It’s a cold, hard fact that hackers don’t really care about their victims or their victims’ data or business. They are greedy, evil human beings that just want the money.

The newest trend for hackers is to develop and launch cyber-attacks that deploy destructive malware. This means that when a threat actor infiltrates a business’ system, it exfiltrates the data, and in the process deploys destructive malware that destroys the victim’s data if the ransom isn’t paid. The North Korean hackers used this type of malware during the attack on Sony years ago.

Threat actors are motivated by money. First, they deploy ransomware that encrypts files so the victim has no access to its data unless it pays for the encryption key. Security professionals understand that backing up data to recover it in the event of an attack can minimize the damage and a company could recover its data without paying the ransom.

Then the threat actors figured out that exfiltrating the data and threatening to publish the data on a shame website (a double extortion attack) gave the victim another reason to pay the ransom. Many companies refuse to pay the ransom in a double extortion situation, preferring to face the consequences.

Since companies are refusing to pay in cases of double extortion attacks, the threat actors are now developing destructive code that will corrupt the data or entire servers of the victim in the event the victim refuses to pay the ransom.

According to ZDNet, cybersecurity researchers at Cyderes and Stairwell have found that

at least one ransomware group is testing “data destruction” attacks. This would be dangerous for ransomware victims because while it’s often possible to retrieve encrypted files without paying a ransom, the threat of servers being completely corrupted if extortion demands aren’t met could push more victims towards giving in.

The suspected ransomware group is BlackCat, which might be a rebrand of BlackMatter, “which in turn was a rebrand of Darkside, the ransomware operation behind the Colonial Pipeline attack.”

Sadly, the researchers predict that the prevalence of data exfiltration and destruction will only increase.

A class action lawsuit, Seirafi et al v. Samsung Electronics America, Inc., Case 4:22-cv-05176-KAW, filed recently in the Northern District of California, alleges that Samsung’s unnecessary personal information collection, and failure to secure that information, violate the California Consumer Privacy Act (CCPA). This lawsuit was inspired by two recent data breaches that allegedly included personal data of American users. The plaintiffs go beyond the facts of the breaches, though, to allege that Samsung should never have collected that information in the first place.

The California Consumer Privacy Act provides: “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” According to the plaintiffs, Samsung acted unreasonably by requiring them to register accounts to use smart televisions and other devices. If this theory succeeds, tech companies could find that locking devices behind online registration is more risk than it’s worth.

In response to Dobbs v. Jackson Women’s Health Organization, California Governor Gavin Newsom recently signed AB 1242 into law, which “prohibits law enforcement and California corporations from cooperating with out-of-state entities regarding a lawful abortion in California.”

In particular, AB 1242 prohibits California companies that provide electronic communication services from complying with out-of-state requests from law enforcement regarding an investigation into, or enforcement of, laws restricting abortion.

Sponsored by California Assembly member Rebecca Bauer-Kahan and California Attorney General Rob Bonta, AB 1242:

takes an innovative legal approach to protect user data. The bill prohibits California law enforcement agencies from assisting or cooperating with the investigation or enforcement of a violation related to abortion that is lawful in California. This law thereby blocks out-of-state law enforcement officers from executing search warrants on California corporations in furtherance of enforcing or investigating an anti-abortion crime. For example, if another state wants to track the movement of a woman traveling to California seeking reproductive health care, the state would be blocked from accessing cell phone site tower location data of the woman by serving a warrant to the tech company in California. In addition, if another state wants Google search history from a particular IP address, it could not serve an out-of-state search warrant at Google headquarters in CA without an attestation that the evidence is not related to investigation into abortion services. Although the first state to enact such a law, as California often is when it comes to privacy rights, we anticipate that other states will follow suit and that these laws will be hotly contested in litigation.

It was heartbreaking to watch the reports of Hurricane Ian as it landed on the west coast of Florida. The damage and losses left in its wake will be overwhelming and catastrophic for Floridians; the toll will become clearer over the next few days. We all feel a sense of hurt and loss for them and want to help.

Many organizations will mobilize to offer assistance to victims in the days and weeks to come. At the same time, scammers will be looking to tug on our heartstrings to try to get us to send money to fraudulent organizations pretending to help the victims of the hurricane.

This is an old trick to prey on good-natured individuals to divert funds when we are most vulnerable. Help those in need, but be wary of scammers in the process. Here are some tips to avoid being scammed:

  • Research the organization you are interested in donating to, and make sure you are on the organization’s legitimate website when donating through a website.
  • Donate to charities you have donated to before, which you know to be legitimate and experienced in responding to disasters.
  • Be wary of any solicitations for donations of gift cards, cash, cryptocurrency or wires.
  • Be wary of responding to a random email requesting a donation and don’t click on links or attachments provided in a solicitation.
  • Don’t trust a solicitation in an email or text, even if a legitimate charity’s logo is included.
  • Be cautious about donating to crowdsource funding sites.

Donating to help victims is a worthy effort. Use these tips to make sure your donation gets into the right hands and makes a difference.

California Governor Gavin Newsom signed the California Age-Appropriate Design Code Act (the Act) into law last week. This new law will require those online service providers likely to be accessed by children under 18 years old to comply with heightened privacy requirements, including incorporating privacy-by-default and privacy-by-design into their products. The 18-year age threshold for defining a child online is several years higher than the federal standard set by the Children’s Online Privacy Protection Act, which protects data collected from online users under 13. The bulk of the new bill requires online service providers to complete a Data Protection Impact Assessment for any online service, product, or feature likely to be accessed by children. The bill additionally prohibits businesses from using children’s data for any purpose other than the reason for which it was originally collected and requires them to prioritize children’s well-being over business considerations.

