Short Memories, Flat Roofs, and Christmas Scams 
0
Dan Gavin
Short Memories, Flat Roofs, and Christmas Scams 

I remember the winter of 1980. Each time it snowed, we kids took advantage, building snow forts, snow caves, snowmen. It was magic . . . for about fifty minutes, at which point the melted slush would begin to soak through my canvas Keds and K-Mart blue jeans, freezing my toes. Even magic has a shelf life. Of course, if someone asks me to recall that winter, frozen toes and sopping jeans aren’t what come to mind. Kids tend to have short memories. They remember the joy of Christmas: the abundant snowfall, the hours of ensuing glee (usually minus the then-ensuing frostbite). Snow filtered through the lens of nostalgia becomes a magical white powder. But ask me to examine those memories further; ask me whether snow has a dark side. It does. Certainly, it’s capable of infiltrating shoes and freezing children’s toes. It’s also capable of collapsing roofs if you aren’t careful.  

My best friend’s dad—Tabby, we called him—was careful. He spent hours that year shoveling snow off the flat roof of his house. (Why anyone builds flat-roof houses in cities north of the Sun Belt remains a mystery to me.) He had heard reports that other flat-roofers had been forced to shovel snow from their homes after their ceilings had collapsed beneath the weight. Tabby was determined to beat the odds—determined, but also lucky. Lucky to have heard those reports in advance. Lucky to recognize the dark side of snow. Not all had that luxury.  

The same holds true now, in the digital age. Adults aren’t much better at recognizing dark sides than kids, and unlike the magic of snow, computers are something of a novelty. So, the dangers are, perhaps, lesser known. That doesn’t mean they aren’t real. In other contexts, we understand that trust is a privilege. We laugh to think back on the days when kids would hitchhike, buy cigarettes for their dads, bike alone after dark—the days when moms would leave their babies parked in buggies outside the grocery store. We joke offhand about people who neglect to lock their doors at night, who neglect to shovel their flat roofs. And it’s with a degree of hypocrisy that we do; too many people neglect to protect their digital assets the way they protect their physical ones. 

The most effective computer security defense today is called “Zero Trust”. All that means is that access permissions must be proven before access is granted. Think of it like the front door to your house. You don’t want to come home tonight and find a stranger making a sandwich, right? So, you lock the door, right? If so, you’re practicing a version of Zero Trust.  

What throws us about computers, I think, is the lack of a physical barrier. We see our front doors every day and understand that intruders can walk through them. Or, in the case of snow, we come across buildings with flat roofs and understand that snow can weigh them down. In both cases, the risk is omnipresent. We have visible reminders to prepare for the worst. But a computer’s connection to the internet is invisible, provided you don’t know where to find it. There are baddies in the world who do know. But you, hypothetical reader, do not, so you ignore the risk, or fail to notice it. And the baddies find your virtual door, and they walk right into your virtual kitchen and eat your virtual lunch. The only way you’ll know is if they tell you. Sometimes they leave a note. “I ate your lunch.” (Actually, they’ll tell you they encrypted all your files. They’ll give them back . . . for a small fee. Merry Christmas.) 

And if ransomware isn’t enough to chill you to the bone, we have Christmastime scams. According to Google, there’s been a massive surge in scams this year via email. Three of the biggest types include celebrity scams, invoice scams, and extortion scams. It stands to reason, then, that the latter two would pack quite a punch during a season that emphasizes gift purchases and avoidance of naughtiness. Yesterday I received an email from a frantic client; his scammer claimed to have installed malware on his phone and recorded him doing things Santa wouldn’t condone. Not to fear; there’s no stocking coal at the end of this story. Just a lot of hot air.  

In closing, your Cochise County Cyber Guys from CyberEye are here for you. Have a merry Christmas. (If only there was some snow to go with it. But then, we have a lot of flat-roof buildings around here. Perhaps an absence of snow is one security miracle we ought to be grateful for.) 

The original article appeared in the Sierra Vista Herald and can be found here.

Change Healthcare Hack Sparks New Cybersecurity Regulations 
0
Dan Gavin
Change Healthcare Hack Sparks New Cybersecurity Regulations 

On February 12, 2024, hackers from the ransomware group ALPHV used credentials found on the dark web to log in remotely to the Change Healthcare network servers. Because the company did not require multi-factor authentication, the hackers gained full access to one of its key servers and, after a week, dropped ransomware, shutting down much of the network. 

