At a glance.
- Report: Security gaps allow for identity attacks.
- Proton Mail vulnerability allowed for email theft.
- Driving into a privacy pothole.
- Healthcare provider discloses effect of third-party data incident.
Report: Security gaps allow for identity attacks.
Osterman Research has released a report (commissioned by Silverfort) on the identity attack surface of organizations, and the data shows that organizations are lacking when it comes to protecting themselves from identity threats. The authors write, “Attacks that target it use compromised credentials to gain malicious access to these resources—prominent examples of which are account takeover, lateral movement, and internal ransomware spread. Hence, the protection of this attack surface manifests in the ability to detect and prevent such access in real time.”
Over 80% of organizations said they had suffered an identity-related breach that exploited compromised credentials, and for nearly 50% a breach had occurred in the past year. Despite this, over 65% of the organizations do not have strong enough multifactor authentication (MFA) protection, and only one in eight have more than 70% of their resources and access methods protected with MFA. Nearly 80% of respondents were unable to prevent threat actors from gaining malicious access through compromised service accounts in real time, due in part to the fact that only 5.7% of organizations have full visibility into those accounts. The researchers also examined organizations’ use of privileged account management (PAM), which enforces elevated access controls over privileged accounts.
Nearly three-quarters of the organizations analyzed are having difficulty fully implementing PAM solutions, often due to a lack of resources. Only 20% of organizations said they’re confident they can successfully defend against threats to their identity attack surface. The report concludes, “The results fundamentally undermine the assumption that the mere existence of MFA and PAM in an environment is enough to protect the entire identity attack surface.”
Proton Mail vulnerability allowed for email theft.
Researchers at Sonar have uncovered a critical bug in Proton Mail, a popular encrypted email service used by nearly 70 million people. While the issues have been fixed, the vulnerabilities could have allowed attackers to download web users’ emails and impersonate victims. As the report explains, a piece of open-source code caused a Cross-Site Scripting (XSS) issue that made it possible for threat actors to bypass encryption and exfiltrate users’ decrypted email messages. The encryption itself was not broken: because the web client decrypts messages in the browser, any script that runs in the web client’s origin can read the decrypted content and send it elsewhere, so end-to-end encryption offers no protection once XSS is achieved. The attack would involve the attacker sending two emails to the victim, and in some cases the user did not even have to click a malicious link to trigger it; merely viewing the two emails was enough. Sonar informed Proton Mail of the issue on June 3 of last year, and by July 6 the platform had deployed a fix to production. It’s worth noting that Sonar also discovered bugs in the email platforms Skiff and Tutanota; these vulnerabilities will be covered in future public blog posts.
Driving into a privacy pothole.
New car? New privacy problems. A new report from Mozilla’s *Privacy Not Included project indicates that new internet-connected car models from every major car maker fail even the most basic privacy standard tests. All twenty-five of the brands analyzed – which include household names like BMW, Ford, and Tesla – were found to be collecting copious amounts of driver data. As Gizmodo notes, this includes not just information that might be expected, like driving habits and destinations, but also details about race, facial expressions, and even sexual activity and immigration status. Jen Caltrider, program director of the *Privacy Not Included project, explains, “Many people think of their car as a private space…But that perception no longer matches reality. All new cars today are privacy nightmares on wheels that collect huge amounts of personal information.” According to Mozilla, the worst privacy violator was Nissan. Not only does the carmaker collect a heap of data ranging from health diagnoses to genetic information, but its privacy policy states that the carmaker reserves the right to share and sell “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” to data brokers, law enforcement, and other third parties.
