The California Privacy Protection Agency (CPPA) has announced that its Enforcement Division will review the privacy practices of connected vehicle (CV) manufacturers “and related CV technologies.” Noting that “modern vehicles are effectively connected computers on wheels,” CPPA Executive Director Ashkan Soltani said the Enforcement Division will examine how the companies are complying with California data privacy laws.
Back in 2017, the National Highway Traffic Safety Administration and the Federal Trade Commission held a workshop on connected vehicles and privacy, but other than some loose voluntary guidelines there has been no US federal movement on this issue, so it is good to see California applying pressure. Just as with mobile phones, the question of who owns the lucrative location data alone justifies some level of regulation, and since the US has spent decades failing to pass national privacy legislation, it will most likely come at the state level first.
As a start, connected vehicles must be able to operate safely while not connected. The expected lifetime of a car typically far exceeds the lifetime of the technology used to connect the vehicle to the network. Early adopters of this technology already had issues as 2G and 3G connectivity was turned off by cellular network operators. Will a car you purchase today still be able to connect in 10+ years?
It used to be that your car collected and stored telemetry data, and the dealer had to connect to the vehicle to download it, which helped with diagnostics and reconstruction of events. Now that cars are connected and include navigation apps, a lot more data is collected and shared with the manufacturers, and not much information is shared about what they do with it, other than for safety purposes. Increased transparency about how that data is used, and what can and cannot be opted out of, is needed.
This will be an interesting review by the CPPA. Yes, cars are increasingly using data collected from sensors to hone algorithms to fully realize autonomous driving. Yes, today most consumers connect their mobile device to vehicles, willingly sharing personal details with app manufacturers. And yes, newer vehicles are starting to integrate cameras, biometrics, and driving preferences as part of the vehicle experience. By connecting their device, or setting up their profile, has the consumer ‘opted in’ to the data collection practice? I suspect manufacturers will be updating their data sharing agreements as a result of the review.
This issue can only become more important as we progress toward full self-driving and rely on vehicle-to-vehicle communication for improved safety. California leads and we all benefit.
A path traversal vulnerability (CVE-2023-39143) in PaperCut NG and MF print management software could be exploited to upload, read, or delete arbitrary files and achieve remote code execution. Users are urged to upgrade to PaperCut NG/MF version 22.1.3 or newer.
This vulnerability appears to be more difficult to exploit compared to older vulnerabilities. But all this will do is buy us a bit more time to patch. Attackers have exploited the prior PaperCut vulnerabilities to great effect and are likely working on an exploit for this new issue.
Horizon3 has released a command you can use on a PaperCut server to see if it’s vulnerable, but they haven’t released a guide on preventing abuse. First things first: patch your PaperCut servers, make sure they are only accessible to systems which need to access them, and make sure to subscribe to security bulletins from Horizon3.
Security Week
Bleeping Computer
Horizon3
NIST
PaperCut
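The PaperCut item above concerns the path traversal class of bug: a client-controlled file name is joined to a server-side directory, and `../` segments (or their URL-encoded forms) walk out of it. The following is an added, generic illustration of that class and of the canonicalisation check that closes it. It is not PaperCut's code, is not derived from the advisory or the patch, and the directory and file names are constructed for the example.

```python
"""Path traversal in a file upload/download handler: naive join vs. canonicalised check.

Added, generic illustration of the vulnerability class behind the PaperCut advisory.
Not PaperCut's code; directory and file names below are constructed sample inputs.
"""
import os
import tempfile
from urllib.parse import unquote


def naive_target(base_dir: str, user_path: str) -> str:
    """Vulnerable: trusts the client-supplied name.

    Web frameworks normally hand the handler an already URL-decoded name, so we
    decode here once to keep the example self-contained. '../' segments and
    absolute paths then resolve outside base_dir.
    """
    return os.path.join(base_dir, unquote(user_path))


def safe_target(base_dir: str, user_path: str) -> str:
    """Hardened: decode, canonicalise, then require the result to stay under base_dir.

    Raises ValueError on any escape attempt. Because the check runs on the
    resolved path rather than the raw string, '..' segments, percent-encoded
    dots/slashes, absolute paths and symlinked parent directories that point
    outside base_dir are all rejected.
    """
    base = os.path.realpath(base_dir)
    decoded = unquote(user_path)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes upload directory: {user_path!r}")
    if candidate == base:
        raise ValueError("a file name is required, not the directory itself")
    return candidate


def escapes_base(base_dir: str, user_path: str) -> bool:
    """True if the naive join resolves outside base_dir (shows the bug without touching disk)."""
    base = os.path.realpath(base_dir)
    resolved = os.path.realpath(naive_target(base_dir, user_path))
    return os.path.commonpath([base, resolved]) != base


def demo() -> dict:
    """Run both handlers over constructed inputs.

    Returns {input: (naive_handler_escapes, safe_handler_accepts)}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as uploads:
        # Constructed sample inputs: one legitimate name, three traversal attempts
        # (plain, percent-encoded, absolute path).
        samples = [
            "report.pdf",
            "../../etc/passwd",
            "..%2F..%2Fetc%2Fpasswd",
            "/etc/passwd",
        ]
        for name in samples:
            try:
                safe_target(uploads, name)
                accepted = True
            except ValueError:
                accepted = False
            results[name] = (escapes_base(uploads, name), accepted)
    return results


if __name__ == "__main__":
    for name, (naive_escapes, safe_ok) in demo().items():
        print(f"{name!r:28} naive escapes={naive_escapes!s:5} hardened accepts={safe_ok}")
```

The point of the hardened version is that it never reasons about the string the client sent; it resolves the path the operating system would actually open and compares that against the resolved base directory. A blocklist of `..` substrings, by contrast, is exactly what encoded and normalised variants are designed to slip past.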
The Biden-Harris Administration has announced plans to help K-12 schools improve their cybersecurity practices. On Monday, August 7, the White House hosted a Back to School Safely: Cybersecurity Summit for K-12 Schools. Among the initiatives: The US Department of Education plans to establish a Government Coordinating Council for federal, state, local, tribal, and territorial education leaders and will release three K-12 Digital Infrastructure briefs; CISA will conduct tailored assessments, facilitate exercises, and provide cybersecurity training for 300 K-12 entities during the 2023-2024 school year; AWS has committed $20 million to a K-12 cyber grant program; and Cloudflare will provide free cybersecurity solutions to smaller (under 2,500 students) school districts.
Good to see private industry supporting this needed effort. Not only is connected technology the norm in classroom education, but the pandemic pointed out some level of remote learning will always be needed. Just as schools do fire drills and safety education, cybersafety and remote preparedness drills should be part of the mix.
The education sector has seen a rash of ransomware events over the past year. Glad to see that the administration is making supporting K-12 a priority in 2023-2024. What’s also heartening is that the private sector is lending a hand to support the education sector. I would urge every academic institution to use the CIS Critical Security Controls, starting with Implementation group 1, as the minimum cybersecurity standard. States like Utah, New Hampshire, and California are, and can provide valuable lessons learned to the education community.
Our schools remain targets, so any help they can get will help raise the bar. As a school, be sure to leverage the free assessment tools offered by CISA; they should help bolster the case for getting a grant from AWS or services from Cloudflare.
The Record
Gov Infosecurity
White House
ed.gov
The Colorado Department of Higher Education (CDHE) has disclosed that it suffered a cybersecurity incident in June that compromised personal information of an as yet unspecified number of individuals. The breach affects people who attended a Colorado institution of higher education between 2007 and 2020, a Colorado public high school between 2004 and 2020, carried a Colorado K-12 public education license between 2010 and 2014, or participated in various assistance and initiative programs between 2007 and 2017.
CDHE will be notifying affected students when they complete their analysis, which is excellent. While there may not be indications the information is being used yet, there is no way to predict when it will be. That said, if you were a student in the ranges above, I’d be proactive and set up credit/identity monitoring (or double-check your profile if you already have it).
Given the large number of institutions affected, it appears to be a pretty egregious data breach. For those affected, avail yourself of the free credit monitoring and identity theft protection services; your identity is potentially at stake.
“The stolen information includes full names, social security numbers, dates of birth, addresses, proof of addresses (e.g., statements/bills), photocopies of government IDs, and for some, police reports or complaints regarding identity theft.” The lesson for the rest of us is not to keep this data unless absolutely necessary. If necessary to keep it, keep it encrypted.
CDHE
Dark Reading
Bleeping Computer
Security Week
Statescoop
The Record
Microsoft has addressed an information disclosure vulnerability in its Power Platform Custom Connectors using Custom Code. The flaw was reported to Microsoft by Tenable in late March; Tenable noted that the vulnerability is due to “insufficient access control to Azure Function hosts.” Microsoft initially addressed the issue on June 7, but a recent blog post from Tenable observed that there was still a subset of Microsoft customers who remained vulnerable to the issue. Microsoft addressed this issue on August 2.
Affected customers were notified by Microsoft via Microsoft 365 Admin Center (MC665159) starting on August 4th; you need to be an enterprise admin to read the message as it was sent with a data privacy tag. Take a moment to ping your MS 365 global admin to see if you were notified. Microsoft states no customer remediation is needed, and has published a guide on creating these custom connections. Make sure that you’re following the guidance with current and future custom connections.
This is a really interesting discussion. Tenable privately alerts Microsoft to a critical vulnerability: a good thing. Microsoft issues a patch 60-ish days later; perhaps a reasonable response time. Further analysis by Tenable reveals an incomplete fix and leads to more communication with Microsoft. My questions: What’s a reasonable time a vendor should be given to provide a fix? What other factors impact that timeline? And what steps has the vendor taken to protect customers affected by the vulnerability while the patch is being developed? Only the vendor can answer those questions, but perhaps it’s time to establish a minimum response time for every vendor to aim for.
Microsoft
Tenable
SC Magazine
The Register
Bleeping Computer
The US Cybersecurity and Infrastructure Security Agency (CISA) has released an updated version of its Cybersecurity Strategic Plan. CISA notes that the plan is aligned with the National Cybersecurity Strategy. The plan describes three overarching goals: addressing immediate threats, hardening the terrain, and driving security at scale.
The report calls for collaboration to improve security. I’ve heard tales from firefighters dispatched to work the Canadian wildfires this year, and they are all in it together: all are focused on the end goal. As cyber professionals, we could take a page from their playbook and follow the CISA guidance to ensure we have secure designs, quick detection and mitigation, with priority for critical assets.
All laudable goals by CISA as part of its updated cybersecurity strategic plan. As part of these planning cycles, it would also be helpful for CISA to highlight its successes and yes, its shortcomings in executing the previous strategic plan. It demonstrates that the government is evolving with the changing cyber threat.
CISA
Nextgov
SC Magazine
Security Week
MeriTalk
The US Federal Bureau of Investigation (FBI) is investigating a ransomware attack that has affected hospitals in multiple US states. The incident was first noticed last week, when California-based Prospect Medical Holdings, which has facilities in Connecticut, Pennsylvania, Rhode Island, and Texas, detected the attack on its systems. The attack has resulted in cancelled elective surgeries and the closure of emergency rooms and other facilities and services.
It seems like many medical services facilities do proactive exercises to see how they would deal with a large-scale emergency, like an airplane crash nearby, and to develop playbooks to use in case something of that scale ever happens. Obviously, this kind of effort needs to happen around a cybersecurity incident, as well.
It seems that 2023 is seeing an uptick in ransomware attacks affecting the healthcare and education sectors. In addition to institutions periodically reviewing their cybersecurity program, each should also perform a table-top exercise of their cybersecurity incident response plan. While it may not prevent a ransomware attack, it can go a long way to limit the impact on vital services provided.
Infosecurity Magazine
Security Week
SC Magazine
The Record
In a blog post, US Federal Communications Commission (FCC) Chairperson Jessica Rosenworcel and Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly acknowledge that the US is lagging behind on Border Gateway Protocol (BGP) security practices. Last week, the FCC and CISA held a workshop with other federal agencies “to develop a common understanding of the latest BGP security improvements that are underway and planned—and what can and should be done to accelerate progress in both the near term and beyond.”
Contact your ISP to find out what they are doing to improve BGP security. While this work will help to identify, and hopefully remediate barriers, pressure from customers and network edge providers is needed to keep things moving forward. This should also be a consideration when selecting an ISP for your enterprise.
North Korean state-sponsored hackers have infiltrated systems at Russian aerospace engineering firm NPO Mashinostroyeniya. The company designs and manufactures missiles and spacecraft. The intrusion was detected by researchers at SentinelOne.
The SentinelOne report gives insight into the OpenCarrot backdoor used by the Lazarus gang, as well as an interesting connection on how these two groups worked together to influence Russia’s veto of U.N.-proposed sanctions on North Korea. ScarCruft (also known as InkySquid) has been directly tied to state-sponsored activities.
SentinelOne
Security Week
The Hacker News
Bleeping Computer
Are Leaked Credential Dumps Used by Attackers?
https://isc.sans.edu/diary/Are+Leaked+Credentials+Dumps+Used+by+Attackers/30098
Update: Researchers Scanning the Internet
https://isc.sans.edu/diary/Update+Researchers+scanning+the+Internet/30102
Malicious OpenBullet Configuration Files
https://www.kasada.io/threat-intel-openbullet-malware/
Abusing Cloudflare Tunnels
https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
New PaperCut RCE Vulnerability
https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/
Microsoft mitigates Power Platform Custom Code information disclosure vulnerability
Microsoft Publishes Token theft Playbook
https://learn.microsoft.com/en-us/security/operations/token-theft-playbook