If that wasn’t bad enough, in April, ALPHV executed a double-extortion attack by hitting Change with a second round of ransomware. They claimed to have 4TB (a huge amount) of the company’s data containing personally identifiable information belonging to active US military personnel and other patients: medical records, payment information, etc. ALPHV warned that they would sell the data to the highest bidder if the ransom was not paid within twelve days. Change admitted to paying the $22M ransom. 

The hacks caused serious cashflow issues for small and medium-size healthcare providers and delays in processing claims. (Change Healthcare, a subsidiary of UnitedHealth Group, is one of the world’s largest health payment processing companies. It is a clearing house for 15 billion claims yearly, accounting for 40% of national claims.) The government stepped in to offer short-term loans until the claims could be processed. 

Although Change reacted quickly to avoid spreading the ransomware to the UnitedHealth network, they failed to notify customers and vendors as required by the Health Insurance Portability and Accountability Act (HIPAA) . In May, more than 100 medical associations banded together to urge federal regulators to hold Change responsible. In June, notifications went out to patients, providers, and vendors. 

Three months later, after two hearings on the matter, the Senate Committee on Finance decided to draft a law called the Health Infrastructure Security and Accountability Act (HISAA) to work in conjunction with HIPAA. According to the FBI, the healthcare sector is the #1 target of ransomware. They claim that the hacks are entirely preventable and are a direct result of lax cybersecurity practices by healthcare providers. They add that healthcare has some of the weakest cybersecurity rules of any federally regulated industry. 

If passed, HISAA will establish newer, stronger, stricter security requirements applicable to HIPAA-covered entities and business associates. That includes large and small organizations alike. The Cybersecurity and Infrastructure Agency will decide minimum requirements; annual risk assessments involving disaster planning, recovery planning, and incident handling must be developed by an independent auditor; organizational leadership will be required to sign a document affirming their compliance. And thanks in large part to Change Healthcare’s lateness in notifying the public of the ALPHV security breach, transparency requirements will also tighten up tremendously. HHS must be notified within 24 hours. Affected individuals must be notified within 48, and if the breach affects more than 500 people, the media must be notified within 72.  

The bill has teeth due to its heavy penalties and fines for non-compliance. HISAA would establish tiered monetary penalties up to $5000 per day for failure to meet the new minimum and enhanced security requirements. 

HISAA has not yet been signed into law. It promises to provide the oversight and enforcement structure that was largely missing from HIPAA. This may cause additional burdens that local healthcare providers will have to bear. They can thank Change Healthcare for the increased scrutiny. If you are a local healthcare provider, you are not alone. Your friendly neighborhood Cyber Guys can help guide you along the path to solid cybersecurity defenses and compliance with any new cyber laws. 

This article was originally published in the Sierra Vista Herald here.

Corporate Transparency Act Takes a Knock-Out punch
0
Dan Gavin
Corporate Transparency Act Takes a Knock-Out punch

The city might have appeared completely grey if not for the scattered, omnipresent flecks of color plastered over walls, over windows, on screens and billboards, and in the minds of the populace—Party-issued posters of a familiar man with a thick, bushy mustache, captioned, “BIG BROTHER IS WATCHING YOU.” George Orwell’s 1984 is, in essence, about control. The allegorical Party featured in the novel forces its followers into complete submission through surveillance and propaganda. Meanwhile, in the real world in 2024, the federal Corporate Transparency Act (CTA) has been described as Orwellian. It requires extensive disclosure of personal information about business owners, which some feel is an invasion of privacy and government overreach 

The CTA was enacted in January of 2021. It required over 32 million businesses with less than $5M in annual revenue to report beneficial ownership information to the Financial Crimes Enforcement Network (FinCEN). The deadline to report is January 1, 2025—or was, rather. But on December 3, 2024, a Texas district court issued a preliminary injunction, halting enforcement of the CTA nationwide. The plaintiffs argued that the CTA compels speech and association, infringing on First Amendment protections. They also raised concerns about privacy violations under the Fourth Amendment (unreasonable search and seizure).  

The presiding Judge Amos Mazzant wrote, “ . . . the government is unable to provide the court with any tenable theory that the CTA falls within Congress’s power. And even in the face of the deference that the court must give Congress, the CTA appears likely unconstitutional.” He added that corporate regulation has typically fallen under the states’ jurisdiction. 

At the time of the injunction, just over 8 million of the 32 million businesses had reported to FinCEN. Had the CTA not been put on hold, the remaining businesses would soon be subject to fines amounting up to $500 per day. The injunction is therefore critical to the livelihood of small businesses. The federal government has already appealed the case to the Fifth District Court. 

