At a glance.
- New hack de-anonymizes website users.
- Amazon admits to sharing Ring footage with police without user permission.
- Pac-Man player data potentially exposed.
- Scammers pose as PayPal to steal customer data.
- Customer data stolen from Bandai Namco.
- Comments on the PFC breach.
New hack de-anonymizes website users.
Researchers from the New Jersey Institute of Technology have detected a new technique that could allow attackers to de-anonymize website visitors on any major browser. Wired explains that the hack hinges on an attacker convincing a target to load a malicious website that allows the attacker to determine whether that visitor controls a particular public identifier, like an email address or social media account. The attacker can analyze the victim’s browser activity to determine whether they are logged into an account on an array of other platforms like YouTube, Facebook, or Twitter. What’s more, the hack works against every major browser, including Tor, which is known for its focus on anonymity. Reza Curtmola, one of the study authors, explains, “And what makes these types of attacks dangerous is they’re very stealthy. You just visit the website and you have no idea that you’ve been exposed.” Curtmola adds that activists, journalists, and members of minority groups will be likely targets of such attacks.
Amazon admits to sharing Ring footage with police without user permission.
Tech giant Amazon has admitted to providing footage captured on Amazon Ring smart-doorbells to law enforcement agencies eleven times this year without user consent or a warrant, AP News reports. The admission came in a letter from Amazon to US Senator Edward Markey, a Massachusetts Democrat who asked Amazon about its Ring’s surveillance practices and engagement with law enforcement. The company has previously stated that it will not release customer data to police without consent, a warrant, or evidence of an “an exigent or emergency” circumstance. In the letter, Amazon’s vice president for public policy Brian Huseman explained that the eleven instances fell into the emergency category, stating “Ring made a good-faith determination that there was an imminent danger of death or serious physical injury to a person requiring disclosure of information without delay.” CNN adds, the letter also stated that Ring currently partners with over two thousand law enforcement agencies, five times the number of partnerships noted in November 2019, according to Markey. “This revelation is particularly troubling given that the company has previously admitted to having no policies that restrict how law enforcement can use Ring users’ footage, no data security requirements for law enforcement entities that have users’ footage, and no policies that prohibit law enforcement officers from keeping Ring users’ footage forever,” Markey told the Intercept. When asked for response, Amazon spokesperson Mai Nguyen told the Verge, “It’s simply untrue that Ring gives anyone unfettered access to customer data or video,” while reiterating that Amazon is authorized to release Ring footage in cases of emergency.
Privacy advocates have previously questioned whether police should have access to video doorbell recordings, as footage could be used against activists or other vulnerable groups. For example, non-profit digital rights group the Electronic Frontier Foundation (EFF) reported the Los Angeles Police Department requested Ring footage of Black Lives Matter protests from in 2020. EFF policy analyst Matthew Guariglia told Ars Technica, "...The problem is that the people who are deciding what constitutes exigent circumstances and what constitutes the type of emergency, all of these very important safeguards, are Ring and the police, both of whom, as far as I know, don't have a great reputation when it comes to deciding when it's appropriate to acquire a person's data."
Scammers pose as PayPal to steal customer data.
Help Net Security details a phishing kit that allows attackers to impersonate popular digital wallet service PayPal. By mimicking PayPal’s logo and website design, the operation directs users to a series of pages and forms aimed at harvesting their personal data. The information can then be used for identity fraud or money laundering. Researchers Larry Cashdollar and Aline Eliovich explained, “One of the unique aspects of this phishing kit is its attempts to directly evade security companies by providing multiple different checks on the connecting IP address to ensure that it doesn’t match specific domains or originate from security organizations.” Still, savvy users should be able to detect that the copycat pages are fakes, as PayPal’s genuine site would never ask for credit or banking account details and allows a one-time password for login.
Customer data stolen from Bandai Namco.
Japan-based video game developer Bandai Namco has confirmed it suffered a cyberattack last week at the hands of ransomware group ALPHV, also known as Black Cat. Computer Weekly reports that rumors of an attack first surfaced on July 11 when VX Underground revealed via Twitter that ALPHV had threatened to expose data stolen from Bandai Namco on its leak site. “After we confirmed the unauthorised access, we have taken measures such as blocking access to the servers to prevent the damage from spreading,” Bandai Namco said, They added that there’s a possibility that customer data had been compromised, but they were still conducting an investigation to determine the scope of the breach. As ITPro notes, though ALPHV is known for its ransomware operations, claiming attacks on a number of international universities, Swissport, and Moncler, Bandai Namco has not yet disclosed whether the attackers have made any ransom demands.
Demi Ben-Ari, CTO, Co-Founder and Head of Security for Panorays, notes that sometimes subsidiaries are best treated like third parties:
“The company’s confirmation that systems were accessed through a third-party entity of theirs (a subsidiary under the Holdings group) paints a clear example that there must be better management of these types of entities in regard to an organization’s greater security framework. Just as if they were a “regular 3rd party”, these entities must be assessed with the same cyber risk framework as the parent organization. Basic steps can be taken such as improving overall cyber hygiene across the organization, as well as continuous monitoring and engagement with these types of third parties. Third party partners should also be regularly vetted both internally and externally to determine any risk factors that may reflect on the parent company.”
