DarkReading.com reported that “This growing reliance on the cloud is bringing new security challenges to an already complex problem, experts say. That’s because as enterprise IT stakeholders’ understanding of and confidence in implementing the cloud has improved, so has the sophistication of threat actors that want to leverage its complexity for their own malicious intent.”  The February 9, 2023 article entitled “7 Critical Cloud Threats Facing the Enterprise in 2023” (https://www.darkreading.com/cloud/7-critical-cloud-threats-facing-enterprise-2023) included these comments from Gartner:

Securing the cloud has been an unwieldy and daunting task since the beginning: The idea of using an enterprise architecture built on delivering computing services over the internet naturally represents a unique threat surface. But cloud computing is rapidly becoming a ubiquitous part of the IT landscape, with Gartner estimating that more than 95% of new digital workloads will be deployed on cloud-native platforms by 2025 — a dramatic increase from 30% in 2021.

Here are the 7 Critical Cloud Threats:

  1. Third-Party Software & Supply Chain Risks
  2. Cloud Ransomware
  3. Advanced Persistent Threats (APTs)
  4. Multicloud Sprawl
  5. Shadow Data
  6. Overpermissioning in the Cloud
  7. Human Error, Misconfigurations, & Data Misuse

Anyone surprised? I doubt it!

First posted at https://www.vogelitlaw.com/blog/critical-cloud-threats-in-2023

The US Securities and Exchange Commission (SEC) issued a press release that the SEC had “charged Payward Ventures, Inc. and Payward Trading Ltd., both commonly known as Kraken, with failing to register the offer and sale of their crypto asset staking-as-a-service program, whereby investors transfer crypto assets to Kraken for staking in exchange for advertised annual investment returns of as much as 21 percent.”  The February 9, 2023 Press Release entitled “Kraken to Discontinue Unregistered Offer and Sale of Crypto Asset Staking-As-A-Service Program and Pay $30 Million to Settle SEC Charges” (https://www.sec.gov/news/press-release/2023-25) included these comments:

To settle the SEC’s charges, the two Kraken entities agreed to immediately cease offering or selling securities through crypto asset staking services or staking programs and pay $30 million in disgorgement, prejudgment interest, and civil penalties.

According to the SEC’s complaint, since 2019, Kraken has offered and sold its crypto asset “staking services” to the general public, whereby Kraken pools certain crypto assets transferred by investors and stakes them on behalf of those investors. Staking is a process in which investors lock up – or “stake” – their crypto tokens with a blockchain validator with the goal of being rewarded with new tokens when their staked crypto tokens become part of the process for validating data for the blockchain. When investors provide tokens to staking-as-a-service providers, they lose control of those tokens and take on risks associated with those platforms, with very little protection. The complaint alleges that Kraken touts that its staking investment program offers an easy-to-use platform and benefits that derive from Kraken’s efforts on behalf of investors, including Kraken’s strategies to obtain regular investment returns and payouts

This is clearly an important move by the SEC and should send important messages to the Crypto world!

Originally posted at https://www.vogelitlaw.com/blog/kraten-staking-as-a-service-settles-for-30-million-with-the-sec

BankInfoSecurity.com reported that “More than 4 billion people have accounts on Facebook and Instagram, making them the most popular social media platforms on the planet. Members share photos, life events and opinions to attract followers, build businesses and stay connected with friends and family. But there’s a darker side to these social platforms.”  The January 26, 2023 article entitled “Account Takeover Claims Grow 1,000% as Scams Hit People, Banks, Government Agencies” (https://tinyurl.com/57wtndsc) included these comments:

Social media account takeover complaints to the Identity Theft Resource Center jumped more than 1,000% last year. Theft, impersonation and fake accounts on Facebook and Instagram – social properties of Meta – are fueling a massive increase in scams and illegal activity. In fact, federal authorities say about 50% of account takeover cases today originate on social media.

