Cyber Capsule - January 2023

Troutman Pepper

A thesis statement for this month's Cyber Capsule might be "You're Doing It Wrong." Whether it's easily guessable passwords, manipulated URLs, or waiting longer than prudent to report a data breach, most of our items look at the cost of sloppy data management. The manipulated URL blurb may ring a bell for some of our older readers. In its first days, a major online retailer had a similar issue. Customers could add items to their shopping carts, and then "check out" without paying, simply by manipulating the URL. Retailers have since learned their lesson.

CONSIDER THIS – IT'S A POTPOURRI

  1. Better Passwords for Fun and Profit. On January 3, a U.S. Department of the Interior Office of Inspector General (OIG) watchdog report revealed that some of the department's security practices left a lot to be desired. Many employees use weak passwords (e.g., Password1234), leaving the department vulnerable to attack. During its investigation, the OIG found that weak passwords could compromise 21% of the department's active accounts, including 362 accounts of senior U.S. government employees and 288 accounts with elevated privileges. The department also failed to implement multifactor authentication. The OIG did, however, recommend several better practices:

    • Prioritize implementing personal identity verification (PIV) or other department-approved multifactor authentication (MFA) methods that cannot be bypassed;

    • Develop and implement a process to track and validate MFA status for all department information systems;

    • Revise password complexity and account management policies;

    • Implement controls to monitor, limit, or prevent commonly used, expected, or compromised passphrases and passwords;

    • Prioritize the inventory, monitoring, and enforcement of existing controls;

    • Revise account management policy to prohibit related accounts from using the same passphrases and passwords;

    • Implement guidance requiring temporary passphrases and passwords to be unique and complex; and

    • Establish procedures and accountability mechanisms to ensure compliance with policies regarding account management monitoring and timely disabling of inactive accounts.
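The recommendations above translate naturally into an account-hygiene audit. The following is an added example (not code from the OIG report or from this newsletter) that runs several of those checks over a constructed inventory of accounts: it flags passwords that are short, on a common-password blocklist, or follow a predictable word-plus-digits pattern; passwords reused across accounts belonging to the same owner; accounts without MFA; and accounts idle past a disable deadline. The blocklist, the thresholds (MIN_LENGTH, INACTIVE_DAYS) and the sample accounts are all constructed for the example.

```python
"""Account-hygiene audit modelled on the OIG recommendations (added example)."""
import hashlib
import re
from datetime import date

# Constructed blocklist of commonly used / expected passwords. A real deployment
# would check against a large breached-password corpus instead of a tiny set.
COMMON_PASSWORDS = {"password", "password1", "password1234", "welcome1", "letmein", "qwerty123"}

# A dictionary word followed by digits (optionally one trailing symbol) looks
# "complex" to a naive policy but is highly predictable in practice.
PREDICTABLE = re.compile(r"^[A-Za-z]{3,}\d{1,6}[!@#$%]?$")

MIN_LENGTH = 16      # constructed policy value
INACTIVE_DAYS = 45   # constructed policy value: disable accounts idle longer than this


def password_findings(pw: str) -> list[str]:
    """Return the policy violations for a candidate password (empty list == acceptable)."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("on the common/compromised password blocklist")
    if PREDICTABLE.match(pw):
        findings.append("predictable word+digits pattern")
    return findings


def _fingerprint(pw: str) -> str:
    # Lets the audit compare passwords across accounts without keeping them in
    # clear text. Illustrative only: a real credential store keeps salted, slow hashes.
    return hashlib.sha256(pw.encode()).hexdigest()


def audit_accounts(accounts: list[dict], today: date) -> dict[str, list[str]]:
    """Audit an inventory and return {username: [findings]} for accounts with problems."""
    report: dict[str, list[str]] = {}
    seen: dict[tuple[str, str], str] = {}   # (owner, password fingerprint) -> first username
    for acct in accounts:
        issues = password_findings(acct["password"])
        if not acct["mfa_enabled"]:
            issues.append("MFA not enabled" + (" (privileged account)" if acct["privileged"] else ""))
        # Related accounts (same owner) must not share a password.
        key = (acct["owner"], _fingerprint(acct["password"]))
        if key in seen:
            issues.append(f"same password as related account {seen[key]}")
        else:
            seen[key] = acct["username"]
        if (today - acct["last_login"]).days > INACTIVE_DAYS:
            issues.append(f"inactive for more than {INACTIVE_DAYS} days; should be disabled")
        if issues:
            report[acct["username"]] = issues
    return report


# Constructed sample inventory: one user with a standard and a privileged account.
SAMPLE_ACCOUNTS = [
    {"username": "jdoe", "owner": "jdoe", "password": "Password1234", "privileged": False,
     "mfa_enabled": False, "last_login": date(2023, 1, 20)},
    {"username": "jdoe-adm", "owner": "jdoe", "password": "Password1234", "privileged": True,
     "mfa_enabled": False, "last_login": date(2022, 10, 1)},
    {"username": "asmith", "owner": "asmith", "password": "correct horse battery staple 42",
     "privileged": False, "mfa_enabled": True, "last_login": date(2023, 1, 25)},
]
SAMPLE_TODAY = date(2023, 1, 31)   # constructed audit date

if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run as a script, the audit reports both jdoe accounts (weak, blocklisted and shared password; no MFA; the privileged account also idle for months) and nothing for asmith. The same structure extends to a live directory export by replacing SAMPLE_ACCOUNTS with records pulled from the identity provider and the fingerprint comparison with whatever reuse signal that provider exposes.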

  2. "Hi, FCC. It's Me. It Happened Again." On January 6, the Federal Communications Commission (FCC) issued proposed rules for telecom companies, requiring telecommunications carriers to notify several government agencies, including the FCC, the Secret Service, and the Federal Bureau of Investigation (FBI), of a breach as soon as practicable. The proposed rules also seek to expand the definition of breach to include inadvertent access, use, or disclosure of customer information. The comment period ended on February 6.

  3. Is It Supposed to Do That? On January 9, a security researcher discovered a way to bypass certain security safeguards used by a major credit reporting agency. Typically, when a consumer seeks a copy of a credit report, the consumer must successfully answer several multiple-choice questions. The security researcher discovered that with the individual's name, address, birthday, and Social Security number, a user could bypass the multiple-choice questions and obtain a credit report by making a simple change to the URL: specifically, changing the last part of the URL from "/acr/oow/" to "/acr/report."
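The underlying defect in an item like this is that the sensitive page trusts the URL rather than server-side state recording that the verification step was actually completed. The following added example (not the agency's code, and a constructed flow rather than a description of its real system) shows the defensive pattern: the knowledge-based step records its success in the server's session, bound to the specific subject being verified, and the report handler refuses any request for which that record is absent or belongs to a different subject. Path names are reused from the item above for readability; ANSWER_KEY, MAX_ATTEMPTS and the Session fields are assumptions.

```python
"""Server-side verification gate for a sensitive resource (added example)."""
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed answer key for the multiple-choice ("out-of-wallet") questions.
ANSWER_KEY = {"q1": "b", "q2": "d", "q3": "a"}
MAX_ATTEMPTS = 3   # constructed lockout threshold


@dataclass
class Session:
    subject_id: str                       # whose report this session is requesting
    verified_for: Optional[str] = None    # subject_id that passed verification, set server-side only
    attempts: int = 0


@dataclass
class Response:
    status: int
    body: str


def submit_answers(session: Session, answers: dict) -> Response:
    """Handler for the verification stage ("/acr/oow")."""
    if session.attempts >= MAX_ATTEMPTS:
        return Response(423, "locked: too many failed attempts")
    session.attempts += 1
    # Every question must be answered correctly; comparison is constant-time per answer.
    ok = all(hmac.compare_digest(str(answers.get(q, "")), a) for q, a in ANSWER_KEY.items())
    if not ok:
        return Response(401, "answers incorrect")
    session.verified_for = session.subject_id   # the only place this flag is ever set
    return Response(200, "verified")


def get_report(session: Session) -> Response:
    """Handler for the sensitive stage ("/acr/report").

    The check is on server state, not on how the client arrived here, and it is
    bound to the subject: verifying one identity never unlocks another's report.
    """
    if session.verified_for is None or session.verified_for != session.subject_id:
        return Response(403, "identity verification not completed")
    return Response(200, f"credit report for {session.subject_id}")


def route(session: Session, path: str, answers: Optional[dict] = None) -> Response:
    """Tiny dispatcher standing in for the web framework."""
    if path == "/acr/oow":
        return submit_answers(session, answers or {})
    if path == "/acr/report":
        return get_report(session)
    return Response(404, "not found")


if __name__ == "__main__":
    s = Session(subject_id="subject-1")
    print(route(s, "/acr/report"))                    # 403: step skipped
    print(route(s, "/acr/oow", {"q1": "b", "q2": "d", "q3": "a"}))
    print(route(s, "/acr/report"))                    # 200: step completed in this session
```

The detection side of the same pattern is worth logging: a 403 from get_report on a session that never reached submit_answers is exactly the signal that someone is requesting the report URL directly, and a spike of them is worth an alert.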

  4. All Eyes on SEC. On January 11, the Securities and Exchange Commission (SEC) sought a court order compelling a law firm to disclose the names of its clients impacted by the firm's 2020 cyberattack. In that attack, hackers associated with the Hafnium cyber-espionage group gained access to the law firm's computer networks around November 2020, accessing private information about the firm's clients, including 298 publicly traded companies. The law firm refused to disclose the client names, citing attorney-client privilege.

  5. Another One Bites the Dust. On January 26, the FBI and its foreign law enforcement partners ended a month-long investigation, culminating in the seizure of websites and servers belonging to a ransomware collective known as Hive. The FBI accessed over 300 decryption keys, saving victims more than $130 million in extortion payments.

AS THE WORLD TURNS

  1. Who Said Threat Actors Are Heartless? On January 1, LockBit apologized for the attack on SickKids, Canada, and released a free decryptor for the hospital.

  2. New Year, New Technique. The BlackCat ransomware group recently devised a new way to publish exfiltrated data. Typically, a threat actor group will publish stolen data on the dark web. The BlackCat Group, however, cloned the victim's website and published the stolen data on the cloned site sitting on the clear web.

  3. PII Still Number One. A January 5 study of the top 100 breaches from July 2021 to July 2022 revealed that threat actors seek PII 42.7% of the time.

  4. Attacks on the Rise. New research by Check Point revealed that the number of cyberattacks in 2022 rose by 38%, as compared to 2021. The U.S. experienced a 57% increase in cyberattacks compared to 2021.

  5. Big 5. A January 18 report revealed there were 2,800 ransomware victims in 2022, with LockBit, BlackCat, Conti, Black Basta, and Hive responsible for half of them.

  6. Are Threat Actors Also Quiet Quitting? A January 19 report by Chainalysis revealed that threat actors generated only $456.8 million in ransomware revenue in 2022, a sharp decline from $765.6 million in 2021.

FORGET ME NOT

  1. DDoS-er Denied Service. In December 2022, the Department of Justice seized the website of John Dobbs, a former operator of a DDoS-for-hire service. Dobbs was charged with one count of aiding and abetting computer intrusions and was responsible for launching 30 million distinct DDoS attacks.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