Nissan spokesperson Lloryn Love-Carter responded, “When we do collect or share personal data, we comply with all applicable laws and provide the utmost transparency.” Other standouts include Kia, which reserves the right to monitor the driver’s “sex life,” and Mercedes-Benz, whose cars come with privacy-plagued app TikTok pre-installed on the infotainment system. Mozilla was unable to get the car manufacturers to respond to questions about how or if the data collected is being encrypted. Many of the carmakers are signatories to the Alliance for Automotive Innovation’s “Consumer Privacy Protection Principles,” but despite the reassuring name, Mozilla says these principles are essentially empty promises that are both non-binding and vague. (For what it’s worth, the Alliance says the principles are “enforceable by the Federal Trade Commission.”)
Healthcare provider discloses effect of third-party data incident.
Johnson & Johnson Health Care Systems, Inc. (“Janssen”) disclosed that it found a vulnerability that could have permitted unauthorized access to an application and third-party database that supports Janssen CarePath. Both the app and the database are managed for Janssen by IBM. Janssen reported the issue to IBM, whose investigation found that on August 2, 2023, an unauthorized party had gained access to personal information stored in the database. Exactly what data, if any, were compromised remains unclear, but the information could have extended to "names, contact information, date of birth, health insurance information, and information about medications and associated conditions." Individuals whose data may have been affected are being offered the usual monitoring and protection services.
We heard from two industry experts on the incident. Dror Liwer, co-founder of Coro, urged companies to monitor the security of their vendors. “It’s critical that companies continuously monitor the security posture of their third-party vendors," Liwer wrote. "A giant that sells security products and services such as IBM getting breached and leaking its client’s customers’ data should be a red flag to the industry at large. The basics must be covered: Ongoing vendor cyber readiness audits, and a clear data retention policy that is strictly enforced on the vendor. The more of your data your vendors retain for longer, the bigger the exposure.”
Erich Kron, security awareness advocate at KnowBe4, laments that this isn't an isolated case. “This is another unfortunate example of an organization being impacted by their suppliers. While IBM was the technology service provider behind the application and database, the customers are going to remember that their information was lost by Johnson & Johnson Health Care Systems," he said. “The information that was disclosed, although it did not contain Social Security numbers, could be very valuable for bad actors looking to commit Medicare fraud, or even possibly to extort customers by threatening to release what could be potentially embarrassing medical conditions or procedures. In addition, this information could be used to create extremely targeted social engineering attacks that reference this information to make them seem legitimate. While IBM says there is no indication that the data has been misused yet, victims should certainly not let their guard down. It could take months or even longer for the misuse of this information to be discovered."
Individuals should also take steps to protect themselves. Here's some of the bait that's likely to be dangled in front of them, in Kron's words: “Potential victims of this breach should be very cautious with emails, phone calls, or even text messages that refer to past medical procedures or conditions, or reference any of the other information that was exposed. Organizations should consider this a lesson in potential issues through vendors, and should ensure that they have a plan to deal with the possibility of issues such as this prior to it happening to them.”
(Added, 4:30 PM ET, September 7th, 2023.) Nikhil Girdhar, Senior Director of Data Security at Securiti, wrote to make the case for a shift in the general approach to healthcare data security. "The recent data breach involving Johnson & Johnson's CarePath application underscores the pressing need for a tactical overhaul in healthcare data security. As the sector moves swiftly towards digitization, patient data becomes a prized asset for cybercriminals. This mandates a critical reassessment of Data Security Posture Management (DSPM) strategies across healthcare organizations," Girdhar wrote. "In an environment where patient data is dispersed across multiple platforms, the challenge for security teams—often operating with finite resources—is to effectively pinpoint and secure vulnerable assets. A data-centric approach can optimize resource allocation by focusing on high-value assets. This enables more precise application of safeguards such as least-privilege access controls, data masking, and configuration management, particularly for key applications like CarePath. The paradigm must also shift from an 'if' to a 'when' mindset regarding breaches. Prioritizing data encryption is not just advisable; it's essential. Moreover, automating incident analysis can accelerate notifications to impacted parties, enabling them to take proactive measures to protect their information. When integrated, these steps forge a formidable defense against increasingly advanced cyber threats, offering security teams the tactical advantage they need."