Welcome back to the TCE Strategy monthly technology and cybersecurity newsletter! The mission of this publication is to cut through the clutter of cybersecurity news stories and provide you with the most important, relevant and actionable cybersecurity information.
If this newsletter adds value, fantastic! That is the goal. Please forward it on to friends/colleagues. If not, no hard feelings. Please look to the bottom for an easy-to-click "unsubscribe" button.
In this issue:
This Month's News in Review
Upcoming Speaking Events
TCE Strategy in the News
Must Read Articles This Month
Cybersecurity Tip of the Month
This Month's News in Review
A belated Happy New Year to all TCE Strategy newsletter readers! I hope your January is going well. 2024 is starting off with a cybersecurity what-not-to-do list in a more diverse set of industries than I’ve seen in a long time. Let’s see how they can help us make better decisions about what is Secure Enough for us, the companies we work for, and our families.
MFA on Twitter accounts is a really, really good idea
For those of you that are long-term subscribers to this newsletter, you have heard me wax poetic about the virtues of MFA (Multi-Factor Authentication, sometimes called 2FA for 2-Factor Authentication) for any and all accounts that you care about: email accounts, banking accounts, social media accounts, and so on. In a stunning set of breaches, two separate organizations that really, really should know better fell victim to having their Twitter accounts (no, I’m not calling Twitter “X” because that makes it sound like the secret ingredient that turned people into the Joker in the 1989 Batman movie) taken over by people trying to pump cryptocurrencies. First it was the cybersecurity company Mandiant that had a criminal take over their Twitter account and send people to a site that tried to drain any cryptocurrency wallets they had installed on their computer. Mandiant sort-of-claimed that they had MFA but were hacked anyway, but the language they used did not come out and explicitly say that their MFA was enabled. Then just one week later the USA’s Securities and Exchange Commission’s (SEC) Twitter account was hacked, and the hacker sent out a tweet claiming that Bitcoin ETFs were approved by the SEC, which promptly bumped up the price of Bitcoin. The SEC came clean and said that they did not have MFA enabled on their account.
When companies or organizations that specialize in cybersecurity or have the power to move financial markets don’t use cybersecurity best practices, what hope is there for the rest of us? Please turn on MFA on your email accounts, your social media accounts, and any other account that you care about.
“Deepfake” AI-generated explicit pictures may soon be made illegal
As Deepfake AI technology continues to get better and better, people are using it to crop a person’s face onto images or videos of another person’s scantily-clad body. These doctored images are then being shared on the Internet, often specifically to harass the person whose face is being used in the images. This is extremely uncool, but it does not appear to be illegal in most states, nor at a Federal level. A bipartisan bill called the “AI Labeling Act of 2023” was recently introduced that would make it a crime to make and distribute such content without the subjects’ consent. I’m a fan, but I’ve not yet found what the proposed penalties are for violating this new Act. Hopefully this passes and has some real teeth against those that abuse technology in this way.
A cybercriminal gets control of a business email account using a phishing scheme, unpatched vulnerability, malicious website, etc.
The cybercriminal then uses this new AI tool called “Business Invoice Swapper” that looks through a user’s email box for legitimate invoices and catalogues them.
The AI tool then creates fake invoices that look very similar to the legitimate invoices that a user is accustomed to receiving, but the payment accounts belong to the criminals.
This sort of service makes it very easy for non-technical criminals to use very technical tools to trick people into sending money to the wrong accounts. There isn’t an easy fix for this, as the same cybercriminal group that offers the “Business Invoice Swapper” tool also offers a tool that helps crack email accounts that have MFA enabled. Yikes… My recommendations are as follows:
Use a complex and unique password for all email accounts. Keep your passwords in a password storage vault such as Dashlane or 1Password (not Apple Keychain) to make it easier to use different passwords for everything.
Turn on MFA on all email accounts AND BE VERY CAREFUL WHICH MFA REQUESTS YOU ACCEPT. Do not just click “yes” blindly if you get an MFA push notification. Never give out an MFA code (normally a 6- or 8-digit text message) to anyone, especially someone that calls you claiming to be from Google (Gmail) or Yahoo or any other email provider.
Be very careful clicking on website links in emails. If in doubt, do not click.