“We have all these platforms, but who’s taking care of your security? Who’s taking care of your privacy? I don’t think anybody really is. Frankly, I think the efforts are lame.” – Chris Ingram, author, former radio personality and Facebook identity theft victim

“These social media scams are bigger parts of underlying scams we’re seeing out there,” says Stephen Dougherty, financial fraud investigator with the U.S. Secret Service. “We are seeing a lot of social media impersonation and social media misinformation being used to carry out scams such as romance scams, which we all know are very, very impacting for the victims involved because not only are they at financial loss usually, a lot of times they can be flipped and used as money mules to perpetrate bigger cyber and even financial crimes such as business email compromise.” 

What do you think? Do you want to continue using Facebook & Instagram?

First posted at: https://www.vogelitlaw.com/blog/facebook-amp-instagram-account-takeover-scams-people-banks-amp-government-agencies

HealthCareInfoSecurity.com reported that “A ‘large number of unusual transactions’ may have gone unnoticed by investigative authorities before the exchange’s belated registration with Dutch authorities in September, the bank said Thursday.” The January 27, 2023 article entitled “Coinbase Fined 3.3 Million Euros by Dutch Central Bank” (https://tinyurl.com/52h62ebz) included these comments:

“Concealing the criminal origin of the proceeds of crime enables perpetrators of these crimes to remain out of the reach of investigative authorities and to enjoy the accumulated wealth undisturbed,” De Nederlandsche Bank, or DNB, said. Since May 2020, Dutch law has required crypto companies operating in the Netherlands to register as money transmitters.

Coinbase told Reuters it disagreed with the DNB’s decision, which it said “includes no criticism of our actual services,” and said it is considering an appeal.

Coinbase in January agreed to a $100 million settlement over similar issues with New York financial regulators (see: AML, Cybersecurity Noncompliance Costs Coinbase $100M).

Not good news for Coinbase! https://www.vogelitlaw.com/blog/coinbase-fined-33-million-euros

HealthCareInfoSecurity.com reported that “The $1.7 trillion omnibus spending bill signed into law last week by President Joe Biden contains new cybersecurity requirements for medical devices that make it a game changer for strengthening security within the healthcare ecosystem…” The January 4, 2023 report entitled “Exclusive: FDA Leader on Impact of New Medical Device Law” (https://tinyurl.com/mmbj6cc6) included these comments from Dr. Suzanne Schwartz (director of the Office of Strategic Partnerships and Technology Innovation at the U.S. Food and Drug Administration (FDA)):

After a good number of years informing the ecosystem how critical cybersecurity is to patient safety and the security of the healthcare and public health critical infrastructure, we now have validation and acknowledgment of its criticality by having this put into law,…

Even though we have said over and over that cybersecurity of medical devices is not optional and not voluntary, we’ve never had until now the power of statute, of actual legislation, requiring manufacturers to address cybersecurity of medical devices,…

Putting that link between reasonable assurances of safety and effectiveness of medical devices to medical device cybersecurity – that is highly significant for us…

Seems like great news to me! What do you think?

BankInfoSecurity.com reported about Twitter “the uptime problems come amid ongoing concerns about the long-term security of Twitter’s systems – and user data privacy – following last month’s mass layoffs at the company, which included an exodus of cybersecurity staff.”  The December 29, 2022 report entitled “As Twitter Downplays Outage, Security Concerns Persist” (https://tinyurl.com/39yudbce) included these comments: 

Downdetector, a website that aggregates user reports of being unable to access a site or service, reported a spike in downtime beginning Wednesday evening.

“It basically forced me to log out and now i can’t log in again. been trying every now and then for the past 30mins,” a Downdetector user reported shortly thereafter.

Twitter’s API status page has continued to report all systems operational, claiming there has been no disruption.

Twitter earlier this year agreed to a U.S. Federal Trade Commission consent order that requires it to maintain a robust privacy and information security program for the next two decades. The FTC is taking a closer look at Twitter’s security and privacy controls following the mass layoffs, Bloomberg reported.

What do you think?

