social media, to enrich the stolen ePHI of plastic surgery patients, making it more valuable for extortion. Extortionists contact patients and surgeons through various channels, demanding cryptocurrency payments to prevent the release of the ePHI. They may threaten to share the data with the victims' friends, family and colleagues, and create public websites to pressure victims into paying.

So what's the upshot for you? The moral of this story: perhaps it's better not to post about your upcoming plastic surgery on social media. Look what can happen!

US: SEC Charges SolarWinds and Its CISO With Fraud and Cybersecurity Failures
https://www.securityweek.com/sec-charges-solarwinds-and-its-ciso-with-fraud-and-cybersecurity-failures/

In a case of "Who saw this coming?", the Securities and Exchange Commission (SEC) filed charges against SolarWinds and its Chief Information Security Officer (CISO), Timothy G. Brown, alleging that the software company misled investors about its cybersecurity practices and known risks. The charges stem from alleged fraud and internal control failures related to known cybersecurity weaknesses between the company's October 2018 initial public offering (IPO) and its December 2020 revelation of a sophisticated cyberattack dubbed "SUNBURST."

The software supply chain attack involved Russia-linked threat actors breaching SolarWinds systems in 2019, or possibly even earlier. The attackers compromised the automated build environment for the company's Orion monitoring software, and in the spring of 2020 they pushed malicious Orion updates out to SolarWinds customers.

According to the SEC's complaint, Austin, Texas-based SolarWinds and Brown deceived investors by overstating the company's cybersecurity practices while understating or failing to disclose known risks. The SEC alleges that SolarWinds disclosed only vague and hypothetical risks to investors while internally acknowledging specific cybersecurity deficiencies and escalating threats. A key piece of evidence cited in the complaint is a 2018 internal presentation prepared by a SolarWinds engineer and shared internally, including with Brown. The presentation stated that SolarWinds' remote access setup was "not very secure" and that exploiting the vulnerability could lead to "major reputation and financial loss" for the company. Presentations by Brown himself in 2018 and 2019 likewise indicated concerns about the company's cybersecurity posture.

So what's the upshot for you? This could backfire, with CISOs writing risk reports so vague they serve no purpose. It also puts the CEO on the hook for culpability if a CISO's documented requests for resources are ignored. Or it could give CISOs more traction, especially those who don't hide the truth.

Global: Arriving just in time for the holidays: cyberattackers use Link-Shortening Services for Phishing
https://www.darkreading.com/threat-intelligence/prolific-puma-hacker-gives-cybercriminals-access-to-us-domains

Cyberattackers are using a link-shortening service to obtain top-level .us domains, making their phishing campaigns less detectable. Researchers have identified the threat actor behind this operation, dubbed "Prolific Puma," which has generated up to 75,000 unique domains in the last 18 months, often evading regulations to provide criminals with .us URLs. Shortened links make it easier for attackers to fit malicious URLs into text messages, hide their destinations, and evade automated security products. Unlike mainstream link-shortening services such as Bitly or TinyURL, Prolific Puma's service does nothing to prevent malicious use.

Prolific Puma employs a registered domain generation algorithm (RDGA) that drives registrar APIs to create properly registered domains, rather than the unregistered throwaway names of a classic DGA. This gives cyberattackers more robust and fault-tolerant infrastructure for their operations. Prolific Puma predominantly uses the registrar NameSilo to register .us domains, despite .us being reserved for American citizens and organizations. The rules on disclosing registrant information are not strictly enforced, and registrants can pay in bitcoin for added anonymity.
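One way to do the check this story calls for, and to see how a shortener's redirect chain actually behaves, as an added example that is not part of the original update or of the Infoblox research it reports: the Python below expands a short link one HEAD request at a time with redirect-following switched off, so the final page is never loaded in a browser and the whole chain of Location headers is visible. The hop limit, the flag names, and the sample shortener responses are this example's own assumptions.

```python
"""Expand a shortened URL hop by hop without loading the final page.

Added example for this update, not code from the article or from the
researchers who tracked Prolific Puma. It sends HEAD requests with
redirect-following disabled, records every Location header, and stops at
a loop, a hop limit, or the first non-redirect response. Flagging .us
destinations mirrors the story; the hop limit, the function names and the
sample data are assumptions made for this example.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10                                  # assumed limit, not from the article
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so urllib raises HTTPError and we see each hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_no_follow(url, timeout=5):
    """One HEAD request. Returns (status, Location header or None).

    A status of None means the host could not be reached at all.
    """
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:      # 3xx/4xx/5xx land here
        return err.code, err.headers.get("Location")
    except OSError:                            # URLError, DNS failure, timeout
        return None, None


def expand(url, fetch=head_no_follow, max_hops=MAX_HOPS):
    """Walk the redirect chain manually and describe where it leads."""
    chain = [url]
    seen = {url}
    status, stop = None, "final"
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status is None:
            stop = "unreachable"
            break
        if status not in REDIRECT_CODES or not location:
            break                                # a real page or an error page
        nxt = urljoin(chain[-1], location)       # Location may be relative
        if nxt in seen:
            stop = "loop"
            break
        chain.append(nxt)
        seen.add(nxt)
    else:
        stop = "hop_limit"                       # still redirecting after max_hops

    final = chain[-1]
    host = urlsplit(final).hostname or ""
    flags = []
    if host == "us" or host.endswith(".us"):     # the TLD Prolific Puma favours
        flags.append("us-tld")
    if len(chain) > 2:                           # more than one redirect is unusual
        flags.append("multi-hop")
    if stop != "final":
        flags.append(stop)
    return {"chain": chain, "final": final, "status": status,
            "stop": stop, "flags": flags}


# Constructed sample responses so the example runs offline; the hosts are made up.
SAMPLE = {
    "https://short.example/abc": (302, "/r/x"),
    "https://short.example/r/x": (301, "https://login-update.example.us/"),
    "https://login-update.example.us/": (200, None),
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}


def sample_fetch(url):
    """Stand-in for head_no_follow that answers from SAMPLE."""
    return SAMPLE.get(url, (404, None))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = expand(sys.argv[1])                       # live HEAD requests
    else:
        result = expand("https://short.example/abc", fetch=sample_fetch)
    for hop in result["chain"]:
        print("  ->", hop)
    print("stop:", result["stop"], "flags:", result["flags"])
```

Run it with a URL as the first argument to query live servers; without arguments it walks the constructed sample chain. Treat the result as what one HEAD request from your vantage point sees: a shortener can hand out different redirects by User-Agent, region or time of day, so a clean chain here reduces the risk but is not proof that the link is safe.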
Addressing this link in the cybercrime supply chain requires action from domain registrars, which can use third-party threat intelligence, anomaly detection, and collaboration with cybersecurity advocacy groups to identify and combat abuse while respecting registrant privacy. The story highlights how a link-shortening service can be abused, how Prolific Puma's use of properly registered domains makes its infrastructure resilient, and why a multi-pronged effort at the domain registration level is needed.

So what's the upshot for you? As has always been the case, a short URL gives an attacker an easy way to deliver you into trouble, so take your time. Check where the short URL actually leads, and only then decide whether to follow it... or not.

US: Ace Hardware gets nailed by a cyber attack
https://www.reddit.com/r/sysadmin/comments/17jwvtz/ace_hardware_corp_cybersecurity_incident_10302023/

Ace Hardware appears to be the latest organization to succumb to a cyberattack, judging by its website and a message from CEO John Venhuizen. The site today warns that the retailer-owned cooperative is unable to process online orders. A memo from Venhuizen indicates the problem is serious: "On Sunday morning, we detected a cybersecurity incident that is impacting the majority of our IT systems." Judging by commentary on social media, things are not going well inside. No deliveries will be made today, October 31, and Ace Hardware is unable to receive orders from its retailers. Those stores should, however, remain open, and the organization noted there was no known impact to either in-store payment systems or credit card processing.

So what's the upshot for you? Ace is the place. This may be an early test case for the "no ransomware payments" agreement happening later this week.

Global: Alliance of 40 countries to vow not to pay ransom to cybercriminals, US says
https://www.reuters.com/technology/alliance-40-countries-vow-not-pay-ransom-cybercriminals-us-says-2023-10-31/

In ransomware attacks, hackers encrypt an organization's systems and demand ransom payments in exchange for unlocking them. Often they also steal sensitive data, use it to extort the victim, and leak it online if the payment is not made. Forty countries in a U.S.-led alliance plan to sign a pledge never to pay ransom to cybercriminals and to work toward eliminating the hackers' funding mechanism, a senior White House official said on Tuesday. The International Counter Ransomware Initiative comes as the number of ransomware attacks grows worldwide. The United States is by far the worst hit, with 46% of such attacks, Anne Neuberger, U.S. deputy national security adviser in the Biden administration for cyber and emerging technologies, told reporters in a virtual briefing. "As long as there is money flowing to ransomware criminals, this is a problem that will continue to grow," she said.

So what's the upshot for you? The open discussion happens on Thursday, and we have included a link in this update.

Global: New Index Finds AI Models Are Murky, Not Transparent At All
https://crfm.stanford.edu/fmti/

The new executive order on artificial intelligence (AI) signed by US President Joe Biden outlines how the industry needs to ensure AI is trustworthy and helpful. The order follows high-profile discussions in July and September between AI companies and the White House that resulted in promises that AI companies will be more transparent about the technology's capabilities and limitations. Promising to be transparent is a good step forward, but there needs to be a way to measure how well those promises are being kept. One method could be the Foundation Model Transparency Index developed by Stanford University's Center for Research on Foundation Models.

The index graded 10 foundation model developers, one flagship model each, against 100 indicators, covering how the model is built (including how it is trained), the model's own properties and capabilities, and how the model is distributed and used downstream. The scores were calculated from publicly available information, although the companies were given the opportunity to supply additional information to change their score. What does transparency look like for some of the most widely used foundation models? Not great. "No major foundation model developer is close to providing adequate transparency, revealing a fundamental lack of transparency in the AI industry," the Stanford researchers wrote in the summary of their findings.

So what's the upshot for you? Understanding how an AI model was trained, what biases it carries and what its makers consider an acceptable error rate are all part of understanding how the AI arrives at its responses.

UA: The future of warfare: A $400 drone killing a $2M tank
https://www.politico.eu/article/future-warfare-400-army-strike-drone-unit-2m-tank/

Facing an enemy with superior numbers of troops and armor, the Ukrainian defenders are holding on with the help of tiny drones flown by operators like Firsov that, for a few hundred dollars, can deliver an explosive charge capable of destroying a Russian tank worth more than $2 million. A typical FPV ("first-person view") drone weighs up to one kilogram and has four small motors, a battery, a frame and a camera connected wirelessly to goggles worn by a pilot operating it remotely. It can carry up to 2.5 kilograms of explosives and strike a target at a speed of up to 150 kilometers per hour, explains Pavlo Tsybenko, acting director of the Dronarium military academy outside Kyiv.

"This drone costs up to $400 and can be made anywhere. We made ours using microchips imported from China and details we bought on AliExpress. We made the carbon frame ourselves. And, yeah, the batteries are from Tesla. One car has like 1,100 batteries that can be used to power these little guys," Tsybenko told POLITICO on a recent visit, showing the custom-made FPV drones used by the academy to train future drone pilots. "It is almost impossible to shoot it down," he said. "Only a net can help. And I predict that soon we will have to put up such nets above our cities, or at least government buildings, all over Europe."

So what's the upshot for you? Think about this. In 10 years' time, home alarms may also need built-in signal-jamming capabilities so that last Friday's "slightly loud" get-together doesn't end with enraged neighbors blowing up the source.

And our roundup...

We started with the perils of sharing too much on social media. Chin tuck? Good luck! Then we touched on a story where a right hook from the SEC left one CISO seeing stars. Honesty always wins; that should have been the fight plan from the start. In at three, we smelled trouble with all the shortened web addresses (URLs) arriving by email, text and messaging apps. Our strategy? Always check them before clicking, and when in doubt, throw them out. At four and five, Ace Hardware may have been hit with ransomware just as a ban on ransomware payments is agreed by over 40 nations. For our sixth story we cut through some of the murk of AI model transparency with a new rating system from Stanford University that could go some way to delivering clarity on the capabilities and limitations of the technology. And finally we learned how drones are changing the battlefront between countries and, quite possibly, one day between neighbors.

The quote of the week: "Equipped with our five senses - along with telescopes and microscopes and mass spectrometers and seismographs and magnetometers and particle accelerators and detectors sensitive to the entire electromagnetic spectrum - we explore the universe around us and call the adventure science." - Edwin Powell Hubble

That's it for this week.
Stay safe, stay secure, further questions? Just ask the Ouija and we'll see you in se7en!
bernadette
11/8/2023 01:25:58 pm
You read my mind!