Blog entry by Les Bell

by Les Bell - Tuesday, March 28, 2023, 3:16 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Latitude Breach Goes from Bad to Worse

I doubt that readers are surprised, but: the number of customer records stolen from consumer lender Latitude Financial is far larger than initially disclosed. Latitude has revealed that the data accessed by the attacker now totals:

  • 6.1 million customer records - the vast bulk provided before 2013 - including names, addresses, phone numbers and dates of birth
  • 7.9 million Australian and New Zealand drivers' licence numbers
  • 53,000 passport numbers

Retail customers of major chains including JB Hi-Fi, The Good Guys and Harvey Norman - all of whom use Latitude - could be affected, and some of the data goes back as far as 2005.

We've said it before, but it bears repeating: despite much infosec lore categorising data as information assets, this kind of personally identifiable information is not an asset - it is a liability. There is no business advantage to keeping identity verification data once verification has been accomplished - it does not contribute to business revenue or profit. On the contrary, it exposes the business to increased losses due to reputation damage, not to mention fines and judgements under privacy law.

There are also lessons here about the dangers of prematurely stating that either information has not been compromised or that a breach is small; later revelations simply reduce consumer confidence. There is also a lot to be said for better education of C-suites and boards about incident response, not to mention cyber risk management more generally.

Barrett, Jonathan, Latitude Financial cyber-attack worse than first thought with 14m customer records stolen, The Guardian, 24 March 2023. Available online at https://www.theguardian.com/australia-news/2023/mar/27/latitude-financial-cyber-data-breach-hack-14m-customer-records-stolen.

Patch and Update Exchange Servers, or Get Throttled

Microsoft's Exchange mail and calendar server has suffered from a lot of high-profile vulnerabilities and exploits recently - think of ProxyLogon and ProxyShell - but it seems that Exchange admins (or, more likely, their managers) are not getting the message. The Internet still has many Exchange servers which are lagging behind the latest, or even quite old, security patches - and there are still enterprises running old versions of the software that are well beyond end-of-life support, such as Exchange 2010 and even Exchange 2007.

One problem is the tragedy of the commons: my security depends, at least in part, on you not relaying malware email attachments and other malmail to my systems. We're all in this together.

Now Microsoft is raising the stakes for those who are running unpatched and insecure Exchange servers, with the introduction of a new enforcement system to Exchange Online - the Redmondites' cloud mail system - that will:

  • Report details to admins about any unsupported or out-of-date Exchange servers in their environment that connect to Exchange Online to send email
  • Throttle emails sent from these servers if they are not remediated, progressively increasing the throttling duration over time
  • Block email from unremediated servers after a suitable period.

The enforcement actions will ramp up over time - see the table of enforcement stages in Microsoft's post (Image: Microsoft).

Admins can request a pause on blocking for up to 90 days per year, but this will provide only temporary relief. Enforcement actions will be introduced against Exchange 2007 servers only at first, but others will follow. The fact that this will induce customers to spend up on new Exchange licences is purely coincidental.

The Exchange Team, Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online, Exchange Team Blog, 23 March 2023. Available online at https://techcommunity.microsoft.com/t5/exchange-team-blog/throttling-and-blocking-email-from-persistently-vulnerable/ba-p/3762078.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
