SANS NewsBites

Wireless Carriers Fined for Selling Customer Location Data, Kaiser Permanente Patient Data Exposed Through Tracking Tools, UK: No More Weak IoT Device Passwords

April 30, 2024  |  Volume XXVI - Issue #34

Top of the News


2024-04-29

Wireless Carriers Fined for Selling Customer Location Data

The US Federal Communications Commission (FCC) has fined AT&T, Sprint, T-Mobile, and Verizon a total of nearly $200 million for selling customers' real-time location data to data brokers. The FCC proposed the fines more than four years ago, stating that the carriers had apparently disclosed their customers' location information without their consent and continued to sell access to that information without reasonable safeguards.

Editor's Note

The carriers are pushing back on the FCC saying it was the third-party who violated the requirement to properly obtain consent to release the data. The FCC says that was their responsibility, highlighting the need to better understand what the legal requirements are on data brokers who collect and resell this data. While there isn't a lot you can do in this scenario, you can cross check how your third party providers are protecting your data and understand what conditions, if any, exist where they could share it.

Lee Neely

Carriers have a responsibility for collecting location data to support law enforcement and emergency services (e911) but that doesn't mean they should make it available for sale. Absent a US privacy rights law, expect companies to produce new ways to use data they routinely collect to add to their bottom line.

Curtis Dukes

This is a violation of a law, so the fine is valid from what I am reading. What is interesting is that the providers must have thought differently or something else must have been considered because this went on for years after they had brought up the fine.

Moses Frost

2024-04-29

Kaiser Permanente Patient Data Exposed Through Tracking Tools

Kaiser Permanente is notifying 13.4 million current and former patients that their personal data may have been exposed via tracking tools. The issue affects Kaiser patients who accessed the healthcare services organization's website and mobile app. The tracking code has been removed from Kaiser's website. Kaiser notified the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) of the incident on April 12. The data may have been exposed to Microsoft, Google, and X (formerly known as Twitter).

Editor's Note

The HHS Office has hundreds of ongoing investigations of security failures by covered institutions that have been initiated just since the start of 2024. Kaiser's illegal tracking practices have already triggered a 2023 class action lawsuit and large fines will surely follow. Important to inform management about the almost certainty that the financial gain from betraying customers' trust by installing such tracking tools is almost certainly going to be less than the costs of getting caught doing so.

John Pescatore

Those web tracking and analytics tracking codes are really appealing with the insights they provide on your site usage. A study last year by University of Pennsylvania and Carnegie Mellon found 98.6% of non-federal acute care hospitals in the U.S. use third-party tracking tools on their websites. The problem is these third-party trackers may reveal more information than you intend. HHS published guidance on trackers in 2022: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html), which provides insight on their use and what can be revealed. Even if you're not protecting HIPAA data, it gives you a sense of what to be concerned about for your shop.

Lee Neely

On-line tracking tools have become invaluable to chart a customer's journey as they engage a company's website or mobile app. Unfortunately, if you don't read the fine print, you don't realize the third-party also has access to the data. CISOs: make this part of the discussion as you implement your information security program.

Curtis Dukes

2024-04-29

UK: No More Weak IoT Device Passwords

The UK has banned the use of easily discoverable default passwords on IoT devices. Companies that ship products without the protections will be subject to significant fines. The change is part of the updated version of the 2022 Product Security and Telecommunications Infrastructure Act (PSTI), which took effect on Monday, April 29, 2024. The updated regulation prohibits the use of easy-to-guess default passwords; instead, default passwords need to be randomized, or a password must be generated when the device is initialized. The passwords must be resistant to credential stuffing and brute force attacks, and changing the password should be easy. The regulation also requires companies to provide a point of contact for reporting security issues and to be clear about the minimum period during which the device will receive security updates.

Editor's Note

This law is interesting in that it goes beyond "passwords". The law itself just outlines the rulemaking and enforcement process, allowing for details to be adjusted in the future. Currently, the rules focus on passwords, but also specify the requirement for a point of contact to report security issues, something that has been a problem in the past for researchers who found problems in devices. It also requires manufacturers to publish a defined support period and defines a recall procedure for defective devices. It will be interesting to see how this law will be applied and how manufacturers react.

Johannes Ullrich

This has origins in the Mirai botnet attack from 2017, which leveraged default passwords on these devices. Unfortunately, that wasn't enough for the needed systemic move away from these credentials, so now regulations are starting to come into play to force the issue, not just requiring better credential management but also security updates with documented lifecycles. The UK put some teeth into this regulation; devices not meeting the security requirements could face recall and the responsible companies fined up to $12.53 Million or 4% of their global revenue, whichever is higher. The EU is working on similar legislation in their Cyber Resilience Act, which is neither fully ratified nor expected to apply until 2027.

Lee Neely

Embedded default passwords are like lead in gasoline, red dye #2 in food, gas tanks in the trunks of cars, etc. Anyone selling products that contain those known dangerous ingredients should face fines first and in coming years, prosecution.

John Pescatore

The risk with passwords is not that they can be easily guessed but that they are reusable. In the case of appliances, discovered on one, usable against all other instances of the same appliance. We must get over the idea that the issue is weak passwords: it is passwords per se.

William Hugh Murray

The use of default passwords has become a thing over the last year. We've seen default passwords used to attack water systems. We've seen default passwords used to collect SOHO routers as part of a bot network. The UK ban will hopefully force a change and implementation of secure by design principles by vendors. Other nations should adopt these measures to send a demand signal to IoT vendors.

Curtis Dukes

The Rest of the Week's News


2024-04-29

All Branches of Canadian Pharmacy Closed Following Cybersecurity Incident

Canada's London Drugs has temporarily closed all branches of the pharmacy chain due to an operational issue caused by a cybersecurity incident. London Drugs has nearly 80 locations across Western Canada. In a social media post, London Drugs notes that pharmacists are available by phone.

Editor's Note

As London Drugs reacts to the incident, taking appropriate steps to contain and recover from the incident, their guidance and actions are becoming inconsistent. Advising customers to call their pharmacy, changed to go to the stores, which are closed after they took the phone system offline. Make sure that you're coordinating your response actions with customer communications to not result in impossible guidance. These are good scenarios to incorporate in your next tabletop exercise.

Lee Neely

I'm not sure what this ultimately gains attackers outside of, say, identity theft; outages are more serious. Imagine not being able to get critical medicine because your pharmacist is closed.

Moses Frost

2024-04-29

Debt Collection Company Discloses Data Breach

Financial Business and Consumer Solutions (FBCS), a US debt collection agency, has disclosed a data breach that affects nearly two million people. An unauthorized third party had access to the affected systems for about two weeks in February 2024; FBCS became aware of the breach on February 26. In a filing with the Maine Attorney General's Office, FBCS says that the intruders accessed or exfiltrated data, including names, Social Security numbers, and account details.

Editor's Note

FBCS rebuilt their systems and implemented additional security measures to prevent recurrence. Affected individuals are being provided with 12 months of free credit monitoring services. The trend of breaching sensitive information is not slowing, highlighting the need to make sure that you're protected. If you have a monitoring service, make sure that the information is current and comprehensive, that your credit is appropriately locked down, and you know what to do if you get a breach notification.

Lee Neely

A collection of sensitive data that one rarely, if ever, thinks about in an unregulated business.

William Hugh Murray

2024-04-29

Georgia County IT System Experiences Cybersecurity Incident

A cybersecurity incident has prompted Coffee County, Georgia, to sever its IT network connection to the state's voter-registration system. Coffee County was alerted to the incident two weeks ago by the US Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA). An investigation turned up evidence of cyber-activity by an unknown malicious actor.

Editor's Note

When a business partner has an incident, limiting their access, particularly via connected systems, until they have a clean bill of health seems like a good idea. The trick is developing the criteria for taking such action, to include what getting a clean bill of health means. Make sure you consider the different communication paths, VPN, API, etc. for the risks of each of those connections.

Lee Neely

2024-04-26

CISA Ransomware Vulnerability Warning Pilot Program

The US Cybersecurity and Infrastructure Security Agency's (CISA's) Ransomware Vulnerability Warning Pilot sent 1,754 notifications to government agencies and critical infrastructure operators in 2023. The notices resulted in 852 vulnerable devices being addressed or taken offline. Government facilities received 641 of the notices, followed by the healthcare and public health sector with 440, and the energy sector with 173.

Editor's Note

It would be interesting to learn more about why about half of the notices did not result in any updates.

Johannes Ullrich

Better to have a friendly warning from CISA than a breach notification. CISA is scanning Internet-facing systems subscribed to their Cyber Hygiene Vulnerability Scanning program, which has over 7,600 participating organizations. There is an expectation that if warned, you're going to take action to remediate the identified weakness in a timely fashion. Even if you're not eligible to participate, leverage the CISA #StopRansomware Guide for things you can do, many of which are no-cost actions.

Lee Neely

2024-04-29

US Federal Trade Commission Finalizes Changes to Health Breach Notification Rule

The US Federal Trade Commission (FTC) has finalized changes to their Health Breach Notification Rule (HBNR). The HBNR applies to vendors of personal health records and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA). Changes include clarifying what constitutes a breach of security, revising the definition of PHR-related entities, expanding the amount of information to be included in notifications, and changing the timing requirement for notifications. The final rule will take effect 60 days after publication in the Federal Register.

Editor's Note

The rule changes clarify the applicability to health/health tracking apps and similar technology such as wearable fitness devices and mobile health apps. The change includes breaches related to sharing of health data with third-party data brokers and advertisers, without user authorization. The expanded definition of a covered healthcare provider includes any website, app, etc. that provides a mechanism to track anything from bodily functions to fitness and sleep as well as medical diagnosis and treatment. It's expected that this will cover 193,000 entities, many of which are likely unaware of the rule change. If you're handling PHR in any form and were previously excluded from the HIPAA breach and notification requirements, read the updated HBNR: it's likely you are now in scope when the rule goes into effect.

Lee Neely

2024-04-29

CISA Guidelines for Mitigating AI Risks to Critical Infrastructure

The US Cybersecurity and Infrastructure Security Agency (CISA) has published guidance for owners and operators of critical infrastructure to mitigate AI risks. The document categorizes the AI risks into three types: Attacks Using AI; Attacks Targeting AI Systems; and Failures in AI Design and Implementation. The guidelines are broken into four areas: Governance, Mapping, Measurement, and Management.

Editor's Note

This guidance is a result of Executive Order 14110: Safe, Secure and Trustworthy Development and Use of Artificial Intelligence. From a practical perspective, use this to guide your path into AI. Most vendors have, and are about to incorporate or upgrade AI in their products, and you need to understand the risks and questions to ask. Those of you heading to RSA next week will be inundated with AI at every turn; the technology is really exciting. Being prepared with a plan for governance and AI risk acceptance will help you choose wisely.

Lee Neely

A good set of guidance that reemphasizes common cybersecurity best practices. The three AI risk types are the same for most any application: can the app be used for offensive purposes, can the app be attacked, and was the app designed securely? Bottom line, if you're effective in implementing your information security and risk management program, use of AI shouldn't be an issue.

Curtis Dukes

2024-04-29

Chrome 124's Quantum-Resistant Encryption is Causing Some TLS Connection Issues

When Google released Chrome 124 earlier this month, it included post-quantum secure TLS key encapsulation enabled by default. Some users have been reporting that the feature is causing problems, including the inability to connect to servers, firewalls, and websites. Google has been testing the feature since August 2023.

Editor's Note

The Quantum-Resistant encryption option is intended to be backwards compatible. However, some devices are rejecting the connection when the unexpected option is provided rather than simply falling back to current TLS options. Google strongly suggests working with the vendors to fix their implementation. In the meantime, you can disable X25519Kyber768 in Chrome using the PostQuantumKeyAgreementEnabled enterprise policy (true: Kyber enabled; false: disabled; not set: default behavior); this option is expected to be deprecated in the future.

Lee Neely

Given that most of the data that flows in the Internet is sensitive for only weeks to months, there is no reason why PQS encryption needs to be enabled by default at this time. It is sufficient that it be available for the protection of the small amount of data that might still be sensitive years from now when attacks against RSA become efficient.

William Hugh Murray

Kudos to Google for pushing a post quantum algorithm to defend against nation-state store now, decrypt later attacks. One of the realities of post quantum cryptography is larger key sizes that require a system update. The catch though, is when to push the new algorithms to impact the fewest systems. Google decided now was as good a time as any to make the transition to post quantum cryptography and I can't blame them.

Curtis Dukes

2024-04-29

Okta Says Credential Stuffing Attacks are Increasing

Okta has detected an increased incidence of credential stuffing attacks in both scale and frequency. Over the past several weeks, both Duo and Cisco have noted similar attacks on VPN devices. The attacks appear to be emanating from anonymizing services, such as the Tor network.

Editor's Note

Credential stuffing isn't new, and residential proxies have often been used to anonymize various brute force attacks. OWASP published a Credential Stuffing Prevention Cheat Sheet six years ago. OWASP does highlight multi factor authentication, not blocklists, as a way to mitigate credential stuffing attacks. Lists of residential proxies are ephemeral and will not prevent credential stuffing, just reduce the likelihood. Maybe this is more an attempt to highlight a new value add feature.

Johannes Ullrich

This is simply another data point confirming a changing trend in threat actor TTPs. Cyber attackers no longer hack into systems, they prefer to simply log into systems. This is often the first step in the "living-off-the-land" approach, making it far more difficult to detect, stop and effectively recover from incidents. We see the same in phishing attacks, the majority of which are not about infecting the victim's system but harvesting their credentials.

Lance Spitzner

Attackers are using residential proxies or other services that route traffic on behalf of a legitimate subscriber to emulate the behavior and connections from mobile devices and browsers of normal users, leveraging pilfered credentials to access systems without raising alarms. You may be able to detect some activity watching for impossible connections, but the better play would be replay and phishing resistant MFA. Take a hard look at implementing breached password notification, to include expectations for changing breached passwords and account lockout settings. Consider requiring both device and user authentication for remote connections to raise the bar on VPN connections.

Lee Neely
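As an added illustration of the detection angle in the note above (example code written for this edit, not from SANS, Okta or any vendor), the following Python flags two credential-stuffing indicators in constructed sample authentication log lines: a source address cycling through many usernames with mostly failures, and a user whose successful logins arrive from different countries within minutes of each other. The log format, field names, thresholds and sample values are all assumptions.

```python
"""Credential-stuffing indicators over constructed auth log lines.

Added example, not from SANS or Okta. The log format is invented:
"<ISO time> <src_ip> <user> <OK|FAIL> <country>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.7 cycles many usernames with mostly
# failures (stuffing pattern); "alice" logs in successfully from DE and
# then US one minute apart (impossible connection); the rest is noise.
SAMPLE_LOG = """\
2024-04-29T10:00:01Z 203.0.113.7 alice FAIL US
2024-04-29T10:00:02Z 203.0.113.7 bob FAIL US
2024-04-29T10:00:03Z 203.0.113.7 carol FAIL US
2024-04-29T10:00:04Z 203.0.113.7 dave FAIL US
2024-04-29T10:00:05Z 203.0.113.7 erin FAIL US
2024-04-29T10:00:06Z 203.0.113.7 frank OK US
2024-04-29T10:05:00Z 198.51.100.9 alice OK DE
2024-04-29T10:06:00Z 192.0.2.44 alice OK US
2024-04-29T10:07:00Z 192.0.2.44 alice OK US
2024-04-29T10:08:00Z 192.0.2.50 gina OK US
"""


def parse(log_text):
    """Split each line into (timestamp, src_ip, user, result, country)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result, country = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ip, user, result, country))
    return events


def stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Source IPs that try many distinct usernames and mostly fail."""
    by_ip = defaultdict(lambda: {"users": set(), "ok": 0, "total": 0})
    for _, ip, user, result, _ in events:
        stats = by_ip[ip]
        stats["users"].add(user)
        stats["total"] += 1
        stats["ok"] += result == "OK"
    return sorted(ip for ip, s in by_ip.items()
                  if len(s["users"]) >= min_users
                  and s["ok"] / s["total"] <= max_success_ratio)


def impossible_connections(events, window_minutes=60):
    """Users with successful logins from two countries inside the window."""
    by_user = defaultdict(list)
    for when, _, user, result, country in sorted(events):
        if result == "OK":
            by_user[user].append((when, country))
    hits = set()
    for user, seq in by_user.items():
        for (t1, c1), (t2, c2) in zip(seq, seq[1:]):
            if c1 != c2 and (t2 - t1).total_seconds() <= window_minutes * 60:
                hits.add(user)
    return sorted(hits)
```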

Stuffing attacks rely upon their efficiency of cheap computing capacity, like that in botnets.

William Hugh Murray

Internet Storm Center Tech Corner

DLink NAS Exploit Variation

https://www.qnap.com/en/security-advisory/qsa-24-09

Muddling Meerkat DNS Abuse

https://blogs.infoblox.com/threat-intelligence/a-cunning-operator-muddling-meerkat-and-chinas-great-firewall/

SEC522: SANSFIRE

https://www.sans.org/cyber-security-courses/application-security-securing-web-apps-api-microservices/

SEC522 Demo (requires free account):

https://www.sans.org/ondemand/get-demo/316

Okta warns of increase in credential stuffing

https://sec.okta.com/blockanonymizers

Android TV Data Leakage

https://www.youtube.com/watch?v=QiyBXXO8QpA

https://www.404media.co/android-tvs-can-expose-user-email-inboxes/

Fake payment cards used by Police in Japan

https://twitter.com/vxunderground/status/1783522097425211887

Phishing Campaigns Targeting USPS

https://www.akamai.com/blog/security-research/phishing-usps-malicious-domains-traffic-equal-to-legitimate-traffic

Chrome 124 Breaks TLS Handshake

https://www.reddit.com/r/sysadmin/comments/1carvpd/chrome_124_breaks_tls_handshake/