Mon Dieu! Nearly half the French population have data nabbed in massive breach


Infosec In Brief Nearly half the citizens of France have had their data exposed in a massive data breach at two third-party healthcare payment servicers, the French data privacy watchdog disclosed last week.

Payments outfits Viamedis and Almerys both experienced breaches of their systems in late January, the National Commission on Informatics and Liberty (CNIL) revealed, leading to the theft of data belonging to more than 33 million customers. Affected data on customers and their families includes dates of birth, marital status, social security numbers and insurance information. No banking info, medical data or contact information was compromised, the CNIL added.

"This is the first time that there has been a violation of this magnitude [in France]," Yann Padova, digital data protection lawyer and former secretary general of the CNIL, told French radio network Franceinfo. Padova believes the breach is the largest in France's history.

Viamedis was reportedly compromised through a phishing attack that targeted healthcare professionals, with the attackers using credentials stolen from those professionals to gain access to its systems. Almerys didn't disclose how its compromise occurred, but it's possible the ingress was similar in nature – it admitted the attacker gained access through a portal used by healthcare providers.

The CNIL said that it's working with Viamedis and Almerys to ensure those affected are informed – as is required under the EU's General Data Protection Regulation – but it'll likely take some time to get the message out to almost half the country.

In the meantime, French officials are warning that the stolen data could be combined with data from other breaches and used in phishing attacks or social engineering schemes. An investigation has been opened, the CNIL said, to determine whether either organization is at fault for the breach.

Juniper reportedly leaks customer info

Networking biz Juniper reportedly leaked information about the devices its customers owned, according to a Krebs on Security report.

The source of the leak was Juniper's support portal, which a 17-year-old intern apparently found would allow searches on the name of any customer – and then produce a list of the devices they had acquired and registered with Juniper.

Juniper has fixed the flaw, which appears to stem from improper configuration of the Salesforce SaaS it uses to power its support site.

– Simon Sharwood

Critical vulnerabilities of the week

Cisco is warning of some serious cross-site request forgery vulnerabilities in its Expressway Series devices that could give an attacker the ability to execute arbitrary actions on compromised devices.

There are three CVEs to be concerned with: CVE-2024-20252, CVE-2024-20254 and CVE-2024-20255, all of which affect the API for the collaboration hardware. "These vulnerabilities are due to insufficient CSRF protections for the web-based management interface of an affected system," Cisco explained. Patches are available, so get 'em installed on both Expressway-C and Expressway-E devices.
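To make the "insufficient CSRF protections" wording concrete, here is an added example (not Cisco's code, and not taken from the advisory) that models a cookie-authenticated management endpoint twice: once relying on the session cookie alone, and once with the two standard defences, an Origin/Referer check and a per-session synchronizer token. The server secret, the `MANAGEMENT_ORIGIN` value, the session id and both requests are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-ins: a server-side secret and the origin of the management
# interface. Both are placeholders for this example, not values from any product.
SERVER_SECRET = secrets.token_bytes(32)
MANAGEMENT_ORIGIN = "https://expressway.example.internal"


@dataclass
class Request:
    """Minimal model of an HTTP request as a web management interface sees it."""
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    session_id: Optional[str] = None  # set when the browser sent a valid session cookie


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token: bound to the session, so a third-party page cannot
    guess it; the real UI embeds it in each form and the browser echoes it back."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_changing(req: Request) -> bool:
    return req.method.upper() not in ("GET", "HEAD", "OPTIONS")


def handle_vulnerable(req: Request) -> Tuple[int, str]:
    """Trusts the session cookie alone. Browsers attach that cookie to requests a
    hostile page triggers too, so the action runs for any logged-in victim."""
    if req.session_id is None:
        return 401, "not authenticated"
    return 200, f"executed {req.form.get('action')}"


def handle_hardened(req: Request) -> Tuple[int, str]:
    """Same endpoint with two independent CSRF defences on state-changing methods."""
    if req.session_id is None:
        return 401, "not authenticated"
    if is_state_changing(req):
        # Defence 1: the request must originate from the management interface itself.
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not origin.startswith(MANAGEMENT_ORIGIN):
            return 403, "cross-origin request rejected"
        # Defence 2: the form must carry the per-session token (constant-time compare).
        submitted = req.form.get("csrf_token", "")
        if not hmac.compare_digest(submitted, csrf_token_for(req.session_id)):
            return 403, "missing or invalid CSRF token"
    return 200, f"executed {req.form.get('action')}"


def run_demo() -> Dict[str, Tuple[int, str]]:
    """Send two constructed requests to both handlers and return the outcomes."""
    session = "sess-0001"  # constructed session id for a logged-in administrator
    # What the administrator's own browser submits from the real UI.
    legitimate = Request(
        method="POST",
        headers={"Origin": MANAGEMENT_ORIGIN},
        form={"action": "add-admin-user", "csrf_token": csrf_token_for(session)},
        session_id=session,
    )
    # What a form on an unrelated site auto-submits: the browser still attaches
    # the session cookie, but the Origin differs and no token is present.
    cross_site = Request(
        method="POST",
        headers={"Origin": "https://third-party.example"},
        form={"action": "add-admin-user"},
        session_id=session,
    )
    return {
        "vulnerable/legitimate": handle_vulnerable(legitimate),
        "vulnerable/cross_site": handle_vulnerable(cross_site),
        "hardened/legitimate": handle_hardened(legitimate),
        "hardened/cross_site": handle_hardened(cross_site),
    }


if __name__ == "__main__":
    for name, (status, message) in run_demo().items():
        print(f"{name:24} -> {status} {message}")
```

The two checks are deliberately independent: the Origin check fails open only if a browser omits both headers, and the token check does not depend on headers at all, so a product that ships with either one alone is the situation the advisory's wording describes. On a patched device, a detection-minded admin can still watch for 403s on management endpoints carrying a foreign Origin, since those are the cross-site attempts the fix now blocks.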

Elsewhere:

  • CVSS 9.8 – Multiple CVEs: ProPump and Controls Osprey Pump Controller software prior to version 20230518 is affected by a whole slew of vulnerabilities that could give an attacker administrative control.

In known exploited vulnerability news:

  • CVSS 10.0 – CVE-2023-22527: Arctic Wolf security researchers say exploitation of previously reported Atlassian Confluence Server vulnerabilities is continuing, with operators of C3RB3R ransomware now trying to make use of the template injection flaw.
  • CVSS 8.8 – CVE-2023-4762: A known type confusion bug in Chromium's V8 JavaScript engine (in Chrome versions prior to 116.0.5845.179) that was previously exploited to install Predator spyware is still being exploited.

No more tricks: Canada wants to ban the Flipper Zero

Canadian citizens who want to get their hands on the "multi-tool device for geeks" known as the Flipper Zero ought to move fast – the government wants to ban them for fear they're being used to help criminals steal cars.

The government plans to pursue "all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero," Canadian public safety officials declared after a summit this week on combating car theft.

The Flipper is a cool piece of hardware that's capable of doing a lot of stuff – but anyone familiar with the minuscule device is probably already shaking their head at the idea that the device, with its sub-GHz antenna, can help crooks steal cars.

Yes, some models are vulnerable to having wireless key fob codes sniffed. But most modern cars can't be cracked by the Flipper thanks to the use of rolling codes – supposing they're properly implemented, that is.
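The rolling-code point is easier to see with a small model than in prose, so here is an added example (not from the original article, and not any manufacturer's protocol) contrasting a fixed-code receiver, where a recorded frame stays valid forever, with a rolling-code receiver that requires a strictly increasing counter inside a look-ahead window plus a keyed code over that counter. The shared key, the HMAC-based code function, the window size of 16 and the frame layout are all assumptions made for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed key shared by one fob and its car; a placeholder for the example,
# not a real vehicle key and not the code derivation any real system uses.
PAIRED_KEY = b"example-fob-key-not-a-real-one"

Frame = Tuple[int, bytes]  # (press counter, authentication code)


def rolling_code(key: bytes, counter: int) -> bytes:
    """Code for one press: a keyed function of the counter, so previously
    observed codes reveal nothing about the next one."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Fob:
    """Transmitter side: every press advances the counter and sends (counter, code)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self) -> Frame:
        self.counter += 1
        return self.counter, rolling_code(self.key, self.counter)


class FixedCodeReceiver:
    """The weak design some older models use: one static code, checked and nothing else."""

    def __init__(self, code: bytes) -> None:
        self.code = code

    def accept(self, frame: Frame) -> bool:
        return hmac.compare_digest(frame[1], self.code)


class RollingCodeReceiver:
    """Rolling-code design: the counter must move forward, stay within a small
    look-ahead window (presses made out of the car's range), and carry the code
    the shared key produces for that counter."""

    def __init__(self, key: bytes, window: int = 16) -> None:
        self.key = key
        self.window = window
        self.last_counter = 0

    def accept(self, frame: Frame) -> bool:
        counter, code = frame
        if counter <= self.last_counter:
            return False  # an already-used (recorded) or stale frame
        if counter > self.last_counter + self.window:
            return False  # too far ahead; outside the resync window
        if not hmac.compare_digest(code, rolling_code(self.key, counter)):
            return False  # plausible counter but the code does not verify
        self.last_counter = counter  # advance only after full verification
        return True


def run_demo() -> Dict[str, bool]:
    """Exercise both receivers with constructed frames and return each verdict."""
    fob = Fob(PAIRED_KEY)
    fixed = FixedCodeReceiver(rolling_code(PAIRED_KEY, 1))  # static code, never rotates
    rolling = RollingCodeReceiver(PAIRED_KEY, window=16)

    first = fob.press()
    results = {
        "fixed_first": fixed.accept(first),
        "fixed_repeat": fixed.accept(first),      # the same frame opens the car again
        "rolling_first": rolling.accept(first),
        "rolling_repeat": rolling.accept(first),  # the same frame is refused
    }
    # Five presses the car never heard (out of range) still resync via the window.
    for _ in range(5):
        out_of_range = fob.press()
    results["rolling_after_gap"] = rolling.accept(out_of_range)
    # A frame with the next expected counter but a wrong code is refused.
    forged = (rolling.last_counter + 1, b"\x00\x00\x00\x00")
    results["rolling_bad_code"] = rolling.accept(forged)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:18} -> {'accepted' if verdict else 'rejected'}")
```

The "properly implemented" caveat in the text maps onto the `accept` method: drop the `counter <= self.last_counter` check, or advance `last_counter` before the code verifies, and a recorded frame becomes reusable again, which is exactly the weakness the fixed-code receiver has by design.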

Besides, why hack a car when you can steal a Kia with some brute force and an old USB cable?

Florida man sentenced for dark web ID theft scheme … while already in prison

No, he didn't get caught with a mini Linux box running Tor from under his mattress. Damien Dennis's long run as a con artist is just still catching up with him.

Currently serving 12 years in prison for bank fraud and aggravated identity theft in Florida, Dennis pled guilty this week to additional aggravated ID theft charges out of Georgia that appear related to his previous conviction.

Dennis was sentenced in Florida in 2022 for using fake IDs populated with real information to open bank accounts and take out fraudulent loans, in one case making off with $20k in cash using another person's identity.

Dennis didn't just steal and use stolen PII, though – he also crafted it into profiles to sell to other criminals, and offered guidance on how to use the dodgy dossiers to perpetrate bank fraud.

The DoJ has added two years to Dennis's sentence for the trouble and fined him $250,000 as well. ®