Pete Recommends – Weekly highlights on cyber security issues, April 6, 2024

Subject: AT&T Confirms Data Breach Affecting 73 Million Current and Former Customers
Source: Gizmodo

AT&T has automatically reset the passcodes of 7.6 million current customers. It will be offering complimentary identity theft and credit monitoring.

Of the 73 million people affected, 65.4 million were former AT&T customers. In the case of the 7.6 million current customers, AT&T has automatically reset their passcodes. Passcodes are four-digit codes used by AT&T customers to add an extra layer of security to their accounts, in addition to their passwords, and are presented during some operations such as calling customer service. Customers whose passcodes have been reset have been contacted by AT&T.

Furthermore, AT&T explained that the data set appeared to contain information from 2019 or earlier. In its statement, AT&T indicated that it would be taking measures to help those potentially affected, such as offering complimentary identity theft and credit monitoring services.

Notably, the data set involved in the breach may have been on the dark web for some time, according to Bleeping Computer. The outlet reports that in 2021, a hacker known as Shiny Hunters purported to be selling the stolen data of 73 million AT&T customers, which included names, addresses, phone numbers, and birth dates, among others. At that time, Shiny Hunters attempted to sell the data for $200,000 and incremental offers of $30,000. AT&T denied that its system had been breached in response to Bleeping Computer in 2021.

Subject: CISA Publishes New Webpage Dedicated to Providing Resources for High-Risk Communities
Source: CISA

Today, CISA published a new dedicated High-Risk Communities webpage comprising cybersecurity resources to support civil society communities at heightened risk of digital security threats, including cyber hygiene guidance, a repository of local cyber volunteer programs, and free or discounted tools and services. Despite their vulnerability to advanced cyber threats, many civil society organizations operate on lean budgets and cannot significantly invest in cybersecurity. CISA’s High-Risk Communities webpage provides resources specifically for civil society organizations, such as:

  • Project Upskill, a suite of cyber hygiene guides designed to arm individuals of high-risk organizations with simple steps to meaningfully improve their cyber hygiene.
  • Cybersecurity Resources for High-Risk Communities, which offers a wide selection of free or steeply discounted tools and services.
  • Cyber Volunteer Resource Center, a repository of cyber volunteer programs across the country that provide free, hands-on cybersecurity support to under-resourced organizations.

For more information on the initiative, read Associate Director Clayton Roman’s blog post, JCDC Working and Collaborating to Build Cyber Defense for Civil Society and High-Risk Communities. Visit Joint Cyber Defense Collaborative to learn more about the planning effort that aided in developing these valuable resources.

Subject: Cyber Safety Review Board: Microsoft security culture ‘inadequate’
Source: GeekWire

[h/t Sabrina] Microsoft comes under intense scrutiny and pointed criticism in a 34-page report released Tuesday by the Cyber Safety Review Board (CSRB), a group created by the U.S. Secretary of Homeland Security in 2021 to review major cybersecurity incidents.

The report focuses on a high-profile incident in May and June 2023, when the Chinese hacking group known as Storm-0558 is believed to have compromised the Microsoft Exchange Online mailboxes of more than 500 people and 22 organizations worldwide, including senior U.S. government officials.

The CSRB report takes Microsoft to task for its security culture, describing it as “inadequate” and saying it “requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

The report also criticizes Microsoft’s public communications, noting that the company waited until last month to correct a September 2023 blog post about the root cause of the breach after repeated questions from the board.

At the conclusion of CSRB’s review, the report said, Microsoft still didn’t know exactly how Storm-0558 obtained the critical 2016 Microsoft Services Account (MSA) signing key that was used in the 2023 intrusion.

At one point, the report says Microsoft’s leaders need to consider refocusing its product development, prioritizing security features over new product features, effectively reviving the spirit of the “Trustworthy Computing” initiative that Microsoft co-founder Bill Gates famously instituted in 2002.