HomeLandPrepNews.com reported that “the House as a bipartisan, bicameral push to make federal agencies more proactive on cybersecurity protections. Much of the onus would be on the Office of Management and Budget (OMB), though, to prioritize the acquisition and migration of federal agencies’ information technology to post-quantum cryptography, as well as create guidance for other agencies to assess their critical systems.” The December 13, 2022 report entitled “National security updates en route as Quantum Computing Cybersecurity Preparedness Act passes Congress” (https://tinyurl.com/39ruad42) included these comments from Senator Rob Portman (R-OH) on the Act, which was signed into law on December 23, 2022:

Quantum computing will provide for huge advances in computing power, but it will also create new cybersecurity challenges,…

I’m pleased the Senate passed our bipartisan legislation to require the government to inventory its cryptographic systems, determine which are most at risk from quantum computing, and upgrade those systems accordingly.

We all need to stay tuned to see how the new laws are implemented!

GovInfoSecurity.com reported “A hacking group the Ukrainian government says is a unit of Russian intelligence attempted earlier this year to compromise a large petroleum refining company based inside a NATO member, new research charges.” A December 20, 2022 report entitled “Russian Hackers Targeted Oil Refinery Firm in NATO Country” (https://tinyurl.com/3jww3m78) included these comments:

The group, variously dubbed Gamaredon, Primitive Bear, or UAC-0010, has been active since around the time that Russian aggression sparked ongoing conflict in Ukraine, in 2014 or 2013. A Ukrainian assessment traces the group to the self-proclaimed “Office of the FSB of Russia in the Republic of Crimea and the city of Sevastopol” and says its staff includes former Ukrainian law enforcement officials. 

Trident Ursa, as Palo Alto Networks’ Unit 42 threat intelligence calls the threat actor, is “one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine,” the company says in a Tuesday report detailing the threat actor’s recent activities. 

I’m sure no one is surprised at this news!

DarkReading.com reported that Microsoft issued a report about “this new botnet is used to launch distributed denial-of-service (DDoS) attacks on Minecraft servers, which might sound like kid stuff. But enterprises should take note because of the botnet’s ability to target both Windows and Linux devices, spread quickly, and avoid detection, the Microsoft team added.” The December 16, 2022 report entitled “New Botnet Targeting Minecraft Servers Poses Potential Enterprise Threat” (https://www.darkreading.com/attacks-breaches/new-botnet-targeting-minecraft-serversa-potential-enterprise-threat-) included these comments from Patrick Tiquet (vice president of security architecture at Keeper Security):

The concern in this scenario is that there are a large number of servers that can potentially be compromised and then weaponized against other systems, including enterprise assets,…

Gaming servers such as Minecraft are typically managed by private individuals who may or may not be interested in or capable of patching and following cybersecurity best-practices. As a result, this vulnerability could continue unmitigated on a large scale for an extended period of time and could potentially be leveraged to target enterprises in the future.

Very bad news, but not much of a surprise!

HealthCareInfoSecurity.com reported “Federal regulators slapped a California dental practice with a $23,000 fine and corrective action plan after its owner responded to negative Yelp reviews by posting patient data online.”  The December 14, 2022 article entitled “Dental Practice Hit With HIPAA Fine for Posting PHI on Yelp” (https://tinyurl.com/2p9b4acn) included these comments:

Federal investigators found that New Vision Dental, a practice located in the eastern exurbs of greater Los Angeles, responded to criticism by revealing the protected health information of patients.

A complaint submitted in 2017 to the Office of Civil Rights within the Department of Health and Human Services said the practice “habitually” responded to criticism by posting the real names of Yelpers submitting reviews under monikers as well as “detailed information about patient visits and insurance.”

In addition to paying a $23,000 fine, New Vision Dental must remove any social media postings made since 2014 that include patient data and issue breach notices to affected individuals.

I’m sure no one is surprised, but of course this is the only dental practice sanctioned for this behavior since “In 2019, OCR settled a case with Texas-based Elite Dental Associates of Dallas for $10,000 after a patient complained that the practice had responded by sharing real name information and details of the patient’s health condition (see: HHS Gives Dental Practice Posting PHI on Yelp a Bad Review