At a glance.
- Brave browser privacy issues.
- Scottish Border Council deals with lunch program data leak.
- Hessian court seeks EU guidance on teacher privacy.
- Accellion compromise traced to extortion scheme.
- Industry observations on Clubhouse privacy.
Brave’s privacy feature not actually so private.
Open-source web browser Brave has patched a privacy bug that was exposing users’ browsing histories, The Hacker News reports. The flaw impacted Brave’s privacy feature “Privacy Window with Tor,” which, by relaying the user’s requests through a network of Tor nodes, was intended to let users visit .onion websites on the dark web without revealing their IP addresses. However, a vulnerability in the browser’s CNAME ad blocker was revealing the addresses of the .onion sites to the user’s ISP or DNS provider, because the hostnames were being looked up outside the Tor circuit. The flaw was first reported on HackerOne’s bug bounty platform in mid-January and resolved in a Nightly release two weeks ago, and the patch was rolled out earlier this week.
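The failure mode above is a general one: any browser feature that sends hostnames to the system resolver on its own (here, an ad blocker following CNAME records to uncloak trackers) must be switched off for traffic that is supposed to stay inside a Tor circuit, or the .onion name leaks to the ISP or DNS provider. The following is an added illustration of that rule and is not Brave's code; the resolver, its lookup table and the hostnames are constructed for the example. It shows the leaky pattern beside a guarded one, with a stand-in system resolver that records every query it receives, which is exactly what the ISP would observe.

```python
"""Illustration of the .onion DNS-leak class: a CNAME-uncloaking ad blocker
must not consult the system resolver for requests that belong to a Tor window.
Everything here (resolver, table, hostnames) is constructed for the example;
none of it is Brave's code.
"""

from dataclasses import dataclass, field


@dataclass
class SystemResolver:
    """Stand-in for the OS resolver. Every query it receives is recorded,
    which models what the ISP / upstream DNS provider gets to see."""
    table: dict
    queries: list = field(default_factory=list)

    def resolve_cname(self, hostname):
        self.queries.append(hostname)
        return self.table.get(hostname)


def is_onion(hostname):
    """True if the last label is 'onion' (case-insensitive, trailing dot tolerated)."""
    labels = hostname.rstrip(".").lower().split(".")
    return labels[-1] == "onion"


def uncloak_leaky(hostname, resolver, tor_window):
    """The defective pattern: the CNAME lookup happens regardless of whether
    the request came from a Tor window, so .onion names reach the clear resolver."""
    cname = resolver.resolve_cname(hostname)
    return cname or hostname


def uncloak_guarded(hostname, resolver, tor_window):
    """The guarded pattern: Tor-window traffic never touches the system resolver,
    and .onion names are refused outright as defence in depth (they are not
    resolvable by ordinary DNS anyway, so the query can only leak information)."""
    if tor_window or is_onion(hostname):
        return hostname
    cname = resolver.resolve_cname(hostname)
    return cname or hostname


def leaked_onion_queries(resolver):
    """Audit check: which .onion names did the clear resolver see?"""
    return [q for q in resolver.queries if is_onion(q)]


def simulate(uncloak):
    """Run a small constructed workload through one of the uncloak variants and
    return (uncloaked names, list of .onion names that leaked to the resolver)."""
    resolver = SystemResolver(table={"tracker.example": "cdn-tracker.example"})
    requests = [
        ("example.com", False),            # ordinary window, no CNAME
        ("tracker.example", False),        # ordinary window, cloaked tracker
        ("exampleonionxyz.onion", True),   # Tor window, constructed onion name
    ]
    results = {host: uncloak(host, resolver, tor) for host, tor in requests}
    return results, leaked_onion_queries(resolver)


if __name__ == "__main__":
    for name, fn in (("leaky", uncloak_leaky), ("guarded", uncloak_guarded)):
        results, leaked = simulate(fn)
        print(f"{name}: uncloaked={results} leaked_onion_queries={leaked}")
```

Note that the guard keys on the origin of the request (the Tor window), not only on the `.onion` suffix: a Tor window may also be visiting clearnet sites, and those hostnames leaving the circuit would reveal browsing activity just as surely. The suffix check is a second, independent line of defence.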
Scottish skittish after free meal data leak.
FutureScot reports that the Scottish Borders Council inadvertently exposed the data of six hundred free school meal recipients. The council accidentally disclosed the details of fellow claimants when emailing recipients about Covid hardship payments. “Individual email addresses were disclosed; this is personal information. The content of the email also outlined that eligibility for the payment was due to the receipt of free school meals, which we absolutely appreciate is a sensitive matter for individuals.” The council has apologized and is working on mitigations to ensure the issue doesn’t occur again.
Germany seeks advice on teacher privacy from EU court.
The Administrative Court of Wiesbaden has requested advice from the Court of Justice of the European Union (CJEU) on a German court case regarding whether or not teachers’ consent must be obtained in order for their lessons to be recorded on video. As the pandemic has made virtual schooling and remote work more prevalent, the CJEU’s assessment is especially pertinent across the EU, not just for teachers but many professions. While it’s clear under the General Data Protection Regulation (GDPR) that student data from online schooling is considered private and parental consent is required, the status of teacher information is more ambiguous, as the video data could be considered a requirement to fulfil their professional duties. Section 23 of the Hessian Data Protection and Freedom of Information Act, which states that personal employee data can be exposed if necessary for the purposes of employment, is being reviewed against the principles of the GDPR.
Accellion releases details on ransomware operation responsible for compromise.
The CyberWire has been following the recent data breach of widely-used cloud solutions provider Accellion, which has impacted up to one hundred of the company’s clients including Kroger, Singtel, Reserve Bank of New Zealand, and University of Colorado. BleepingComputer reports that the perpetrators have been identified as the Clop and FIN11 threat groups. Accellion and the incident responders at Mandiant have released a joint statement disclosing further details on how the breach went down. The threat actors exploited zero-day vulnerabilities in Accellion’s twenty-year-old File Transfer Appliance (FTA) and employed a previously undocumented webshell called DEWMODE. Though they did not utilize Clop’s file encrypting malware, they did attempt to extort their targets by sending the victims emails threatening to expose the stolen data on Clop’s leak site if ransom demands were not met. Accellion has patched the vulnerabilities and advised clients still using their FTA to switch to Kiteworks, which offers a more secure infrastructure whose code isn't vulnerable to the same exploitation that affected FTA.
We received some comments from Garret Grajek, CEO of YouAttest, who thinks the incident shows how much attention to detail and hard work attackers of this kind are willing to put into their operations:
“The compromise of the legacy Accellion FTA software, a tool used for file transfer, demonstrates that the SolarWinds hack was not an anomaly. And the fact that the hackers chose a legacy version of Accellion and not the latest version, Kiteworks, shows the effort and diligence the hackers are going to, to find flaws in all our software systems.
“Whether the hackers attempt an Accellion/SolarWinds infected agent or a more traditional method like embedding malware in an email phishing attack, the bottom line on these attacks is that the hackers will usually follow the same Cyber Kill Chain, where known patterns of activity are conducted. These include intrusion, exploitation, privilege escalation and lateral movement. The key to detection and damage mitigation is to have the practices and procedures in place to detect these known activities.
“The hacker’s gold is either to obtain the credentials of an admin (privileged accounts) or to escalate the privileges of those credentials they’ve obtained. It is imperative that these malicious privilege-centric actions are detected in our systems.”
Comment on Clubhouse privacy.
Jeremy Turner, Head of Threat Intelligence at Coalition, sees bigger problems for Clubhouse than just recorded chats:
“The Clubhouse breach puts a spotlight on a common problem for technology startups: the benefits of technology are often the prime focus or motivating factor for both developers and users, which can be shortsighted. When a technology’s value is so significant and adoption so swift, the risks come as an afterthought. Startups should be cautious of moving faster than they can keep up with security and privacy considerations. When developers push new technology into the hands of early adopters, the risks are easy to ignore or think of as a problem for tomorrow, when in reality they should develop data security measures as thoroughly as you develop new user experiences. Early-stage development risks always seem to be over the horizon, until they’re not.”