Subject: Does wiretap law apply to cookies on hospital websites?
Source: Becker’s Health IT

The Massachusetts Supreme Judicial Court will hear a case April 3 on whether hospitals violated a state law prohibiting wiretapping when they had third-party analytics tools on their websites, the Boston Globe reported. A Massachusetts woman sued New England Baptist Hospital and Beth Israel Deaconess Medical Center, both in Boston, alleging that cookie technology on their websites violated her privacy by transmitting her data to third parties such as Google and Facebook for targeted advertising, according to the April 3 story. The defendants argued that using the state’s Wiretap Act as a standard aims to “interpret the language of this pre-internet age statute in a way that creates unintended, absurd, and calamitous internet age consequences.”

Subject: ‘Law Firm’ of AI Generated Lawyers Is Sending Fake Threats as SEO Scam
Source: 404 Media

404 Media: “Last week, Ernie Smith, the publisher of the website Tedium, got a “copyright infringement notice” from a law firm called Commonwealth Legal: “We’re reaching out on behalf of the Intellectual Property division of a notable entity, in relation to an image connected to our client,” it read.  I am familiar with these sorts of emails, which are frightening to get. In an earlier, wilder day of media, it was relatively common for news websites to use images that were tagged as “Creative Commons” on Flickr and sites like it….

Smith began looking into the law firm. And he found that Commonwealth Legal is not real, and that the images of its “lawyers” are AI generated…”

Abstracted from beSpacific

Subject: DA says he shut down 21 sites stealing millions through crypto scams
Source: AP via Newser

NEW YORK (AP) — Authorities in New York City said Thursday they disrupted an online fraud operation that stole millions of dollars by duping victims into making phony cryptocurrency investments. Brooklyn District Attorney Eric Gonzalez said his office seized 21 web domains that were being used by scammers in so-called “pig butchering” schemes, a term that refers to gaining victims’ trust through dating apps or other sites and steering them toward bogus investments. “Pig butchering is a growing type of scam that defrauds residents of Brooklyn and the entire country out of billions of dollars every year,” Gonzalez said in a statement. “My office’s strategy is to disrupt these schemes by seizing and shutting down their online infrastructure, and to educate the public.” He urged people not to trust crypto investments that seem too good to be true and warned against downloading apps from unverified crypto websites.

Subject: GPS Signals in Tel Aviv Go Haywire as Israel Fears Iranian Missile Strikes
Source: Gizmodo

GPS signals in Tel Aviv, Israel were scrambled Thursday, causing services like smartphone maps and food delivery to go haywire, according to a new report from the Times of Israel. And while it hasn’t been officially confirmed, it appears the Israeli military may be responsible for the GPS disruptions as the country anticipates a retaliatory missile strike from Iran in the coming days.

“What wartime GPS scrambling looks like,” one Tel Aviv resident wrote on X. “I took a 6-minute trip on a rental scooter in Tel Aviv and the app thinks I traveled 200km to Beirut.”

It became common for Israel to scramble GPS signals over its northern airspace after the terrorist attacks of October 7, 2023, in an effort to confuse missiles launched by Hezbollah from Lebanon. But Thursday’s GPS spoofing—which interfered with apps like Waze, Google Maps, and Gett Taxi—appeared to be the first time the tactic was deployed in the major city of Tel Aviv since the war began.

The U.S. has conducted GPS spoofing exercises, though there are no known cases of the country using it in war. Ukraine, Russia, and China have also deployed the tactic in recent years. But it’s still not clear whether Israel’s attempt at confusing an Iranian rocket will work. The world may find out sooner rather than later.

Subject: Meta to label broader range of AI-generated content

Meta said on Friday it plans to label more content that is manipulated or created by artificial intelligence as part of an updated review process and policy after feedback from its Oversight Board. The tech giant said it will begin labeling video, audio and image content on Facebook, Instagram and Threads with a “Made with AI” marking beginning in May on content that bears “industry standard image indicators” and when people disclose that images were made with AI. “If we determine that digitally-created or altered images, video or audio create a particularly high risk of materially deceiving the public on a matter of importance, we may add a more prominent label so people have more information and context,” Meta said…. The Oversight Board urged Meta to update its approach to manipulated images to “reflect a broader range of content that exists today” and provide proper context about the content with labels. In February, the Oversight Board took Meta to task, saying Meta’s policy on AI-generated content was too narrow and provided a loophole for bad actors to get around the initial intent of identifying such manipulated content while protecting free speech.
