FTC secures first databroker settlement banning sale of sensitive location data
Also, iOS spyware abused Apple's own ECC, breach victim says it can't figure out what hackers took, and some critical vulns
Infosec in brief The US Federal Trade Commission has secured its first data broker settlement agreement, prohibiting X-Mode Social from sharing or selling sensitive location data.
In its complaint, the FTC accused X-Mode, which sold its assets to successor firm Outlogic in 2021, of selling raw non-anonymized location data collected through its own apps and an SDK for embedding in third-party applications.
The X-Mode SDK has been found in hundreds of apps downloaded billions of times on both Apple and Android devices.
"By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance," chair Lina Khan said of the settlement.
According to the FTC complaint [PDF], X-Mode/Outlogic has for years collected and sold data associated with mobile advertising IDs, which can easily be matched to an individual mobile device to figure out what locations an individual has visited.
If that sounds familiar, it's the same allegations the FTC leveled against data broker Kochava when it filed a complaint against that company in 2022.
According to the FTC's complaints against Kochava and Outlogic, data collected and sold by the companies could easily be used to link individuals to places of worship, homeless and domestic violence shelters, addiction facilities, reproductive health clinics, and other sensitive locations.
The threat of data misuse by governments and individuals since the overturning of Roe v Wade has made the collection of this data type an even more pressing issue to address.
Per the settlement [PDF], Outlogic will be required to delete all data it has previously collected and to honor opt-out requests. The FTC said the company had not previously asked users for consent to have their location data collected.
Additionally, Outlogic will be required to maintain a list of sensitive locations for which it won't gather data, and must implement procedures to ensure buyers of its location data can't associate what they've purchased with sensitive locations.
"The FTC's action against X-Mode makes clear that businesses do not have free license to market and sell Americans' sensitive location data," Khan said.
Critical vulnerabilities: Patch Wednesday, Thursday, and Friday too!
Patch Tuesday week usually means this section of the security roundup is brief, but not this time.
Cisco, for example, waited until Wednesday to disclose that the web-based management interface of Cisco Unity Connection exposed a "specific API" that operated without authentication. The issue (CVE-2024-20272) has been patched, but Cisco warns an unauthenticated remote attacker could use it to gain root on the underlying system, so install ASAP.
- CVSS 10.0 – CVE-2023-51438: Several Siemens SIMATIC products that ship with maxView Storage Manager on Windows improperly validate input, opening the door to unauthorized access.
- CVSS 9.8 – Multiple CVEs: Siemens SIMATIC CN 4100 devices running software prior to v2.7 contain a series of vulnerabilities that could allow an attacker to log in as root or cause denial of service.
- CVSS 9.6 – Multiple CVEs: Rapid Software's Rapid SCADA, v5.8.4 and prior, contain a bunch of vulnerabilities that could give an attacker RCE capabilities, privilege escalation, and the like.
- CVSS 8.3 – CVE-2023-44250: Fortinet's FortiOS and FortiProxy HA cluster are improperly managing privileges, allowing an authenticated attacker to elevate their actions.
It was also a busy week in known exploits land, with several previously identified vulnerabilities found under active exploitation:
- CVSS 9.8 – CVE-2023-29300: Some versions of Adobe ColdFusion are affected by a deserialization of untrusted data vulnerability that could result in arbitrary code execution.
- CVSS 9.8 – CVE-2023-38203: It's a different CVE, but this Adobe ColdFusion vulnerability is essentially the same in scope as above.
- CVSS 9.8 – CVE-2023-27524: Apache Superset up to and including v2.0.1 ships with a default SECRET_KEY, the value used to sign session cookies; unless administrators replace it as the installation instructions direct, anyone who knows the default can authenticate as an existing user and take over the installation.
- CVSS 9.8 – CVE-2023-29357: Identified last year, this Microsoft SharePoint Server elevation of privilege vulnerability is being exploited by attackers.
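The Superset entry above is the textbook "weak default config" case: a Flask-style app signs its session cookie with SECRET_KEY, so a key that is public knowledge lets anyone mint a cookie the server will trust. The following is an added example, not code from The Register, Apache Superset or Flask. It models the signing scheme in stand-alone form (HMAC-SHA256 over a JSON payload, not Flask's exact itsdangerous cookie format) so it runs offline, shows a forged admin session being accepted under a placeholder default key and rejected once the key is rotated, and includes the config audit a practitioner would want. The `DEFAULT_SECRET_KEY` value, the `_user_id` session field and the helper names are constructed for illustration and are not Superset's real defaults.

```python
"""Why an unchanged default SECRET_KEY means session takeover.

Added example; not code from The Register, Apache Superset or Flask.
Simplified model of a Flask-style signed session cookie (HMAC-SHA256,
not itsdangerous' exact format). The default key below is a constructed
placeholder, not the real Superset default.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed placeholder standing in for a key shipped in a default config file.
DEFAULT_SECRET_KEY = "CHANGE_ME_default_dev_key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(session: dict, secret_key: str) -> str:
    """Serialize a session dict and append an HMAC over it: payload.signature."""
    payload = _b64(json.dumps(session, sort_keys=True).encode())
    sig = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def load_session(cookie: str, secret_key: str) -> Optional[dict]:
    """Return the session dict if the signature verifies under secret_key, else None."""
    try:
        payload, sig = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(payload))


def forge_admin_cookie(known_key: str, admin_user_id: int = 1) -> str:
    """What an attacker does once the signing key is public: mint their own session."""
    return sign_session({"_user_id": str(admin_user_id), "_fresh": True}, known_key)


def audit_secret_key(secret_key: str, known_defaults=(DEFAULT_SECRET_KEY,), min_len: int = 32) -> list:
    """Config check: flag a key that matches a known default or is too short."""
    problems = []
    if secret_key in known_defaults:
        problems.append("SECRET_KEY is a known default value")
    if len(secret_key) < min_len:
        problems.append(f"SECRET_KEY shorter than {min_len} characters")
    return problems


def generate_secret_key() -> str:
    """Replacement value: 32 random bytes, base64-encoded (44 characters)."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def demo() -> dict:
    """Forge under the default key, then show rotation invalidates the forgery."""
    forged = forge_admin_cookie(DEFAULT_SECRET_KEY)
    rotated = generate_secret_key()
    return {
        "accepted_with_default": load_session(forged, DEFAULT_SECRET_KEY),
        "accepted_after_rotation": load_session(forged, rotated),
        "audit_default": audit_secret_key(DEFAULT_SECRET_KEY),
        "audit_rotated": audit_secret_key(rotated),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that rotating the key is only half the fix: every session signed under the old key, forged or legitimate, dies at once, so schedule the rotation and tell users to log in again. The audit helper is the kind of check to run against a config file in CI before deployment.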
iOSpionage campaign used Apple's own ECC against it
Cast your mind back to summer 2023, and you may recall Kaspersky researchers discovered malware they dubbed "TriangleDB" which had infected their own devices. The nasty code was capable of snooping on all sorts of sensitive data, as well as taking recordings from device microphones and cameras.
Kaspersky said, in an update to its breakdown of the TriangleDB malware, that it looks like the miscreants behind it were abusing Apple's own error correction code to gain access to a device's memory.
According to Kaspersky, TriangleDB made use of an undocumented hardware feature in Apple SoCs that the researchers had taken to be a debugging facility. Having established that it is actually an error correction code (ECC) mechanism, the researchers say the feature is designed to provide direct memory access via the device's cache.
This raises additional questions – specifically how those behind TriangleDB managed to find the feature, Kaspersky said. Russian officials previously accused Apple of working with US officials to develop spyware targeting devices in the country.
Breached healthcare firm says it can't figure out what data hackers took
Texas-based healthcare services provider HMG is the latest medical organization to be hit by a data breach, but one with a twist: The company said it has no idea what data was actually stolen.
In a statement this week, HMG revealed it didn't manage to identify an August breach affecting 40 of its facilities until November – three months after the digital break-in occurred. Attackers reportedly gained access to a server containing unencrypted files including medical records and other information such as patient names, dates of birth, SSNs, and additional sensitive personal and healthcare data.
"HMG attempted to identify the specific data that was compromised but we have now determined that such identification is not feasible," the company said. And it doesn't appear HMG is even sure it's resolved the issue, saying only that it "believes that the breach has been mitigated."
HMG encourages those affected to monitor account statements and credit reports, but unlike similar breaches elsewhere, it doesn't appear the company is springing for complimentary credit monitoring. ®