SANS NewsBites

Orange España RIPE Compromise Causes Outage; Web Tracker Fine For Hospital

January 5, 2024  |  Volume XXVI - Issue #01

Top of the News


2024-01-04

Orange España Mobile Outage

Spanish mobile carrier Orange España has acknowledged that it experienced an outage earlier this week. The incident was caused by a threat actor who accessed Orange’s account at the RIPE Network Coordination Centre (RIPE NCC) using a weak password. RIPE NCC, the Réseaux IP Européens Network Coordination Centre, is “the Regional Internet Registry for Europe, the Middle East, and Central Asia.” An operator’s RIR account holds its IP address allocations and the routing registry data that other networks consult when deciding which of its routes to accept, which is why control of that single login could be turned into a loss of connectivity.

Editor's Note

According to some reports, the RIPE account used by Orange did not use MFA. At this point, it is inexcusable for a critical infrastructure account like this to not be protected by multi-factor authentication. Even highly qualified network engineers may succumb to malware.

Johannes Ullrich
Johannes Ullrich

This incident highlights the tug between operations management and cybersecurity. From an operations perspective, workflow accounts are often shared and have simple passwords associated with the login. From a security perspective, accountability is important and is reflected in individual accounts with unique passwords. From a risk perspective, better to err on the side of security, especially when it comes to password complexity.

Curtis Dukes
Curtis Dukes

While most popular enterprises offer strong authentication options to their customers and users, because of perceived cost and inconvenience, many fail to use this essential measure internally, even, as in this case, for privileged users. Make the implementation of strong authentication a high priority for 2024.

William Hugh Murray
William Hugh Murray

2024-01-02

Hospital Fined Over Web Tracker

The Attorney General of the State of New York has fined New York Presbyterian (NYP) Hospital $300,000 over its use of third-party tracking tools on its website and patient portal. The tools had not been vetted for potential policy or legal violations. NYP operates 10 hospitals in the New York City area and has more than 2 million patient visits annually.

Editor's Note

Using third party trackers isn't great. Maybe I missed the news, but I have not seen any fines for more serious issues like sending initial passwords in the clear via email or using client side JavaScript as sole input validation.

Johannes Ullrich
Johannes Ullrich

This one is an example of a long running failure to have privacy requirements for any product/service procurement where customer data will be tracked or stored. Security/privacy teams have to assert themselves into the procurement process and into making sure marketing heads understand why privacy is legally a concern.

John Pescatore
John Pescatore

Are you using trackers on your web site? Are you certain? Are you aware what they store and who has access to that data? More importantly, if you’re using a tracker do you know what it can and cannot do, and do you have appropriate management approval?

Lee Neely
Lee Neely
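The questions above start with an inventory. The following is an added example, not part of the newsletter or of any hospital's tooling: a static check over page markup that lists every outside host the browser would be sent to for scripts, images, frames, stylesheets or tracking pixels, so a team can answer "are we using trackers, and which?" before asking what each one stores. The HTML, hostnames and first-party domain are constructed for the example.

```python
"""Inventory third-party origins a page pulls resources from.

Added illustration, not part of the newsletter or of NYP's tooling: a static
check over page markup that lists every external host the browser would be
sent to for scripts, images, frames, stylesheets or beacons. The HTML and
hostnames below are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attributes whose value the browser fetches (and so leaks the visit to).
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "embed": ("src",),
    "video": ("src", "poster"),
    "link": ("href",),
}
# <link> only triggers a fetch for these rel values; rel="canonical" is metadata.
FETCHING_RELS = {"stylesheet", "preload", "prefetch", "preconnect",
                 "dns-prefetch", "icon", "modulepreload"}


class ThirdPartyCollector(HTMLParser):
    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.hits = []  # (tag, url, host)

    def handle_starttag(self, tag, attrs):
        # Boolean attributes such as "async" arrive as (name, None).
        attr_map = {k: (v or "") for k, v in attrs}
        if tag == "link":
            rels = set(attr_map.get("rel", "").lower().split())
            if not rels & FETCHING_RELS:
                return
        for name in FETCH_ATTRS.get(tag, ()):
            url = attr_map.get(name)
            if not url:
                continue
            # urlparse handles absolute ("https://h/x"), protocol-relative ("//h/x")
            # and relative ("/x", no host) forms; data: URLs have no host either.
            host = (urlparse(url).hostname or "").lower()
            if host and not self._is_first_party(host):
                self.hits.append((tag, url, host))

    def _is_first_party(self, host):
        return any(host == fp or host.endswith("." + fp) for fp in self.first_party)


def third_party_origins(html, first_party_hosts):
    """Return the sorted set of third-party hostnames referenced in the markup."""
    collector = ThirdPartyCollector(first_party_hosts)
    collector.feed(html)
    collector.close()
    return sorted({host for _, _, host in collector.hits})


# Constructed sample: a portal-style page mixing first-party assets, one real
# fetch to each of three outside vendors, and a <link> that fetches nothing.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://tag.example-analytics.com/tag.js?id=ABC"></script>
<link rel="stylesheet" href="https://cdn.example-hospital.org/css/site.css">
<link rel="canonical" href="https://partner.example.net/portal">
</head><body>
<img src="//pixel.example-ads.com/p.gif?u=123" width="1" height="1">
<iframe src="https://chat.example-vendor.com/widget"></iframe>
<img src="/images/logo.png">
</body></html>"""

if __name__ == "__main__":
    for host in third_party_origins(SAMPLE_HTML, ["example-hospital.org"]):
        print(host)
```

A markup scan is only the first pass: tag managers and other scripts inject further trackers at runtime, so pair it with the browser's network log or a Content-Security-Policy in report-only mode to see what actually fires on a patient session.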

Over 13 states have adopted a data privacy statute or similar law. Data collected by these tracking tools is protected by state laws. This should serve as a wake-up call for every organization that employs third-party tracking tools, to review their data privacy policies and use of third-party tracking tools.

Curtis Dukes
Curtis Dukes

It is interesting to see how the state of New York will go over entities like this. Specifically, trackers and analytics are such a normal part of our Web life.

Moses Frost
Moses Frost

2024-01-04

New LastPass Master Password Requirements

The LastPass password manager application is now requiring that all master passwords have a minimum length of 12 characters. Although the 12-character minimum has been the LastPass default since 2018, users have had the option of setting shorter passwords until now. Users who have passwords with fewer than 12 characters will be prompted to change them. LastPass has experienced several security incidents over the past few years.

Editor's Note

LastPass is asking you to do two things if you haven’t already. First, re-enroll your MFA token (Google Authenticator, LastPass Authenticator, MS Authenticator) and second confirm that you’ve got a password of 12 or more characters. Note they are still using the old complexity requirements - at least one of upper, lower, numeric and special character, as well as modern guidance of not using information tied to you, sequential characters, etc. Make sure you’re selecting something you can remember and enter reliably.

Lee Neely
Lee Neely

Some important changes, but the problem isn't so much password length, but the fact that the password is user selected. Competitors use a randomly generated string in addition to the user's password to encrypt password vaults. User passwords will always be weak and to some extent guessable no matter the length.

Johannes Ullrich
Johannes Ullrich
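The point about a user-chosen password versus a random secret key can be shown concretely. The following is an added illustration and is not LastPass's or any competitor's actual implementation: PBKDF2 derives the vault key, a key-check value lets a client (or an attacker holding a stolen vault) tell a right key from a wrong one, and a small offline guessing loop is run against a vault keyed by the password alone and then against one that also mixes in a random 128-bit secret held only on the user's devices. The salt, wordlist, iteration count and the concatenation used to combine the two inputs are constructed for the demo.

```python
"""Offline guessing against a vault keyed by the master password alone versus
one that also mixes in a random secret key.

Added illustration, not LastPass's or any competitor's actual code. Salt,
wordlist and iteration count are constructed. The "secret key" scheme is the
design described above: a random string kept only on the user's devices, never
sent to the service, combined with the password before key derivation.
"""
import hashlib
import hmac
import secrets

# Deliberately low so the demo runs in well under a second; real clients use
# hundreds of thousands of iterations (or a memory-hard KDF such as Argon2).
ITERATIONS = 20_000


def derive_vault_key(master_password: str, salt: bytes, secret_key: bytes = b"") -> bytes:
    """PBKDF2-HMAC-SHA256 over password || secret_key (simplified combination)."""
    material = master_password.encode("utf-8") + secret_key
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=32)


def key_check_value(vault_key: bytes) -> bytes:
    """Stored next to the ciphertext so a client can confirm the key before decrypting."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def offline_guess(salt: bytes, kcv: bytes, wordlist, secret_key_guess: bytes = b""):
    """What an attacker with a stolen vault does: test candidates with no rate limit."""
    for candidate in wordlist:
        key = derive_vault_key(candidate, salt, secret_key_guess)
        if hmac.compare_digest(key_check_value(key), kcv):
            return candidate
    return None


# Constructed wordlist: every entry is 12+ characters with upper, lower, digit
# and symbol, i.e. it satisfies the new minimum and the old complexity rules.
WORDLIST = [
    "Summer2023!!",
    "Welcome2024!",
    "P@ssword1234",
    "Qwerty123456!",
    "Letmein2024#",
]
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed, 16 bytes


def demo(master_password: str = "Welcome2024!"):
    """Return (cracked_without_secret, cracked_with_secret, legit_user_can_open)."""
    # Scheme A: the vault key depends on the password only. Anything that
    # appears in a wordlist falls to an offline attack on the stolen vault.
    kcv_a = key_check_value(derive_vault_key(master_password, SALT))
    cracked_a = offline_guess(SALT, kcv_a, WORDLIST)

    # Scheme B: a 128-bit secret key generated at enrollment and held on the
    # user's devices is mixed in. The stolen vault gives the attacker the salt
    # and the KCV but not this value, so the same wordlist finds nothing.
    secret_key = secrets.token_bytes(16)
    kcv_b = key_check_value(derive_vault_key(master_password, SALT, secret_key))
    cracked_b = offline_guess(SALT, kcv_b, WORDLIST)

    # The legitimate user, who holds both inputs, still opens the vault.
    legit = hmac.compare_digest(
        key_check_value(derive_vault_key(master_password, SALT, secret_key)), kcv_b
    )
    return cracked_a, cracked_b, legit


if __name__ == "__main__":
    a, b, ok = demo()
    print(f"password-only vault cracked with: {a!r}")
    print(f"password+secret-key vault cracked with: {b!r}")
    print(f"legitimate user with secret key opens vault: {ok}")
```

The secret key only helps if it is never stored on the service or inside the vault backup; a breach that yields both inputs is back to scheme A. The cost is recoverability: lose the secret key and no password will open the vault, which is why products using this design hand users an emergency kit at enrollment.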

I’m a huge fan of password managers but they are also a single point of failure. In many ways you could consider your password for your Password Manager your most important password. Not sure if LastPass is taking the right approach here, especially after their security issues. What I think would be fantastic is making the MFA the default option. If you did not want MFA, you have to manually disable it and then require something longer than 12 characters. I’m a big fan of passphrases as they are easier to remember and type, but have the entropy needed. I personally prefer the standard of at least 16 characters.

Lance Spitzner
Lance Spitzner

The Rest of the Week's News


2024-01-04

HealthEC Data Breach Affects Millions of Patients

HealthEC LLC, “a population health technology company that provides services to other entities,” has reported a data security breach that affects nearly 4.5 million patients. The incident occurred in July 2023 and was reported to the US Department of Health and Human Services Office for Civil Rights on December 21.


2024-01-03

Victoria (Australia) Court System Cyber Incident Compromised Recorded Court Proceedings

Court Services Victoria (CSV) has disclosed a cybersecurity incident that may have compromised transcriptions and audio and video recordings of court and tribunal proceedings. The intrusion was detected on December 21; the breach affects proceedings that took place between November 1 and December 21.

Editor's Note

This is an example of an incident report that never says why/how the attack succeeded. This is kind of like a road sign that has “Something Happened” vs. “Fallen Rocks.” The information they did include shows the attackers were active for two weeks without the Court noticing and there was still exposure for 2 weeks after the attackers announced, “YOU HAVE BEEN PWND.” Those are not good metrics for Court IT security – good item to use to check isolation and monitoring if you have similar systems.

John Pescatore
John Pescatore

2024-01-04

Personal Data Taken in Estes Express Lines Ransomware Attack

Freight shipping company Estes Express Lines has acknowledged that ransomware operators stole personal data belonging to 20,000 customers. Estes disclosed the incident in early October 2023. The company did not pay the ransom demand.

Editor's Note

Estes Express gets credit for promptly reporting the cyber-attack via social media and not paying the ransom demand. Unfortunately, they fell a bit short in formally notifying their customers of the data loss and offering of free identity monitoring services.

Curtis Dukes
Curtis Dukes

2024-01-03

Defunct Ambulance Service Data Breached

A data breach affecting a defunct ambulance service in Boston has compromised personal information of at least 900,000 individuals. Transformative Healthcare disclosed the breach, which affected Fallon Ambulance Service, a subsidiary that ceased operations in December 2022. The breach occurred in early 2023. The data were kept archived on an IT system for legal purposes.

Editor's Note

This is in the no good deed goes unpunished category. When creating an archive of data for future use, legal hold, etc., make sure you’ve carefully documented how the information is protected and accessed. At some point you’re going to want to consider when that offline storage may be the proper solution.

Lee Neely
Lee Neely

Two aspects come to light with this cyber incident: 1) data retention and storage; and 2) acquisition due diligence. While companies have legal obligations to retain data, if it’s no longer required for operational purposes place it in off-site storage. Due diligence should have surfaced the cyber incident prior to acquisition. Regardless, Coastal Medical Transportation Systems is now liable for the data breach.

Curtis Dukes
Curtis Dukes

2024-01-03

First KEV Additions of 2024

On Tuesday, January 2, the US Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: a heap buffer overflow vulnerability in Google Chromium WebRTC and a remote code execution vulnerability in Spreadsheet::ParseExcel. Federal Civilian Executive Branch agencies are required to mitigate these issues by January 23.

Editor's Note

While Perl has largely fallen out of favor with developers, you should be checking for legacy or lingering Perl code which may have security issues. Either keep that code updated or replace it with code written in tools/languages your developers are using today.

Lee Neely
Lee Neely

2023-12-28

“Top 5” 2024 Cybersec Compliance Deadlines

Over the next year, cybersecurity professionals will face several compliance deadlines, including the Payment Card Industry Data Security Standard v4.0 with a deadline of March 31, new Federal Trade Commission (FTC) breach reporting rules that take effect on May 13, and a June 15 deadline for smaller companies to comply with the Securities and Exchange Commission’s (SEC’s) new breach disclosure rules.

Editor's Note

Note that PCI DSS v4.0 comes with 13 new requirements due March 31st. Requirements include identifying the relevant roles and responsibilities of security team members and third-party service providers, determining the scope of an organization’s cardholder data environment (CDE), defining a “customized approach” to compliance, and performing targeted risk analyses. You may wish to engage your internal assessor (ISA), or current QSA, as they have been training up on the new requirements.

Lee Neely
Lee Neely

2024-01-04

Chrome Stable Channel Update

Google has released its first Chrome update of 2024. The new release fixes six security issues, four of which were submitted by external researchers. Three of the vulnerabilities are use-after-free issues in ANGLE, WebAudio, and WebGPU. The fourth is a heap buffer overflow in ANGLE. All four are rated high severity. Chrome 120.0.6099.199 for Mac and Linux and 120.0.6099.199/200 for Windows will be rolled out over the next few days and weeks.

Editor's Note

It is hard to find good numbers, but it is pretty clear that more than half of the vulnerabilities in big name software, like Google, Microsoft, Apple, etc., continue to be found by external researchers. By definition, this means no new release of a product/service can be trusted until a lot of outsiders have pounded on it. Since business demands often drive “no, we have to move now,” better to have those outsiders be part of a well-managed bug bounty effort.

John Pescatore
John Pescatore

Now that we’re back from the holiday break, it’s a good time to scan for systems that don’t have the updated version deployed. Make sure you’ve got data from 2024 for each endpoint, and watch for users who are still waiting on the “reload/relaunch to update” step. Give thought to deploying a setting which sets the max age on the update before the restart is forced.

Lee Neely
Lee Neely
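The scan described above, as an added example that is not part of the newsletter: it runs over an inventory export (a constructed CSV, with hostnames and dates made up for the demo) and flags hosts whose reported Chrome build is below the fixed version for their platform, plus hosts whose last check-in predates the new year, since their version field cannot be trusted. One trap it guards against: versions must be compared as integer tuples, because as strings "120.0.6099.71" sorts after "120.0.6099.199".

```python
"""Find endpoints still below the fixed Chrome build, or with no 2024 check-in.

Added example, not part of the newsletter. The inventory CSV is constructed.
Versions are compared as integer tuples, not strings.
"""
import csv
import io
from datetime import date

# Fixed builds from the Chrome stable channel update above. Windows shipped
# .199 and .200; .199 is the floor, so .200 passes as well.
MIN_FIXED = {
    "windows": (120, 0, 6099, 199),
    "mac": (120, 0, 6099, 199),
    "linux": (120, 0, 6099, 199),
}


def parse_version(text: str) -> tuple:
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Chrome version format: {text!r}")
    return parts


def is_patched(platform: str, version: str) -> bool:
    return parse_version(version) >= MIN_FIXED[platform.strip().lower()]


def find_unpatched(inventory_csv: str, stale_before: str = "2024-01-01"):
    """Return [(hostname, reason), ...] for every host needing attention.

    stale_before is an ISO date; hosts last seen earlier than it are flagged
    because their reported version may simply be old data.
    """
    cutoff = date.fromisoformat(stale_before)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = []
        if not is_patched(row["platform"], row["chrome_version"]):
            reasons.append("below fixed version")
        if date.fromisoformat(row["last_seen"]) < cutoff:
            reasons.append(f"last seen before {stale_before}")
        if reasons:
            findings.append((row["hostname"], "; ".join(reasons)))
    return findings


# Constructed inventory: mixes patched, unpatched and stale entries.
INVENTORY = """hostname,platform,chrome_version,last_seen
ws-0412,windows,120.0.6099.200,2024-01-04
ws-0413,windows,120.0.6099.129,2024-01-03
mac-0007,mac,120.0.6099.199,2024-01-04
mac-0008,mac,120.0.6099.71,2023-12-22
lx-0021,linux,120.0.6099.199,2023-12-20
"""

if __name__ == "__main__":
    for host, reason in find_unpatched(INVENTORY):
        print(f"{host}: {reason}")
```

A host that reports a fixed version but has not relaunched is still running the old binary; the inventory agent has to report the running version, not the installed one, for this check to mean anything.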

Prefer single purpose built software. Browsers have long since passed the threshold of complexity beyond which they should not be relied upon for sensitive applications.

William Hugh Murray
William Hugh Murray

Internet Storm Center Tech Corner

Wireshark Updates

https://isc.sans.edu/diary/Wireshark+updates/30528

Interesting large and small malspam attachments from 2023

https://isc.sans.edu/diary/Interesting+large+and+small+malspam+attachments+from+2023/30524

Fingerprinting SSH Identification Strings

https://isc.sans.edu/diary/Fingerprinting+SSH+Identification+Strings/30520

Shall We Play a Game?

https://isc.sans.edu/diary/Shall+We+Play+a+Game/30510

Mailtrap.io Exfiltration

https://isc.sans.edu/diary/Python+Keylogger+Using+Mailtrapio/30512

Pi Hole Docker

https://isc.sans.edu/diary/PiHole+Pi4+Docker+Deployment/30516

Mirai Update

https://isc.sans.edu/diary/Unveiling+the+Mirai+Insights+into+Recent+DShield+Honeypot+Activity+Guest+Diary/30514

Android Updates

https://source.android.com/docs/security/bulletin/2024-01-01

Apple iOS PoC Exploits

https://github.com/felix-pb/kfd/blob/main/writeups/smith.md

https://github.com/felix-pb/kfd/blob/main/writeups/landa.md

Ivanti Critical Vulnerability

https://forums.ivanti.com/s/article/SA-2023-12-19-CVE-2023-39336?language=en_US

Malicious PyPi Packages

https://www.fortinet.com/blog/threat-research/malicious-pypi-packages-deploy-coinminer-on-linux-devices

Everything npm package

https://www.bleepingcomputer.com/news/security/everything-blocks-devs-from-removing-their-own-npm-packages/

Orange Spain RIPE Account Compromise

https://www.bleepingcomputer.com/news/security/hacker-hijacks-orange-spain-ripe-account-to-cause-bgp-havoc/

Bitwarden Heist

https://blog.redteam-pentesting.de/2024/bitwarden-heist/

Google OAUTH2 Exploited by Malware

https://www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking

TsuKing DNS Amplification

https://lixiang521.com/publication/ccs23/ccs23-xu-tsuking.pdf

Barracuda 0-Day Vulnerability

https://www.barracuda.com/company/legal/esg-vulnerability

Apache OFBiz 0-Day Exploited against Atlassian (and possibly others)

https://blog.sonicwall.com/en-us/2023/12/sonicwall-discovers-critical-apache-ofbiz-zero-day-authbiz/