Subject: 5 cybersecurity predictions for 2023
Source: Help Net Security
Cybercrime is now an entire underground economy built around attacks. Thanks to increased international friction and the activity of groups such as Lapsus$, cybercriminals have upped the ante in order to turn a profit. Atakama outlines its top cybersecurity predictions for 2023.
Daniel H. Gallancy, CEO of Atakama adds: “Cyberthreats will continue to proliferate in number and grow in sophistication throughout 2023. While basic security practices will prevent many breaches, organizations are going to need more advanced solutions to protect themselves from the devastating consequences of a successful attack.”
- human error
- Internet of Things
- shadow IT
Over 5.4 million Twitter user records containing non-public information stolen using an API vulnerability fixed in January have been shared for free on a hacker forum. Another massive, potentially more significant, data dump of millions of Twitter records has also been disclosed by a security researcher, demonstrating how widely abused this bug was by threat actors.
The data consists of scraped public information as well as private phone numbers and email addresses that are not meant to be public.
Source: Wired via beSpacific
Wired – “The FBI’s biggest-ever investigation included the biggest-ever haul of phones from controversial geofence warrants, court records show. A filing in the case of one of the January 6 suspects, David Rhine, shows that Google initially identified 5,723 devices as being in or near the US Capitol during the riot. Only around 900 people have so far been charged with offenses relating to the siege. The filing suggests that dozens of phones that were in airplane mode during the riot, or otherwise out of cell service, were caught up in the trawl. Nor could users erase their digital trails later. In fact, 37 people who attempted to delete their location data following the attacks were singled out by the FBI for greater scrutiny. Geofence search warrants are intended to locate anyone in a given area using digital services. …”
And from Wired:
Andrew Ferguson, a professor of law at American University, agrees. “And that worries me because the January 6 cases are going to be used to build a doctrine that will essentially enable police to find almost anyone with a cellphone or a smart device in ways that we, as a society, haven’t quite grasped yet,” he says. “That is going to undermine the work of journalists, it’s going to undermine political dissenters, and it’s going to harm women who are trying to get abortion services.”
Other Wired articles: https://www.wired.com/category/security/
Source: Ars Technica
If you’ve ever worried about the privacy of your sensitive data when seeking a computer or phone repair, a new study suggests you have good reason. It found that privacy violations occurred at least 50 percent of the time, and, not surprisingly, female customers bore the brunt.
Researchers at University of Guelph in Ontario, Canada, recovered logs from laptops after receiving overnight repairs from 12 commercial shops. The logs showed that technicians from six of the locations had accessed personal data and that two of those shops also copied data onto a personal device. Devices belonging to females were more likely to be snooped on, and that snooping tended to seek more sensitive data, including both sexually revealing and non-sexual pictures, documents, and financial information.
The flaws aren’t just theoretical. After examining millions of publicly available documents with blacked-out redactions—including from the US court system, the US Office of the Inspector General, and Freedom of Information Act requests—the researchers found thousands of documents that exposed people’s names and other sensitive details….
Nov. 30 (UPI) — South Dakota Gov. Kristi Noem has banned state employees and contractors from using the social media platform TikTok on their electronic devices over fears the smartphone application could be used to collect U.S. user data for China. The ban, which takes immediate effect, was imposed Tuesday via an executive order that prohibits users of state-owned electronic devices from using them to download the TikTok application or to visit the social media company’s website.
The announcement comes amid growing concerns that the Chinese Communist Party could force the social media platform’s Chinese-based company ByteDance to collect data for it from U.S. users.
Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin to highlight the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) on covered entities and business associates (“regulated entities”) under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies. These online tracking technologies, like Google Analytics or Meta Pixel, collect and analyze information about how internet users are interacting with a regulated entity’s website or mobile application. Some regulated entities regularly share electronic protected health information (ePHI) with online tracking technology vendors and some may be doing so in a manner that violates the HIPAA Rules. The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes ePHI. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.
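A tracking tag sends the vendor a page-view beacon that normally includes the full page URL, so a patient-portal path or query string becomes part of what the vendor receives. The following is an added example, not from the OCR bulletin or any vendor: it parses a page for script, image and iframe sources on a small constructed list of tracker hostnames (an assumption; extend it for your environment), spots inline `fbq(`/`gtag(` calls, and flags URL segments that look like ePHI. The HTML and URL are constructed sample input.

```python
"""Added example: find tracking technologies in a page and flag ePHI-like
data that a page-view beacon would carry to the vendor (not the bulletin's code)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Assumption: hostnames used by the vendors the bulletin names; extend as needed.
TRACKER_HOSTS = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",   # the <img src="https://www.facebook.com/tr?..."> beacon
}
# Assumption: path segments / query keys a patient portal might put in its URLs.
SENSITIVE_URL_TOKENS = {"appointment", "diagnosis", "condition", "provider", "patient", "mrn"}
INLINE_MARKERS = ("fbq(", "gtag(")


class TrackerFinder(HTMLParser):
    """Collect third-party tracker loads and inline tracker calls."""

    def __init__(self):
        super().__init__()
        self.found = []          # (tag, vendor, src)
        self.inline_calls = []   # "fbq" / "gtag"
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        src = a.get("src")
        if tag in ("script", "img", "iframe") and src:
            vendor = TRACKER_HOSTS.get(urlsplit(src).hostname or "")
            if vendor:
                self.found.append((tag, vendor, src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data, so inline snippets land here.
        if self._in_script:
            for marker in INLINE_MARKERS:
                if marker in data:
                    self.inline_calls.append(marker.rstrip("("))


def find_trackers(html):
    p = TrackerFinder()
    p.feed(html)
    p.close()
    return p.found, p.inline_calls


def sensitive_url_parts(page_url):
    """Tokens in the page URL that a page-view beacon would disclose."""
    parts = urlsplit(page_url)
    hits = {seg for seg in parts.path.lower().split("/") if seg in SENSITIVE_URL_TOKENS}
    hits |= {k.lower() for k in parse_qs(parts.query) if k.lower() in SENSITIVE_URL_TOKENS}
    return sorted(hits)


def assess(page_url, html):
    """Risk = a tracker is present AND the URL it would report carries ePHI-like data."""
    trackers, inline = find_trackers(html)
    leaks = sensitive_url_parts(page_url)
    return {
        "trackers": sorted({v for _, v, _ in trackers}),
        "inline": sorted(set(inline)),
        "url_tokens": leaks,
        "risk": bool(trackers or inline) and bool(leaks),
    }


# Constructed sample input (not a real site).
SAMPLE_URL = "https://portal.example-clinic.test/patient/12345/appointment?provider=oncology"
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-XXXX');</script>
<script>fbq('init','1234');fbq('track','PageView');</script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=1234&ev=PageView&noscript=1"/></noscript>
<h1>Schedule your appointment</h1></body></html>"""

if __name__ == "__main__":
    print(assess(SAMPLE_URL, SAMPLE_HTML))
```

Run it against the rendered HTML of authenticated portal pages as well as public pages about specific conditions; the bulletin's concern covers both, and the URL check is what turns "a tracker is loaded" into "ePHI is disclosed".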
Today’s bulletin addresses potential impermissible disclosures of ePHI by HIPAA regulated entities to online tracking technology vendors. The Bulletin explains what tracking technologies are, how they are used, and what steps regulated entities must take to protect ePHI when using tracking technologies to comply with the HIPAA Rules. Specifically, the Bulletin provides insight and examples of:
As Musk continues to make sweeping changes to Twitter, including reinstating banned users, ditching moderation plans, and decimating teams designed to protect users, the company’s former Head of Trust & Safety thinks safety on the app can no longer be guaranteed. And it’s not just former staffers that hold these concerns. As Musk continues to remove the platform’s checks and balances, advertisers are dropping like flies, with 50 of the top 100 agencies fleeing the app within the past week.
As recent events have shown, the safety and security of Twitter users have never been Musk’s top priority. But could this freefall in ad revenue be enough to change the billionaire’s tack?
More shocking still, a recent report by Bloomberg has revealed that Musk has significantly reduced the size of the team responsible for tackling child sexual exploitation on the platform. The team, which was already being pushed to its limits before Musk’s takeover, has been cut in half, leaving ten people left to tend to all cases of child exploitation on the app.
The Spanish National Police have arrested 55 members of the ‘Black Panthers’ cybercrime group, including one of the organization’s leaders based in Barcelona. The gang operated four specialized activity cells dedicated to social engineering, vishing (voice phishing), phishing, and carding, with a highly organized structure.
The arrested leader coordinated the cells and recruited new members and money mules.
“The criminal group consisted of a network structure, made up of interconnected and perfectly defined action cells, whose division of tasks dealt with knowledge, accessibility to stolen information, and experience,” reads the police’s announcement.
The ultimate goal of the gang was to perform SIM swapping attacks, in which the attacker ports a target’s phone number to a device they control. Once the number is ported, the attackers receive the victim’s text messages and can use them to bypass SMS-based 2FA on the victim’s bank accounts and empty them.
For the SIM swapping, the fraudsters used a combination of phishing, vishing, and call forwarding to impersonate the identities of their targets when talking to mobile service provider customer support agents.
In some cases, the scammers even acted as service technicians for local reseller offices of the targeted telecom firms, stealing the account credentials of their employees.
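The attack chain above has a detectable shape: a SIM change or port-out on a number, followed shortly by a password reset or SMS one-time code on the account tied to that number. The block below is an added example, not from the police announcement or any bank or carrier: it correlates constructed carrier SIM-change events with constructed bank authentication events over a 24-hour window (an assumed tuning value), and includes the preventive check a login service can apply before choosing SMS as a factor. The event format and the `carrier_feed` source are assumptions.

```python
"""Added example: correlate SIM-change events with SMS-dependent auth events
to flag likely SIM-swap account takeover (constructed data, not real logs)."""
from datetime import datetime, timedelta

# Constructed sample events; timestamps are UTC ISO-8601. Not real data.
EVENTS = [
    {"ts": "2022-11-30T08:02:11", "type": "login_ok",       "account": "acct-1001", "phone": "+34600000001"},
    {"ts": "2022-11-30T09:15:40", "type": "sim_change",     "phone": "+34600000002", "source": "carrier_feed"},
    {"ts": "2022-11-30T09:31:05", "type": "password_reset", "account": "acct-2002", "phone": "+34600000002"},
    {"ts": "2022-11-30T09:32:50", "type": "sms_otp_sent",   "account": "acct-2002", "phone": "+34600000002"},
    {"ts": "2022-11-30T09:33:20", "type": "transfer",       "account": "acct-2002", "amount": 4800},
    {"ts": "2022-11-28T11:00:00", "type": "sim_change",     "phone": "+34600000003", "source": "carrier_feed"},
    {"ts": "2022-11-30T12:10:00", "type": "sms_otp_sent",   "account": "acct-3003", "phone": "+34600000003"},
]

WINDOW = timedelta(hours=24)                  # assumption: tune to your carrier's port-out lag
RISKY = {"password_reset", "sms_otp_sent"}    # events whose security rests on SMS reaching the owner


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def latest_sim_changes(events):
    """phone -> most recent sim_change time across the whole event set."""
    latest = {}
    for ev in events:
        if ev["type"] == "sim_change":
            t = parse_ts(ev["ts"])
            if ev["phone"] not in latest or t > latest[ev["phone"]]:
                latest[ev["phone"]] = t
    return latest


def find_sim_swap_alerts(events, window=WINDOW):
    """Detection: return (account, phone, event_type, minutes_since_sim_change)
    for every risky event that follows a SIM change on the same number within
    `window`. Events are processed in time order so only earlier changes count."""
    seen_changes = {}   # phone -> latest sim_change time seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = parse_ts(ev["ts"])
        if ev["type"] == "sim_change":
            seen_changes[ev["phone"]] = t
        elif ev["type"] in RISKY:
            last = seen_changes.get(ev.get("phone"))
            if last is not None and t - last <= window:
                minutes = int((t - last).total_seconds() // 60)
                alerts.append((ev["account"], ev["phone"], ev["type"], minutes))
    return alerts


def should_send_sms_otp(phone, now, sim_changes, window=WINDOW):
    """Preventive control: refuse SMS OTP (and fall back to an app or hardware
    factor) when the carrier reports a SIM change on the number within `window`."""
    last = sim_changes.get(phone)
    return last is None or now - last > window


if __name__ == "__main__":
    for alert in find_sim_swap_alerts(EVENTS):
        print("ALERT", alert)
```

The 2022-11-28 SIM change on the third number falls outside the window, so its later OTP is not flagged; the detection is deliberately time-bounded because legitimate handset replacements also produce SIM changes. In production the `sim_change` feed comes from the carrier (several offer a SIM-swap lookup), and the preventive check is the stronger of the two controls since it removes SMS from the path instead of alerting after the transfer.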
As cybersecurity researchers detail a flaw that allowed them to unlock and start Honda and Nissan cars from anywhere in the world, border and immigration agencies are buying up tech to exploit weaknesses in vehicle security. For anyone with a Honda or Nissan car, it was possible for a hacker with a laptop to unlock or start their vehicle, locate it and raid personal data stored inside, cybersecurity researchers warned on Wednesday. They could even honk the horn.
The hack highlighted a weakness in modern vehicles’ internet-connected systems, in particular those that track vehicle use and location while hooking up to drivers’ cellphones and sucking in user data. They’re the same technologies that are regularly exploited by federal law enforcement agencies, with immigration and border cops investing more than ever before in tools that extract masses of data, from passwords to location, from as many as 10,000 different car models.
The latest vulnerability was due to a now-fixed flaw in the cars’ shared telematics system, which records data like speed, brake and door use, created by SiriusXM, according to researcher Sam Curry. The only data he needed to start the hack was a car’s identifying number, known as a VIN, easily retrievable from a windshield on many models. Using what the researcher called a “simple” computer program, Curry could take the VIN and send it to a SiriusXM server as a kind of fake identification, tricking it into believing he was the real car owner. The program would then ask SiriusXM to pull the personal data stored in the car, turn on the ignition or perform other functions.
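The flaw class described above is object-level authorization: the server knows who the caller is, but uses a value the caller supplies (the VIN, which is public) to decide what they may act on. The following is an added illustration of that pattern and its fix, not SiriusXM's code or a reconstruction of it; the vehicle registry, user names, VINs and command set are all constructed.

```python
"""Added example: a telematics command endpoint that trusts a caller-supplied
VIN as proof of ownership, beside a version that checks the caller's
entitlement. Illustrative only; not SiriusXM's code, all data constructed."""

# Constructed backend state standing in for database tables.
VEHICLES = {
    "1HGCM82633A004352": {"owner": "alice",
                          "profile": {"email": "alice@example.test", "address": "1 Main St"},
                          "lat": 40.71, "lon": -74.00, "locked": True, "engine": "off"},
    "JN1AZ4EH0DM000001": {"owner": "bob",
                          "profile": {"email": "bob@example.test", "address": "9 Elm Ave"},
                          "lat": 34.05, "lon": -118.24, "locked": True, "engine": "off"},
}
USER_VEHICLES = {"alice": {"1HGCM82633A004352"}, "bob": {"JN1AZ4EH0DM000001"}}
COMMANDS = {"profile", "locate", "lock", "unlock", "start", "stop"}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def _apply(vin, command):
    """Execute a command against a vehicle record (shared by both handlers)."""
    v = VEHICLES[vin]
    if command == "profile":
        return dict(v["profile"])
    if command == "locate":
        return (v["lat"], v["lon"])
    if command in ("lock", "unlock"):
        v["locked"] = command == "lock"
        return {"locked": v["locked"]}
    if command in ("start", "stop"):
        v["engine"] = "on" if command == "start" else "off"
        return {"engine": v["engine"]}
    raise ValueError(command)


def vulnerable_handler(session_user, vin, command):
    """VULNERABLE (illustrative): the session establishes WHO is calling, but the
    VIN from the request is taken as proof of WHAT they may control. session_user
    is never consulted, so anyone who can read a VIN off a windshield can pull the
    owner's profile, locate the car, unlock it or start it."""
    if vin not in VEHICLES:
        raise NotFound(vin)
    return _apply(vin, command)


def authorized(session_user, vin):
    """Object-level authorization: is this VIN bound to the authenticated identity?"""
    return vin in USER_VEHICLES.get(session_user, set())


def hardened_handler(session_user, vin, command):
    """HARDENED: validate the command, then require the VIN to be in the caller's
    own vehicle set. Unknown and unowned VINs get the same refusal so the
    endpoint does not become a VIN existence oracle."""
    if command not in COMMANDS:
        raise ValueError(command)
    if not authorized(session_user, vin):
        raise Forbidden("vehicle not bound to account")
    return _apply(vin, command)


def try_command(handler, session_user, vin, command):
    """Exercise a handler and report the outcome as a plain tuple."""
    try:
        return ("ok", handler(session_user, vin, command))
    except Forbidden as e:
        return ("denied", str(e))
    except NotFound:
        return ("notfound", vin)


if __name__ == "__main__":
    target = "1HGCM82633A004352"   # a VIN "read off the windshield"
    print("vulnerable:", try_command(vulnerable_handler, "mallory", target, "unlock"))
    print("hardened:  ", try_command(hardened_handler, "mallory", target, "unlock"))
    print("owner:     ", try_command(hardened_handler, "alice", target, "lock"))
```

The check belongs in the handler for every command that names a vehicle, not only in the UI that lists "my cars": the researcher's "simple program" talked to the server directly, so client-side filtering is no control at all. Returning the same refusal for unknown and unowned VINs is a small extra step that keeps the endpoint from confirming which VINs are enrolled.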