For the three reporters who have written articles about this, and the one who provided invaluable guidance, my gratitude is endless. This post doesn't apply to you, nor "the feds", the cybersecurity experts, or #lawyers (including and especially @eff), who were extremely helpful. The rest, however, should take note.
I've willingly laid my neck on a chopping block, unprotected, for over six months.
My outreach has been exhaustive:
• Attempted to engage with over 150 journalists and #news organizations,
• Coordinated frequently with the Cybersecurity and Infrastructure Security Agency (#CISA or "the feds"),
• Consulted with numerous cybersecurity experts,
• Sought advice from multiple lawyers,
• Spoke with ten state and state court CISOs,
• Attempted to talk to several dozen state and county court clerks and judges,
• Sent emails to every Florida State Senator, State Representative, and Supreme Court justice, and to multiple governors,
• Discussed with the staff of multiple U.S. Senators and U.S. Representatives,
• Contacted twelve vendors and over 40 employees
I've offered to write articles -- for free.
I've had no fewer than eight background checks done on me.
I've been cyberstalked by the Arizona Supreme Court.
I've put my job and my family's livelihood at risk in more ways than one.
I've made a grand total of $0; in fact, I've invested several hundred.
When I'm able to sleep, it's with one eye open, always waiting for "that" knock on the door.
After my first #disclosure, I prepared for a week to deal with what I expected to be a #media circus. What I received was one preemptive email from a state court #CISO (who was not affected) and one kind person (who is not a #journalist) on the #fediverse.
I've spent over 900 hours discovering, documenting, reporting, and disclosing vulnerabilities, trying to get this fixed on a mass scale, and attempting to contact the above list. I see no signs of this slowing down any time soon. All of this for what is merely a #hobby.
I've done my part. It's time for reporters to step up. The real-world harm these vulnerabilities have caused — and continue to cause — cannot be overstated. The need for widespread awareness and action is urgent.
As the dust settles on last week’s final U.S SEC Climate #Disclosure Rule, commentary around the content of the final rule is getting increasingly pointed, & battle lines are being drawn. The implications can be split up into 3 main categories https://buff.ly/3VnpT0e
Offen zugängliche Patientinnendaten trotz ISO 27001-Zertifizierung bei Praxis-Terminplaner: Fast eine Million Patientinnen von Sicherheitslücke bei #Dubidoc betroffen
Mir hat jemand, der in Sicherheitsgremien unterwegs ist, gesagt, dass an Behörden gemeldete Sicherheitslücken erstmal bis zum Disclosure offensiv verwendet werden
Das hat eine gewisse Ironie in sich. Damit ist de-facto
Here’s a great way to destroy any trust your patients might have in you. Madeleine Damo reports:
"Staff at a western Sydney radiologist – recently hit with a cyber attack – were told to tell concerned patients the breach was “an operational IT issue”, while also fielding harassing phone calls from hackers themselves."
In other words: don’t tell patients that there was a ransomware attack in which their data was encrypted and their personal and protected health information acquired by the criminals?
This is yet another example of why we need firm laws requiring more honest and full disclosures and prohibiting deception or minimization in disclosures.
Beim Landessportbund #SachsenAnhalt waren Datenbank-Zugangsdaten einsehbar, der Datenbank Server war aus dem Internet erreichbar. So konnten Daten von den mehr als 130.000 Personen aus der IVY-Vereinsverwaltung eingesehen werden. Neben Namen, Adressen und Geburtsdaten, gab es auch Passwörter im Klartext
#Zebralog, "Agentur für crossmediale Bürgerbeteiligung", hat letztes Jahr ein noch gültiges OAuth-Token verloren. Mit diesem Token konnte auf etwa 600 Repositories zugegriffen werden.
Fred Hutchinson Cancer Center failed to reveal threats of potential swatting attacks until this site revealed the threat. Should they have disclosed it themselves?
If the purpose of a substitute notice under #HIPAA is to reach people the covered entity may not have sufficient or current contact information for, then burying the notice on the very bottom of the homepage and calling it a “privacy update” as if it is an update to the privacy policy is misleading at best.
Yesterday, I reported on a data breach disclosure by HMG Healthcare. You can read more here:
Hallo, hier, ich hab Zugriff auf Daten von 1 Mio. Patient*innen, CC an Landesdatenschutzbeauftragte.
Landesdatenschutzbeauftragte: [...] Sollten Sie nach einer angemessenen Frist von ca. 4 Wochen keine Antwort erhalten, bitte ich Sie bei uns offiziell Beschwerde einzureichen. [...] #disclosure
"Specifics of these attacks are rarely shared with the public as healthcare providers say they are bound by the Health Insurance Portability and Accountability Act — known as HIPAA — not to share protected patient information."
@euroinfosec Great! I think we need to identify what we consider the minimum necessary elements or conditions to be disclosed and also what kinds of deceptive language or possibly misleading language need to be flat-out prohibited.
Maybe you can do an OpEd on your site, too, and we can start to get more people publicly speaking up on this issue.
