The US Federal Trade Commission (FTC) has fined Amazon a total of $30.8 million to settle charges that inadequate security practices compromised Ring and Alexa user privacy. The FTC has charged “Ring with compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.” The FTC also charged Amazon with “violat[ing] the Children’s Online Privacy Protection Act Rule (COPPA Rule) and deceiv[ing] parents and users of the Alexa voice assistant service about its data deletion practices.”
This is a small fine when you look at Amazon’s overall revenue, but the Ring product line is about a $200M business – hopefully a Ring line of business manager is now a convert to why building security in is good for profitability.
Back when Ring was new (pre-Amazon), the level of access their support staff had to my device was a little distressing. Now that they are part of a larger entity, there is no excuse not to limit access and restrict information sharing. Amazon claims to have addressed this years ago. With today's privacy rules, running fast and loose isn't going to fly; you need to make sure you're using separation of duties and implementing data protection and deletion practices in accordance with all applicable regulations such as COPPA, GDPR, HIPAA, CCPA, etc.
While Amazon may dispute the charges, this settlement indicates that Amazon believed their data privacy policies were loose enough to have violated privacy protection rules. The settlement should become a case study for every organization that maintains user data. The study should focus on data collection; data use by company employees; reporting of data misuse; and data retention. The $30.8 million settlement seems a small price to pay for such an egregious violation of data privacy protection rules.
It will be interesting to see if the Irish Data Protection Commission (Amazon’s EU Headquarters is based in Dublin, Ireland) will investigate if the same issues impact the data of any EU residents. If so, this could be a costly lesson on respecting the human rights of their customers for Amazon.
Three possibilities here: oversight or poor management, where $30.8 million might focus management's attention, or it is part of the business plan and $30.8 million is merely a cost of doing business?
SC Magazine
The Register
Ars Technica
Cyberscoop
Gov Infosecurity
FTC
FTC
FTC
FTC
Toyota has disclosed that a pair of misconfigured cloud servers have been leaking personal data belonging to 260,000 customers for seven years. The situation was discovered during an investigation prompted by a different security incident that compromised information belonging to 2.15 million customers for 10 years.
This is another great case for credentialed cloud penetration testing. Given read-all type credentials, your pen tester can use tools like ScoutSuite to look across all your cloud properties and start digging for misconfigurations like this. This assumes, of course, that the defender knows where all their cloud accounts are!
The 2023 SANS SOC survey coming out soon shows strong improvement in time to detect across many companies, with many moving from months to days. Toyota seems to measure time to detect in years, if not decades – hugely outside acceptable business practices.
Developers and System Administrators tend to configure things similarly for consistency, particularly when they have a configuration that works. The trick is to not stop checking for weaknesses after one is discovered and fixed. Make sure that you're training staff on current best practices to keep them current, and actively support requests to go back and retrofit past configurations.
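The kind of misconfiguration check a credentialed cloud review looks for, as an added example that is not Toyota's, ScoutSuite's or any vendor's code: it classifies S3 buckets by whether their bucket policy grants anonymous access and whether a PublicAccessBlock setting still neutralises that grant. The bucket names, account id and policies below are constructed for the demo; in a real review the two inputs per bucket would come from s3:GetBucketPolicy and s3:GetPublicAccessBlock across every account you can enumerate.

```python
"""Flag S3 buckets whose bucket policy grants anonymous (Principal "*") access.

Added example; sample inventory is constructed, not real data.
"""
from typing import Any


def _as_list(value: Any) -> list:
    """IAM policy JSON lets a scalar stand in for a one-element list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal: Any) -> bool:
    """True when the Principal element matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def classify_statements(policy: dict) -> tuple[list[dict], list[dict]]:
    """Split Allow statements for anonymous principals into (unconditioned, conditioned)."""
    open_grants: list[dict] = []
    conditional_grants: list[dict] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        summary = {
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
        }
        # A Condition (source VPC endpoint, source IP, ...) narrows "everyone";
        # it still deserves a human look, but it is not an open grant.
        (conditional_grants if stmt.get("Condition") else open_grants).append(summary)
    return open_grants, conditional_grants


def exposure(bucket: dict) -> str:
    """Return "public", "mitigated", "conditional" or "private" for one bucket.

    RestrictPublicBuckets=True in the PublicAccessBlock configuration overrides a
    public bucket policy at request time, so it downgrades "public" to "mitigated".
    """
    open_grants, conditional_grants = classify_statements(bucket.get("policy") or {})
    pab = bucket.get("public_access_block") or {}
    if open_grants:
        return "mitigated" if pab.get("RestrictPublicBuckets") else "public"
    if conditional_grants:
        return "conditional"
    return "private"


def audit(buckets: dict[str, dict]) -> dict[str, str]:
    """Map bucket name -> exposure class for every bucket that needs a look."""
    report = {}
    for name, bucket in buckets.items():
        cls = exposure(bucket)
        if cls != "private":
            report[name] = cls
    return report


# Constructed sample inventory (account id, endpoint id and bucket names are made up).
ANON_GET = {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::BUCKET/*"}
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_BUCKETS = {
    "customer-exports": {"policy": {"Version": "2012-10-17", "Statement": [ANON_GET]},
                         "public_access_block": NO_BLOCK},
    "legacy-site": {"policy": {"Version": "2012-10-17", "Statement": [ANON_GET]},
                    "public_access_block": {**NO_BLOCK, "RestrictPublicBuckets": True}},
    "partner-share": {"policy": {"Version": "2012-10-17", "Statement": [{
                          **ANON_GET, "Sid": "VpceOnly",
                          "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]},
                      "public_access_block": NO_BLOCK},
    "internal-logs": {"policy": {"Version": "2012-10-17", "Statement": [{
                          "Effect": "Allow",
                          "Principal": {"AWS": "arn:aws:iam::123456789012:role/LogWriter"},
                          "Action": ["s3:PutObject"],
                          "Resource": "arn:aws:s3:::internal-logs/*"}]},
                      "public_access_block": NO_BLOCK},
}

if __name__ == "__main__":
    for name, cls in audit(SAMPLE_BUCKETS).items():
        print(f"{name}: {cls}")
```

The point of the separate "mitigated" class is that a public policy is still a finding: the account-level block is the only thing standing between the data and the internet, and someone relaxing it later would reopen the bucket without touching the policy. The same shape of check (enumerate every account, pull the policy and the block settings, classify) is what tools like ScoutSuite automate, which only works if the inventory of accounts is complete.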
Toyota
Dark Reading
Bleeping Computer
Security Week
Researchers from Lumen Black Lotus Labs “tracked Qakbot’s more recent campaigns to observe the network structure, and gained key insights into the methods that support Qakbot’s reputation as an evasive and tenacious threat.” Among their findings: one-quarter of Qakbot’s command and control servers are active for a single day, and half are active for a week or less. Qakbot also hides its command and control infrastructure “in compromised web servers and hosts existing in the residential IP space.”
I always watch for Qakbot’s techniques as, for many years they have been very effective in gaining a foothold in environments. Make sure to keep an eye on their techniques as copycat actors are also watching.
With more and more users on a reliable high-speed connection, the home IP space is a viable target rich environment to launch attacks. While it's convenient to stand up test and less secure services on a home network, we need to pay attention to possible compromise, implementing available security features in our home routers and systems. Remember that VLAN feature in your router you've been wanting to test? Keep an eye on QakBot TTPs for copycat access attempts. Provide users with good guidance on securing their home networks, even if raising the bar only slightly. Every bit helps.
Developers of the Jetpack plugin for WordPress have released updates to fix a critical vulnerability that has been present in an API since Jetpack 2.0, which was released in November 2012. WordPress has pushed out patches to vulnerable sites. Jetpack has more than 5 million active installations.
Jetpack provides a variety of services, grouped into security, performance and growth, and has released 102 updates going back to version 2.0. After you verify that you're on a patched version, make sure you're also on the current 12.1.1 version. If you’re not, make plans to migrate so you're supported.
This is a good move by the WordPress team; there is nothing better than to force this type of patch when you can.
This vulnerability highlights that security/quality assurance testing while important, cannot test for every possible code defect – the vulnerability has been around for 11 years. Given the large install base and criticality of the vulnerability, a ‘forced’ install of the patch became necessary. Perhaps if we automated [forced] patching for all critical vulnerabilities, it would change the exploit advantage an adversary has today.
Jetpack
Bleeping Computer
Security Week
The Hacker News
Shadowserver has warned that if you have not patched your Zyxel firewalls against a critical command injection vulnerability (CVE-2023-28771), you should assume they have been compromised. Zyxel released fixes for the flaw on April 25, 2023. The US Cybersecurity and Infrastructure Security Agency (CISA) warns that the vulnerability is being actively exploited and has added it to the Known Exploited Vulnerabilities (KEV) catalog.
In physical security, if you were told of a gaping hole in your store’s front entrance, the time to patch would be very low. Same mindset is needed for any security control, especially those on the perimeter.
I just spent some time digging into this because I’ve only seen Zyxel in ISP deployments on the edge, as in Zyxel modems. Shadowserver does have data showing what appear to be Zyxel firewalls actively participating in attacks, and the number of devices is more significant than I expected. Perhaps they are much more prevalent globally than locally in the US. Either way, if you do have one of these devices, reformat.
This flaw (CVE-2023-28771) is one of the three weaknesses actively targeted by the Mirai IZ1H9 variant we reported in NewsBites vol. 25 num. 42. Zyxel also released fixes for two other flaws (CVE-2023-33009 and CVE-2023-33010), both with CVSS scores of 9.8. While the CISA KEV catalog allows until June 21 to patch, you need to make sure you've got all three updates. At this point, because of active exploitation, seriously consider a factory reset to ensure the device is clean.
This is but one of three critical vulnerabilities [CVSS score 9.8] recently patched by Zyxel. It shouldn’t take an organization 30 days to patch a critical vulnerability, let alone three from the same vendor. At this point, organizations that have not yet patched would fail the standard of reasonableness test used by courts to adjudicate responsibility for cyber breaches.
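The KEV due date mentioned above is a deadline you can check against your own inventory mechanically. What follows is an added example, not CISA's or Zyxel's code: it indexes a KEV catalog excerpt in the catalog's published JSON layout, matches it against an asset list, and reports what is past its remediation due date. The KEV excerpt and the two firewall hosts are constructed for the demo; the live catalog is the JSON feed CISA publishes on its KEV page, and the asset list is whatever your vulnerability scanner or CMDB exports. Note the "not-in-kev" entries: the other two Zyxel flaws carry the same CVSS 9.8 score, so absence from the catalog is not a reason to wait.

```python
"""Match an asset inventory against the CISA KEV catalog and report overdue CVEs.

Added example; the KEV excerpt and asset list are constructed, not live data.
"""
import json
from datetime import date, datetime
from typing import Optional

# Constructed excerpt in the layout of CISA's known_exploited_vulnerabilities.json
# (only the fields used here are relied upon: cveID, dueDate, vulnerabilityName).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.06.01",
    "dateReleased": "2023-06-01T00:00:00.0000Z",
    "count": 1,
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-28771",
            "vendorProject": "Zyxel",
            "product": "Multiple Firewalls",
            "vulnerabilityName": "Zyxel Multiple Firewalls OS Command Injection Vulnerability",
            "dateAdded": "2023-05-31",
            "shortDescription": "OS command injection reachable via crafted packets.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-06-21",
            "notes": "",
        }
    ],
})

# Constructed asset list: hostnames are made up; the CVE ids are the three Zyxel
# fixes discussed in this item.
ASSETS = [
    {"host": "fw-edge-01", "cves": ["CVE-2023-28771", "CVE-2023-33009", "CVE-2023-33010"],
     "patched": False},
    {"host": "fw-edge-02", "cves": ["CVE-2023-28771"], "patched": True},
]


def load_kev(raw: str) -> dict[str, dict]:
    """Index the catalog by CVE id so lookups are O(1) per asset finding."""
    catalog = json.loads(raw)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def _iso(day: str) -> date:
    return datetime.strptime(day, "%Y-%m-%d").date()


def kev_status(cve: str, kev: dict[str, dict], today: date) -> tuple[str, Optional[int]]:
    """Return (status, days relative to due date); negative days means still within deadline."""
    entry = kev.get(cve)
    if entry is None:
        return "not-in-kev", None
    delta = (today - _iso(entry["dueDate"])).days
    return ("overdue" if delta > 0 else "due"), delta


def triage(assets: list[dict], kev: dict[str, dict], today: date) -> list[dict]:
    """One finding per unpatched (host, CVE), most overdue first."""
    findings = []
    for asset in assets:
        if asset.get("patched"):
            continue
        for cve in asset["cves"]:
            status, delta = kev_status(cve, kev, today)
            findings.append({"host": asset["host"], "cve": cve,
                             "status": status, "days_past_due": delta})
    # Overdue entries sort first, then by how far past the deadline they are.
    findings.sort(key=lambda f: (f["status"] != "overdue", -(f["days_past_due"] or 0)))
    return findings


if __name__ == "__main__":
    for finding in triage(ASSETS, load_kev(KEV_SAMPLE), date(2023, 6, 30)):
        print(finding)
```

Run daily against the current catalog, this turns the KEV due date into a ticket with a countdown rather than something noticed in a quarterly review; the sort order puts the host that would fail the reasonableness test described above at the top of the list.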
Ars Technica
Bleeping Computer
The Hacker News
CISA
NVD
Cyberplace
Barracuda Networks says that an investigation into a vulnerability affecting its Email Security Gateways (ESGs) has found that the flaw was being exploited in October 2022 and possibly even earlier. The issue affects all hardware and virtual versions of Barracuda ESG appliances. Barracuda pushed a patch to all appliances on May 20; they followed the patch with “a script … deployed to all impacted appliances to contain the incident and counter unauthorized access methods” on May 21.
The good news is that if you are using Barracuda’s SaaS email security services you are not at risk. The bad news is that it took Barracuda over 6 months to detect exploitation of the vulnerability – very poor time to detect performance.
Like the previous article on Zyxel, these devices are probably rare in well-funded enterprises. You may see them in places that don’t have the largest security budgets. This may mean that these organizations may not even realize a patch is available. Keep an eye on your edge equipment regularly, as these seem to be the target selection of choice.
Barracuda provides IOCs on their bulletin below. Check your devices for any indications of compromise. If you detect compromise, the recommendation from Barracuda is to contact them to obtain a replacement virtual or hardware appliance rather than attempting to clean your current device.
Barracuda
The Register
SC Magazine
Ars Technica
Security Week
Gov Infosecurity
According to a report from the US Government Accountability Office (GAO), the Department of Energy (DoE) has failed to adopt security practices to protect the agency from insider threats. Specifically, “DoE doesn't ensure that employees are trained to identify and report potential insider threats. Also, the agency hasn't clearly defined contractors' responsibilities for this program.” Furthermore, DoE does not track or report on its progress in implementing the required measures for the insider threat program. The report recommends six executive actions. GAO gave two of the recommendations priority status: better integrate insider threat program responsibilities, and ensure that the program “achieves a single, department-wide approach to managing insider risk.”
The concern is to prevent another Edward Snowden incident and focuses on classified systems where DoE's Nuclear Weapons Enterprise (NWE) does its most sensitive work. While individual national labs are monitoring and responding to user activity, these flaws are directed at the overarching program at the agency level. The takeaway for the rest of us is that we should be tracking user behavior and actively limiting access based on need-to-know, or enterprise roles if you prefer, to include monitoring, reviewing and reporting. When getting your arms around insider threats, make sure you've got clearly defined goals, expectations, roles and responsibilities. And when you do start monitoring, be prepared for uncomfortable discoveries of what your users are truly doing.
The government has a rather robust Insider Threat Protection Program. In fact, insider threat training is an annual requirement for both employees and government contractors. Clear and simple, it’s a failure of senior DoE leadership to effectively administer an important program to protect against insider threats.
Insider threat remains sparse in both sources and rate. The risk is high because the consequences are high. DoE insiders are a risk to national security. They are also a risk to the jobs of DoE managers. We have now seen multiple instances in government of those with clearances, IT privileges, no "need to know," lax supervision, and no Privileged Access Management (PAM) software, resulting in major leaks of classified data.
Harvard Pilgrim Health Care (HPHC) has disclosed that an April ransomware attack compromised protected health information and other personal data belonging to 2.5 million people. In a breach notice, HPHC acknowledges that the sensitive data were exfiltrated from its systems between March 28 and April 17, 2023.
It’s a well-known fact that the healthcare sector is and has been a priority target for ransomware gangs. Couple that with Harvard Pilgrim Health Care’s annual operating budget, and it gives one pause about how well the executive team was executing their cybersecurity program. It’s not like there isn’t ample cybersecurity guidance available [see: Blueprint for Ransomware Defense] to protect against ransomware attack.
The exfiltrated information affects users as far back as 2012, due to the range of data in the compromised systems. HPHC is providing credit monitoring and identity theft protection to impacted individuals. No ransomware gang has taken credit for the breach, and HPHC's systems are online, presumably more secure than previously.
Atlanta-based Managed Care of North America (MCNA) has notified nearly 9 million individuals that their personal data were compromised in a breach earlier this year. Intruders gained access to MCNA systems in late February and exfiltrated data between then and March 7.
Unlike the HPHC attack above, the LockBit ransomware gang is taking credit for this breach. Seems odd that the same group that previously publicly apologized for breaking into Canada's largest children's hospital, including offering free decryption for those affected, continues to go after healthcare targets. The message is to assume you're a target regardless of claims to the contrary and to prepare accordingly.
Ransomware continues its uptick for 2023 with the healthcare sector being a priority target of ransomware gangs. Every healthcare provider that maintains patient records should revisit their cybersecurity program and implement freely available best practice guidance, such as the Blueprint for Ransomware Defense, to protect against future attack. Unfortunately, the only winners in these attacks are the vendors that provide credit monitoring services.
A cyberattack has forced Mountain View Hospital, Idaho Falls Community Hospital and their associated clinics to send some patients to other facilities while they recover from the incident. As of midday, Wednesday, May 31, both hospitals are open, and most clinics are seeing patients.
Mountain View Hospital is working to actively reschedule appointments for affected patients, and their cafe services are still operating on a cash-only basis. Some services are operating on a paper, rather than electronic, records keeping basis. The challenge when falling back to paper is digitizing those records when recovery is completed. Make sure your BC/DR plans don't omit this part of the process, or it'll never happen.
Maintaining the ability to treat patients is the priority. That said, clinical data will not be recorded. Even if recorded on paper, it may never be digitized and available.
Idaho Falls Community Hospital
Gov Infosecurity
After 28 Years, SSLv2 is Still Not Gone
Apache NiFi Attacks
Malspam Pushes ModiLoader Infection for Remcos Rat
https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896
Operation Triangulation: iOS Devices Targeted With Previously Unknown Malware
https://securelist.com/operation-triangulation/109842/
MOVEit Transfer Critical Vulnerability
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
Code Injection Vulnerability in Reportlab Python Library
https://github.com/c53elyas/CVE-2023-33733
Gigabyte App Center Backdoor
https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/
Salesforce Ghost Sites
https://www.varonis.com/blog/salesforce-ghost-sites
CVE-2023-34152: Shell Command Injection in ImageMagick
https://securityonline.info/cve-2023-34152-shell-command-injection-bug-affecting-imagemagick/
MacOS SIP Bypass
OpenSSL Update
https://www.openssl.org/news/secadv/20230530.txt
Barracuda Email Security Gateway Appliance Vulnerability Details
Void Rabisu RomCom Backdoor
Nextcloud Vulnerability
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mr7q-xf62-fw54
Zyxel NAS Vulnerability
https://sternumiot.com/iot-blog/ntp-textbox-vulnerability-in-zyxel-nas326-nas540-and-nas542-devices/
Wait Just An Infosec: Higher Ed
https://www.youtube.com/watch?v=ufEuo-096yc&list=PLtgaAEEmVe6B2kqkE9KdgPJdtbqNiaiOn&index=8
Upcoming webcast on Tuesday, June 6th at 1:00pm EST | Exposed Industrial Control System Remote Services: A Threat to Critical Infrastructure - Join this session to walk away with a deeper understanding of the attack surface challenge for industrial environments, and more.
Join Chris Crowley and invited speakers for our 2023 SOC Survey event on Tuesday, June 13 at 10:00am EDT.
Upcoming webcast: Achieve Cloud Security at Scale with Dave Shackleford on Thursday, June 15 at 1:00pm ET | Register now: https://www.sans.org/info/226235