At a glance.
- Web-exposed Kubernetes API servers.
- A real estate company settles a data breach complaint for $1.2 million.
- Google AI subsidiary accused of sharing patient data without consent.
- A commercial spyware vendor's product exploits zero-days.
The majority of Kubernetes API servers are exposed on the web.
Researchers from the non-profit cybersecurity organization Shadowserver Foundation have determined that more than 380,000 Kubernetes API servers, or 84% of all Kubernetes API instances observable online, are exposed on the Internet. SecurityWeek reports that Shadowserver performed daily scans of the IPv4 address space using HTTP GET requests, looking for IP addresses that respond with an HTTP 200 OK status, indicating that the request succeeded. Shadowserver's report states, "While this does not mean that these instances are fully open or vulnerable to attack, it is likely that this level of access was not intended, and these instances are an unnecessarily exposed attack surface. They also allow leaks of version and build information." More than half of the exposed instances are in the United States, with many also in Western Europe, Southeast Asia and Australia. Dark Reading remarks that the findings support recent research indicating that many organizations are unprotected against potential API attacks. According to Salt Security's recent "State of API Security 2022" report, approximately 34% of organizations do not have an API security policy in place, and a further 27% say they have only a basic policy that requires minimal scanning and no management of API security posture.
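The scan described above reduces to a simple test: does an unauthenticated GET to the API server return 200 OK, and does the body carry version and build details? The following script, an added example that is not part of the article or of Shadowserver's tooling, runs that same test against an API server endpoint you operate so you can confirm whether your own cluster would be counted as exposed. It queries the `/version` path (an assumption about the specific path, since the article names none; `/version` is a standard Kubernetes API endpoint that the default RBAC role `system:public-info-viewer` makes readable anonymously) and classifies the reply. The sample responses at the bottom are constructed so the classification logic can be exercised offline.

```python
"""Added example (not from the Shadowserver report or any cited article).

Checks whether a Kubernetes API server endpoint you are responsible for
answers an unauthenticated GET with HTTP 200 and leaks version/build
details, which is the condition the scan described above treats as
"exposed".
"""
import json
import ssl
import urllib.error
import urllib.request


def assess(status, body):
    """Classify an unauthenticated response from /version.

    Returns one of:
      'exposed-version-leak' : 200 with a gitVersion field in a JSON body
      'exposed'              : 200 without parseable version info
      'auth-required'        : 401/403, anonymous access is refused
      'other'                : anything else (not an API server, error, ...)
    """
    if status == 200:
        try:
            info = json.loads(body)
        except (ValueError, TypeError):
            return 'exposed'
        if isinstance(info, dict) and 'gitVersion' in info:
            return 'exposed-version-leak'
        return 'exposed'
    if status in (401, 403):
        return 'auth-required'
    return 'other'


def check_api_server(base_url, timeout=5):
    """GET <base_url>/version without credentials and classify the reply.

    Certificate verification is disabled because API servers usually
    present a certificate from a cluster-internal CA; only the HTTP status
    and body matter for this check.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(base_url.rstrip('/') + '/version',
                                 headers={'Accept': 'application/json'})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            status = resp.status
            body = resp.read().decode('utf-8', 'replace')
    except urllib.error.HTTPError as e:
        # 401/403 arrive here; keep the status and body for classification
        status, body = e.code, e.read().decode('utf-8', 'replace')
    except (urllib.error.URLError, OSError):
        return 'other'
    return assess(status, body)


# Constructed sample responses standing in for live hosts.
SAMPLE_LEAK = (200, json.dumps({"major": "1", "minor": "24",
                                "gitVersion": "v1.24.0",
                                "buildDate": "2022-05-03T13:38:19Z"}))
SAMPLE_CLOSED = (403, '{"kind":"Status","status":"Failure","code":403}')

if __name__ == '__main__':
    import sys
    for status, body in (SAMPLE_LEAK, SAMPLE_CLOSED):
        print(status, '->', assess(status, body))
    # Any URLs given on the command line are checked live.
    for url in sys.argv[1:]:
        print(url, '->', check_api_server(url))
```

A result of `exposed-version-leak` means the endpoint answers exactly the way the scan counts as exposed. The first remedy is to keep the API server off the public Internet altogether (firewall rules or a private endpoint); starting kube-apiserver with `--anonymous-auth=false` additionally turns the anonymous 200 on `/version` into a 401, which removes the version leak, but that hardening does not justify leaving the port reachable.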
A real estate company settles a data breach complaint for $1.2 million.
Weichert Co, a residential and commercial real estate franchise based in the US state of New Jersey, reached a $1.2 million settlement this week over three data breaches that compromised the personal data of nearly 11,000 consumers and employees. Weichert faced allegations that the company misrepresented its consumer security practices and that its inadequate security measures allowed unauthorized access to its network, violating the New Jersey Consumer Fraud Act, the Identity Theft Protection Act and the Gramm-Leach-Bliley Act. NJBIZ explains that an intruder allegedly gained unauthorized access to Weichert's network on multiple occasions between July 2016 and July 2018, exposing personal data including Social Security numbers, credit card information, passport numbers, financial account details and driver's license details. Weichert disputes the claims but accepted the settlement, which also requires the company to retain an independent third party to assess its information security program and prepare an annual report of findings confirming compliance with the provisions of the consent order. Announcing the settlement, Acting Attorney General Matthew Platkin said, "Taking appropriate steps to protect customers' personal information isn't just part of a good business model, it's the law. This settlement should send a clear message to companies that skimp on data security as a cost-saving measure."
Google AI subsidiary accused of sharing patient data without consent.
On Tuesday, a single plaintiff filed a lawsuit in the High Court of England and Wales against Google and DeepMind Technologies, a British artificial intelligence subsidiary of Alphabet Inc, for misuse of private patient data. The Lawyer explains that the case involves a 2015 collaboration between DeepMind and the Royal Free London National Health Service (NHS) Foundation Trust to develop Streams, an app designed to help doctors and nurses with the prognosis of acute kidney injury. The data-sharing agreement gave DeepMind access to five years of confidential data on more than 1.6 million NHS patients. However, in 2017 the UK Information Commissioner's Office (ICO) concluded that the agreement, which did not allow patients to opt out, breached data protection law, leading the ICO to sanction the NHS. The ICO investigation determined that DeepMind's use of patient data to test the clinical safety of Streams differed from reasonable patient expectations and was not "necessary and proportionate" for app testing. Google was able to avoid legal liability because the NHS was technically at fault for sharing the patient data, and last August it decided to decommission Streams. Mishcon de Reya, the law firm representing the current plaintiff, Andrew Prismall, said it filed the lawsuit seeking fair redress for the affected patients and clarification of technology companies' use of patient data.
Google rates a commercial spyware threat “with high confidence”.
Recent discussions (and investigations) of commercial spyware and its alleged abuse by governments and other actors have focused on NSO Group and its Pegasus product. But NSO is not the only player in the field.
Google's Threat Analysis Group yesterday described five zero-days, CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003 in Chrome and CVE-2021-1048 in Android, which were used against Android users. Google believes North Macedonian lawful-interception vendor Cytrox is responsible for creating the tools used to exploit the vulnerabilities.
"We assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to various government-backed actors who used them in at least the three campaigns described below," Google's Threat Analysis Group wrote. "Consistent with results from CitizenLab," they add, "we assess that the government-backed actors purchasing these exploits are located in (at least) Egypt, Armenia, Greece, Madagascar, Ivory Coast, Serbia, Spain and Indonesia."
Companies like Cytrox are deploying capabilities once achievable only by governments, but if you look at the list of customers, they are effectively operating as contractors. "Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically used only by governments with the technical expertise to develop and operationalize exploits."
Google thoroughly disapproves of the way this industry does business. "Addressing the harmful practices of the commercial surveillance industry will require a robust and comprehensive approach that includes cooperation between threat intelligence teams, network defenders, academic researchers and technology platforms," they conclude. "We look forward to continuing our work in this space and advancing the safety and security of our users around the world."