May 2024 News & Tips | Cybersecurity News Roundup

Welcome back to the monthly TCE Strategy newsletter! From Dell to Microsoft, the amount of egg that these companies have on their cybersecurity faces is likely driving up the price of omelets everywhere. Not to mention that one of the foundations of the Internet came dangerously close to being hacked. And let’s not forget that a company nobody ever heard of lost the personal information of 56 million people. Let’s see how these stories can help us make better decisions about what is Secure Enough for us, the companies we work for, and our families. 

Month's Cyber News in Review

Dell loses 49 million customer records

On May 9th, Dell sent out an email to 49 million people (including me) stating that Dell’s records of their customers’ names, physical addresses, “Dell hardware and order information, including service tag, item description, date of order and related warranty information” were copied by cybercriminals. Of course, their letter started with the statement “Dell Technologies takes the privacy and confidentiality of your information seriously”, which is in direct contradiction of the reports stating that an API (Application Programming Interface) designed to be used by Dell’s partners, resellers and retailers was the attack vector for the breach. This is cybersecurity 101: If you have a portal that links to your critical data, it needs to be locked down as tightly as is reasonable and it needs monitoring for obvious signs of abuse. Neither of these things appears to have taken place here. Furthermore, the cybercriminal claims to have reached out to Dell to alert them to the hole, but “the threat actor says Dell never replied to the emails and didn't fix the bug until approximately two weeks later, around the time the stolen data was first put up for sale on the Breach Forums hacking forum.” The failure to detect 49 million records being harvested and the failure to respond to a cybercriminal’s report for two weeks sound like the exact opposite of Dell taking “the privacy and confidentiality of your information seriously”.

The consequences of this breach are obvious: Anyone in this list of 49 million customers is now at serious risk of targeted phishing attempts, where an attacker reaches out to the victim with accurate information about the Dell products they own, claims to be from Dell, and says that their computer needs an update or fix of some sort. As soon as the victim gives access to their computer, the attacker will inject a virus or perform a ransomware attack, and then demand money to solve the problem they just created. Or, the attacker could run the physical addresses of the victims through Zillow to look for home values, and insert key logging software on high-net-worth victims, in the hopes of draining their bank accounts or crypto wallets.

TAKEAWAYS: Never trust any email, letter or phone call from someone claiming to be from Dell. Personally, I intend to avoid Dell products altogether. Aside from the consequences of this breach, I’ve found Dell’s product quality to be in significant decline the last few years, and their customer service has fallen to the level of material for a Saturday Night Live skit. 

Microsoft is in the Congressional hot seat

This month, Microsoft is in the news for all the wrong reasons. The ex-White House cyber policy advisor, AJ Grotto, stated that Microsoft’s recent security failures represent a national security issue. He told The Register that “Microsoft had to be ‘dragged kicking and screaming’ to provide logging capabilities to the government by default, and given the fact the mega-corp banked around $20 billion in revenue from security services last year, the concession was minimal at best.” The problem here is simple: large corporations are profit centers. They are not moral or ethical leaders, and in fact there are lots of examples of the exact opposite behavior for corporations inside and outside of the technology sector. Furthermore, it is completely unreasonable to assume that corporations will take cybersecurity any more seriously than governments and consumers require them to. Corporations are not incentivized to do so: consumers and the public sector are supposed to set the guardrails of what reasonable behavior is and isn’t, and large corporations will then figure out the absolute minimum that they can do to stay within those guardrails. In the world of cybersecurity, it’s genuinely difficult for consumers to weigh the risk that a product or service represents to them, just as it is difficult for consumers to judge the safety of their water supply or the food they purchase. Even with guardrails, sometimes corporations will flagrantly violate them, as the profits of doing so often outweigh the penalties, right up until they get caught. VW’s “dieselgate” and Wells Fargo’s $3.7 billion fine for an “array of violations” are good examples.

TAKEAWAYS: Be wary of products that connect to the Internet: make sure that the value they provide to you outweighs the risk they may represent to you. Vote for government officials that have a history of holding corporations to account, as laws are not sufficient to change behavior. It takes three things to change behavior: Laws, enforcement of those laws, and sufficient penalties for breaking those laws. Without those three things, more issues like the ones described above are certain to occur. 

When one of the foundations of the Internet finds itself on shaky ground

Linux is an operating system that is used by companies everywhere. It is mostly open-source, meaning that it is programmed by well-meaning programmers that provide their coding skills out of altruism. They believe they are serving the greater good by developing useful pieces of code that the entire world is welcome to take advantage of. It was revealed last month that a fascinating hack took place in which a cybercriminal group (or a nation-state) tried to plant a back door in a piece of Linux called “XZ” that would have essentially given the attacker the ability to authenticate into any Linux-based system that upgraded to the new version of “XZ”. The attack came stunningly close to working, and it demonstrates how efficient yet fragile our current method of developing software is. The podcast “Planet Money” has the best article about this that I have come across. It’s well worth 25 minutes of your time to have a listen. 

When your data isn’t yours to control

Last month I wrote about General Motors getting caught selling the driving habits of their customers without their consent. This month, a company called Post Millennial was breached, and its primary website was replaced with a site that leaked information about the thousands of mailing lists that Post Millennial purchased, totaling almost 57 million accounts. I first learned of this breach from the site haveibeenpwned.com, but there has not been a larger notification that I am aware of. My guess is that in the coming weeks there will be many people receiving emails about this, as most states in the USA have breach notification laws that require disclosure of a breach within 60 days of discovery. My guess is that Post Millennial purchased the email lists lawfully, but was then irresponsible with the cybersecurity of their website and lost them to a cybercriminal.

TAKEAWAYS: Support politicians that support legislation that puts citizens’ data privacy over corporate interests. There is already proposed legislation to do this.

Until next month, stay safe!

Upcoming Speaking Events

Here is a list of the cities that I will be in over the next few months. Please reach out if you have an event in mind!

May 27-31, Las Vegas, NV

June 2-5, Denver, CO

June 6-9, Waterloo, IA

June 12-16, Oklahoma City, OK

July 2-3, Brainerd, MN

August 3-6, Denver, CO

September 10-11, Tallahassee, FL

September 17-18, Casper, WY

October 15-17, Ponte Vedra Beach, FL

December 2-6, Key West, FL

Cybersecurity Tip of the Month

Lock Screen Settings

Spending more time working from the office? Is springtime finding you working in your favorite coffee shop more often? Here are some tips for good practices around securing your devices with your lock screen. Consider locking your workstation whenever you are going to be away from it—there are keyboard shortcuts to do this quickly on both Macs and Windows computers and the time it takes to log back in is well worth the added layer of security.  

Windows: There are a couple of quick and easy ways to lock Windows using your keyboard. You can press the Ctrl+Alt+Del keys together. A screen of options should appear. When it does, click “Lock”. An even quicker way to lock your screen is to press the Windows and L keys at the same time. Your computer should lock instantly. Some other things to enable are facial recognition (if possible on your computer), a strong 6-digit PIN, a strong password for logging in, and a setting to lock after a certain period of inactivity. If your Windows computer has facial recognition, you can also set it to automatically lock when you walk away.
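For readers who would rather verify the Windows inactivity-lock setting from a prompt than click through the dialogs, here is an added PowerShell example (mine, not something from the newsletter) that audits the per-user screen saver lock and the machine-wide inactivity limit, and can set the per-user values; the 15-minute threshold and the use of the built-in blank screen saver are my assumptions, not Windows defaults.

```powershell
# Added example: audit the Windows inactivity-lock settings and optionally
# repair the per-user ones. Threshold (15 minutes) is an assumed policy.
function Test-LockScreenSettings {
    [CmdletBinding()]
    param(
        [int]$MaxIdleSeconds = 900,   # assumed policy: lock within 15 minutes idle
        [switch]$Remediate            # apply the per-user fix when the check fails
    )

    $userKey    = 'HKCU:\Control Panel\Desktop'
    $machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Screen saver values live under HKCU as REG_SZ strings ("1"/"0", seconds as text).
    # Without a screen saver module set (SCRNSAVE.EXE), "active" never actually fires.
    $desktop   = Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue
    $saverOn   = $desktop.ScreenSaveActive    -eq '1'
    $saverLock = $desktop.ScreenSaverIsSecure -eq '1'
    $saverSet  = [bool]$desktop.'SCRNSAVE.EXE'
    $saverIdle = if ($desktop.ScreenSaveTimeOut) { [int]$desktop.ScreenSaveTimeOut } else { 0 }

    # Machine-wide "Interactive logon: Machine inactivity limit" (DWORD seconds);
    # missing or 0 means the policy is not enforced.
    $policy = Get-ItemProperty -Path $machineKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
    $machineIdle = if ($policy) { [int]$policy.InactivityTimeoutSecs } else { 0 }

    $userOk    = ($saverOn -and $saverLock -and $saverSet -and
                  $saverIdle -gt 0 -and $saverIdle -le $MaxIdleSeconds)
    $machineOk = ($machineIdle -gt 0 -and $machineIdle -le $MaxIdleSeconds)

    if ($Remediate -and -not $userOk) {
        # Per-user values: no administrator rights needed. The blank screen saver
        # shipped with Windows is used so the lock has something to trigger.
        Set-ItemProperty -Path $userKey -Name ScreenSaveActive    -Value '1'
        Set-ItemProperty -Path $userKey -Name ScreenSaverIsSecure -Value '1'
        Set-ItemProperty -Path $userKey -Name ScreenSaveTimeOut   -Value "$MaxIdleSeconds"
        Set-ItemProperty -Path $userKey -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr"
        $userOk = $true
    }

    [pscustomobject]@{
        ScreenSaverActive      = $saverOn
        ScreenSaverRequiresPwd = $saverLock
        ScreenSaverIdleSeconds = $saverIdle
        MachineInactivitySecs  = $machineIdle
        LocksWithinThreshold   = ($userOk -or $machineOk)
    }
}

Test-LockScreenSettings | Format-List
```

Values written with -Remediate may not take effect until you sign in again, and on a work computer a domain Group Policy, where present, overrides them.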

Mac: First, it’s a good idea to check your settings and ensure your Mac requires a password immediately after entering sleep or screensaver mode. You can quickly lock your screen with the shortcut CTRL+CMD+Q (be careful not to press CMD+Q, as this will quit the application you are using, which could be a problem if you have unsaved work). You can also quickly go to the Apple menu and click Lock. As with Windows, enabling facial recognition, a strong 6-digit PIN, a strong password, and setting your Mac to lock after a certain period of inactivity help provide additional security.

iPhone/iPad: iPhones and iPads can easily and quickly be locked using the lock button located on the right side or top of the device. Again, be sure to enable facial recognition or Touch ID if these features are present on your device and have a strong 6-digit PIN for logging in. Also check your settings so that auto-lock is enabled after a few minutes of inactivity.

More articles by Bryce Austin, CISM