With the new administration beginning in January, it’s unclear what further steps may be taken to limit or halt enforcement of the CTA. Working jointly with Congress, the administration could revisit the actual contents of the law, amending transparency expectations or enforcement policies. They could deprioritize the funding of resources for enforcement. They might even manage to repeal the law altogether. 

If a chief goal of the CTA is, as FinCEN claims, to uncover money laundering schemes, the fact that one criterion for exemption is a prior year federal income tax reporting of over $5M seems odd. Any money-laundering company would need way more than $5M in revenue to conceal its crimes. Banks with revenue in the billions have been fined for money laundering in the past. In 2012, for instance, HSBC was fined $1.9B for laundering money for drug cartels and countries under sanctions. Later, in 2018, Dankse Bank was involved in a $230B money laundering scandal. And in 2020, Deutsche Bank was fined $150M for involvement in laundering activities related to Jeffrey Epstein.  

And it isn’t just banks. In my research, I still haven’t found one conviction for a business with less than $5M in revenue. The Unitech Group, a real estate firm, allegedly started and managed over 52 shell companies to launder money with a revenue of $36M. The Los Zetas Drug Cartel used an Oklahoma horse ranch and numerous shell companies to conceal and transfer millions of dollars of drug money to Mexico with revenues of over $13B. Other common businesses involved in money laundering include nightclubs and art dealers, again, with revenues well over $5M. 

You would think, then, that such businesses would be the focus of any transparency acts designed to prevent money laundering. Why does there need to be another huge government database containing private information, which the government has proven they cannot guard safely? (Think back to April 2024, to the Social Security Administration hack. 2.9 billion records were breached.)  

Was Judge Mazzant correct to describe the law as quasi-Orwellian? Is Big Brother trying to track the small business owner, infringing on his First and Fourth Amendment rights? 

Original article published in the Sierra Vista Herald here.

A Whirlwind of Trouble as Salt Typhoon Hacks Cellular Wiretap Infrastructure 
0
Dan Gavin
A Whirlwind of Trouble as Salt Typhoon Hacks Cellular Wiretap Infrastructure 

The morning of December 4, 2024 was a cold one, with a high temperature of 46 degrees—the sort of weather people generally prefer to observe from the comfort of their heated homes. But US senators had just received news about a cyberattack of unprecedented scope, so instead they gathered in Washington, D.C. for a classified briefing. The attackers were a highly skilled group known as Salt Typhoon. As I write this article, their attack is still going on. In fact, if you use a phone, it’s likely affecting you right now. 

Way back in October 2024, the Wall Street Journal first reported the attack. They suggested a link between Salt Typhoon and the Chinese government. Of course, you might be thinking. It’s always that. This time, though, the motives behind the operation are more mysterious. 

You really only need to worry about this if you have a phone—specifically, a phone with a Verizon, AT&T, or T-Mobile plan. Those seem to be the provider networks infiltrated by Salt Typhoon. I say “seem” because reports have been inconsistent. T-Mobile claims they’ve seen no evidence of malicious presence in their infrastructure. Verizon, on the other hand, admits a command-and-control (C2) presence. But all the providers mentioned above participated in the briefing on December 4. If nothing else, this demonstrates their mutual concern.  

The question is, what specific data has Salt Typhoon accessed? And how could it affect you? The participating service providers claim the attack only affected the infrastructure used to wiretap specific targets. That said, we don’t know the extent to which these providers have been logging information. And whatever that extent is, Salt Typhoon has access to it as well. Under Section 702 of the Foreign Intelligence Surveillance Act (FISA), the FBI cannot target US citizens randomly. But if the infrastructure to tap is in place, and can be turned on for anyone the FBI decides to surveil, it’s quite possible that Salt Typhoon could do the same without FISA-based reservation. Meaning anyone could be a potential target. 

Regardless of your paranoia level, there is something you can (and probably should) do: namely, following the counsel of Jeff Greene, the Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA). “Our suggestion, what we have told folks internally, is not new here,” he says. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible.” 

What your Cochise County Cyber Guys recommend is an app called Signal. You can get it on either iPhone or Android, and once you do get it, you can install the companion app on your PC or MacOS. With Signal, you can send and receive encrypted files, text chats, individual and group calls. You can even hold Zoom-style meetings with screen sharing. All this is end-to-end encrypted. That means even Salt Typhoon (and the FBI) won’t know what you’re up to. 

Having said all this, we don’t condone illegal activity. We just think you have a constitutional right to privacy. Everyone does. 

This article was originally published in the Sierra Vista Herald here.

Copyright © 2025 CyberEye Call us at: ‪(520)224-8981