“What was most alarming to us was that two of the four cases in the advisory were perpetrated by prominent cybersecurity vendors. These are vendors that enterprises rely on to safeguard their data,” said Jeff Costlow, ExtraHop CISO.
The ExtraHop report describes four such cases recorded in 2018-2019, in none of which the customer was told that its data was being transferred: an endpoint security solution, management equipment for hospital software, surveillance cameras, and security analysis software used by an unnamed financial institution.
Even worse, after examining the hospital and financial institution cases, analysts concluded that the data transfers carry potential legal risk, since confidential information was disclosed to third parties.
Overall, the researchers recorded:
Researchers note that collecting and transmitting data is not illegal in itself, provided it is done properly and the client is informed. Unfortunately, in the cases discovered, everything was done wrong.
For example, surveillance cameras transmitted data to an IP address in China that had previously been associated with the spread of malware, and the analytics software appears to have violated the Gramm-Leach-Bliley Act by transferring personal data to foreign citizens. In another case, the experts found that a solution whose trial period had ended continued to collect information for at least another two months.
“It is likely that security solution providers are communicating with their home servers for legitimate purposes, given their architecture or design, or it is generally the result of a misconfiguration. However, it is a very disturbing fact that large amounts of data are transferred from the customer’s environment to the supplier without the knowledge or consent of the customer,” summarizes Jeff Costlow.
ExtraHop’s security advisory recommends that companies take the following actions to mitigate these kinds of phoning-home risks:
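As an added illustration, not taken from the ExtraHop report or its advisory, the check below reviews constructed egress flow records and flags the three patterns the article describes: a product sending data to a destination it is not documented to use, transfers that continue after a trial has ended, and unusually large outbound volume. The product names, address ranges, dates and threshold are assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed egress flow records (not real data), as a flow collector might
# summarize them: (timestamp, product, source host, destination IP, bytes out).
FLOWS = [
    ("2019-03-01T02:10:00", "endpoint-agent",  "10.0.5.21", "203.0.113.10",  1_800_000),
    ("2019-03-01T02:15:00", "ip-camera",       "10.0.9.3",  "198.51.100.77", 42_000_000),
    ("2019-05-20T03:00:00", "analytics-trial", "10.0.7.8",  "203.0.113.55",  900_000_000),
    ("2019-03-01T09:00:00", "endpoint-agent",  "10.0.5.22", "203.0.113.10",  12_000),
]

# Hypothetical policy: the vendor destinations each product is documented to
# contact, when any trial licence ended, and a per-flow volume threshold.
APPROVED = {
    "endpoint-agent":  [ip_network("203.0.113.0/24")],
    "ip-camera":       [],                              # no documented cloud service
    "analytics-trial": [ip_network("203.0.113.0/24")],
}
TRIAL_END = {"analytics-trial": datetime(2019, 3, 31)}
VOLUME_THRESHOLD = 10_000_000  # bytes per flow; tune to the environment


def review_egress(flows, approved, trial_end, threshold):
    """Return (product, src, dst, reasons) for every flow that needs a closer look."""
    findings = []
    for ts, product, src, dst, nbytes in flows:
        when = datetime.fromisoformat(ts)
        dst_ip = ip_address(dst)
        reasons = []
        # 1. Destination the vendor never documented for this product.
        if not any(dst_ip in net for net in approved.get(product, [])):
            reasons.append("undocumented destination")
        # 2. Product keeps talking home after its trial period ended.
        if product in trial_end and when > trial_end[product]:
            reasons.append("after trial end")
        # 3. Volume far beyond what telemetry or licence checks should need.
        if nbytes >= threshold:
            reasons.append("high volume")
        if reasons:
            findings.append((product, src, dst, reasons))
    return findings


if __name__ == "__main__":
    for product, src, dst, reasons in review_egress(FLOWS, APPROVED, TRIAL_END, VOLUME_THRESHOLD):
        print(f"{product} {src} -> {dst}: {', '.join(reasons)}")
```

Flagged flows are leads for a conversation with the vendor, not proof of misconduct; the article itself notes that some home-server traffic is legitimate or a misconfiguration.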