At a glance.
- Irish privacy group sues a New York advertising shop over real-time bidding.
- Sextortion comes to ransomware.
- Medical data at risk from unpatched VMware instances.
- Supply chain issue for networked security and monitoring cameras.
Irish privacy advocates sue IAB over real-time bidding.
BBC News reports that the Irish Council for Civil Liberties (ICCL) is suing the Interactive Advertising Bureau (IAB) for alleged privacy violations arising from real-time ad bidding. The IAB is a New York-based body that develops digital advertising industry standards, and tech giants like Google, Facebook, and Amazon are among its members. In real-time bidding, during the fraction of a second it takes for a website to load, the ad space on that page is auctioned off to advertisers. Data about the user, including interests inferred from browsing history and details about the device, is shared between ad brokers and buyers. "Every time we load a page on a commercial website or use an app, the website or app tells tens or hundreds of companies all about us, so that their clients can decide whether to bid on the opportunity to show you an ad," explains Johnny Ryan of the ICCL. The data is categorized using the Audience Taxonomy, a publicly available coding system designed by IAB Tech Lab, and proponents say that makes it anonymous; critics argue that the sheer volume of data exchanged without user consent amounts to the world's largest data breach. Ryan filed a similar complaint with the Irish Data Protection Commissioner's Office back in 2018, when the General Data Protection Regulation came into effect, but that investigation is still ongoing.
Sextortion comes to ransomware.
A ransomware gang has leaked a victim's nude images as an extortion tactic, Motherboard reports. Details about the incident are sparse because the identity of the victim, the name of the target company, and the threat group are being withheld to avoid inadvertently aiding the criminals' efforts. After exfiltrating data from the target's systems, the gang began publishing it piecemeal on their extortion website to pressure the target into paying, eventually posting the personal pictures. Releasing explicit images is not a typical tactic for ransomware operators, but it is not unprecedented: in 2017 a threat group stole explicit images from a plastic surgery clinic and threatened to post them, though they never followed through. (It's not exactly "revenge porn," because there's no question of vengeance, but it may be close enough for Motherboard's headline.)
VMware vulnerabilities potentially threaten medical data.
JDSupra explains that critical vulnerabilities in software from VMware, the virtualization and cloud computing company, have prompted the US Department of Health and Human Services' Office for Civil Rights in Action to circulate an advisory warning of potential exploitation. As Trustwave reports, VMware released patches for the issues in May, and the advisory, which originated with the Cybersecurity and Infrastructure Security Agency (CISA), urges organizations running VMware vCenter Server and VMware Cloud Foundation to install the updates as soon as possible. Because the software is heavily used in the healthcare sector, CISA advises healthcare providers to take the necessary precautions to protect sensitive medical data.
Risk of unauthorized access to networked camera feeds.
CISA, the US Cybersecurity and Infrastructure Security Agency, yesterday issued an advisory concerning a vulnerability in ThroughTek's P2P Software Development Kit, a supply chain risk for the vendors of networked security cameras and baby (and pet) monitors who build the P2P SDK into their products. The issue is being tracked as CVE-2021-32934 and has a CVSS v3 base score of 9.1.
The risk the vulnerability poses is unauthorized viewing of camera video. Security firm Nozomi Networks, which published an account of the issue, points out that it is difficult for users of networked cameras to determine where the peer-to-peer functionality comes from or how secure the software that delivers it is. They therefore recommend that "the best way to prevent captured audio/video content from being viewed by strangers over the internet is to disable P2P functionality."
We heard from James McQuiggan, security awareness advocate at KnowBe4, who cautions against dismissing this kind of security problem as old news:
“While it's nothing new that Internet of Things (IoT) devices are susceptible to various attacks based on their vulnerabilities, it is crucial to understand they need to be protected and updated when patches become available from the manufacturer.
"In this particular case, users and organizations will be relying on the developers of this third-party IoT camera to update it with the proper software and firmware, and make it available to customers.
"Organizations must mitigate the risk of these cameras being attacked, which are subject to network attacks. Isolating the devices to a segmented network and not allowing internet access can reduce the likelihood of data exfiltration via the exploit available.”
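The advice above comes down to a checkable network policy: cameras may talk to the on-site recorder and nothing else, and any flow from the camera segment to the internet is exactly the P2P relay traffic Nozomi recommends disabling. The following is an added example, not code from CISA, Nozomi, KnowBe4 or any camera vendor, that audits Zeek-style conn.log lines against that policy. The camera VLAN (10.50.0.0/24), the recorder address (10.50.0.2), the seven-column log layout and the log lines themselves are all constructed for the example; the external addresses are documentation ranges standing in for real internet hosts.

```python
"""Audit camera-segment flows against a no-internet, recorder-only policy.

Added example; not part of the CyberWire item or any vendor's code.
Assumptions: cameras live in CAMERA_SEGMENT, the only legitimate peer is
the recorder in ALLOWED_PEERS, and logs are tab-separated Zeek conn.log
records reduced to seven columns (ts, uid, id.orig_h, id.orig_p,
id.resp_h, id.resp_p, proto).
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges used here as stand-ins for internet hosts.
SAMPLE_CONN_LOG = """\
1623800001.1\tC1\t10.50.0.11\t50123\t10.50.0.2\t554\ttcp
1623800002.2\tC2\t10.50.0.11\t3456\t203.0.113.45\t32100\tudp
1623800003.3\tC3\t10.50.0.12\t40001\t10.50.0.2\t554\ttcp
1623800004.4\tC4\t10.50.0.12\t41000\t10.10.8.7\t445\ttcp
1623800005.5\tC5\t10.10.8.7\t51000\t198.51.100.9\t443\ttcp
"""

CAMERA_SEGMENT = "10.50.0.0/24"   # assumed camera VLAN
ALLOWED_PEERS = {"10.50.0.2"}     # assumed NVR / recorder

# RFC 1918 space is treated as "inside"; anything else is the internet.
# This is deliberately explicit rather than relying on ipaddress.is_global,
# which classifies the documentation ranges above as non-global.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Violation:
    uid: str
    src: str
    dst: str
    dport: int
    proto: str
    reason: str


def parse_conn_line(line):
    """Split one reduced conn.log record into typed fields."""
    _ts, uid, orig_h, _orig_p, resp_h, resp_p, proto = line.split("\t")
    return (uid, ipaddress.ip_address(orig_h),
            ipaddress.ip_address(resp_h), int(resp_p), proto)


def is_internal(addr):
    return any(addr in net for net in LAN_NETWORKS)


def find_violations(log_text, segment=CAMERA_SEGMENT, allowed=ALLOWED_PEERS):
    """Return flows originating in the camera segment that break policy.

    A flow is a violation when its destination is not an allow-listed peer:
    internet destinations are flagged as likely P2P relay traffic, internal
    destinations as lateral movement out of the camera segment.
    """
    seg = ipaddress.ip_network(segment)
    ok = {ipaddress.ip_address(a) for a in allowed}
    violations = []
    for raw in log_text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        uid, src, dst, dport, proto = parse_conn_line(raw)
        if src not in seg:
            continue          # only camera-originated flows are policed
        if dst in ok:
            continue          # recorder traffic is expected
        if is_internal(dst):
            reason = "camera reached an internal host outside the allow list"
        else:
            reason = "camera reached the internet (possible P2P relay traffic)"
        violations.append(Violation(uid, str(src), str(dst), dport, proto, reason))
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_CONN_LOG):
        print(f"{v.uid}: {v.src} -> {v.dst}:{v.dport}/{v.proto}  {v.reason}")
```

Run against the sample, the audit flags C2 (a camera sending UDP to an internet host, the shape of P2P relay traffic) and C4 (a camera opening SMB to a workstation), while the RTSP sessions to the recorder pass. Feeding it real conn.log output requires selecting the seven columns named in the docstring; the classification logic does not change.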