Orange España RIPE Compromise Causes Outage; Web Tracker Fine For Hopsital

According to some reports, the RIPE account used by Orange did not use MFA. At this point, it is inexcusable for a critical infrastructure account like this to not be protected by multi factor authentication. Even highly qualified network engineers may succumb to malware.

This incident highlights the tug between operations management and cybersecurity. From an operations perspective, workflow accounts are often shared and have simple passwords associated with the login. From a security perspective, accountability is important and is reflected in individual accounts with unique passwords. From a risk perspective, better to err on the side of security, especially when it comes to password complexity.

While most popular enterprises offer strong authentication options to their customers and users, for perception of cost and inconvenience, many fail to use this essential measure internally, even, as in this case, for privileged users. Make the implementation of strong authentication a high priority for 2024.

Using third party trackers isn't great. Maybe I missed the news, but I have not seen any fines for more serious issues like sending initial passwords in the clear via email or using client side JavaScript as sole input validation.

This one is an example of a long running failure to have privacy requirements for any product/service procurement where customer data will be tracked or stored. Security/privacy teams have to assert themselves into the procurement process and into making sure marketing heads understand why privacy is legally a concern.

Are you using trackers on your web site? Are you certain? Are you aware what they store and who has access to that data? More importantly, if you’re using a tracker do you know what it can and cannot do, and do you have appropriate management approval?

Over 13 states have adopted a data privacy statute or similar law. Data collected by these tracking tools is protected by state laws. This should serve as a wake-up call for every organization that employs third-party tracking tools, to review their data privacy policies and use of third-party tracking tools.

It is interesting to see how the state of New York will go over entities like this. Specifically trackers and analytics are such a normal part of our Web life.

LastPass is asking you to do two things if you haven’t already. First, re-enroll your MFA token (Google Authenticator, LastPass Authenticator, MS Authenticator) and second confirm that you’ve got a password of 12 or more characters. Note they are still using the old complexity requirements - at least one of upper, lower, numeric and special character, as well as modern guidance of not using information tied to you, sequential characters, etc. Make sure you’re selecting something you can remember and enter reliably.

Some important changes, but the problem isn't so much password length, but the fact that the password is user selected. Competitors use a randomly generated string in addition to the user's password to encrypt password vaults. User passwords will always be week and to some extend guessable no matter the length.

I’m a huge fan of password managers but they are also a single point of failure. In many ways you could consider your password for your Password Manager your most important password. Not sure if LastPass is taking the right approach here, especially after their security issues. What I think would be fantastic is making the MFA the default option. If you did not want MFA, you have to manually disable it and then require something longer than 12 characters. I’m a big fan of passphrases as they are easier to remember and type, but have the entropy needed. I personally prefer the standard of at least 16 characters.

This is in the no good deed goes unpunished category. When creating an archive of data for future use, legal hold, etc., make sure you’ve carefully documented how the information is protected and accessed. At some point you’re going to want to consider when that offline storage may be the proper solution.

Two aspects come to light with this cyber incident: 1) data retention and storage; and 2) acquisition due diligence. While companies have legal obligations to retain data, if it’s no longer required for operational purposes place it in off-site storage. Due diligence should have surfaced the cyber incident prior to acquisition. Regardless, Coastal Medical Transportation Systems is now liable for the data breach.

It is hard to find good numbers, but it is pretty clear that more than half of the vulnerabilities in big name software, like Google, Microsoft, Apple, etc., continue to be found by external researchers. By definition, this means no new releasee of a product/service can be trusted until a lot of outsiders have pounded on it. Since business demands often drive “no, we have to move now,” better to have those outsiders be part of a well-managed bug bounty effort.

Now that we’re back from the holiday break, it’s a good time to scan for systems that don’t have the updated version deployed. Make sure you’ve got data from 2024 for each endpoint, and watch for users which are still waiting on the “reload/relaunch to update” step. Give thought to deploying a setting which sets the max age on the update before the restart is forced.

Prefer single purpose built software. Browsers have long since passed the threshold of complexity beyond which they should not be relied upon for sensitive applications.