SANS NewsBites

California Takes First Step Towards Applying Privacy Regulations to Vehicle Manufacturers; Patch All PaperCut Print Management Software; Support Local Efforts to Improve K-12 Cybersecurity

August 8, 2023  |  Volume XXV - Issue #62

Top of the News


2023-08-06

California Will Review Connected Vehicle Makers’ Data Privacy Practices

The California Privacy Protection Agency (CPPA) has announced that its Enforcement Division will review the privacy practices of connected vehicle (CV) manufacturers “and related CV technologies.” Noting that “modern vehicles are effectively connected computers on wheels,” CPPA Executive Director Ashkan Soltani said the Enforcement Division will examine how the companies are complying with California data privacy laws.

Editor's Note

Back in 2017, the National Highway Traffic Safety Administration and the Federal Trade Commission held a workshop on connected vehicles and privacy, but other than some loose voluntary guidelines, there has been no US federal movement on this issue – good to see California applying pressure. Just as with mobile phones, the issue of who owns the lucrative location data alone justifies some level of regulation, and since the US has decades of failing to pass national privacy legislation, it will most likely come at the state level first.

John Pescatore

As a start, connected vehicles must be able to operate safely while not connected. The expected lifetime of a car typically far exceeds the lifetime of the technology used to connect the vehicle to the network. Early adopters of this technology already had issues as 2G and 3G connectivity was turned off by cellular network operators. Will a car you purchase today still be able to connect in 10+ years?

Johannes Ullrich

It used to be that your car collected and stored telemetry data, and the dealer had to connect to the vehicle to download information, which helped with diagnostics and reconstruction of events. Now that cars are connected, and include navigation apps, a lot more data is collected and shared with the manufacturers, and not a lot of information is shared about what they do with it, other than for safety purposes. Increased transparency about how that data is used and what can and cannot be opted out of is needed.

Lee Neely

This will be an interesting review by the CPPA. Yes, cars are increasingly using data collected from sensors to hone algorithms to fully realize autonomous driving. Yes, today most consumers connect their mobile device to vehicles, willingly sharing personal details with app manufacturers. And yes, newer vehicles are starting to integrate cameras, biometrics, and driving preferences as part of the vehicle experience. By connecting their device, or setting up their profile, has the consumer ‘opted in’ to the data collection practice? I suspect manufacturers will be updating their data sharing agreements as a result of the review.

Curtis Dukes

This issue can only become more important as we progress toward full self-driving and rely on vehicle-to-vehicle communication for improved safety. California leads and we all benefit.

William Hugh Murray

2023-08-07

Updates Available to Address PaperCut Path Traversal Vulnerability

A path traversal vulnerability in PaperCut NG and MF print management software could be exploited to upload, read, or delete arbitrary files and achieve remote code execution. Users are urged to upgrade to PaperCut NG/MF version 22.1.3 or newer.
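The general pattern behind this class of bug, shown as an added example that is neither PaperCut's code nor part of the original newsletter: a naive "strip ../" filter in front of a file-upload path is bypassed by doubled sequences and by absolute names, while a check on the normalised result stays correct. The upload root, the sample file names and the naive filter are assumptions chosen for illustration.

```python
import posixpath

# Assumed upload root for this example (not a real PaperCut path).
BASE_DIR = "/srv/app/uploads"


def naive_target(filename: str) -> str:
    """Vulnerable pattern: delete every '../' then join onto the root.

    The filter runs once and is not recursive, so '....//....//x' becomes
    '../../x' after the replace, and posixpath.join discards BASE_DIR
    entirely when the name is absolute. Either way the result can point
    outside BASE_DIR.
    """
    cleaned = filename.replace("../", "")
    return posixpath.join(BASE_DIR, cleaned)


def escapes_root(path: str) -> bool:
    """True when the lexically normalised path lies outside BASE_DIR."""
    normalised = posixpath.normpath(path)
    return normalised != BASE_DIR and not normalised.startswith(BASE_DIR + "/")


def safe_target(filename: str) -> str:
    """Hardened pattern: join, normalise, then require the result to remain
    under BASE_DIR. The comparison includes the trailing separator so that
    '/srv/app/uploads_old/x' is not accepted as a prefix match.

    posixpath.normpath is purely lexical. If BASE_DIR or its children may be
    symlinks, additionally compare os.path.realpath() of both sides before
    touching the file.
    """
    if not filename:
        raise ValueError("empty filename")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, filename))
    if escapes_root(candidate):
        raise ValueError(f"path escapes upload root: {filename!r}")
    return candidate


def accepted(filename: str) -> bool:
    """Convenience wrapper: True if safe_target would accept the name."""
    try:
        safe_target(filename)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample names an attacker might submit to an upload endpoint.
    samples = [
        "report.pdf",
        "../../etc/passwd",          # caught by the naive filter
        "....//....//etc/passwd",    # collapses to ../../ after the filter
        "/etc/passwd",               # absolute name discards the root on join
        "../uploads_old/x",          # prefix-match trap
    ]
    for name in samples:
        naive = naive_target(name)
        print(f"{name!r:28} naive -> {naive!r} escapes={escapes_root(naive)}")
        print(f"{'':28} safe  -> {'accepted' if accepted(name) else 'rejected'}")
```

The useful lesson is in the third sample: the naive filter rejects the obvious `../../etc/passwd` but turns `....//....//etc/passwd` into exactly that string, while the hardened check ignores how the name looks and only asks where the normalised path ends up.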


2023-08-07

White House Aims to Improve K-12 Cybersecurity

The Biden-Harris Administration has announced plans to help K-12 schools improve their cybersecurity practices. On Monday, August 7, the White House hosted a Back to School Safely: Cybersecurity Summit for K-12 Schools. Among the initiatives: The US Department of Education plans to establish a Government Coordinating Council for federal, state, local, tribal, and territorial education leaders and will release three K-12 Digital Infrastructure briefs; CISA will conduct tailored assessments, facilitate exercises, and provide cybersecurity training for 300 K-12 entities during the 2023-2024 school year; AWS has committed $20 million to a K-12 cyber grant program; and Cloudflare will provide free cybersecurity solutions to smaller (under 2,500 students) school districts.

The Rest of the Week's News


2023-08-07

Colorado Dept. of Higher Education Discloses Data Breach

The Colorado Department of Higher Education (CDHE) has disclosed that it suffered a cybersecurity incident in June that compromised personal information of an as yet unspecified number of individuals. The breach affects people who attended a Colorado institution of higher education between 2007 and 2020, attended a Colorado public high school between 2004 and 2020, held a Colorado K-12 public education license between 2010 and 2014, or participated in various assistance and initiative programs between 2007 and 2017.

Editor's Note

CDHE will be notifying affected students when they complete their analysis, which is excellent. While there may not be indications the information is being used yet, there is no way to predict when it will be. That said, if you were a student in the ranges above, I’d be proactive and implement credit/identity monitoring (or double-check your profile if you already have it).

Lee Neely

Given the large number of institutions affected, it appears to be a pretty egregious data breach. For those affected, avail yourself of the free credit monitoring and identity theft protection services; your identity is potentially at stake.

Curtis Dukes

“The stolen information includes full names, social security numbers, dates of birth, addresses, proof of addresses (e.g., statements/bills), photocopies of government IDs, and for some, police reports or complaints regarding identity theft.” The lesson for the rest of us is not to keep this data unless absolutely necessary. If necessary to keep it, keep it encrypted.

William Hugh Murray

2023-08-07

Microsoft Fixes Vulnerability Reported by Tenable

Microsoft has addressed an information disclosure vulnerability in its Power Platform Custom Connectors using Custom Code. The flaw was reported to Microsoft by Tenable in late March; Tenable noted that the vulnerability is due to “insufficient access control to Azure Function hosts.” Microsoft initially addressed the issue on June 7, but a recent blog post from Tenable observed that there was still a subset of Microsoft customers who remained vulnerable to the issue. Microsoft addressed this issue on August 2.


2023-08-07

CISA Updates Its Cybersecurity Strategic Plan

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an updated version of its Cybersecurity Strategic Plan. CISA notes that the plan is aligned with the National Cybersecurity Strategy. The plan describes three overarching goals: addressing immediate threats, hardening the terrain, and driving security at scale.


2023-08-07

Cyber Incident Affects Hospitals in Multiple States

The US Federal Bureau of Investigation (FBI) is investigating a ransomware attack that has affected hospitals in multiple US states. The incident was first noticed last week, when systems at California-based Prospect Medical Holdings, which has facilities in Connecticut, Pennsylvania, Rhode Island, and Texas, were affected. The attack has resulted in cancelled elective surgeries and the closure of emergency rooms and other facilities and services.


2023-08-05

FCC, CISA: US Federal Government “Lagging Behind on BGP Security Practices”

In a blog post, US Federal Communications Commission (FCC) Chairperson Jessica Rosenworcel and Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly acknowledge that the US is lagging behind on Border Gateway Protocol (BGP) security practices. Last week, the FCC and CISA held a workshop with other federal agencies “to develop a common understanding of the latest BGP security improvements that are underway and planned—and what can and should be done to accelerate progress in both the near term and beyond.”


2023-08-07

North Korean Hackers Target Russian Aerospace Engineering Company

North Korean state-sponsored hackers have infiltrated systems at Russian aerospace engineering firm NPO Mashinostroyeniya. The company designs and manufactures missiles and spacecraft. The intrusion was detected by researchers at SentinelOne.

Internet Storm Center Tech Corner

Are Leaked Credential Dumps Used by Attackers?

https://isc.sans.edu/diary/Are+Leaked+Credentials+Dumps+Used+by+Attackers/30098

Update: Researchers Scanning the Internet

https://isc.sans.edu/diary/Update+Researchers+scanning+the+Internet/30102

Malicious OpenBullet Configuration Files

https://www.kasada.io/threat-intel-openbullet-malware/

Abusing Cloudflare Tunnels

https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/

New PaperCut RCE Vulnerability

https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/

Microsoft mitigates Power Platform Custom Code information disclosure vulnerability

https://msrc.microsoft.com/blog/2023/08/microsoft-mitigates-power-platform-custom-code-information-disclosure-vulnerability/

Microsoft Publishes Token Theft Playbook

https://learn.microsoft.com/en-us/security/operations/token-theft-playbook