A recent report by Osterman Research, commissioned by Silverfort, has shed light on the vulnerability of organizations to identity attacks. The report emphasizes that organizations are failing to adequately protect themselves from identity threats, leaving security gaps that can be exploited by cybercriminals. The researchers define identity attacks as those that use compromised credentials to gain unauthorized access to resources, such as account takeover, lateral movement, and internal ransomware spread.
According to the report, more than 80% of organizations surveyed admitted to experiencing an identity-related breach that exploited compromised credentials. Shockingly, nearly 50% of these breaches occurred within the past year alone. Despite these alarming statistics, over 65% of organizations surveyed do not have strong enough multifactor authentication (MFA) protection in place. Additionally, only one in eight organizations has more than 70% of its resources and access methods protected with MFA.
The lack of visibility over service accounts also poses a significant threat, with the report revealing that only 5.7% of organizations have full visibility of these accounts. This limited visibility makes it easier for threat actors to use service accounts to gain unauthorized access in real time. Furthermore, the study highlighted the difficulties that organizations face in implementing privileged account management (PAM) solutions, with nearly three-quarters of organizations struggling to fully implement these controls due to a lack of resources.
The report concludes that the presence of MFA and PAM technologies alone cannot guarantee the full protection of an organization’s identity attack surface. The findings undermine the assumption that these technologies are enough to safeguard against identity threats. It is clear that organizations need to strengthen their authentication protocols and invest in robust privileged account management solutions to fortify their defenses against identity attacks.
In another alarming discovery, researchers at Sonar have uncovered a critical vulnerability in Proton Mail, an encrypted email solution used by nearly 70 million people. The vulnerability allowed hackers to download users’ emails and impersonate them. The issue stemmed from a Cross-Site Scripting bug caused by a piece of open-source code. This bug allowed threat actors to bypass encryption and exfiltrate users’ decrypted email messages.
To exploit the vulnerability, attackers sent two emails to victims, with some victims not even having to click on malicious links for the hack to be triggered. Simply viewing the emails was enough to activate the hack. Sonar discovered the issue and reported it to Proton Mail on June 3, 2023. The platform swiftly deployed a fix by July 6, 2023. Notably, Sonar also found vulnerabilities in email platforms Skiff and Tutanota, which will be discussed in forthcoming blog posts.
In yet another privacy breach, Mozilla’s *Privacy Not Included project has revealed that new internet-connected car models from major manufacturers, including BMW, Ford, and Tesla, fail to meet even the most basic privacy standards. The project analyzed twenty-five brands and found that all of them collected extensive amounts of driver data, including driving habits, destinations, race, facial expressions, sexual activity, and even immigration status. This revelation highlights the erosion of privacy in modern cars, with all models becoming “privacy nightmares on wheels” that collect vast amounts of personal information.
The worst privacy violator identified by Mozilla was Nissan, which collects various data, including health diagnoses and genetic information. Nissan’s privacy policy also reserves the right to share and sell personal data to third parties. Kia, another standout, reserves the right to monitor the driver’s “sex life,” while Mercedes-Benz comes with the privacy-plagued app TikTok pre-installed on its infotainment system. Despite claims by the Alliance for Automotive Innovation that signatory carmakers adhere to Consumer Privacy Protection Principles, these promises are considered vague and non-binding.
In a disclosure by Johnson & Johnson Health Care Systems, Inc. (“Janssen”), it was revealed that a vulnerability was discovered that could have allowed unauthorized access to an application and third-party database supporting Janssen CarePath. IBM manages both the app and database on behalf of Janssen. An investigation by IBM found that an unauthorized party accessed personal information stored in the database on August 2, 2023. The extent of the compromised data remains uncertain but may include names, contact information, date of birth, health insurance information, and details about medications and associated conditions.
Industry experts have weighed in on this incident, emphasizing the importance of monitoring the security posture of third-party vendors. They highlight the need for ongoing vendor cyber readiness audits and strict data retention policies. The breach highlights the trust placed in vendors and the potential consequences if their security measures falter.
Experts also urge individuals whose data may have been compromised to be wary of emails, phone calls, and text messages referencing past medical procedures or conditions. They stress the importance of not letting one’s guard down and of implementing measures to protect against potential social engineering attacks. This breach serves as a reminder to organizations to have a plan in place to deal with vendor issues proactively.
In conclusion, the reports underscore the pressing need for organizations to prioritize identity threat defenses, tighten their security measures, and monitor the security practices of third-party vendors. The breaches of Proton Mail and the privacy issues in internet-connected cars highlight the growing vulnerabilities in our digital lives. It is crucial for individuals and organizations to maintain vigilance, implement robust security measures, and stay informed about the evolving threat landscape to protect against identity attacks and privacy violations.