2023 September Cyber Bytes

Multi-Factor Authentication

MFA is one of the most powerful steps you can take to protect your online accounts

SANS

Factsheet - Multi-Factor Authentication

Password Best Practices and Password Managers

Protecting sensitive information starts with a secure password. Here are a few tips on how to create secure passwords and keep them safe:

SANS

Factsheet - Passwords and Password Managers

Mobile Device Security

Smart tips to protect your mobile devices

SANS

Factsheet - Protect Your Mobile Devices

Social Engineering Attacks

Social engineering is the art of human manipulation. It is when bad guys attempt to fool or trick you into doing something you should not do. Some of the most common social engineering attacks to look out for are:

SANS

Factsheet - Social Engineering Attacks

What Data Does My Car Collect About Me and Where Does It Go?

By Jen Caltrider, Misha Rykov and Zoë MacDonald on September 6, 2023

What did I learn in researching the privacy and security of 25 of the top car brands in the world? Modern cars are a privacy nightmare and it seems that the Fords, Audis, and Toyotas of the world have shifted their focus from selling cars to selling data.

When all of the 25 car brands we reviewed earn our *Privacy Not Included warning label for failing to respect and protect their customers’ privacy, something is seriously wrong. Car companies, are you hard up on cash? Your swan dive into the data biz is worrying us. It’s just that… Drivers are already paying you for their cars so why are you taking their privacy too? Ugh.

When we first started looking into cars and privacy, only one thing was clear: It’s complicated. Even to the car-makers! In response to a standard set of privacy and security questions we ask companies by email, Mercedes-Benz told us that it wasn’t possible to give us “universal answers.” And they’re kinda right. It is so difficult to get a clear picture of the data comings and goings between vehicles, their apps, their connected services, and more. But did your privacy-researching team take “it’s too complicated” for an answer? Heck no! Determined to help consumers get to the bottom of the privacy and security of cars, here’s what we learned after combing through 25 of the most popular car brands’ (many) privacy policies.

How does my car collect data about me?

Cars have had some kind of computer in them since the 1970s. What’s new is the number of them and the amount of things they control. If you had the pleasure of driving during the El Camino era before the mid-eighties, you might remember literally rolling down a car window -- by turning a crank. (A clunky move that makes it even harder to look cool hanging out the passenger side of your best friend’s ride.)

Nowadays, it takes just a press of a button to “roll down” your car’s windows as more and more of cars’ features are powered by computer systems that also connect to the internet. And we’re not just talking about state-of-the-art future-cars. Consulting firm McKinsey predicts that 95% of new vehicles sold globally will be connected ones by 2030. “Basic vehicles,” the report says, will bring the most value from data because of their popularity. So if it doesn’t yet, calling a car “smart” will soon feel as retro as saying “smart phone.”

Cars with more advanced features and commands barely even need buttons. There’s touch-sensors and screens that work with barely a boop of the finger, a wave of the foot, or even by asking nicely. The future is now! But having all those microphones, cameras, and sensors sending signals through your car’s computers also means that whenever you interact with your car you create a tiny record of what you just did. Like when you turn the steering wheel or unlock the doors. And usually all that information is collected and stored by the car company.

Other bits of information about you and your passengers can be collected automatically, when you’re just sitting there. Because while your car is waiting to respond to your command, its sensors are, uh, “sensing”. That’s probably why vehicle data hubs, the data brokers of the car industry, can brag about having so many data points like driver fatigue -- which monitors head and eye position -- and heart rate.

Cars’ new bells and whistles mean the potential for more data-collecting sensors, cameras, and microphones. But unlike with apps or smart home devices, most drivers aren’t even aware this data is being collected -- let alone have the power to turn it off.

Another way your car collects data is from the connected services you use from your car’s dashboard, like satellite radio or a GPS route planner. Then there are the devices you connect to it, like a telematics device (a plug-in that sends information about your driving behavior to your insurance company) or your phone. Car companies can also get data about you from your phone when you download the car’s app.

Finally, there’s the old-fashioned way. Just like (way too many) other products that connect to the internet do, car companies often collect extra information about you on their own from data brokers, car dealers (yes, they know all about you from those test drives), social media, the government, and more places we’ll talk about below.

What data does my car collect about me?

There’s probably no other product that can collect as much information about what you do, where you go, what you say, and even how you move your body (“gestures”) than your car. And that’s an opportunity that ever-industrious car-makers aren’t letting go to waste. Buckle up. From your philosophical beliefs to recordings of your voice, your car can collect a whole lotta information about you.

What you do in your car is more than enough information to paint a detailed picture of you. But your car-maker wants more. They can collect information about how much money you make, your immigration status, race, genetic information, and sexual activity (it’s in there!). Heck, they’ll even help themselves to your photos, your calendar, and your to-do list if you’ll let them.

… But wait, there’s more data car companies collect about you

Thirteen (52%) of the cars we looked at also collect information about the world around your car. Apparently, sensors can record information about the weather, the road surface conditions, traffic signs, and “other surroundings,” whatever that means.

Ugh, that pesky “other” category. As creepy and detailed as these data points are, we’re more worried about what’s not in the fine print. As usual, a lot of the privacy policies use vague language. Six companies mention “demographic data” which is about as descriptive as saying “characteristics” -- another word that popped up a few times. We have similar worries about “sensor data,” because, like we talked about before, sensors can be high tech enough to measure private stuff, like stress level. Also, “images.” Please, car brands, tell us more.

Using broad language is a classic tool that companies use to leave the door open for collecting more data than they’re spelling out in their policies. It makes it pretty much impossible to know all of the information that’s being gathered about you.

“Practically all of the privacy policies we looked at used qualifying language when listing the data points they collect. Words like ‘such as,’ ‘including,’ or ‘etc.’ tell us we are only getting a sample of what is collected and not the full picture.”

They use other cheeky little tactics to gloss over the amount of data they collect, like this Easter egg we found in Honda’s privacy policy. At the end of a long list of categories of personal information they collect, they put “Personal information as described in Cal. Civ. Code § 1798.80(e).” Huh? It turns out that that’s short for just about anything that “identifies, relates to, describes, or is capable of being associated with a particular individual.” Yowza!

(e) “Personal information” means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Through inferences, car companies also create new data about you

Twenty-two of the car brands (88% of the ones we looked at) mentioned creating inferences -- assumptions about you based on other data. And nine of those companies (41% of them) said specifically that they might sell them to third parties. Hmm. Car companies’ love for inferences might explain why they seem to want to collect as much information about you as possible, even when those data points seem meaningless on their own. Like what “title,” “artist,” and “genre” you listen to in your car. Whether you listen to christian rock, show tunes, or The Joe Rogan Experience podcast on your way to work might not say that much about you… Or maybe it does? Either way, when you combine it with where you work (“employment information”) and all the places you go (“route history”), your track list can probably help fill in some blanks about your “preferences.”

Where does all the data go?

Welp, there’s more not-so-great news, folks. Most of the car companies we looked at commit many of the biggest data privacy no-nos in our books. We already talked about how, according to our standards, they collect too much data about you and how they sell inferences. There’s more. Car brands might combine information collected about you from your car with personal information they get from third parties. Then, they often share (and sometimes sell) that information (plus the “inferences” they created based on it) to all kinds of businesses. Over-collecting, combining, sharing, and selling are all things we do not like to see in privacy policies.

According to their own privacy policies, here are the comings and goings of the data created, collected, shared, and sold by car companies.

When it comes to disclosing who your car shares and sells your data to, vague language strikes again! The privacy policies we read usually only listed the categories of businesses they share with, like “service providers.” When they did name companies, the privacy policies often used more qualifying language like “such as,” “etc.,” “and others,” or “or similar” to make it clear that they’re only sharing a sample. Other times, the privacy policies only said that data would be shared or sold without saying to whom.

After over 600 hours of research, we’re still confused about who car companies are sharing your data with and selling it to. But we do have a pretty good guess about why they’re doing it. Your data is a valuable business asset to these companies. And cars, like we mentioned earlier, can collect more and more detailed personal data than almost any other device or company can. So of course car companies are keen to cash in on that. Nineteen (76%) of the car companies we looked at say they can sell your personal data.

We know this much because of data privacy laws like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States. Both require companies to tell you, at least in broad terms, whether they sell or share your personal data and with what kinds of recipients. So even though the information isn’t as detailed as we’d like it to be, it is listed in the privacy policy.

On the other hand, even the strongest privacy laws don’t apply to so-called “aggregated and anonymized” data. So we can’t know how that information is handled. What we do know is that there’s a booming industry based on selling data from cars. On their website, automotive data broker (or “vehicle data hub”) High Mobility advertises their wide range of data products that include precise location, those two we mentioned earlier (“heart rate” and “driver fatigue”) and 57 other categories. Oh, and! They have a partnership with nine (36%) of the car brands we researched.

“The detailed data collected by car companies is a data broker’s dream. Indeed, Vehicle Data Hubs are rich with that information. Yet we still know so little about how they obtain, process, and sell it. That is the sad irony about the data broker business: they make billions off of our essentially stolen private information while revealing next to nothing about how they operate.”

The more we try to learn about cars and privacy, the more questions we have. Like, what happens to your personal data after it’s shared? And how can time-stamped, precise location data ever be anonymous?

… And where does the data end up?

Even though it might not sound like it, our research at *Privacy Not Included is based on the best-case scenario. We can only really report on what companies say they’ll do with your data in their privacy policies. That’s why we take security standards and track record into account when handing out warning labels. And on that point, it’s a “yikes” across the board for car brands. Seventeen (68%) of the car companies earned our “bad track record” ding for failing to protect and respect their users’ privacy with a leak, breach, or hack recently. Among the greatest hits to their customers’ privacy:

  • Volkswagen and its subsidiary Audi suffered a data breach affecting 3.3 million users.
  • Toyota leaked data of 2.15 million users over roughly ten years, between 2013 and 2023.
  • In June 2022 Mercedes-Benz disclosed a data leak on the part of a third-party vendor that exposed the personal information of up to 1.6 million prospective and actual customers, including names, street addresses, email addresses and phone numbers.

With all the mysterious sharing and selling on top of these epic-level oopsie daisies, we’re worried about all that super personal and detailed information getting into even wrong-er hands than your car’s parent company. Like law enforcement, hackers, or just about anyone who can purchase from a data broker.

Hackers shut down 2 of the most advanced telescopes

It's unclear exactly what the nature of the cyberattacks was or where they originated.

Space.com by Brett Tingley, published on August 30, 2023

Some of the world's leading astronomical observatories have reported cyberattacks that have resulted in temporary shutdowns.

The National Science Foundation's National Optical-Infrared Astronomy Research Laboratory, or NOIRLab, reported that a cybersecurity incident that occurred on Aug. 1 has prompted the lab to temporarily halt operations at its Gemini North Telescope in Hawaii and Gemini South Telescope in Chile. Other, smaller telescopes on Cerro Tololo in Chile were also affected. 

"Our staff are working with cybersecurity experts to get all the impacted telescopes and our website back online as soon as possible and are encouraged by the progress made thus far," NOIRLab wrote in a statement on its website on Aug. 24.

It's unclear exactly what the nature of the cyberattacks was or where they originated. NOIRLab points out that because the investigation is still ongoing, the organization will be cautious about what information it shares about the intrusions.

"We plan to provide the community with more information when we are able to, in alignment with our commitment to transparency as well as our dedication to the security of our infrastructure," the update added. 

The cyberattacks on NOIRLab's facilities occurred just days before the United States National Counterintelligence and Security Center (NCSC) issued a bulletin advising American space companies and research organizations about the threat of cyberattacks and espionage. 

Foreign spies and hackers "recognize the importance of the commercial space industry to the U.S. economy and national security, including the growing dependence of critical infrastructure on space-based assets," the bulletin stated. "They see US space-related innovation and assets as potential threats as well as valuable opportunities to acquire vital technologies and expertise."

This isn't the first time that astronomical observatories have been the target of cyberattacks. In Oct. 2022, hackers disrupted operations at the Atacama Large Millimeter/submillimeter Array (ALMA) in Chile, and NASA has been the victim of cyberattacks for years. In 2021, the agency was affected by the worldwide SolarWinds breach that NASA leadership called a "big wakeup call" for cybersecurity. 

MGM Resorts says cyberattack could have material effect on company

CNBC.com by Rohan Goswami on September 13, 2023

Key Points:

  • MGM Resorts on Wednesday said that a cyber incident that has significantly disrupted properties across the United States for the past three days represents a material risk to the company.
  • At the same time, the major credit rating agency Moody’s warned that the cyberattack could negatively affect MGM’s credit rating, saying the attack highlighted “key risks” within the company.
  • The company’s corporate email, restaurant reservation and hotel booking systems remain offline as a result of the attack, as do digital room keys.

MGM Resorts on Wednesday said that a cyber incident that has significantly disrupted properties across the United States for the past three days represents a material risk to the company.

At the same time, the major credit rating agency Moody’s warned that the cyberattack could negatively affect MGM’s credit rating, saying the attack highlighted “key risks” within the company.

The company’s corporate email, restaurant reservation and hotel booking systems remain offline as a result of the attack, as do digital room keys. MGM on Wednesday filed an 8-K report with the Securities and Exchange Commission noting that on Tuesday the company issued a press release “regarding a cybersecurity issue involving the Company.”

8-Ks as a rule are filed when publicly traded companies want to notify the SEC of an event that can have a material effect on the firm. An MGM spokesperson confirmed the company views the incident as material. The spokesperson later clarified he was not speaking of the company’s position beyond what was in the filing.

The spokesperson declined to comment on the Moody’s warning.

MGM’s share price has declined more than 6% since Monday, the day it first acknowledged the outages, compared to a modest gain in the S&P 500 during the same period.

The FBI told CNBC on Monday it is monitoring the “ongoing” situation. The SEC’s new cyber disclosure rules will not go into effect until the end of the year, so MGM is not yet obligated to provide more information to the SEC than they already have.

On social media, patrons have expressed frustration with the scope and duration of the outage, with some describing how hotel key cards aren’t working. Others expressed concerns about the security of their personal data. In 2020, MGM acknowledged that it had lost the personal information of more than 10 million customers in a hack. The data resurfaced on a hacking forum that same year.

MGM is communicating with the press through noncorporate, commercially available email addresses. Other than a brief update Tuesday confirming that the company had brought its gaming floors back online, MGM has provided little further information.

The SEC did not immediately respond to CNBC’s request for comment.

Online Security for Kids

SANS Ouch! Newsletter on September 6, 2023

Background

Our kids' lives are online today more than ever, from socializing with friends and gaming, to online learning and education. So how can we help our kids make the most of online technology, safely and securely?

Education and Communication

First and foremost, make sure that you foster good open communications with your children. Far too often, parents get caught up in the technology required to block content or determining which mobile apps are good or bad. Ultimately, keeping kids safe is less about technology and more about behavior and values. A good place to start is to create a list of expectations with your kids. Here are some factors to consider (note that these rules should evolve as kids get older):

  • Decide on times when they can or cannot go online for fun, and for how long. For example, you may want to be sure children complete all homework or chores before gaming online or social networking with friends, and limit the amount of time they do spend online each day.
  • Identify the types of websites, mobile apps, and games that they can access online and why they are appropriate or not.
  • Determine what information they can share and with whom. Children often do not realize that what they post online is public, permanent, and accessible to anyone. In addition, anything they share privately with their friends can be (and often is) shared with others without their knowing.
  • Identify who they should report problems to, such as strange pop-ups, scary websites, or if someone online is being a bully or creepy. It's critical that children feel safe talking to a trusted adult.
  • Just like in the real world, teach children to treat others online as they would want to be treated themselves, with respect and dignity.
  • Ensure children understand that people online may not be who they claim to be, and that not all information is accurate or truthful.
  • Define what can be purchased online and by whom, including in-game purchases.

Over time, the better they behave and the more trust they gain, the more flexibility you may want to give them. Once you decide on the rules, post them in the house. Even better, have your kids contribute to the rules and sign the document so that everyone is in full agreement.

The earlier you start talking to your kids about your expectations, the better. Not sure how to start the conversation? Ask them which apps they are using and how they work. Put your child in the role of teacher and have them show you what they are doing online. Consider giving them some "What if..." scenarios to reinforce the positive digital behaviors you've discussed or agreed upon. Keeping communication open and active is the best way to help kids stay safe in today's digital world.

For mobile devices, consider a central charging station somewhere in your house. Before your children go to bed at night, have a specific time when all mobile devices are placed at the charging station so your children are not tempted to use them when they should be sleeping.

Security Technologies and Parental Controls

There are security technologies and parental controls you can use to monitor and help enforce the rules you set. These solutions tend to work best for younger children. Older kids not only need more access to the internet but often use devices that you may not control or cannot monitor, such as school-issued devices, gaming consoles, or devices at a friend's or relative's house. In addition, older children can often circumvent purely technological attempts to control them. This is why, ultimately, communication, values, and trust with children are so important.

Leading by Example

Remember to set a good example as parents or guardians. When your kids talk to you, put your own digital device down and give them your full attention. Consider not using digital devices at the dinner table, and never text while driving. Finally, when kids make mistakes, treat each one as an experience to learn from instead of simply punishing them. Make sure they feel safe approaching you when they experience anything uncomfortable or realize they have made a mistake online.

LinkedIn accounts hacked in widespread hijacking campaign

Bleepingcomputer.com by Bill Toulas on August 15, 2023

LinkedIn is being targeted in a wave of account hacks resulting in many accounts being locked out for security reasons or ultimately hijacked by attackers. As reported today by Cyberint, many LinkedIn users have been complaining about the account takeovers or lockouts and an inability to resolve the problems through LinkedIn support. "Some have even been pressured into paying a ransom to regain control or faced with the permanent deletion of their accounts," reports Cyberint's researcher Coral Tayar.

"While LinkedIn has not yet issued an official announcement, it appears that their support response time has lengthened, with reports of a high volume of support requests." From complaints seen by BleepingComputer on Reddit, Twitter, and the Microsoft forums, LinkedIn support has not been helpful in recovering the breached accounts, with users just getting frustrated by the lack of response.

"My account was hacked 6 days ago. Email was changed in the middle of the night, and I had no ability to confirm the change or prevent it," wrote an affected user in a Reddit thread about the hacks. "No response from them anywhere. It's pathetic. I tried reporting my hacked account, going through identity verification, and even DMing them on @linkedinhelp on twitter. No responses anywhere. What a joke of a company."

Cyberint says there are also signs of the outbreak in Google Trends, where searches for LinkedIn account hacks and account recovery have risen 5,000% over the past few months. The attackers appear to be using leaked credentials or brute-forcing to try to take control of a large number of LinkedIn accounts.

For accounts that are appropriately protected by strong passwords and/or two-factor authentication, the multiple takeover attempts resulted in a temporary account lock imposed by the platform as a protection measure. Owners of these accounts are then prompted to verify ownership by providing additional information and also update their passwords before they're allowed to sign in again.

When the hackers successfully take over poorly protected LinkedIn accounts, they quickly swap the associated email address with one from the "rambler.ru" service. After that, the hijackers change the account password, preventing the original holders from accessing their accounts. Many of the users also reported that the hackers turned on 2FA after hijacking the account, making the account recovery process even more difficult.
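To make the two patterns above concrete from the defender's side, here is an added example that is not code from the BleepingComputer article, Cyberint or LinkedIn. It runs two detections over a constructed authentication log: the temporary lock the article says well-protected accounts received after repeated failed logins (many failures from many source addresses in a short window), and the post-takeover chain of an email change to a new domain, a password change and 2FA enrolment shortly after a login from an IP the account had never used before. The log format, event names, thresholds and every sample line are assumptions made up for this example.

```python
"""Added example: server-side triage for the two LinkedIn attack patterns described above.
Log format, event names, thresholds and the sample lines are assumptions made up here."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<time> <user> <event> <ip> [<detail>]"
SAMPLE_LOG = """\
2023-08-14T02:00:01Z alice LOGIN_FAIL 203.0.113.5
2023-08-14T02:00:03Z alice LOGIN_FAIL 198.51.100.7
2023-08-14T02:00:04Z alice LOGIN_FAIL 192.0.2.9
2023-08-14T02:00:06Z alice LOGIN_FAIL 203.0.113.44
2023-08-14T02:00:08Z alice LOGIN_FAIL 198.51.100.70
2023-08-14T02:00:09Z alice LOGIN_FAIL 192.0.2.99
2023-08-14T02:10:00Z bob LOGIN_OK 192.0.2.10
2023-08-14T03:00:00Z bob LOGIN_OK 203.0.113.200
2023-08-14T03:01:30Z bob EMAIL_CHANGE 203.0.113.200 bob@rambler.ru
2023-08-14T03:02:10Z bob PASSWORD_CHANGE 203.0.113.200
2023-08-14T03:02:40Z bob TWOFA_ENABLE 203.0.113.200
2023-08-14T09:00:00Z carol LOGIN_FAIL 192.0.2.50
2023-08-14T09:00:20Z carol LOGIN_OK 192.0.2.50
2023-08-14T09:30:00Z carol PASSWORD_CHANGE 192.0.2.50
"""

FAIL_THRESHOLD = 5                    # failures inside FAIL_WINDOW before a temporary lock (assumed)
FAIL_WINDOW = timedelta(minutes=10)
DISTINCT_IP_MIN = 3                   # many source IPs => stuffing/brute force, not a forgotten password
TAKEOVER_WINDOW = timedelta(minutes=15)
TAKEOVER_EVENTS = {"EMAIL_CHANGE", "PASSWORD_CHANGE", "TWOFA_ENABLE"}


def parse(log_text):
    """Parse the log into time-ordered event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        events.append({"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
                       "user": parts[1], "event": parts[2], "ip": parts[3],
                       "detail": parts[4] if len(parts) > 4 else ""})
    return sorted(events, key=lambda e: e["ts"])


def find_lockouts(events):
    """Accounts that should get a temporary lock plus ownership re-verification:
    >= FAIL_THRESHOLD failed logins within FAIL_WINDOW from >= DISTINCT_IP_MIN addresses."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["user"]].append(e)
    locked = {}
    for user, evs in fails.items():
        for i, start in enumerate(evs):            # sliding window over ordered failures
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= FAIL_WINDOW]
            ips = {x["ip"] for x in window}
            if len(window) >= FAIL_THRESHOLD and len(ips) >= DISTINCT_IP_MIN:
                locked[user] = {"attempts": len(window), "distinct_ips": len(ips),
                                "locked_at": window[-1]["ts"]}
                break
    return locked


def find_takeovers(events):
    """Flag a successful login from an IP never seen for the account when it is followed,
    within TAKEOVER_WINDOW and from the same IP, by all three hijack steps."""
    known_ips = defaultdict(set)
    suspects = {}
    for idx, e in enumerate(events):
        if e["event"] != "LOGIN_OK":
            continue
        user, ip = e["user"], e["ip"]
        baseline = set(known_ips[user])           # IPs seen for this account before this login
        known_ips[user].add(ip)
        if not baseline or ip in baseline:        # no history yet, or a familiar address
            continue
        chain = [x for x in events[idx + 1:]
                 if x["user"] == user and x["ip"] == ip
                 and x["ts"] - e["ts"] <= TAKEOVER_WINDOW
                 and x["event"] in TAKEOVER_EVENTS]
        if {x["event"] for x in chain} == TAKEOVER_EVENTS:
            new_email = next((x["detail"] for x in chain if x["event"] == "EMAIL_CHANGE"), "")
            suspects[user] = {"login_ip": ip, "new_email": new_email,
                              "changes": sorted(x["event"] for x in chain)}
    return suspects


def triage(log_text=SAMPLE_LOG):
    """Run both detections; returns {"lock": {...}, "hijack": {...}} keyed by user."""
    events = parse(log_text)
    return {"lock": find_lockouts(events), "hijack": find_takeovers(events)}


if __name__ == "__main__":
    for kind, hits in triage().items():
        for user, info in hits.items():
            print(f"{kind:6} {user}: {info}")
```

On the sample data, alice's six failures from six addresses in eight seconds trip the lock, bob's login from a never-seen IP followed by the email/password/2FA chain is flagged as a hijack, and carol (one typo, then a legitimate password change from her usual address) is flagged by neither. The takeover rule deliberately requires a prior baseline of known IPs, so a brand-new account's first login cannot be flagged as a deviation from a history it does not have.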

In some cases observed by Cyberint, the attackers demanded a small ransom to give the accounts back to the original owners or outright deleted the accounts without asking for anything. LinkedIn accounts can be valuable for social engineering, phishing, and job offer scams that sometimes lead to multi-million dollar cyber-heists. Especially after LinkedIn introduced features that combat fake profiles and inauthentic behavior on the platform, hijacking existing accounts has become much more practical for hackers.

If you maintain a LinkedIn account, now would be a good time to review the security measures you've activated, enable 2FA, and switch to a unique and long password. BleepingComputer has contacted LinkedIn requesting a comment on the reported situation, but we have not received a response by publication time.