by Les Bell - Monday, 29 May 2023, 10:36 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Crisis Communications Vital When Handling Privacy Breaches

Two stories over the weekend demonstrate the importance of having a good crisis communications plan in place before a privacy breach occurs. In fact, the two cases - which involve government agencies - could almost be case studies in how not to respond to a privacy breach.

In the first case, NT Health, the health department of the Northern Territory (Australia), apparently mismanaged the transfer of patient health records as part of a software upgrade. Over 50,000 patients had their records transferred between two government departments in 2018 and 2019, but more than 3,000 identifiable records - some classed as very-high or high clinical risk, such as psychological reports, psychiatric facility visits, pregnancy terminations and stillbirth records and ECT records - were subsequently transferred to global software vendor Intersystems.

Then-health minister - now Territory Chief Minister - Natasha Fyles never made the privacy breach public. Instead, the breach was managed "in-house" and patients were never notified. There appears to be some disagreement between the Information Commissioner, Peter Shoyer, who claims his department provided only "brief advice ... on potential further steps" and NT Health Chief Executive Marco Briceno, who said his department "consulted extensively at the time with the information commissioner".

In the second case, Fire Rescue Victoria (FRV) was attacked in December of last year and its emergency dispatch system taken offline (and remains offline at time of writing, in late May!). However, in early March, applicants for firefighter positions received a letter disclosing that "FRV has reasonable grounds to believe that the personal information of firefighter recruit applicants may have been accessed or stolen by a malicious third party". The letter stated that the data had been shared on the dark web but offered no further details.

In fact, not only was identification and contact information compromised as part of a ransomware attack, but also medical records, passport and driver's licence details, Medicare numbers, Centrelink numbers, healthcare identifiers and potentially health information and superannuation details.

By not providing the affected people with full details of the personal information that had been compromised, FRV denied them the opportunity to take steps to protect themselves against further loss, such as obtaining new driver's licences and other identifiers. It is not clear how many individuals are affected, but they certainly number in the thousands - potentially every applicant for firefighter recruitment, and there are more than 5,000 applications each year.

Whether the agencies' handling of these incidents complies with the requirements of the Privacy Act 1988 (Cth) and, specifically, the Notifiable Data Breaches scheme is a matter for the Information Commissioner, but both involve personal health information and would seem to fall within the definition of a serious data breach. In any case, a reasonable person would expect to be notified when their personal information - especially health records - is compromised, so there is an argument that notification is simply a matter of applying due care.

Both cases, however, highlight the need for a well-considered data breach policy and incident response plan which covers crisis communications and reputation repair. Failure to notify individuals seriously reduces public trust and confidence in the breached organizations - especially when a perceived cover-up makes the headlines. There is some evidence that full disclosure and transparency leads affected individuals to correctly attribute blame to cybercriminals and side - to a limited extent - with the affected organization, especially if it provides them with assistance and contacts to limit the damage.

Hislop, Jack, NT information commissioner seeks to distance himself from privacy breach of public health files, ABC News, 27 May 2023. Available online at https://www.abc.net.au/news/2023-05-27/nt-information-commissioner-privacy-breach-public-health-files/102397744.

Rizmal, Zalika, Fire Rescue Victoria's cyber-hack response a 'lesson in how not to communicate', ABC News, 27 May 2023. Available online at https://www.abc.net.au/news/2023-05-27/fire-rescue-victoria-data-hack-privacy/102400672.

Benoit, William L., Image Repair Discourse and Crisis Communication, Public Relations Review 23, no. 2 (June 1997): 177-86.

Rikki Don't Lose That Phone

We all know that improper media sanitization before disposal leads to second-hand devices being sold with data intact and recoverable by the new owners. And, of course, if your device is stolen, there goes the opportunity to delete data and do a factory reset - so that devices bought from pawn shops and online trading sites have an even higher proportion of personal data on them.

But if you really want to cheaply acquire a lot of sensitive information, here's a source you may not have thought of: buying cellphones which are auctioned off by US police departments. It makes sense: phones which police have seized will often contain evidence of criminal activity - and in some cases, the police may have helpfully used forensic tools to provide privileged levels of access to information which would normally be protected, passing this information on to the new owner. If you're a drug dealer looking for new customers, your local police department could be a useful source of contacts!

Richard Roberts and his colleagues at the University of Maryland bought 228 police-auctioned cellphones at an average price of just $US18.00. Of these, 49 were completely unlocked and another used easily-guessable passcodes. In one case, police had used GrayKey mobile device forensics software to break into the phone, and had noted the passcode.

Several phones had stored credit card details - some legitimate and some stolen. The researchers also found scans of 5 passports and 14 driver's licences, as well as a few scans of government-issued identity credentials and some communication between sex workers and clients. As one might expect, there were also personal text messages, not to mention nude photographs.

With one phone, the researchers struck the motherlode: 24 credit reports, along with the related identity, bank account details, social security numbers and employment records - probably the work materials of an identity fraudster.

The fact that police forces do not destroy these devices or at least sanitize them is surprising, to say the least. It also highlights the importance of securing portable devices as well as the use of mobile device management software to remotely delete sensitive data when the device is lost or stolen - although subsequent use of forensic tools may defeat even that.

Roberts, Richard, Julio Poveda, Raley Roberts and Dave Levin, Blue Is the New Black (Market): Privacy Leaks and Re-Victimization from Police-Auctioned Cellphones, preprint, IEEE Security & Privacy 2023. Available online at http://richard.technology/research/publications/ieeesp23_auctions.pdf.

Researchers Close Google CloudSQL Hole

Cloud applications often require a separate persistent data store, and so the cloud service providers typically offer both a NoSQL cloud-native database and a choice of the more popular SQL relational database engines, such as MySQL and Microsoft SQL Server. One problem service providers face is adapting and especially securing these databases for the cloud environment - they were originally developed for stand-alone operating system platforms. In the case of the open-source products like MySQL and PostgreSQL, the availability of the source code helps, but SQL Server is proprietary, and so cloud security needs to be added 'on top' rather than tightly integrated.

Understanding this led researchers at Dig Security to discover a rather nasty vulnerability in Google's CloudSQL implementation of SQL Server. The vulnerability allowed privilege escalation from basic CloudSQL user to becoming a full-fledged administrator on the SQL Server container. This was achieved in two steps: first, escalating from CustomerDbRootRole to DbRootRole, which is a Google Cloud Platform admin role, followed by exploitation of a misconfiguration which allowed a further escalation to the Sysadmin role.

This would grant full access to all data in the SQL Server instance, as well as full access to the underlying operating system - not to mention access to service agents and some URLs which could allow pivoting to other environments.
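The pattern in this story is privilege gained by chaining role memberships. As an added defensive check (not code from Dig Security or Google), the T-SQL below resolves nested SQL Server server-role membership so that any principal reaching sysadmin through intermediate roles such as CustomerDbRootRole and DbRootRole is listed with its full path, and then lists direct CONTROL SERVER grants, which are equivalent to sysadmin. It assumes the caller can read other principals' memberships (VIEW ANY DEFINITION or better); the allow-list is a placeholder.

```sql
-- Added audit query (not from the Dig Security write-up or Google):
-- resolve nested server-role membership so an indirect path such as
-- login -> CustomerDbRootRole -> DbRootRole -> sysadmin is listed explicitly.
-- CustomerDbRootRole and DbRootRole are the role names from the story;
-- the allow-list below is a placeholder for your expected administrators.
WITH RoleChain AS (
    -- Anchor: every direct membership of a server principal in a server role
    SELECT srm.member_principal_id         AS member_id,
           srm.role_principal_id           AS role_id,
           CAST(r.name AS nvarchar(4000))  AS chain,
           1                               AS depth
    FROM sys.server_role_members AS srm
    JOIN sys.server_principals   AS r ON r.principal_id = srm.role_principal_id
    UNION ALL
    -- Recursive step: the role reached so far may itself be a member of another role
    SELECT rc.member_id,
           srm.role_principal_id,
           CAST(rc.chain + N' -> ' + r.name AS nvarchar(4000)),
           rc.depth + 1
    FROM RoleChain AS rc
    JOIN sys.server_role_members AS srm ON srm.member_principal_id = rc.role_id
    JOIN sys.server_principals   AS r   ON r.principal_id = srm.role_principal_id
    WHERE rc.depth < 10                    -- guard against cyclic memberships
)
-- Every login, group or role that ends up in sysadmin, with the path it took
SELECT p.name      AS principal_name,
       p.type_desc AS principal_type,
       rc.chain    AS path_to_sysadmin
FROM RoleChain AS rc
JOIN sys.server_principals AS p ON p.principal_id = rc.member_id
WHERE rc.role_id = (SELECT principal_id FROM sys.server_principals WHERE name = N'sysadmin')
  AND p.name NOT IN (N'sa')                -- placeholder allow-list of expected sysadmins
ORDER BY p.name, rc.depth;

-- Direct CONTROL SERVER grants bypass role membership entirely and must be reviewed too
SELECT p.name, p.type_desc, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = N'CONTROL SERVER'
  AND sp.state_desc LIKE N'GRANT%';        -- GRANT and GRANT_WITH_GRANT_OPTION
```

Any row whose path passes through a customer-facing role, or any CONTROL SERVER grantee outside the allow-list, is a finding worth explaining before it is explained to you.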

Fortunately, the researchers collaborated with Google to resolve the underlying issues, presumably earning a nice bug bounty in the process.

Balassiano, Ofir and Ofir Shaty, GCP CloudSQL Vulnerability Leads to Internal Container Access and Data Exposure, blog post, 24 May 2023. Available online at https://www.dig.security/post/gcp-cloudsql-vulnerability-leads-to-internal-container-access-and-data-exposure.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

[ Modified: Monday, 29 May 2023, 12:18 PM ]