Infosec In Brief
Google will soon end its “Dark Web Report”, an email service that alerts users when their personal information appears on the internet’s dark underbelly.
The Chocolate Factory started sending the report in 2023, but last week said it will end the service. Google has no issue with the service’s efficacy – it did a good job of flagging the exposure of user IDs, passwords, and other sensitive info in breach dumps and other data exposure attacks – but feels it didn’t provide the actionable advice it thinks users need.
“While the report offered general information, feedback showed that it didn’t provide helpful next steps,” the company said. “We’re making this change to instead focus on tools that give you more clear, actionable steps to protect your information online.”
What those tools may be is anyone’s guess, as Google only pointed users to existing tools for securing their Google accounts, like performing a security checkup, enabling a passkey, and using Google’s own password manager, among others.
“We encourage you to also use Results about you,” Google said, pointing users to its tool that flags occurrences of a person’s name and other personal information in Google Search results. Signing up for Results about you requires the submission of quite a bit of personal information, we note.
Google will stop scanning the dark web for new data breaches on January 15, and will stop reporting what it finds on February 16. Those looking for an alternative can turn to the likes of Experian, Equifax, Illion, and TransUnion.
French cops make email intrusion arrest
It only took a week for French law enforcement to identify and apprehend a 22-year-old suspected of breaking into the Interior Ministry’s email server, and there might be a good reason why.
In a statement [PDF] released last Thursday, the French Prosecutor’s Office said that it had arrested the unnamed individual on charges of attacking a state-owned automated personal data processing system, which could land the suspect derrière les barreaux for up to a decade.
Officials noted last week that the attack compromised files, including criminal records, which might be the very reason for the intrusion. According to the Prosecutor’s Office, the individual they apprehended was already known to law enforcement, having been convicted of “similar offenses” earlier this year.
In other words, the suspect is a known hacker – just not a very good one.
The cloud is full of holes
Cloud security firm Wiz hosted a competition in London recently looking for zero-day vulnerabilities in cloud infrastructure, and its findings weren’t encouraging.
“In just two days, researchers uncovered critical Remote Code Execution (RCE) vulnerabilities across the foundational layers of cloud infrastructure,” Wiz said in a post-competition writeup. “They earned $320,000 in rewards and achieved an 85 percent success rate across all live hacking attempts.”
The event produced “one of the highest counts of publicly disclosed CVEs” specific to foundational open-source cloud infrastructure components, Wiz added, with vulns found in Redis, PostgreSQL, MariaDB, and Linux.
One of the Linux exploits involved a container escape vulnerability that could let an attacker break out of a compromised cloud account and gain access to the underlying infrastructure managing all user accounts, Wiz said.
AWS, Microsoft, and Google sponsored the competition, which should mean they will rapidly implement fixes.
UK hospital breaches its own data
We’ve covered plenty of data breaches at UK hospitals and NHS suppliers in the past few years thanks to ransomware attacks and other incidents, but it’s not often we get to report a self-inflicted data breach like this one.
Thousands of current and former staff at the Royal Cornwall Hospitals Trust were informed last week that their personal data tied to a sickness absence data list was inadvertently exposed by the organization during a Freedom of Information Act (FOI) response.
Per the letter, obtained by Cornwall Live, the hospital provided electronic records as part of the FOI request that contained “hidden data” including staff records for employees who worked at the facility between April 2020 and May 2023.
“We take the security of personal information extremely seriously,” the hospital reportedly said in the letter. “This incident has reinforced our commitment to learning and improving our processes to maintain the highest standards of data protection.”
Texas sues smart TV makers for spying on owners
Sony, Samsung, LG, Hisense, and TCL stand accused of spying on their customers and illegally collecting their data, per a lawsuit launched by Texas Attorney General Ken Paxton.
The suit claims that automated content recognition (ACR) technology used in smart televisions determines the content displayed on screen, collects that data, and then serves ads.
“ACR in its simplest terms is an uninvited, invisible digital invader,” the AG’s office said, adding that TV owners don’t give informed consent to the presence of the software.
“Companies … have no business illegally recording Americans’ devices inside their own homes,” Paxton said. “This conduct is invasive, deceptive, and unlawful.”
The lawsuits, filed individually against each company, seek monetary damages of $10,000 per violation of the Texas Deceptive Trade Practices Act, plus an end to use of ACR technology in the companies’ TVs. ®