Mon Dieu! Nearly half the French population have data nabbed in massive breach
PLUS: Juniper's support portal leaks customer info; Canada moves to ban Flipper Zero; Critical vulns
Infosec In Brief Nearly half the citizens of France have had their data exposed in a massive security breach at two third-party healthcare payment servicers, the French data privacy watchdog disclosed last week.
Payments outfits Viamedis and Almerys both experienced breaches of their systems in late January, the National Commission on Informatics and Liberty (CNIL) revealed, leading to the theft of data belonging to more than 33 million customers. Affected data on customers and their families includes dates of birth, marital status, social security numbers and insurance information. No banking info, medical data or contact information was compromised, the CNIL added.
"This is the first time that there has been a violation of this magnitude [in France]," Yann Padova, digital data protection lawyer and former secretary general of the CNIL told French radio network Franceinfo. Padova believes the breach is the largest in France's history.
Viamedis was reportedly compromised through a phishing attack that targeted healthcare professionals, and used credentials stolen from such professionals to gain access to its systems. Almerys didn't disclose how its compromise occurred, but it's possible the ingress was similar in nature – it admitted the attacker gained access through a portal used by healthcare providers.
The CNIL said that it's working with Viamedis and Almerys to ensure those affected are informed – as is required under the EU's General Data Protection Regulation – but it'll likely take some time to get the word out to nearly half the country.
In the meantime, French officials are warning that the stolen data could be combined with data from other breaches to be used in phishing attacks or social engineering schemes. An investigation has been opened, the CNIL said, to determine whether either organization is at fault for the breach.
Juniper reportedly leaks customer info
Networking biz Juniper reportedly leaked information about the devices its customers owned, according to a Krebs on Security report.
The source of the leak was Juniper's support portal, which was apparently found by a 17-year-old intern to allow searches on the name of any customer – and then to produce a list of devices they had acquired and registered with Juniper.
Juniper has fixed the flaw, which appears to stem from improper configuration of the Salesforce SaaS it uses to power its support site.
– Simon Sharwood
Critical vulnerabilities of the week
Cisco is warning of some serious cross-site request forgery vulnerabilities in its Expressway Series devices that could give an attacker the ability to perform arbitrary actions on compromised devices.
There are three CVEs to be concerned with: CVE-2024-20252, CVE-2024-20254 and CVE-2024-20255, all of which affect the API for the collaboration hardware. "These vulnerabilities are due to insufficient CSRF protections for the web-based management interface of an affected system," Cisco explained. Patches are available, so get 'em installed on both Expressway-C and Expressway-E devices.
Elsewhere:
- CVSS 9.8 – Multiple CVEs: ProPump and Controls Osprey Pump Controller software prior to release 20230518 is affected by a whole slew of vulnerabilities that could give an attacker administrative control.
In known exploited vulnerability news:
- CVSS 10.0 – CVE-2023-22527: Arctic Wolf security researchers say exploitation of previously reported Atlassian Confluence Server vulnerabilities is continuing, with controllers of C3RB3R ransomware now trying to make use of the template injection flaw.
- CVSS 8.8 – CVE-2023-4762: A known type confusion bug in Chromium's V8 JavaScript engine (in Chrome versions prior to 116.0.5845.179) that was previously exploited to install Predator spyware is still being exploited.
No more tricks: Canada wants to ban the Flipper Zero
Canadian citizens who want to get their hands on the "multi-tool device for geeks" known as the Flipper Zero ought to move fast – the government wants to ban them for fear they're being used to help criminals steal cars.
The government plans to pursue "all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero," Canadian public safety officials declared after a summit this week on combating auto theft.
The Flipper is a cool piece of hardware that's able to do a lot of stuff – but anyone familiar with the miniscule device is probably already shaking their head at the idea that the device, with its sub-GHz antenna, can help crooks steal cars.
Yes, some models are vulnerable to having wireless key fob codes sniffed. But most modern cars can't be cracked by the Flipper thanks to the use of rolling codes – supposing they're properly implemented, that is.
Besides, why hack a car when you can steal a Kia with some brute force and an old USB cable?
Updated to add
"Flipper Zero can’t be used to hijack any car, specifically the ones produced after the 1990s, since their security systems have rolling codes. Also, it’d require actively blocking the signal from the owner to catch the original signal, which Flipper Zero’s hardware is incapable of doing", Alex Kulagin, COO of Flipper Devices told The Register in a statement.
“Flipper Zero is intended for security testing and development, and we have taken necessary precautions to ensure the device can’t be used for nefarious purposes".
Florida man sentenced for dark web ID theft scheme … while already in prison
No, he didn't get caught with a tiny Linux box running Tor from under his mattress. Damien Dennis's long run as a con artist is just still catching up with him.
Currently serving 12 years in prison for bank fraud and aggravated identity theft in Florida, Dennis pled guilty this week to additional aggravated ID theft charges out of Georgia that appear related to his previous conviction.
Dennis was sentenced in Florida in 2022 for using fake IDs populated with real information to open bank accounts and take out fraudulent loans, in one case making off with $20k in cash using another person's identity.
Dennis didn't just buy and use stolen PII, though – he also crafted it into profiles to sell to other criminals, and offered guidance on how to use the dodgy dossiers to commit bank fraud.
The DoJ has added two years to Dennis's sentence for the trouble and fined him $250,000 as well. ®