Lisa Plaggemeier, Interim Executive Director of the National Cybersecurity Alliance (NCA) notes the enduring attraction the gaming industry holds for cybercriminals:
“The gaming industry continues to be a regular target for threat actors. Now Bandai Namco joins a high profile target list that also includes Electronic Arts, Capcom and CD Projekt Red among others. Bandai’s confirmation that ALPHV (a DarkSide rebrand) was able to access systems through a third party reinforces the need for better third party risk management measures in an industry notoriously thin on resources and personnel. But leadership in the sector can even optimize low-tech deterrence measures to minimize risk, including evaluation of downstream third-party vendor partners, ensuring proper use of multi-factor authentication (MFA), as well as doubling down on proper privilege and identity access management (PAM/IAM) internally. DarkSide used the same methods in the Colonial Pipeline attack, which spotlights how vulnerable third-party partner ecosystems can be.
"Additionally, if attackers were able to access any user data stored on Bandai Namco’s systems related to online multiplayer games it publishes, like Genshin Impact and Elden Ring, that could create a whole new set of threats for gamers. Any sensitive info gleaned can likely be further used for phishing and social engineering attacks against users in the guise of publisher or as online gaming service provider personnel (e.g., XBOX Live or PSN). For reference, we’ve put together a guide for parents and kids on how to keep their data safe when gaming online.”
Comments on the PFC breach.
We've received a number of industry comments on the data breach affecting Professional Finance Company (PFC). Arti Raman, CEO and Founder of Titaniam, noted that, while PFC has so far detected misuse of the exposed data, unfortunately that might not last:
“In the recent data breach confirmed by PFC, an unauthorized third party accessed and disabled some of PFC’s computer systems. While the company's statement said that none of the personal data had been misused, the data is now in the hands of cybercriminals. As hacks and extortion become more and more frequent, to truly minimize the risk of potential extortion and lost clear text data, a data security platform, specifically data-in-use encryption, also referred to as encryption-in-use, is the only option for complete protection and peace of mind.
"In the last 18 months, companies have been misled into believing that investing in backup and recovery solutions is the answer to their ransomware woes. However, the State of Data Exfiltration & Extortion Report 2022 recently revealed that traditionally used tools are ineffective 60% of the time.
"If companies want to stand up to data-related extortion then data-in-use encryption is the technology of choice for unmatched immunity. Should adversaries gain access to data, by any means, data-in-use encryption keeps the sensitive data encrypted and protected even when it is being actively utilized. This helps neutralize all possible data-related leverage and limits the need for breach disclosure.”
Neil Jones, director of cybersecurity evangelism at Egnyte, emailed that healthcare and collection data represent a particularly troubling compbination:
"The recent data breach at Professional Finance Company is especially concerning, because healthcare debt collection information inherently includes PII (Personally Identifiable Information) and PHI (Protected Health Information), which are treasure troves for cyber-attackers.
"In this case, the breach involved the sensitive data of nearly 2 million patients. Although there's no current evidence that the breached information has been used maliciously, it is not uncommon for attackers to wait for just the right moment to post their breached data to the Web.
"There are several key lessons that can be learned from this incident: 1) Organizations need to combine ransomware detection solutions with effective data recovery programs. 2) Companies need to have incident response plans in place, to effectively notify their customers, employees, business partners and the news media of potential breaches. 3) During these dynamic times, routine technological audits need to occur on a more frequent basis than they did before, to prevent vulnerabilities from being exploited."
Aaron Sandeen, CEO and co-founder of Cyber Security Works, sees an object lesson in the need for early warning:
“As ransomware attacks continue to devastate the healthcare industry, leaders must increase their cybersecurity visibility of known and unknown assets. To fully safeguard their firm from potential assaults, cybersecurity professionals must enhance the frequency with which they validate and seek early warning capabilities.
"Patching the vulnerabilities that threat groups and attackers exploit is one of the actions that businesses can take to avoid disaster. Especially as new ransomware organizations develop, knowing how exposed you are to ransomware attacks and monitoring your security posture through ongoing vulnerability management and proactive penetration testing is vital to bolstering your defenses. Security and executives in the healthcare field must invest in the protection of their assets.”
Tim Prendergast, CEO of strongDM, sees a lesson in the importance of strong access manaagement:
“The PFC incident highlights how crucial strong access management and infrastructure are to maintain strong security. Right now, attackers are increasingly looking for improperly stored or secured valid credentials because they’re essentially VIP passes into databases, and servers - everything companies don’t want to be leaked publicly. Once attackers get those valid credentials, they can wreak havoc internally. As a result, we’re now seeing maybe one of the worst healthcare security breaches in 2022 that’s impacting over one million people and whole hospitals, and it’s because of a third-party access breach. Rather than point fingers, because in truth this could have happened to anyone, it is important for CISOs to re-evaluate the visibility and control of access across both applications and infrastructure."