The CyberWire Daily Podcast 5.22.24
Ep 2073 | 5.22.24

Privacy nightmare or useful tool?

Transcript

Some say Microsoft’s Recall should be. A breach of a Texas healthcare provider affects over four hundred thousand. Police in the Philippines shut down services following a breach. Ivanti patches multiple products. GitHub fixes a critical authentication bypass vulnerability. Researchers discover critical vulnerabilities in Honeywell’s ControlEdge Unit Operations Controller. The DoD releases their Cybersecurity Reciprocity Playbook. Hackers leak a database with millions of Americans’ criminal records. Mastercard speeds fraud detection with AI. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey, diving into Domain 5: Identity and Access Management. Remembering a computing visionary.

Today is Wednesday, May 22, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Some say Microsoft’s Recall should be. 

The UK's Information Commissioner's Office (ICO) is questioning Microsoft about its new feature, Recall, which takes frequent screenshots on Copilot+ PCs. Privacy advocates are concerned about potential risks, calling it a "privacy nightmare." Microsoft states that Recall is optional, keeps data local, and is designed with privacy in mind. Users can control what Recall captures, and private browsing on Edge is excluded. However, the ICO emphasizes the need for rigorous risk assessments before product releases.

Recall allows users to search past activity, including files and browsing history, by capturing screenshots every few seconds. Critics, such as Dr. Kris Shrishak, warn this could deter people from accessing sensitive information. Legal experts express concerns over privacy and consent, especially regarding confidential and proprietary information.

Additionally, Mozilla's privacy team highlighted that stored screenshots could expose sensitive data like passwords and financial information if a hacker gains physical access to the device. This raises further security concerns, given the history of infostealer malware targeting local data.

Overall, while Microsoft assures users of built-in privacy protections, critics argue that Recall could significantly undermine security and privacy, urging consumers to disable the feature unless significant changes are made.

My favorite online comment I’ve seen so far suggested that maybe, through the deployment of Recall, perhaps Microsoft will make it the year of Linux on the desktop. 

A breach of a Texas healthcare provider affects over four hundred thousand. 

On Monday, CentroMed, a supplier of healthcare services in Texas, reported a data breach to the Texas Attorney General after discovering unauthorized access to sensitive patient information. This breach included names, addresses, dates of birth, Social Security numbers, financial account details, medical records, health insurance info, and treatment information. The breach, detected on April 30, 2024, impacted approximately 400,000 individuals. CentroMed has notified affected patients, advising them to be vigilant against fraud and identity theft. This incident is separate from a prior breach on June 12, 2023, which affected 350,000 Texans. 

Police in the Philippines shut down services following a breach. 

The Philippine National Police (PNP) has indefinitely suspended all online services following an alleged breach of its online systems, including the Firearms and Explosives Office and the Logistics Data Information and Management System. PNP spokesperson Col. Jean Fajardo announced the suspension as a precaution to enhance security and integrity. Frontline services remain available at regional offices and Camp Crame. The PNP is coordinating with the Department of Information and Communications Technology (DICT) to investigate and prevent further data exposure. The hacker "PH1NS" has been identified as the perpetrator, with potential links to breaches in other government agencies.

Ivanti patches multiple products. 

Ivanti released patches for multiple products, addressing critical vulnerabilities in Endpoint Manager (EPM). Six SQL injection flaws in EPM (CVE-2024-29822 through CVE-2024-29827) with a CVSS score of 9.6 were fixed. These bugs could allow unauthenticated attackers to execute arbitrary code. Ivanti also patched an unrestricted file upload vulnerability in Avalanche and several other high-severity flaws. No evidence suggests these vulnerabilities have been exploited. Ivanti reaffirmed its commitment to enhancing security and vulnerability management practices.

GitHub fixes a critical authentication bypass vulnerability. 

GitHub fixed a critical authentication bypass vulnerability (CVE-2024-4985, CVSS V4 Score: 10.0) in GitHub Enterprise Server (GHES) affecting instances using SAML single sign-on (SSO) with encrypted assertions. Exploiting this flaw could allow attackers to spoof SAML responses, gaining administrator rights and full access without authentication. The vulnerability was reported through GitHub’s Bug Bounty program. Users are advised to update promptly to secure their systems.

