The CyberWire Daily Podcast 4.2.24
Ep 2037 | 4.2.24

From lawsuit to logoff: Google's incognito mode makeover.

Transcript

Google agrees to delete billions of user records. NIST addresses the NVD backlog. India rescues hundreds of citizens from scam jobs in Cambodia. The UK and US agree to collaborate on AI safety. The FTC tracks an explosion in impersonation fraud. A PandaBuy breach exposes over 1.3 million customers. Prudential Financial informs over 36,000 customers of a data breach. A look at safeguarding sensitive data. Our guest is Jeff Reich, Executive Director of the Identity Defined Security Alliance (IDSA), with insights on identity security best practices. A dash of curiosity reveals a hotel chain vulnerability. 

Today is April 2nd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Google agrees to delete billions of user records. 

Google has resolved a class action lawsuit, initiated in 2020 by Boies Schiller Flexner, by agreeing to delete billions of records related to users' Incognito Mode browsing activities. The lawsuit accused Google of misleading users into believing their browsing in Incognito Mode would not be tracked, despite the company allegedly using advertising technologies to monitor and collect data on users’ online activities, violating privacy and wiretapping laws. The settlement, reached in December 2023, does not include financial compensation from Google but mandates the company to delete identifiable private browsing data and adjust Incognito Mode's default settings to block third-party cookies for five years. Additionally, Google is required to remove any data that could make browsing identifiable, such as IP addresses and specific browser details. While Google insists the lawsuit was baseless and that it never associated Incognito browsing data with individual users or used it for personalization, the settlement allows individuals to pursue separate damages in state courts.

NIST addresses the NVD backlog. 

The National Institute of Standards and Technology (NIST) faces a significant backlog in processing vulnerabilities for its National Vulnerability Database (NVD), attributing the issue to increased software volumes and changes in interagency support. NIST is working to establish a consortium to tackle these challenges and has reassigned staff to prioritize critical vulnerabilities analysis. Despite a 20% funding cut, cybersecurity experts have urged Congress to support the NVD, labeling it as critical infrastructure essential for defending against cyberattacks. NIST's efforts include long-term strategies and increased collaboration to enhance the NVD's efficiency. However, the backlog has led to concerns over the database's current functionality and transparency, with calls for urgent action to maintain global cybersecurity standards.

India rescues hundreds of citizens from scam jobs in Cambodia. 

The Indian government successfully repatriated 250 citizens from Cambodia, who were deceived by promises of lucrative jobs but were instead forced into cybercrime activities upon arrival. These individuals were coerced into illegal online scams under harsh conditions, controlled by a network involving Chinese and Malaysian operatives. Despite the significant rescue effort, reports suggest around 5,000 more Indians might still be trapped in similar conditions in Cambodia, contributing to scams worth nearly $60 million in six months. The case highlights the crucial role of international collaboration in addressing cybercrime and underscores the evolving challenges in cybersecurity, as well as the risks associated with overseas employment opportunities. Investigations are ongoing to rescue more victims and dismantle this expansive scam network.

The UK and US agree to collaborate on AI safety. 

The UK and US governments have signed a Memorandum of Understanding to establish a unified approach for the independent safety evaluation of emerging generative AI technologies. This collaboration involves the UK's AI Safety Institute and a forthcoming US counterpart, with plans to develop test suites assessing the risks of advanced AI models. They aim to share knowledge, information, and personnel, beginning with a joint testing exercise on a publicly accessible model. This move comes as AI developers like OpenAI, Google, and Anthropic rapidly advance their technologies, prompting urgent action to ensure these innovations are safe. This partnership, the first of its kind globally, underscores a commitment to addressing AI's potential risks to national security and societal well-being. Additionally, it complements broader regulatory efforts in the US and Europe aimed at safeguarding the public from the adverse effects of AI.

The FTC tracks an explosion in impersonation fraud. 

The Federal Trade Commission (FTC) reports that impersonation fraud losses have tripled over the past three years, reaching over $1.1 billion in 2023. The agency received around 490,000 reports related to business and government impersonation scams, constituting half of all fraud reports in that period. There's been a notable shift in the methods of impersonation, with email and text-based scams increasing significantly, while phone-based scams decreased. The share of fraud involving bank transfers and cryptocurrency payments also rose substantially, contributing to $593 million in losses last year. The FTC highlights a growing trend of scammers impersonating multiple entities within a single scam, blurring the lines between business and government impersonation and complicating the detection and prevention of these fraudulent activities.

A PandaBuy breach exposes over 1.3 million customers. 

Hackers infiltrated the PandaBuy online shopping platform, exposing over 1.3 million customers' personal information. The breach, disclosed on a cybercrime forum by threat actors 'Sanggiero' and 'IntelBroker', exploited critical vulnerabilities in PandaBuy's platform and API. The leaked data encompasses a wide range of personal details, including user IDs, names, contact information, order details, and addresses. The breach, involving nearly 3 million data rows, was confirmed by Have I Been Pwned founder Troy Hunt, who validated 1.3 million email addresses and added them to the HIBP database for affected users to verify their exposure. Despite these developments, PandaBuy has not formally acknowledged the breach, and there are claims of the company attempting to conceal the incident.

Prudential Financial informs over 36,000 customers of a data breach. 

Meanwhile, insurance giant Prudential Financial has informed over 36,000 individuals about a data breach in early February 2024, where personal details were compromised. The incident, reported to the SEC in mid-February, was promptly identified, revealing unauthorized access to administrative data and employee accounts. The Alphv/BlackCat ransomware group, known for recent disruptions including a major US health system, claimed responsibility. Following the breach, identified on February 4, Prudential engaged cybersecurity experts for investigation and response, learning that a fraction of personal data was extracted. Affected data includes names, addresses, and identification numbers. Prudential asserts that the breach has been contained, with enhanced security measures implemented. Although there's no evidence of identity theft or fraud from this breach, the company is offering two years of free credit monitoring to the affected individuals.

A look at safeguarding sensitive data. 

Code42’s president and CEO Joe Payne writes an article for SC Media that addresses the critical intersection between IT security leaders and legal professionals in safeguarding sensitive data and intellectual property against a broad spectrum of threats, including those posed by insiders. Highlighting findings from the 2024 Data Exposure Report, Payne reveals that despite widespread adoption of data protection strategies, a significant majority of organizations still fall victim to data breaches, underscoring the persistent challenge of insider threats.

Payne elaborates on the complexities introduced by the modern workplace, such as the widespread adoption of cloud computing and mobile technology, which complicate data management and security. He references a high-profile case involving Tesla to illustrate the severe legal and financial repercussions that can result from inadequate data protection measures, emphasizing the potential for massive GDPR fines.

The article advocates for a collaborative approach between IT, security, and legal departments to develop comprehensive policies that address insider threats while ensuring compliance with evolving data protection laws. Payne suggests three key strategies for mitigating data risk: swift breach identification, achieving complete visibility over file activity, and implementing ongoing staff training programs on data security policies.

Payne's insights underscore the necessity for a unified strategy that leverages technology, processes, and education to protect against data loss, while acknowledging the challenges of securing data in an increasingly distributed and digitalized enterprise environment. His analysis provides a valuable roadmap for organizations looking to bolster their data protection efforts in the face of both internal and external cybersecurity threats.


Next up, we’ve got Jeff Reich from the Identity Defined Security Alliance (IDSA). Jeff and I discuss identity security best practices, identity and access sprawl, and how Generative AI is helping and hurting identity management. 

We’ll be right back.

Welcome back. You can find out more information about the IDSA and their upcoming Identity Management Day 2024 in the show notes.


A dash of curiosity reveals a hotel chain vulnerability. 

A vulnerability was discovered in an IBIS Budget hotel lobby check-in terminal in Hamburg by an employee of security firm Pentagrid. The vulnerability leaked room keypad codes for nearly half of the hotel rooms. This security flaw became apparent when a user entered a sequence of dashes ('------') instead of a valid alphanumeric booking ID into the terminal. This peculiar input caused the terminal to erroneously display a list of bookings complete with room numbers and keypad codes, compromising the security of almost half the hotel rooms.

The vulnerability surfaced due to what appears to be a bug or an overlooked test function within the terminal's software, allowing for an unusual input form—a string of dashes—to bypass the usual security measures that require a valid booking ID for room and code access. This exploit was particularly alarming because it allowed anyone with physical access to the terminal, particularly during unstaffed hours like nighttime, to gain access to room information and, by extension, the rooms themselves without needing to provide any form of legitimate identification or booking confirmation.
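As an added illustration, not code from the podcast, Pentagrid or Accor, here is a hardened booking-ID lookup in Python with constructed sample data and an assumed six-character ID format: input is checked against an allow-list before any query, and a lookup that returns anything other than exactly one row is refused rather than displayed.

```python
import logging
import re
from typing import Optional

log = logging.getLogger("checkin_terminal")

# Constructed sample rows standing in for the terminal's booking store.
BOOKINGS = [
    {"booking_id": "AB12CD", "room": 101, "keypad_code": "4821"},
    {"booking_id": "XY98ZZ", "room": 214, "keypad_code": "7730"},
    {"booking_id": "QQ55RR", "room": 305, "keypad_code": "1194"},
]

# Assumed booking-ID format (not Accor's real one): six ASCII letters or digits.
BOOKING_ID_RE = re.compile(r"[A-Z0-9]{6}")


def is_valid_booking_id(raw: str) -> bool:
    """Allow-list check done before any data access: only a well-formed ID passes."""
    return BOOKING_ID_RE.fullmatch(raw.strip().upper()) is not None


def fetch_rows(booking_id: str) -> list:
    """Exact-match query against the store (stands in for the real database call)."""
    return [r for r in BOOKINGS if r["booking_id"] == booking_id]


def lookup_booking(raw: str) -> Optional[dict]:
    """Return the one booking for a well-formed ID, otherwise None.

    Two independent guards: malformed input such as '------' is rejected and
    logged (a useful detection signal for unstaffed hours), and a lookup that
    yields anything other than exactly one row is refused, so a bug or leftover
    test path upstream can never turn the terminal into a listing of every
    room's code.
    """
    if not is_valid_booking_id(raw):
        log.warning("rejected malformed booking id %r", raw)
        return None
    wanted = raw.strip().upper()
    rows = fetch_rows(wanted)
    if len(rows) != 1:
        log.error("lookup for %r returned %d rows, refusing", wanted, len(rows))
        return None
    return rows[0]
```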

The issue was reported to Accor, the hotel chain operator, beginning on January 1, 2024. Despite initial challenges in communication and Accor's reluctance to handle the report outside their preferred reporting program, Pentagrid persisted with notifications. By January 26, Accor confirmed the vulnerability's reproduction and implementation of a fix. The vulnerability, rated medium severity, potentially affected several IBIS Budget hotels across Germany and Europe.

Is it fair to say this vulnerability was found due to a security professional having a dash of curiosity? 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.