More stories

  • Medical school exposes personal data of thousands of students

    A US medical training school exposed the personally identifiable information (PII) of thousands of students. 

    On Wednesday, vpnMentor published a report on the security incident, in which an unsecured Amazon S3 bucket was left exposed online. The bucket had no authentication controls in place and was therefore viewable by anyone; it contained 157GB of data, or just under an estimated 200,000 files. After discovering the open system, the researchers traced the owner as Phlebotomy Training Specialists. The LA-based organization offers phlebotomy certification and courses in states including Arizona, Michigan, Texas, Utah, and California.

    According to vpnMentor, the records contained within were backed up from September 2020, but some were created before this time.

    The bucket contained a variety of PII, including copies of ID cards and driver’s licenses as well as CVs, revealing names, dates of birth, genders, photos of students, home addresses, phone numbers, email addresses, and both professional and educational summaries. In addition, over 27,000 tracking forms were found that in some cases contained the last four digits of Social Security numbers, as well as student transcripts and training certificate scans.

    vpnMentor’s team, led by Noam Rotem and Ran Locar, estimates that between 27,000 and 50,000 people, including course applicants and attendees, were impacted. The researchers informed Phlebotomy Training Specialists of their findings on September 7, three days after the S3 bucket’s discovery. Further attempts at contact were made but there was no response. The team then attempted to contact Amazon before reaching out to US-CERT on September 20. The researchers told ZDNet that two buckets were eventually found, one of which has been closed, but the other remains open.

    ZDNet has reached out to Phlebotomy Training Specialists for comment and we will update when we hear back.
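    The bucket described above was readable because nothing on it denied anonymous access. As an added example (not code from the article or from vpnMentor), the script below evaluates the three things an auditor checks on an S3 bucket: the bucket policy, the bucket ACL and the Block Public Access configuration. It runs offline against constructed sample documents in the shapes the S3 API returns for get-bucket-policy, get-bucket-acl and get-public-access-block; the bucket name, account ID and VPC endpoint ID in the samples are placeholders.

```python
"""Added example, not from the article or vpnMentor: flag S3 buckets that
grant anonymous access through their policy or ACL, and confirm that Block
Public Access is fully enforced. Runs offline on constructed sample documents."""
import fnmatch
import json

# Well-known S3 group grantee URIs. AuthenticatedUsers means *any* AWS account,
# so for exposure purposes it is as public as AllUsers.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample bucket policy (placeholder bucket, account and endpoint IDs).
# Statement 1 is the classic world-readable grant; 2 is scoped to a role; 3 is
# anonymous but conditioned on a VPC endpoint.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-records/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-records/*"},
        {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-records",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

# Constructed sample ACL: owner has full control, and AllUsers was granted READ,
# which is enough to list the bucket anonymously.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}

# Constructed sample Block Public Access config with only half the settings on.
SAMPLE_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _anonymous_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'everyone'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_policy_statements(policy_json, actions=("s3:GetObject", "s3:ListBucket")):
    """Return (Sid, matched actions) for Allow statements that let anonymous principals
    perform any of `actions` with no Condition. IAM matches action names
    case-insensitively with '*' wildcards, so the same matching is used here."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped by a condition: not open to the world, but still review it
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        hits = [a for a in actions if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        if hits:
            findings.append((stmt.get("Sid", f"statement[{i}]"), hits))
    return findings


def public_acl_grants(acl):
    """Return (grantee URI, permission) for grants to the AllUsers or AuthenticatedUsers groups."""
    return [(g["Grantee"].get("URI"), g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def block_public_access_enforced(config) -> bool:
    """True only when all four Block Public Access settings are enabled."""
    return all(config.get(k) is True for k in BPA_KEYS)


def assess_bucket(policy_json, acl, public_access_block):
    """Combine the three checks the way a quick exposure audit would."""
    return {
        "public_policy": public_policy_statements(policy_json),
        "public_acl": public_acl_grants(acl),
        "bpa_enforced": block_public_access_enforced(public_access_block),
    }


if __name__ == "__main__":
    print(json.dumps(assess_bucket(SAMPLE_POLICY, SAMPLE_ACL, SAMPLE_BPA), indent=2))
```

    The policy check deliberately treats a conditioned statement as not public so that it does not drown real findings; such statements still deserve a manual look. A bucket is only safe from this whole class of exposure when all four Block Public Access settings are on, since they stop new public policies and ACLs from taking effect no matter what is written later.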

  • New burger bot also does chicken wings


    A new version of the robotic fry cook looks like the odds-on favorite to automate fast food production. Miso Robotics, the creator of Flippy, the automated fry cook that hangs from a rail system over a conventional griddle, just announced a new version of its flagship robot, dubbed Flippy 2.

    With a pressing labor shortage and booming drive-thru and carryout demand over nearly two years of pandemic-induced recalibration, fast food has increasingly turned to technology to increase efficiencies and improve consistency and output. McDonald’s has been a leader in this arena, and just this week announced it was teaming up with IBM to create an automated drive-thru concept. Miso Robotics, an unusual success story in the crowd-funded technology space, is positioning itself as the go-to provider for automated cooking. The concept makes a lot of sense: fast food is built on repeatable, high-output cooking processes that increasingly rely on complex order management and prediction capabilities to reduce wait times and spoilage. Labor markets have been unpredictable over the past couple of years, and many fast food companies feel incentivized to look for a technological solution when faced with increasing minimum wages.

    The evolution of Flippy has been fun to watch. First, the robot, which looks decidedly like something out of The Jetsons, did a handstand, going from the floor to an overhead rail system in response to space constraints in the kitchen. There were key updates to its AI and an expanding menu of foods it could prepare to crispy perfection. Along the way, the robot got high marks behind the grill at some iconic chains, like White Castle, the original burger chain. Just recently, Miso Robotics spun out a chicken wings-specific model to service partners like Buffalo Wild Wings.

    Flippy 2 includes improvements that largely came from the company’s feedback from White Castle, with which Miso Robotics has been partnering for about a year. “We learned so much from Flippy and our partnership with Miso Robotics. It’s amazing to see the future of how we provide even better service and even more hot and tasty food to our craving customers happening right before us in real-time,” says Jamie Richardson, Vice President at White Castle.

    One improvement is the new AutoBin system for lower volume and specialty foods like onion rings or chicken tenders, providing restaurants with a more capable and complete frying solution. Each bin can hold as much as a full fry basket, be customized for a kitchen’s specific needs, and be delineated for individual products like vegetables and fish to prevent cross-contamination.

    Flippy 2 also features a new design that takes up less space within the kitchen, which the company says accounts for 56% reduced aisle intrusion, 13% height reduction and fewer overall cleanable surfaces. “Like all technologies, Flippy 2 has evolved significantly from its predecessor, and we are extremely grateful for the insights collected from White Castle to truly push its development forward in a real restaurant environment,” says Mike Bell, CEO of Miso Robotics. “Flippy 2 takes up less space in the kitchen and increases production exponentially with its new basket filling, emptying and returning capabilities. Since Flippy’s inception, our goal has always been to provide a customizable solution that can function harmoniously with any kitchen and without disruption. Flippy 2 has more than 120 configurations built into its technology and is the only robotic fry station currently being produced at scale.”

    Miso Robotics has several other pilot agreements with leading national brands in place, including its recently announced partnership with Inspire Brands. The company is hoping its technology will lead the way in a technology shift already happening in the $278.6 billion market.

  • Google signs deal with US Air Force, announces FedRAMP High and IL4 authorizations

    Google has signed a new deal with the US Air Force Research Laboratory (AFRL) that will see scientists and engineers there use Google Workspace. AFRL supports both the US Air Force and the US Space Force while providing new technologies for the US military. According to Google, the lab focuses on everything from laser-guided optics enabling telescopes to see deeper into the universe to fundamental science that helped create innovations in quantum computing and artificial intelligence. AFRL will now use Smart Canvas, Google Meet, and Google Cloud technology in its work.

    “COVID-19 significantly limited the physical presence of researchers in the lab,” said Dr. Joshua Kennedy, a research physicist at AFRL. “Google Workspace eliminated what would have otherwise been almost a total work stoppage. In fact, new insights into 2D nanomaterials, critical to future Department of the Air Force capabilities, were discovered using Workspace that would have otherwise been impossible.”

    Maj. Gen. Heather Pringle added that the move was part of her efforts to modernize the technology used by AFRL. She said the lab started experimenting with Google Workspace to supplement existing capabilities, noting that it has “revolutionized” their collaboration ability with external partners. “Our mantra is ‘collaborate to innovate.’ We want our alpha nerds to be very connected, and we really want to up their proficiency as a digital workforce where data becomes a third language,” Pringle said. “We’re incorporating digital engineering into everything we do in science and technology and have a data-informed human capital strategy.”

    Alongside the news of the US Air Force deal, Google Cloud vice president Mike Daniels announced that Google Workspace has achieved FedRAMP High authorization and that the Defense Information Systems Agency (DISA) has granted it Impact Level 4 (IL4) authorization, meaning the company will be able to collaborate more with the US military.

    “Expanding our list of compliance certifications and adding security and compliance resources is a critical part of Google Cloud’s mission to deliver agile, open architectures, unified data and analytics, and leading security solutions — along with productivity tools that support an increasingly hybrid workforce,” Daniels said in a blog post, explaining that in the US, FedRAMP and NIST frameworks “set the bar for the security of society’s most vital systems.”

    “The weight of this responsibility is reflected in the high bar that must be met to receive FedRAMP High authorization. This is a major milestone in our longstanding commitment to serving the needs of the public sector and to making the world a safer place for everyone.”

    Daniels added that with the certifications, the US federal government can now deploy Google Workspace within a variety of projects. “With FedRAMP High authorization across Workspace’s public cloud offering, any customer can rest assured that they are collaborating at this high level of security, without having to purchase and deploy a separate ‘gov cloud’ instance. It also means they can operate seamlessly with relevant government agencies without additional overhead,” Daniels explained.

    “Another key security standard at the federal level is the Impact Level 4 (IL4) designation, which applies to controlled unclassified information (CUI). Today, we’re proud to announce that Google has earned IL4 authorization from the Defense Information Systems Agency (DISA), allowing CUI to be stored and processed across key Google Cloud services, including our compute, storage and networking offerings, data analytics, virtual private cloud, and identity and access management technologies, when used with Assured Workloads.”

    In April, the technology giant announced that four other products had also received FedRAMP High authorization: Google’s Admin Console, Cloud Identity, Identity and Access Management, and the Virtual Private Cloud tools. Daniels noted that the IL4 configuration is supported in all seven US regions and “ensures IL4 workloads are supported by US personnel while being stored and processed in the United States.”

    “Our new IL4 and FedRAMP authorizations join other Google Cloud data privacy and security features that allow customers to comply with the FBI’s Criminal Justice Information Services (CJIS) standard and the IRS’ Publication 1075 (IRS 1075),” Daniels said. “While these are exciting developments for us, we are most excited about what it means for our public sector customers, who are working hard to achieve their missions and can now use cloud-first solutions to deliver on their mandates.”

  • Revealed: The 12 worst hardware security flaws in 2021

    MITRE, which publishes a list of top software vulnerabilities in conjunction with the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), has now published a list of the most important hardware weaknesses, too. MITRE maintains the Common Weakness Enumeration (CWE) for software flaws, but this year has run a survey to create its first ever equivalent list for hardware flaws.

    The 2021 Hardware List aims to boost awareness of common hardware flaws and to prevent hardware security issues by educating designers and programmers on how to eliminate important mistakes early in the product development lifecycle.

    “Security analysts and test engineers can use the list in preparing plans for security testing and evaluation. Hardware consumers could use the list to help them to ask for more secure hardware products from their suppliers. Finally, managers and CIOs can use the list as a measuring stick of progress in their efforts to secure their hardware and ascertain where to direct resources to develop security tools or automation processes that mitigate a wide class of vulnerabilities by eliminating the underlying root cause,” MITRE said.

    The list was determined by a survey of the CWE Team and members of the hardware special interest group. It is not ranked, and it covers weaknesses that turn up across smartphones, Wi-Fi routers, and PC chips: risky implementations of the cryptographic primitives used to protect secrets in hardware, mishandled overlaps between protected memory ranges, Rowhammer-style bit-flipping bugs, and firmware that cannot be updated.

    The hardware weaknesses list is meant to serve as “authoritative guidance for mitigating and avoiding them” and is a companion to MITRE’s annual list of the 25 most dangerous software weaknesses.

    One entry submitted by Intel engineers, CWE-1231, regards “improper prevention of lock bit modification” that can be introduced during the design of integrated circuits. “In integrated circuits and hardware intellectual property (IP) cores, device configuration controls are commonly programmed after a device power reset by a trusted firmware or software module (e.g., BIOS/bootloader) and then locked from any further modification,” MITRE notes. “This behavior is commonly implemented using a trusted lock bit. When set, the lock bit disables writes to a protected set of registers or address regions. Design or coding errors in the implementation of the lock bit protection feature may allow the lock bit to be modified or cleared by software after it has been set. Attackers might be able to unlock the system and features that the bit is intended to protect.”

    The entries also include past examples of the types of flaws, such as CVE-2017-6283, which affected the NVIDIA Security Engine. It contained a “vulnerability in the RSA function where the keyslot read/write lock permissions are cleared on a chip reset, which may lead to information disclosure.”

    The full 2021 list:

    • CWE-1189: Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
    • CWE-1191: On-Chip Debug and Test Interface With Improper Access Control
    • CWE-1231: Improper Prevention of Lock Bit Modification
    • CWE-1233: Security-Sensitive Hardware Controls with Missing Lock Bit Protection
    • CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation
    • CWE-1244: Internal Asset Exposed to Unsafe Debug Access Level or State
    • CWE-1256: Improper Restriction of Software Interfaces to Hardware Features
    • CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges
    • CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition
    • CWE-1274: Improper Access Control for Volatile Memory Containing Boot Code
    • CWE-1277: Firmware Not Updateable
    • CWE-1300: Improper Protection of Physical Side Channels
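    To make the CWE-1231 description above concrete, here is an added example (not MITRE’s or the article’s code) that models a small register block in Python: a LOCK register and the configuration register it guards. The register names and bit layout are invented. One write handler implements the lock register as plain read/write, which is the weakness; the other implements it as a sticky write-1-to-set bit that only a power reset clears. The same scenario is then run against both: trusted firmware programs and locks the block, and untrusted software tries to clear the lock and reprogram it.

```python
"""Added example, not from MITRE or the article: a software model of a
lock-bit-protected register block, showing CWE-1231 next to the intended
sticky-lock design. Register names and bit layout are invented."""

LOCK_BIT = 1 << 0   # bit 0 of the (invented) LOCK register; other bits are reserved


class ConfigBlock:
    """Model of one IP block: a LOCK register and the configuration register it protects.

    sticky_lock=False reproduces CWE-1231 (a later write can clear the lock bit);
    sticky_lock=True is the intended design (set once, cleared only by power reset).
    """

    def __init__(self, sticky_lock: bool):
        self.sticky_lock = sticky_lock
        self.power_reset()

    def power_reset(self) -> None:
        # In the correct design this is the only path back to the unlocked state.
        self.lock = 0
        self.cfg = 0

    def write_lock(self, value: int) -> None:
        """Bus write to the LOCK register."""
        if self.sticky_lock:
            # Write-1-to-set: once the bit is set, no register write can clear it.
            self.lock |= value & LOCK_BIT
        else:
            # CWE-1231: ordinary read/write semantics let software clear the bit.
            self.lock = value & LOCK_BIT

    def write_cfg(self, value: int) -> bool:
        """Bus write to the protected configuration register; refused while locked."""
        if self.lock & LOCK_BIT:
            return False
        self.cfg = value
        return True

    def locked(self) -> bool:
        return bool(self.lock & LOCK_BIT)


def boot_then_attack(sticky_lock: bool) -> dict:
    """Trusted firmware configures and locks the block; untrusted software then
    tries to clear the lock and reprogram the register. Reports what happened."""
    blk = ConfigBlock(sticky_lock)

    # Trusted bootloader: program the register, then set the lock.
    blk.write_cfg(0x1000)
    blk.write_lock(LOCK_BIT)
    direct_write_blocked = not blk.write_cfg(0x2000)  # the lock holds against a direct write

    # Untrusted OS driver: clear the lock bit, then write the protected register.
    blk.write_lock(0)
    blk.write_cfg(0xBAD0)

    return {
        "direct_write_blocked": direct_write_blocked,
        "lock_still_set": blk.locked(),
        "attacker_value_landed": blk.cfg == 0xBAD0,
    }


if __name__ == "__main__":
    for sticky in (False, True):
        label = "sticky lock" if sticky else "plain RW lock (CWE-1231)"
        print(label, boot_then_attack(sticky))
```

    The direct write is refused in both variants, which is why this class of bug survives functional testing: the lock works until someone thinks to write the lock register itself. In RTL the property to check is the sticky one, that the lock signal never deasserts except under reset, and every register the lock is meant to cover must consult it, or the design falls into the neighbouring CWE-1233 entry instead.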

  • 3 ways robots won in 2021


    Robots had a big year. Amid uncertainties related to the pandemic, chronic labor shortages, supply chain catastrophes, and renewed emphasis on touchless and autonomous service, the adoption of robotic systems has steadily increased. Supply chains are rapidly digitizing amid Industry 4.0 transitions. Competition and collaboration among rivals, particularly in the industrial robotics space, drives innovation and lowers the adoption threshold for automation solutions. Robots are also entering new markets, including food and beverage, textiles, wood products and plastics. Companies like Sarcos are transforming construction and infrastructure, bringing new efficiencies to old sectors, and the logistics space, which increasingly relies on autonomous picking and sorting solutions and mobile ground robots, is seeing explosive growth as habits shift further toward e-commerce.

    “As we come out of a global pandemic and continue to experience more issues with global supply chains and labor shortages like we see now,” John Rhee, SVP and General Manager of UBTECH North America, tells me, “the adoption of robotics will grow at a rate faster than previously forecasted.”

    I connected with Rhee, whose company makes robots for a variety of uses, including disinfection and education, to get his insights on how the past year shaped the automation sector, as well as what’s in store in the year ahead.

    Robotics in manufacturing

    What were the most important milestones for robotics in manufacturing in 2021?

    John Rhee: For UBTECH, we were able to utilize our company’s strengths in both robotics as well as vertically integrated manufacturing in order to create solutions for the global pandemic in 2021. We recognized the ongoing pain points in 2020 with the pandemic by developing robots that performed tasks like surface cleaning and temperature monitoring in high-risk environments. That allowed us to identify a bigger need and move into robotics using UV-C light to provide a more cost-effective and less toxic method to sanitize autonomously. UBTECH was able to create a disinfection solution that is one of the highest intensity mobile options in the market today AND for the lowest cost on the market. Based on the current and future needs we were seeing and experiencing in the global market, we looked to leverage UV-C technology that hospitals and government municipalities have been using for decades. In creating the ADIBOT disinfection system, our goal was to provide this option to a wider group of organizations like school districts and businesses to help in their efforts to keep children and staff protected against COVID-19, C. diff, MRSA and more.

    Object manipulation

    How has object manipulation advanced over the past couple of years? What role will AI play, and what will robots be able to do soon that they can’t do now?

    John Rhee: With our Walker product, we’ve been able to show over the past few years how object manipulation has gotten more advanced within robotics. Our first iterations of Walker from 2018 could kick a soccer ball, and now in 2021, our Walker X can hold groceries, carry objects, write, and play interactive games with different members of the household. The Walker X humanoid robot is the latest in these types of advancements that includes progress to actions like hand-eye coordination, multi-terrain manipulation, and the addition of multimodal emotional interaction. Additionally, we continue to develop bin picking technologies for various use cases across our robotics portfolio. All these advancements are driven by AI with more intelligent uses of computer vision and sensor systems. Robots will be more versatile and precise in both the work and home space, being able to perform more solid functions than in the past.

    Robots in the classroom

    A lot of parents might balk at the idea of using AI in the classroom. Can you discuss the benefits and possible applications, as well as some things we should watch out for?

    John Rhee: AI is likely already in the classroom in some way, shape, or form for a lot of children today. An Alexa ask for gaming simulations or complex LMS systems that the teacher uses to manage the classroom and measure performance. We believe that students understanding what AI is and how it can be used to solve real-world problems is more critical than what a basic computer lab curriculum was for students in the 1980s. In our education division, UBTECH Education, we want to ensure children are taught a full understanding around Artificial Intelligence that includes not only learning how to build robots while incorporating programming with AI but also how AI can be used in the real world in all circumstances. As a part of our core belief to prepare students for the jobs of tomorrow, our curriculum and products are in line with also equipping them with all the angles for the job at hand.

  • Arrests were made, but the Mekotio Trojan lives on

    Despite the arrest of individuals connected with the spread of the Mekotio banking Trojan, the malware continues to be used in new attacks. 

    On Wednesday, Check Point Research (CPR) published an analysis of Mekotio, a modular banking Remote Access Trojan (RAT) that targets victims in Brazil, Chile, Mexico, Spain, and Peru and is now back with new tactics for avoiding detection.

    In October, law enforcement made 16 arrests in relation to the Mekotio and Grandoreiro Trojans across Spain. The suspects allegedly sent thousands of phishing emails to distribute the Trojan, which was then used to steal banking and financial service credentials. Local media reports suggest that 276,470 euros were stolen, and that further transfer attempts worth 3,500,000 euros were made but blocked.

    CPR researchers Arie Olshtein and Abedalla Hadra say that the arrests only managed to disrupt distribution across Spain, and as the group likely collaborated with other criminal outfits, the malware continues to spread. Once the Spanish Civil Guard announced the arrests, Mekotio’s developers, suspected of being located in Brazil, rapidly rehashed their malware with new features designed to avoid detection.

    Mekotio’s infection vector has stayed the same: phishing emails either link to, or carry as an attachment, a malicious .ZIP archive that contains the payload. However, an analysis of over 100 attacks taking place in recent months has revealed the use of a simple obfuscation method and a substitution cipher to circumvent detection by antivirus products.

    In addition, the developers have included a batch file redesigned with multiple layers of obfuscation, a new PowerShell script that runs in memory to perform malicious actions, and the use of Themida, a commercial protector intended to prevent cracking or reverse engineering, to pack the final Trojan payload. Once installed on a victim’s machine, Mekotio will attempt to steal access credentials for banks and financial services and will transfer them to a command-and-control (C2) server controlled by its operators.

    “One of the characteristics of those bankers, such as Mekotio, is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection,” the researchers say. “CPR sees a lot of old malicious code used for a long time, and yet the attacks manage to stay under the radar of AVs and EDR solutions by changing packers or obfuscation techniques such as a substitution cipher.”

  • Clearview AI slammed for breaching Australians’ privacy on numerous fronts

    Australia’s Information Commissioner has found that Clearview AI breached Australia’s privacy laws on numerous fronts, after a bilateral investigation uncovered that the company’s facial recognition tool collected Australians’ sensitive information without consent and by unfair means.

    The investigation, conducted by the Office of the Australian Information Commissioner (OAIC) and the UK Information Commissioner’s Office (ICO), found that Clearview AI’s facial recognition tool scraped biometric information from the web indiscriminately and has collected data on at least 3 billion people. The OAIC also found that some Australian police agency users, who were Australian residents and trialled the tool, searched for and identified images of themselves as well as images of unknown Australian persons of interest in Clearview AI’s database.

    By considering these factors together, Australia’s Information Commissioner Angelene Falk concluded that Clearview AI breached Australia’s privacy laws by collecting Australians’ sensitive information without consent and by unfair means. In her determination [PDF], Falk explained that consent had not been given even though facial images of affected Australians were already available online, because posting an image does not unambiguously signal agreement to its collection by Clearview AI.

    “I consider that the act of uploading an image to a social media site does not unambiguously indicate agreement to collection of that image by an unknown third party for commercial purposes,” the Information Commissioner wrote. “Consent also cannot be implied if individuals are not adequately informed about the implications of providing or withholding consent. This includes ensuring that an individual is properly and clearly informed about how their personal information will be handled, so they can decide whether to give consent.”

    Other breaches of Australia’s privacy laws found by Falk were that Clearview AI failed to take reasonable steps either to notify individuals of the collection of personal information or to ensure that the personal information it disclosed was accurate. She also faulted the company for not taking reasonable steps to implement practices, procedures, and systems to ensure compliance with the Australian Privacy Principles.

    These breaches stemmed from Clearview AI removing access to an online form for Australians to opt out from being searchable on the company’s facial recognition platform. The form itself also raised privacy issues, as it required Australians to submit a valid email address and an image of themselves, which would then be converted into an image vector; Falk said this allowed Clearview AI to collect additional information about Australians. The form was created at the start of 2020, but now Australians can only make opt-out requests via email, Falk said.

    After making these findings, Falk has ordered Clearview AI to destroy existing biometric information it has collected from Australia. She has also ordered the company to cease collecting facial images and biometric templates from individuals in Australia.

    “The covert collection of this kind of sensitive information is unreasonably intrusive and unfair,” Falk said. “It carries significant risk of harm to individuals, including vulnerable groups such as children and victims of crime, whose images can be searched on Clearview AI’s database.”

    Despite the investigation being finalised, the exact number of affected Australians is unknown. Falk expressed concern that the number was likely to be very large, given that it may include any Australian individual whose facial images are publicly accessible on the internet.

    Providing an update on another Clearview AI-related investigation, Falk said she was currently in the process of finalising a separate investigation into the Australian Federal Police (AFP) trialling Clearview AI’s facial recognition tool. In April last year, the AFP admitted to trialling the Clearview AI platform from October 2019 to March 2020. State police from Victoria and Queensland also trialled the tool, with all three law enforcement agencies admitting to successfully conducting searches using facial images of individuals located in Australia with the tool. Falk said she would soon provide a determination on whether the AFP breached the Australian Government Agencies Privacy Code requirement to assess and mitigate privacy risks.

  • Amazon planning Project Kuiper prototype satellite launch in late 2022

    Amazon has announced its first Project Kuiper satellite prototypes will be launched in the fourth quarter of 2022. The company said on Tuesday it had filed for an experimental licence with the US Federal Communications Commission to launch and operate a pair of satellites dubbed KuiperSat-1 and KuiperSat-2. The prototypes will test the communications and networking that will be used in the final design, and will have Ka-band phased array and parabolic antennas, power and propulsion systems, and custom-designed modems.

    “We’ve invented lots of new technology to meet our cost and performance targets for Project Kuiper. All of the systems are testing well in simulated and lab settings, and we’ll soon be ready to see how they perform in space,” vice president of technology for Project Kuiper Rajeev Badyal said. “There is no substitute for on-orbit testing, and we expect to learn a lot given the complexity and risk of operating in such a challenging environment. We can’t wait to get started.”

    Once the prototypes are operational, Amazon will test its customer terminal, which it said in December can deliver up to 400Mbps. Instead of having the receiving and transmission antennas next to each other, Amazon is overlaying the antennas, which results in a final diameter of 30 centimetres.

    Amazon said the prototypes will be actively deorbited once the mission is complete, and it was working with astronomers to reduce the visibility of the satellites that will make up the intended constellation of 3,236 low Earth orbit birds. “One of the two prototype satellites will include a sunshade to help us understand whether it is an effective way to reduce reflectivity and mitigate its impact on ground-based optical telescopes,” the company said. “We will collect data to compare reflectivity between the two spacecraft, and share any learnings with the astronomy community following the mission.”

    The satellites will be launched from Cape Canaveral Space Force Station by ABL Space Systems, and not the Jeff Bezos-led Blue Origin.