Security Leftovers
-
The Independent UK ☛ Multiple vulnerabilities found in PureVPN Linux app
Researchers say they have found multiple security vulnerabilities affecting PureVPN’s desktop client for Linux. The two vulnerabilities include IP leaking and Remote Code Execution (RCE) in certain conditions. Since the discovery, the VPN provider says it has patched IP leaking, while the RCE issue is yet to be fixed.
-
Multiple Critical Vulnerabilities in PureVPN - Remote Code Execution + IP Leak
This blog post highlights two vulnerabilities found in PureVPN, one being an IP leak, which is as bad as an RCE in the VPN world, and the other being Remote Code Execution in certain conditions. PureVPN is a very popular VPN that has been in the game for more than a decade and has slowly started entering into other security products.
[...]
PureVPN responded by acknowledging the IP leak vulnerability and fixed it in the subsequent release. The RCE, however, PureVPN classified as “Won’t Fix” and responded with the following...
-
Forbes ☛ A Hacker Faked His Own Death–Then Claimed To Have Sold Marriott Customer Data To Russians, FBI Says
A hacker told the FBI earlier this year that he sold access to the personal data of Marriott hotel customers on a Russian forum, according to a search warrant obtained by Forbes. He also hacked into a number of U.S. state death certificate registration agencies in an effort to fake his own demise, Department of Justice investigators alleged.
The defendant, Jesse Kipf from Somerset, Kentucky, was charged last month with hacking into employee accounts at two Marriott contractors earlier this year: Canadian hotel internet service provider GuestTek and online marketing specialist Milestone. With access to their internal networks, Kipf said he was able to view Marriott personal customer information and evidence indicates he sold access to the data on a Russia-based online forum known as Exploit.in, investigators claimed.
-
Data Breaches ☛ UK: Former NHS secretary found guilty of illegally accessing medical records
A former NHS employee has been found guilty and fined for illegally accessing the medical records of over 150 people.
Loretta Alborghetti, from Redditch, worked as a medical secretary within the Ophthalmology department at Worcestershire Acute Hospitals NHS Trust when she illegally accessed the records.
In June 2019, a complaint was raised by a patient who was concerned that their medical records had been accessed by an employee. An investigation revealed that Ms Alborghetti had accessed this individual’s records 33 times between March 2019 and June 2019, without consent or a business need to do so.
-
CNBC ☛ T-Mobile sued after employee stole nude images from customer phone during trade-in
T-Mobile is once again being accused of failing to protect sensitive consumer data after an employee at one of its retail stores stole nude images from a customer’s phone when she came to trade in an old device, according to a lawsuit filed Friday.
The incident is similar to at least eight others levied against T-Mobile in the past, according to court records and news reports. The lawsuit comes as wireless companies and other tech giants face increasing pressure from lawmakers to do more to protect customer data.
The suit, filed in Washington state court, accuses T-Mobile of failing to properly train its retail workers and “turning a blind eye” when employees use their access to steal customer data under the guise they’re helping them with repairs and data transfers.
-
Data Breaches ☛ Does claiming you were hacked when you had really just screwed up violate the FTC Act?
Nowhere in the notification letter does the entity reveal or admit they had an unsecured blob.
-
CBC ☛ CEOs of Ontario hospitals hit by ransomware attack break down impact on operations, patients [Ed: Windows TCO]
For the first time, top leadership from the five southwestern Ontario hospitals hit by a ransomware attack answered questions from the media — acknowledging the significant impact the incident has had on care, as well as the large amount of stolen data.
During the roughly 50-minute meeting on Friday, each hospital CEO said their facility has been hard hit by the Oct. 23 attack, but recovery is ongoing and they’re getting by with the hard work of staff. With systems down and hospitals unable to access critical information, thousands of patient appointments have been cancelled across the five hospitals, creating backlogs of varying lengths at some of the facilities.
-
Hospital CEOs looking for no ransom payment legislation [Ed: Windows TCO]
A call for help to various levels of government from CEOs at five Southwestern Ontario hospitals impacted by a ransomware attack.
The cyberattack began back on October 23, impacting services at Windsor Regional Hospital, Hotel-Dieu Grace Healthcare, Erie Shores Healthcare in Leamington, Bluewater Health in Sarnia, and Chatham-Kent Health Alliance.
Windsor Regional Hospital President and CEO David Musyj says they were dealing with a different type of criminal, and the last thing you want to do is poke the bear.
Concerns shared with the CEOs by experts in situations like these are why they decided against paying the ransom, but Musyj says they're looking for action.
-
Data Breaches ☛ CEOs of Ontario hospitals hit by ransomware attack provide updates on impact and look for no ransom payment legislation [Ed: Windows TCO]
We have left hospitals, small businesses, school districts, and local governments to maintain their own cavalries, which is unrealistic if we are going to urge them not to pay ransom, or actually prohibit them from paying ransom.
-
Data Breaches ☛ NoEscape gang continues to use DDoS to pressure reluctant victims to negotiate
No replies from PruittHealth or NoEscape have been received by publication. This post will be updated if or when replies are received.
PruittHealth was previously known as UHS-Pruitt. Under that name, DataBreaches had reported on some data security breaches in 2013-2014. Although not reported on DataBreaches at the time, PruittHealth Hospice in South Carolina reported an office burglary in April 2016 that affected 1,437 patients.
-
Long Beach Declares ‘Local Emergency’ After Cyber Incident
At a special meeting Friday afternoon, members of the Long Beach City Council approved City Manager Tom Modica’s Proclamation of Local Emergency following a “potential cybersecurity incident” earlier in the week.
The city said in a news release the move would help smooth and strengthen its response to the event, which happened Tuesday. In an online statement the city said it took several systems offline “out of an abundance of caution” after detecting a network security incident on Tuesday. Those systems will remain offline until the city is certain they can be safely reintroduced to the network. As of Friday, the city was anticipating that could take several days.
-
Data Breaches ☛ Was Yakima Valley Radiology the victim of a cyberattack? They’re not answering that.
On September 24, Karakurt threat actors added Yakima Valley Radiology PC to their leak site. Their listing claimed that they acquired 9.31 GB of files including “financial reports, client lists with contacts, list of patients for 15 years (212579 rows), a database of social security numbers (including staff, doctors) with 766000 rows.”
Karakurt did not provide any screenshots as proof of claims.
Yakima Valley Radiology did not respond to a phone message left for them last week by DataBreaches inquiring about Karakurt’s claims, and their website does not provide any email contact for inquiries.
-
Hunton Andrews Kurth ☛ Australian Privacy Regulator Sues in Data Breach Case
Patrick Gunning from King & Wood Mallesons reports that, on November 2, 2023, the Australian Information Commissioner filed proceedings in the Federal Court of Australia against Australian Clinical Labs Limited seeking a civil penalty (i.e., a fine) in connection with the company’s response to a data breach that occurred in February 2022. The case is significant because: (1) it is only the second time that the Australian regulator has brought court proceedings of this kind despite having the power to do so since 2014; and (2) it signals the regulator’s priority in ensuring that cybersecurity incidents are responded to swiftly. The Australian legislature increased maximum penalties for ‘serious’ contraventions of the Privacy Act with effect from December 2022 to at least A$50 million. However, the maximum penalty available in this case will be A$2.2 million because the company’s conduct occurred prior to December 2022.