Researchers discover critical vulnerabilities in Honeywell’s ControlEdge Unit Operations Controller. 

Cybersecurity firm Claroty discovered critical vulnerabilities in Honeywell’s ControlEdge Unit Operations Controller (UOC), including one which allows arbitrary code execution via an undocumented function. Another flaw involves path traversal, enabling file reading. These vulnerabilities could let attackers gain full control of controllers. Claroty reported these issues, leading Honeywell to release patches and advisories. Additionally, CISA published an advisory covering 16 vulnerabilities in Honeywell’s systems, primarily discovered by Armis, which could expose sensitive information or allow privilege escalation.

The DoD releases their Cybersecurity Reciprocity Playbook. 

The U.S. Department of Defense (DoD) Chief Information Officer announced the release of the DoD Cybersecurity Reciprocity Playbook, providing guidance on implementing cybersecurity reciprocity within DoD systems. The playbook outlines benefits, risks, and example use cases, emphasizing the re-use of security authorization packages to save time and resources. It highlights the importance of cooperation and trust among Authorizing Officials (AOs) for efficient system authorization. The playbook aims to enhance cybersecurity posture by promoting interagency collaboration and standardized security practices.

Hackers leak a database with millions of Americans’ criminal records. 

A cybercriminal known as EquationCorp and USDoD has leaked a database they claim contains the criminal records of millions of Americans, with 70 million rows of data from 2020 to 2024. The data includes full names, birth dates, aliases, addresses, arrest and conviction dates, and sentences. The source of the data is so far unknown. Observers wonder if USDoD, linked to the original BreachForums and involved in a TransUnion breach, may use this leak to attract users for a new data leak site. 

Mastercard speeds fraud detection with AI. 

Mastercard says it is deploying generative AI to enhance its fraud detection capabilities, doubling the speed at which it identifies compromised cards. This technology scans transaction data across billions of cards and millions of merchants, better predicting card details and alerting Mastercard to new fraud patterns. It reduces false positives by up to 200% and increases the speed of identifying at-risk merchants by 300%. The AI solution targets the growing issue of stolen card numbers being sold online. 

Following our break, we have our Learning Layer featuring the continuing saga of Joe’s quest to complete CISSP training with Sam’s guidance. If you’d like, try your hand at a sample question in the show notes while we are on break. 

That was N2K’s Sam Meisenberg and my Hacking Humans co-host Joe Carrigan preparing for Joe to tackle the CISSP exam. 

Next up, we’ve got a crossover from our N2K T-Minus Daily podcast. Host Maria Varmazis speaking with guest Rebel Space Technologies CEO and co-founder Carrie Hernandez Marshall about the need to extend cybersecurity into space.

You can learn more about Carrie Hernandez Marshall and her company Rebel Space Technologies in our show notes. 

Welcome back

Remembering a computing visionary. 

C. Gordon Bell, a true visionary in the world of computing, passed away on May 17 at the age of 89. Bell, often called the “Frank Lloyd Wright of computers,” made profound contributions to the technology landscape. Educated at MIT, Bell began his groundbreaking career at Digital Equipment Corporation in 1960, where he designed the PDP-8, the first commercially successful minicomputer. Introduced in 1965, the PDP-8 revolutionized computing by offering a smaller, more affordable alternative to the massive, costly computers of the time.

Bell's innovations extended beyond hardware; he was pivotal in the early days of the ARPANET, the precursor to the modern internet. His visionary approach continued throughout his career, from leading research and development at Digital Equipment Corporation to advising and joining Microsoft, where he further explored the frontiers of technology.

One of Bell's most forward-thinking projects was MyLifeBits, an experiment in capturing and documenting every aspect of his daily life digitally. This concept, which seemed fantastical at the time, anticipated the data-rich, interconnected world we live in today.

Born in Kirksville, Missouri, Bell overcame significant childhood health challenges, channeling his early interest in electronics into a lifelong passion for innovation. His legacy includes not only the technological advancements he spearheaded but also his enduring influence on the computing world. Bell's work has left an indelible mark on the industry, inspiring future generations to think creatively and push the boundaries of what technology can achieve. His visionary spirit and contributions will be remembered and celebrated for years to come.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.