Contractor loses entire Japanese city's personal data in USB fail
Also, Chrome add-ons are great for fingerprinting, and hacked hot tubs splurge details
In brief A Japanese contractor working in the city of Amagasaki, near Osaka, reportedly mislaid a USB drive containing personal data on the metropolis's 460,000 residents.
The unidentified man, who was a contractor with the city working to disburse pandemic subsidies, placed the drive containing all the records into his bag, which he took with him on a night out on the town earlier this week.
It's unknown how good a time the man had, but he reportedly ended up passing out in the street, according to Japanese broadcaster NHK, which cited the company that employed him and an incident report from the Amagasaki city government. The company told NHK that, upon waking, the contractor found his bag was missing.
The incident report states that the memory stick contained names, birth dates, addresses, tax details, banking information, and social security records – all of it very private and potentially harmful if stolen.
Amagasaki officials said the data on the USB stick was encrypted, and offered apologies for harming the public's trust in their administration.
All the worry came to naught, though. After searching the area with police, the bag and the USB stick were found. Amagasaki officials said there's no evidence anyone attempted to access the information.
CISA fields advisor recommendations, warns that Log4j is still around
The Cybersecurity and Infrastructure Security Agency (CISA) held its third Cybersecurity Advisory Committee meeting this week, where it made a laundry list of recommendations on its programs and policies.
After six months of prognostication, here's a quick rundown of the recommendations made by advisors from Mastercard, Apple, the University of Washington, and other organizations, who met in six subcommittees:
- CISA needs to prioritize developing a strong workforce by improving its talent acquisition process to compete with the private sector
- Create a new chief people officer at CISA
- CISA should launch a nationwide "311" program to provide an emergency call line for SMBs hit by cyber attacks
- CISA needs to expand its "More Than a Password" MFA campaign by reaching out to NGOs, other government agencies, and private sector partners
- CISA should take all necessary steps to ensure all companies working with the US Federal Government have fully adopted MFA by 2025
- Streamline the incident reporting and vulnerability reporting processes
- Establish a central platform to handle intake of suspected vulnerabilities
- Improve communication between security researchers, agencies and vendors
- Address the risks of misinformation, disinformation, and malinformation in American society
Of the recommendations, two were mentioned by more than one subcommittee: expanding the More Than a Password campaign, and establishing the SMB 311 line.
CISA director Jen Easterly said that the next meeting would focus on strategies to develop a national alert system for cyber risks.
CISA also released a cybersecurity alert this week warning that Log4Shell is still around and actively being exploited. Together with the US Coast Guard Cyber Command, CISA released an advisory stating that hackers and state-sponsored APT groups are still exploiting Log4Shell on devices that haven't been patched.
CISA said the info it reported was derived from two related incidents. It wasn't immediately clear how the Coast Guard was involved.
Chrome add-ons can be used to fingerprint browsers
Modern privacy software has defeated many of the methods used for browser fingerprinting, but it will have a hard time fixing this problem in Chrome, which appears to be inherent to the way the browser handles extensions.
Browser fingerprinting involves gathering information left behind by sessions that identify the browser, or the person behind it, well enough to serve ads and tailor online experiences. In the case of Chrome extensions, says a security researcher going by z0ccc on GitHub, the combination in any given browser can easily ID users.
Chrome stores a list of its extensions in a web-accessible resource file that any web page can view. z0ccc was able to build a demo website that scans for over 1,000 Chrome browser extensions and returns a percentage-based chance that another user was using the exact same extensions.
In this case, only 0.003 percent of Chrome users share the same set of add-ons, meaning the extension fingerprint would very likely single out the browser from a pool of other visitors.
For those concerned that nowhere online is safe from browser fingerprinting, z0ccc noted that Firefox uses unique extension IDs for every browser instance and so can't be fingerprinted the same way. Microsoft Edge is vulnerable, however.
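As an added illustration (not the article's or z0ccc's code), the following JavaScript lints a Chrome Manifest V3 file for web-accessible resources that remain reachable at the extension's fixed ID, which is the property a probing page relies on. It assumes Chrome's `use_dynamic_url` manifest flag, which serves such resources only under a per-session ID; the sample manifests are constructed.

```javascript
// Added example: a small linter an extension developer can run over a
// manifest to list resources that a web page can request at the fixed
// chrome-extension://<id>/<path> URL. Chrome's "use_dynamic_url" flag
// (assumed available in the target Chrome version) removes that static path.

function probeableResources(manifest) {
  const findings = [];
  const entries = manifest.web_accessible_resources || [];
  for (const entry of entries) {
    // Manifest V2 lists bare strings; each is reachable by every site.
    if (typeof entry === "string") {
      findings.push({ resource: entry, reason: "MV2 entry, static URL for all sites" });
      continue;
    }
    // MV3 entries reachable only by other extensions (extension_ids, no
    // matches) are not visible to ordinary web pages, so they are skipped.
    if (!Array.isArray(entry.matches) || entry.matches.length === 0) continue;
    if (entry.use_dynamic_url === true) continue; // served under dynamic ID only
    for (const r of entry.resources || []) {
      findings.push({ resource: r, reason: `static URL exposed to ${entry.matches.join(",")}` });
    }
  }
  return findings;
}

// Constructed sample manifests: the weak form exposes both files at the
// fixed ID; the hardened form keeps the same resources but opts into the
// dynamic URL, so a page cannot confirm the extension by fetching them.
const weakManifest = {
  manifest_version: 3,
  name: "example-ext",
  web_accessible_resources: [
    { resources: ["icon.png", "inject.js"], matches: ["<all_urls>"] }
  ]
};

const hardenedManifest = {
  manifest_version: 3,
  name: "example-ext",
  web_accessible_resources: [
    { resources: ["icon.png", "inject.js"], matches: ["<all_urls>"], use_dynamic_url: true }
  ]
};
```

Resources that a content script genuinely needs from web pages can usually keep working under the dynamic URL, since the extension obtains it through its own runtime API rather than a hard-coded ID.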
Smart Jacuzzi not so smart with user data
A security researcher trying to set up their Jacuzzi SmartTub discovered an easily exploited flaw that gave them access to personal info of hot tub owners from around the world.
SmartTub, like other IoT products, lets users control their appliance from outside the home using an app. The bug in Jacuzzi's SmartTub system comes from its web portal, which uses a white-labeled Auth0 login page.
"I entered my details, thinking this was a website alternative to the mobile app. I was greeted with an Unauthorized screen. Right before that message appeared, I saw a header and table briefly flash on my screen... I was surprised to discover it was an admin panel populated with user data," said the researcher, who goes by Eaton Works.
All it took for Eaton to get into the admin panel was the web debugging tool Fiddler, used to intercept and modify an HTTP response so that the application treated him as an admin. "Once into the admin panel, the amount of data I was allowed to was staggering," Eaton exclaimed.
Details of each tub, along with the owner's name and email address, dealer location, and more, were viewable for customers from around the world. Eaton said it also appeared he could edit any of the data, though he didn't confirm whether changes would be saved.
Jacuzzi wasn't very willing to talk to Eaton about his findings either. "Dialog was not established until Auth0 stepped in. Even then, communication with Jacuzzi/SmartTub eventually dropped off completely, without any formal conclusion or acknowledgement they have addressed all reported issues," Eaton reported.
Eaton added that the admin panel has been taken offline, and can't be accessed via the web anymore. Eaton also has other security concerns with Jacuzzi not addressed in their report, and is open to speaking to the hot tub maker to help.
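The failure the researcher describes, as an added example that is not Jacuzzi's, SmartTub's or Eaton Works' code: an API that returns admin records to any authenticated caller and leaves the client to decide, from a response it can be made to alter in a proxy, whether to show them, beside the hardened form that enforces the role on the server. Session tokens, roles and owner records below are constructed.

```javascript
// Added example modelling the SmartTub-style bug. Both handlers take a minimal
// request object ({ headers: { authorization } }) and return { status, body }.

const SESSIONS = {                // hypothetical server-side session store
  "tok-owner-1": { user: "alice", role: "owner" },
  "tok-admin-9": { user: "carol", role: "admin" },
};
const TUB_OWNERS = [              // constructed stand-ins for customer records
  { name: "Alice Example", email: "alice@example.com", dealer: "Osaka" },
  { name: "Bob Sample", email: "bob@example.com", dealer: "Denver" },
];

function bearerToken(req) {
  const h = (req.headers && req.headers.authorization) || "";
  return h.startsWith("Bearer ") ? h.slice(7) : "";
}

// Vulnerable shape: every valid session receives the full record set plus an
// "isAdmin" hint. The UI renders the table and then hides it when the hint
// is false, which is why the panel briefly flashes and why rewriting the
// response in a debugging proxy is enough to keep it on screen.
function adminUsersVulnerable(req) {
  const session = SESSIONS[bearerToken(req)];
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  return { status: 200, body: { isAdmin: session.role === "admin", users: TUB_OWNERS } };
}

// Hardened shape: the role check runs on the server before any record is
// selected. A non-admin gets 403 and no data, so nothing the client edits
// in a response changes what it was given.
function adminUsersHardened(req) {
  const session = SESSIONS[bearerToken(req)];
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  if (session.role !== "admin") return { status: 403, body: { error: "forbidden" } };
  return { status: 200, body: { users: TUB_OWNERS } };
}
```

The same rule applies to the edit endpoints Eaton suspected were writable: each write must re-check the caller's role server-side rather than trusting that the panel was only shown to admins.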
Mitel VoIP zero-day found exploited in the wild
CrowdStrike security researchers have discovered a flaw in Mitel VoIP appliances being actively exploited to launch ransomware attacks.
The novel exploit was found by CrowdStrike when investigating a failed ransomware attack on a customer. "All of the identified malicious activity had originated from an internal IP address" discovered to be "a Linux-based Mitel VoIP appliance sitting on the network perimeter," CrowdStrike said.
All the attacker needed to gain access to the VoIP appliances was to send a pair of GET requests: one to mask traffic to a malicious address, and a second to inject a command that pointed the GET request to attacker-controlled infrastructure.
CrowdStrike said the attack was stopped before ransomware could be deployed, and said Mitel has released a patch that addresses the problem. Of the exploit itself, CrowdStrike said that edge appliances like Mitel VoIP devices have extremely limited security or endpoint detection options available, making timely patching a must.
Additionally, CrowdStrike emphasized security best practices such as isolating critical assets from perimeter devices, segmenting the network, maintaining an up-to-date asset inventory, keeping a short leash on service accounts, and requiring MFA, especially for access to critical assets. ®