Car manufacturers hack diesel tailpipe emissions, Take 2
“Dieselgate” was a huge story where VW (and Audi and Porsche, as VW diesel engines are used in those brands) taught their diesel cars to sense when they were being emissions tested and to run as cleanly as possible, but only when they were being tested. As soon as someone closed the hood or turned the steering wheel, VW cars would start running in a more-polluting manner, but it saved VW money by not having to use DEF (Diesel Exhaust Fluid) or other technologies in their cars to meet emission standards. It worked well for them, right up until they got caught. After billions of dollars in fines, the matter was put to rest.
At least it was for VW. In a stunning case of déjà vu, Cummins (makers of diesel engines for Dodge/Ram ¾ and 1 ton pickup trucks, along with lots of buses and RVs) has agreed to a $2 billion fine for using electronic “defeat devices” that allow much higher emissions levels in everyday driving, but run cleanly when they detect that they are being emissions tested. For me, the initial shock here was huge, but then I read that they are recalling vehicles from 2013-2019, which means that they started before VW got caught doing it in 2015. What surprises me is that they kept doing it until at least 2019. Did they think that somehow the EPA wouldn’t retest ALL diesel vehicles in real-world scenarios to find cheaters? Whatever their thinking was, severe negative return-on-investment for their emissions hacking seems to be the best incentive to get to good. Cummins will recall and repair for free more than 600,000 Ram vehicles, and they are mandated to fix at least 85% of all vehicles in the next 3 years. It will be interesting to hear how they convince 85%+ of their customers to actually bring in their vehicle to be “fixed”. What incentive does a customer have to help Cummins fix this mess?
Finally, some good cybersecurity news about iPhone thefts
For all iPhone users, I wrote last March about a ring of thieves that steal iPhones from people at bars, restaurants, etc. and then drain their bank accounts. Apple has finally responded with a new feature in iOS v17.3 called “Stolen Device Protection,” which provides significant safeguards against this type of theft. When turned on, this feature demands Face ID or Touch ID authentication for several actions, including viewing passwords or passkeys stored in iCloud Keychain, applying for a new Apple Card, turning off Lost Mode, erasing all content and settings, using payment methods saved in Safari, etc. This is a big step forward and I recommend upgrading to v17.3 whenever it comes out, which may have already occurred depending on when you are reading this.
Until next month, stay safe!
Upcoming Speaking Events
Here is a list of the cities that I will be in over the next few months. Please reach out if you have an event in mind!
February 9th, Prior Lake, MN
February 27-29, Clearwater, FL
March 7-10, Albuquerque, NM
March 27-29, St. Louis, MO
April 2-4, Reno, NV
April 8-9, Des Moines, IA
April 17-18, Wichita, KS
May 27-31, Las Vegas, NV
August 3-6, Denver, CO
September 10-11, Tallahassee, FL
Must Read Articles This Month
Please pick an AV solution other than Kaspersky. This is scary reading.
This is easily the best article I've ever read on the inherent concerns that AI poses for our society. Well done Bruce Schneier.
Cybersecurity Tip of the Month
It's the time of year when many are busy making resolutions as they look ahead to the future, so why not make a New Year's resolution to evaluate your personal cybersecurity practices and implement habits that will keep you safe and secure? All of these tips are a great place to start!
1) Change your passwords. Changing passwords yearly can help ensure that any accounts with usernames and passwords that may have been accessed in a data breach are not compromised. Password keepers can help make this task much simpler.
2) Check auto-update settings on all devices. Having auto-updates enabled on phones, tablets, and computers is a great way to stay protected and can easily be done in the settings menu.
3) Enable multi-factor authentication (MFA) wherever possible. I’ve mentioned MFA frequently as a helpful way to ensure you are the only one who can access your account. MFA can be enabled on personal email accounts, corporate email accounts, bank accounts, and social media.
4) Back up your personal data. This practice can keep you safe from unexpected losses of important data. Backing up personal data should be a monthly habit, but if it’s been a while for you, do it now.
5) Secure your social media profiles. Adjust privacy settings on your social media accounts to control who can see your personal information. Be mindful of the information you share online, as it can be used by cybercriminals for social engineering attacks.
6) Invest in antivirus software. Install reputable antivirus and anti-malware software on your devices. Regularly scan your system for potential threats and take immediate action if any issues are detected.
7) Educate yourself. Stay informed about the latest cybersecurity threats and best practices. Awareness is a powerful tool in preventing cyberattacks. Follow reputable cybersecurity blogs and news sources to stay up-to-date on emerging threats.
By adopting these cybersecurity measures, you can significantly reduce the risk of falling victim to online threats. Cheers to a safe and secure 2024!