At a glance.
- Google pays up for misrepresenting customer data handling.
- Update on the alleged AT&T data breach.
- Outdated Veterans Affairs platform putting patient data at risk.
- Excrement delivery service vulnerability.
Google pays up for misrepresenting customer data handling.
Google has agreed to pay $60 million in penalties for misleading users about the collection of personal location data. Last year the Australian federal court found that the tech giant had violated consumer law by not making it sufficiently clear that it would still collect and access location data from Android mobile devices when a user’s Location History setting was “off” but their Web & App Activity setting was “on.” The Guardian adds that Google was also found to be in breach of two other consumer laws regarding misleading representations about a service’s performance characteristics, and the Australian Competition and Consumer Commission said the decision sent a message to digital platforms to be more transparent about how consumer data is being used. After a long-running court dispute, on Friday the $60 million penalty was agreed between the parties as “fair and reasonable.”
Update on the alleged AT&T data breach.
As we noted last week, a 3.6 gigabyte archive of stolen data allegedly tied to AT&T was found circulating on a popular file sharing site on the dark web. The telecom giant has denied any connection to the database, which included the Social Security numbers of 23 million Americans, but the analysts who found it say there are several indicators that the data belongs to AT&T, including email addresses ending in “att.net,” “SBCGlobal.net” or “Bellsouth.net.” An AT&T spokesperson told the Record by Recorded Future, “It may be associated with a previous data incident at a credit agency. Potentially affected customers would have received a notice at that time, directing them to the credit agency for more information. We have a dedicated team that does forensic analysis on data such as this and based on that work we can determine if data originates from us or somewhere else.” AT&T has declined to clarify which credit agency was involved or how that breach might have occurred.
Outdated Veterans Affairs platform putting patient data at risk.
At the DefCon security conference in Las Vegas on Saturday, Security Innovation researcher Zachary Minneker presented findings about a vulnerability in the US Department of Veterans Affairs (VA) records platform, known as VistA (short for Veterans Information Systems and Technology Architecture). The weakness lies in the encryption scheme, developed for VistA in the 1990s, that protects the connection between the network server and individual client computers. When VistA was first created in the 1970s, it was considered cutting edge, but in the half-century since, a lack of resources has left the platform on its last legs. A new-and-improved, $10 billion medical records system designed by Cerner Corporation is in the works, but in June the VA was compelled to delay a general rollout until 2023 due to outages of pilot deployments. In the meantime, researchers say VistA’s vulnerabilities could be putting patient data at risk. Minneker told WIRED, “If you were adjacent on the network without TLS, you could crack passwords, replace packets, make modifications to the database. In the worst-case scenario, you'd essentially be able to masquerade as a doctor. This is just not a good access control mechanism for an electronic medical record system in the modern era.” Minneker has tried to share his findings with the VA through the department's vulnerability disclosure program and its Bugcrowd third-party disclosure option, but his warnings have gone unheeded, likely because the Cerner system is already in the works.
You’ve got to be sh*tting me.
As its name suggests, ShitExpress is a prank web service that lets users send a box of excrement, along with a personalized message, to a recipient of their choice. Describing its service as “a simple way to send a piece of shit in a box around the world," the platform allows customers to choose the type of poop they’d like to send and even customize the packaging to their liking, all while promising complete anonymity. BleepingComputer reports that prolific threat actor pompompurin, who was visiting ShitExpress to send a “gift” to cybersecurity researcher and rival Vinny Troia, discovered an SQL injection vulnerability in the platform that allowed him to download the entire database. Now the hacker is taking the term “data dump” to new heights by sharing ShitExpress customers’ often hilarious messages on a hacking forum. "I gained access a day before I leaked it, and I notified the website owner after dumping the data. [I'm] not sure if they've acknowledged or anything as of yet," pompompurin stated. When asked for comment, ShitExpress stated, "We have spotted some unusual activity on our server 4 days ago and found out that one of our scripts is vulnerable to SQL injection. It's purely our fault -- a human error that could happen to anyone. It was found by one of our customers. We fixed the error immediately.” They added that since the gifts are sent anonymously, the exposed data fortunately can do little more than elicit laughs, though pompompurin points out that many of the messages could be traced back to the customer via the stored email address. Unfortunately, all they can do is wait for the shit to hit the fan.
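How one vulnerable script turns into a whole-database dump, as an added illustration that is not code from ShitExpress, BleepingComputer or pompompurin (the site's real script and schema are not public): an order-tracking lookup that pastes a user-supplied token into the SQL text, a UNION payload that makes it return every customer's email and message, and the same lookup with a bound parameter that treats the token as data. The table, sample orders and payload are constructed for the demo; SQLite stands in for whatever database the site actually ran.

```python
import sqlite3

# Constructed sample data; not ShitExpress's real schema or records.
SAMPLE_ORDERS = [
    (1, "a1b2", "alice@example.org", "Enjoy your gift, Bob!"),
    (2, "c3d4", "carol@example.net", "Best wishes from your secret admirer"),
    (3, "e5f6", "dave@example.com", "For your last code review"),
]


def make_db():
    """In-memory SQLite database holding the constructed orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, tracking TEXT, "
        "customer_email TEXT, message TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def track_vulnerable(conn, tracking):
    """Status lookup as a careless script might write it: the user-controlled
    token is interpolated into the query text, so whoever supplies it also
    controls the quoting and therefore the rest of the statement."""
    sql = f"SELECT tracking, message FROM orders WHERE tracking = '{tracking}'"
    return conn.execute(sql).fetchall()


def track_fixed(conn, tracking):
    """Same lookup with a bound parameter: the token is a value, never SQL."""
    sql = "SELECT tracking, message FROM orders WHERE tracking = ?"
    return conn.execute(sql, (tracking,)).fetchall()


# UNION-based payload (constructed): the first quote closes the intended string
# literal, the UNION appends every row's email and message (two columns, to match
# the original SELECT), and the trailing "--" comments out the dangling quote.
DUMP_PAYLOAD = "x' UNION SELECT customer_email, message FROM orders --"


def demo():
    """Returns (legitimate lookup, dump via injection, same payload against the
    parameterized query) so the three behaviours can be compared side by side."""
    conn = make_db()
    legit = track_vulnerable(conn, "a1b2")      # one row, as intended
    dumped = track_vulnerable(conn, DUMP_PAYLOAD)  # every customer's email and note
    safe = track_fixed(conn, DUMP_PAYLOAD)      # no such tracking token: empty
    return legit, dumped, safe


if __name__ == "__main__":
    for label, rows in zip(("legit", "dumped", "safe"), demo()):
        print(label, rows)
```

The payload never needs a second statement, which is why a driver that refuses stacked queries (as Python's sqlite3 does) is no defence: the whole dump rides on one SELECT. The fix is the bound parameter, not escaping the quote by hand; the parameterized version returns nothing for the payload because it looks for a tracking token that literally contains the attacker's string.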