Notably, the Act requires businesses to declare whether their product, service, or algorithms could “harm” children without defining the scope of “harm.” At this point, the statute could be read to either require material harm or to treat violations as damage per se. It’s also unclear which group(s) would be responsible for clarifying these new rules and regulations. The Act establishes the California Children’s Data Protection Working Group to advise the Legislature on issues involving technology and child welfare, which will likely release policy statements. However, the Act vests enforcement power with the Attorney General, who may seek injunctions and fines of up to $2,500 for each negligent breach and $7,500 for each intentional breach. Finally, the Act’s findings declare that this law should be read in concert with the California Privacy Rights Act, which also established the California Privacy Protection Agency responsible for regulating and enforcing consumer privacy in the state. The California Age-Appropriate Design Code Act will take effect on July 1, 2024.

The FBI issued a Private Industry Notification targeted to the health care sector on September 12, 2022, warning that it has “identified an increasing number of vulnerabilities posed by unpatched medical devices that run on outdated software and devices that lack adequate security features.”

The potential threats identified include outdated software that is unable to be patched or hasn’t been patched, devices using default configurations that can be exploited by threat actors, and devices that did not incorporate security features during the development stage.

The FBI uses industry research to outline that “as of January 2022…53% of connected medical devices and other internet of things (IoT) devices in hospitals had known critical vulnerabilities. Approximately one third of health care IoT devices have an identified critical risk potentially implicating technical operations and functions of medical devices.”

The identified medical devices that “are susceptible to cyber-attacks include insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps. Malign actors who compromise these devices can direct them to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health.”

Unpatched medical devices truly present a life-or-death risk to health care organizations and patients.

The Notification outlines a number of recommendations to address the security of medical devices, including endpoint protection, identity and access management, asset management, vulnerability management, and required training for employees.

Ireland’s Data Privacy Commissioner will reportedly fine Instagram for its handling of children’s data. According to an investigation that began in 2020, Instagram published emails and phone numbers for children ages 13 to 17 who operated business accounts. Business accounts typically post this information by default. Meta, Instagram’s parent, plans to appeal the €405 million fine. It has also added new features to the platform designed to lock down children’s accounts automatically. This is the third GDPR fine the regulator has hit Meta with in the last year; the Irish Commissioner recently fined WhatsApp €225 million and Facebook €17 million. Many tech companies base their EU operations in Ireland, giving this Commissioner’s office considerable influence in this area.

Hackers caused a massive traffic jam in Moscow by exploiting the ride-sharing app Yandex Taxi and using it to summon dozens of taxis to a single location. While Yandex has not confirmed the attacker’s identity, the hacktivist group Anonymous claimed responsibility on Twitter. The group has been actively taking aim at Russian targets in response to the Russian Federation’s ongoing invasion of Ukraine.

Yandex claims that it has implemented new algorithms to detect this type of attack in the future and will compensate the affected drivers.

This traffic jam is a new application of an old hacktivist tactic: flood the system to make it unusable. Other techniques in this vein include blackouts (which target fax machines) and distributed denial of service (which targets websites and networks). No word yet on whether this new rideshare jam exploit will merit a snappy title.

Provider groups and privacy advocates have joined together to put pressure on Congress to pass two bipartisan bills designed to bolster children and teens’ privacy.

The Kids Online Safety Act (S. 3663) and the Children and Teens’ Online Privacy Protection Act (S. 1628) were both passed out of the Senate subcommittee with bipartisan support. That’s a real feat these days.

According to a letter urging Senators Charles Schumer and Mitch McConnell to advance these bills to the Senate floor this fall, the bills have “the potential to significantly improve young people’s wellbeing by transforming the digital environment for children and teens.” The letter outlines the stark effect online activities have on children and teens, backed by scientific publications. According to the advocates, which include the American Psychological Association and the American Academy of Pediatrics, evidence “is abundantly clear of the potential severe impacts social media platforms can have on the brain development and mental health of our nation’s youth, including hazardous substance use, eating disorders, and self-harm.”

The summary of the findings outlined in the letter is sobering and worth a read. The letter was signed by 145 organizations. I am calling my Senators’ offices voicing my support for the bills and asking them to urge Senators Schumer and McConnell to advance the bills during the fall session. If you support these bills, you may wish to let your Senators know as well.

Password manager LastPass, reportedly used by more than 33 million users, recently announced that it was hacked, and although it reports that no passwords of users were compromised in the incident, unfortunately, its source code was stolen.

According to LastPass:

“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally…

“Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We have included a brief FAQ below of what we anticipate will be the most pressing initial questions and concerns from you. We will continue to update you with the transparency you deserve.” 

LastPass has informed its customers that they do not need to take any mitigation steps, including changing their passwords. This is good news, since that would be a bit of a nightmare for users. This is one of the “cons” in using a password manager.

Password manager platforms are ripe for attack and are obvious targets of cyber-attackers. LastPass has had its share of incidents and will no doubt continue to be a target due to the large number of customer accounts and administrative Master Passwords, which, if compromised, would be a treasure trove for criminals.

LastPass is being praised for its timely response and announcement of the issue. It will continue to update users as its investigation continues. Food for thought: you might consider changing your master password anyway. It won’t hurt.