Infosec in brief The US Federal Trade Commission has secured its first data broker settlement agreement, prohibiting X-Mode Social from sharing or selling sensitive location data.
In its complaint, the FTC accused X-Mode, which sold its assets to successor firm Outlogic in 2021, of selling raw non-anonymized location data collected through its own apps and an SDK for embedding in third-party applications.
The X-Mode SDK has been found in hundreds of apps downloaded billions of times on both Apple and Android devices.
According to the FTC complaint [PDF], X-Mode/Outlogic has for years collected and sold data associated with mobile advertising IDs, which can easily be matched to an individual mobile device to figure out what locations an individual has visited.
If that sounds familiar, it's because these are the same allegations the FTC leveled against data broker Kochava when it filed a complaint against that company in 2022.
According to the FTC's complaints against Kochava and Outlogic, data collected and sold by the companies could easily be used to link individuals to places of worship, homeless and domestic violence shelters, addiction facilities, reproductive health clinics, and other sensitive locations.
The threat of data misuse by governments and individuals since the overturning of Roe vs Wade has made the collection of this data type an even more pressing issue to address.
Per the settlement [PDF], Outlogic will be required to delete all data it has previously collected, and the company must honor opt-out requests.
The FTC said the company had not previously asked users for consent to have their location data collected.
Outlogic will be required to maintain a list of sensitive locations for which it won't gather data, and must implement procedures to ensure buyers of its location data can't associate what they've purchased with sensitive locations.
CVSS 9.8 - Multiple CVEs: Siemens SIMATIC CN 4100 devices running software prior to v2.7 contain a series of vulnerabilities that could allow an attacker to log in as root or cause a denial of service.
CVSS 9.6 - Multiple CVEs: Rapid Software's Rapid SCADA, v5.8.4 and prior, contains a bunch of vulnerabilities that could give an attacker RCE capabilities, privilege escalation, and the like.
CVSS 8.3 - CVE-2023-44250: Fortinet's FortiOS and FortiProxy HA cluster improperly manages privileges, allowing an authenticated attacker to elevate their privileges.
CVSS 9.8 - CVE-2023-29300: Some versions of Adobe ColdFusion are affected by a deserialization of untrusted data vulnerability that could result in arbitrary code execution.
The nasty code was capable of snooping on all sorts of sensitive data, as well as taking recordings from device microphones and cameras.
Kaspersky said in an update to its breakdown of the TriangleDB malware that it looks like the miscreants behind it were abusing Apple's own error correction code to gain access to a device's memory.
Russian officials previously accused Apple of working with US officials to develop spyware targeting devices in the country.
Breached healthcare firm says it can't figure out what data hackers took.
Texas-based healthcare services provider HMG is the latest medical organization to be hit by a data breach, but one with a twist: The company said it has no idea what data was actually stolen.
Attackers reportedly gained access to a server containing unencrypted files including medical records and other information such as patient names, dates of birth, SSNs, and additional sensitive personal and healthcare data.
This Cyber News was published on go.theregister.com. Publication date: Mon, 15 Jan 2024 16:13:04 +0000