Skip to main content

Friday Five: 9/20 Edition

by Chris Brook on Friday September 20, 2019

Contact Us
Free Demo

A popular password manager fixes a bug, a 20 million person breach, and more - catch up on the week's infosec and privacy news with this week's Friday Five!

1. Password-exposing bug purged from LastPass extensions by Dan Goodin

Important news if you use the password manager LastPass. The company was forced to issue an update to resolve a bug that could have let a malicious website extract a previous password entered by the service's browser extension. One of the more infamous researchers on Google's Project Zero team, Tavis Ormandy, discovered the bug. Ormany's bug report went live this week but LastPass fixed the issue in version 4.33.0 of the password manager last week. "Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab," Ormandy wrote in his Project Zero writeup. "That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab."

Read more

2. Ecuador Investigates Data Breach of Up to 20 Million People by Palko Karasz and Anatoly Kurmanaev

A breach disclosed this week appears to have compromised the data of not just every citizen in Ecuador but even the country's deceased. According to vpnMentor, a VPN company that tipped authorities in the country off to the breach, names, social security numbers, and contact information - data apparently leaked from Ecuadorean government registries, an automobile association, and a state-owned bank, was implicated. Data on 20 million people was made available online but Ecuador only has a population of 16 million people. Officials there took in a legal representative of Novaestrat, an online data consulting firm in the country, for questioning earlier this week. Novaestrat, according to VPNmentor, owns a server in Miami that was left unsecured.

Read more

3. Internet Association pushes Congress to pass national privacy law by Ina Fried

Now that much of the book on the California Consumer Privacy Act has been written - California's legislature closed up shop for the year last week ensuring not much of the law will change when it goes into effect Jan. 1 - the tech industry is shifting its efforts to convince Congress to pass a national privacy law. The latest trade group to push the agenda is the Internet Association, a group that represents Reddit, Spotify, LinkedIn, Microsoft, and Google. This Axios piece is really just a quick primer, it doesn't dig into the campaign that the group is launching, Privacy For All Americans, to try to get Congress to act - for more on that head to the group's press release. It’s of course too early to tell if the group’s actions will actually move the dial on the issue; the CCPA is only a couple of months away from going into effect, meaning it’d take a truly valiant effort to preempt the law.

Read more

4. Millions of Americans’ Medical Images and Data Are Available on the Internet. Anyone Can Take a Peek by Jack Gillum, Jeff Kao and Jeff Larson

A sprawling, slightly depressing investigative read on just how insecure servers have become these days. This ProPublica piece, which was reported alongside Bayerischer Rundfunk, a German public broadcaster, reveals how easy it is to gain access to millions of patient X-rays and MRIs. What's embarrassing is that the servers lack even the most basic defenses. The researchers in the story found problems in 52 countries and in America in particular found data from more than 13.7 million medical tests, 400,000 that had X-rays associated with them. The extent of the exposure varies according to the piece; two companies remedied issues with their servers prior to publication, other problems stem from an archaic standard, DICOM, that's used by picture archiving and communication systems (PACS) without a VPN or firewall.

Read more

5. This Article Is Spying on You by Timothy Libert

Lest you forget that only a handful of companies track a large chunk of traffic on all news sites, we’ve got a good read that sums it up here. It’s a double-edged sword, Timothy Libert, a faculty member in computer science at Carnegie Mellon University, writes in the New York Times this week, acknowledging that even companies that offer a public service, like the Times, are tracking users. The fact that tracking users across the internet is pervasive isn’t a surprise, especially if you recall reading this article, also via the Times' Privacy Project earlier this summer, but Libert points out that news organizations aren’t to blame really – they’ve had to stand by and accept the idea of the online advertising industry becoming more and more centralized: “In a rush to stop the bleeding, many news outlets partnered with ad tech companies to gain entry to their expanding networks. These early decisions put news organizations on a path whereby they sacrificed reader privacy, reduced their ability to maintain direct relationships with advertisers and ultimately put their survival in the hands of middlemen like Google.” It's worth noting the Times has taken great lengths - Libert mentions it in his piece - around disclosing how it handles user privacy on its website.

Read more

Tags:  Healthcare Privacy Data Breaches

Recommended Resources

The Definitive Guide to DLP

All the essential information you need about DLP in one eBook.

The Ultimate Guide to Data Protection

Everything you need to know about data protection but were afraid to ask.