October 2024 News & Tips | Cybersecurity News Roundup
Month's Cyber News in Review
Welcome back to the monthly TCE Strategy newsletter! From TikTok redactions to Intel in the crosshairs of the Chinese government, October has delivered some very significant and actionable cybersecurity news. Let’s see how this month’s cybersecurity news can help us make better decisions about what is Secure Enough for us, the companies we work for, and our families.
If you are going to redact content, be sure to actually redact it.
In a story that is as ironic as it is humorous, we have a new development in the battle between TikTok and 14 USA States that claim TikTok is designed specifically to addict young people to it. Authorities in those states entered into confidentiality agreements with TikTok, so the internal documents, research, etc. that TikTok provided to various State Attorneys General were redacted before being provided to the public. Well, whomever did the redactions simply put black boxes over the redacted text, so a simple copy/paste of all data from the redacted document into a new document undid the redactions. When Kentucky Public Radio published excerpts of the information that was redacted (which was particularly damning to TikTok’s case), a Kentucky State judge sealed the entire lawsuit. There was a lot of talk online about the ethics behind this. Is it right for a news source to publish data that two parties both agreed to keep secret? Is it right for two parties to agree to keep things secret that impact a very public court case? This isn’t an ethics newsletter so I’ll stay out of that end of things. The cybersecurity takeaway here is obvious: If data is to be redacted, the data must not exist in the document/spreadsheet/database/etc. that will be shared with anyone else. Putting a black square over it isn’t a redaction. Making the text the same color as the background isn’t a redaction. If version control is active for a document, even deleting the data in question isn’t a redaction, as reverting to a previous version of the document will bring the data back. If you or your team need to redact certain data, educate yourself on the type of electronic format being used to store that data, and make sure that you are permanently deleting the data you want to delete.
When cybersecurity and politics collide.
Politics and cybersecurity have hit head on several times in the past, but October brought us a new round of government/private sector sparring. The CyberSecurity Association of China publicly stated that the computer chip manufacturer Intel is a national security threat. Given that Intel makes over 25% of its sales in China, this could have huge implications for the company. It seems to me that this isn’t overly surprising, as the USA government has put out warnings or outright bans on several Chinese companies, such as Huawei, Hikvision, and DJI. Last year, the Chinese government put the chip maker Micron under a cybersecurity microscope, and then directed large parts of China not to buy from Micron.
Speaking of Intel, critical BIOS updates were released for all 13th and 14th generation Intel chips.
Intel began shipping 13th generation computer processors in late 2022, and TCE Strategy was one of the many companies that bought computers with these processors in them. Our experience has been extremely poor with the Dell computers we bought in early 2023: reliability, stability and performance issues plague these computers. It turns out that at least part of the stability/reliability problem may be due to an issue with the code used to talk to the processor itself, called the BIOS (Basic Input Output System). Intel has released BIOS updates for most motherboards that is supposed to fix a problem with the processors receiving too much voltage, and burning themselves out in some cases. It is important to apply all available BIOS updates to any computer you have purchased since late 2022. To be honest, updating the BIOS of all computers is a good idea from a cybersecurity standpoint, generally speaking.
The UHG (Change Healthcare) breach tops 100 million victims
TCE Strategy covered the Change Healthcare (owned by United Health Care, or UHG) breach as part of the March and April newsletters, where people across the USA were unable to get prescriptions or other types of healthcare as a result of a weeks-long disruption of Change Healthcare’s services. UHG paid a $22 million dollar ransom, but it’s cybersecurity woes only started there. A second gang called RansomHub decided that they didn’t get their cut of the payment so they demanded more money, which UHG decided not to pay. So, RansomHub chose to sell patient data on the dark web. Fast forward to last week, when a letter came into my mailbox about one of my children’s medical records, diagnoses, medicines, financial/banking information and social security number being leaked as part of this attack. Cybersecurity gets a lot more real when your offspring are part of the collateral damage.
This is the current state of affairs of our data. The only way to stop this is to make it in companies’ financial best interest to stop it. Outside of laws/regulations that are properly enforced and have sufficient penalties for breaking them, I don’t see a better avenue to stop these types of attacks from becoming more frequent.
Takeaway: Freeze your credit with the three major credit reporting companies (Equifax, Experian and Trans Union). Vote for government officials that are likely to put laws in place that will require companies to take securing your data more seriously than they do today.
Until next month, stay safe!
Upcoming Speaking Events
Here is a list of the cities that I will be in over the next several months. Please reach out if you have an event in mind!
Recommended by LinkedIn
December 2-6, Key West, FL
February 11-15, 2025 Las Vegas, NV
March 25-31, 2025 Oklahoma City, OK
April 1-4, 2025 New Orleans, LA
April 15-18, 2025 Las Vegas, NV
May 26-30, 2025 Las Vegas, NV
July 3, 2025 Brainerd, MN
July 8-20, 2025 Dublin, Ireland
October 13-17, 2025 Waikiki, HI
Cybersecurity Tip of the Month
National Cybersecurity Awareness Month
October is National Cybersecurity Awareness Month and even though it’s nearly over, now is a great time to reflect on some general best practices for improving the strength of your personal cybersecurity, courtesy of CISA (Cybersecurity & Infrastructure Security Agency):
Be sure to check out the CISA website linked below for additional cybersecurity resources and follow them for more content related to National Cybersecurity Awareness Month! https://www.cisa.gov/cybersecurity-awareness-month