And fwiw, I think the #GDPR and Canadian laws are also too weak in terms of mandating disclosure and transparency. I actually got sued in a Canadian court and had a court order against me for reporting on a breach and disclosing info on it.
It didn't stop me, of course, but still, the presumption should be disclosure and transparency.
(For those who don't know me IRL, my dad always told me I was a "tough cookie." 😂 )
Seriously: who decides what "best practice(s)" is/are for incident response? And how is that determination made?
A law professor reportedly informed a student news outlet it was “best practice” to limit information about a breach claimed by threat actors until there was information on the full scope of the breach and the network was secure.
“Institutions do not want to get into a drip situation where they notify people of a breach, then later learn the breach was worse than understood, and then have to give more and more notices,” he wrote.
So "best practice" is defined as what is most convenient or in the entity's best interests instead of in the best interests of those whose data were stolen? I can understand the wanting to secure the network part, but it is not acceptable in the World According to Dissent to delay disclosure of a breach until you know the full scope if data are already being leaked on the internet or appear to be at plausible risk of imminent misuse.
Calling delays like this "best practices" seems to confer some legitimacy on delays that I don't think are all legitimate reasons.
Had a very interesting vuln disclosure experience today. I found a pre-auth RCE in F5-BIGIP admin panels (yes...the same one that's had RCE issues for years - there's more) with my coworker Thomas Hendrickson.
We went to report to F5 at the beginning of the month and had some back and forth with them over the disclosure timeline. We're not in a rush, we figured it would take a month or two to disclose, but they wanted to publish it in February 2024. That's a long time to wait for a pre-auth RCE bug, so we asked for it to be sooner, but with 48 hours notice so we could coordinate with our customers appropriately. They said they were fine with that.
Then last night at 8PM ET, we get an email that they're dropping the advisory + hotfix in 16 hours. We asked why and were told "we believe this vulnerability is now known outside of F5 and Praetorian thus forcing our hands at an immediate disclosure". The advisory was published a few hours ago - https://my.f5.com/manage/s/article/K000137353. No patch, but there's a hotfix you can run on some versions of F5s. A few versions have been marked as "will not fix", so this is a permanent way to pop them.
Simultaneously, a blog post that we referenced heavily for AJP Request Smuggling disappeared off the internet (the author locked every post they'd made since 2016). The posts were live 10 days or so ago.
Once the patch has had a little bit of time to be applied, we'll drop the rest of the technical information about the bug.
If anyone here is aware of this being exploited in the wild, I'd love to hear about it. Tagging a few folks who are a bit more in the know (apologies if this is spammy, but I'm curious).
On the IoC side it's a bit tricky because the bug relies on abusing a bug in Apache, so I have no idea what it actually looks like in the logs. The raw request will have "Transfer-Encoding: <a valid value>, chunked" as one of the headers. For example "Transfer-Encoding: gzip, chunked" or "Transfer-Encoding: chunked, chunked".
I know it's no #citrixbleed, but this is a pretty bad bug if you're one of the thousands of orgs that still has an F5 config panel on the internet.
"Team 12 Investigates uncovered that Mattituck-Cutchogue was one of six Long Island school districts to suffer from ransomware attacks in 2022. Three of those incidents were never publicly reported.
Through a records request, we found that cybercriminals hacked into surveillance systems at Merrick, North Merrick and New Hyde Park school districts in April of last year.
The ransomware compromised video servers, disabled lockdown systems and impacted badge access. Some of the systems were down for more than a week before district officials discovered the breach.
The districts reported that no public notification was required because no personal data was taken."
C'mon #KENS5 News in Texas: Don't call this a "recent" breach just because Baptist Health calls it "recent." It was more than a year ago! Don't help them downplay this.
Not just Clarence Thomas: Lower courts facing scrutiny over ethics, disclosures, too
...
"...only about 17% of the court system's disclosures for 2022 have been posted online, even though most of those reports were due months ago. About 21 of 155 active appeals court judges who were on the bench last year had their 2022 annual financial reports posted to the judiciary's online database..."
by Joshua Kaplan, Justin Elliott & Alex Mierjeski @ProPublica
#Thomas has attended at least two #Koch donor summits, putting him in the extraordinary position of having helped a #political network that has brought multiple #cases before the #SupremeCourt.
That puts #Thomas in the extraordinary position of having served as a #fundraising draw for a network that has brought cases before the #SupremeCourt, including one of the most closely watched of the upcoming term.
Thomas never reported the 2018 flight to PalmSprings on his annual #financial#disclosure form, an apparent #violation of #federal#law…. A #Koch network spox said the network did not pay for the #PrivateJet. Since Thomas didn’t disclose it, it’s not clear who did pay.
For the event that year, the #Koch network rented out the (entire) Renaissance Esmeralda Resort & Spa. On the main stage, #donors heard from Hall of Fame NFL cornerback Deion Sanders, who was working w/the Kochs on anti-poverty programs in Dallas. Another speaker delivered a report card on the group’s #political wins large & small: “repealed voter-approved #donor#disclosure initiative”; “retraction of #mining & #environmental overreach”; “stopped Albuquerque #PaidSickLeave mandate.”