Daily Archives: June 1, 2020

Critical VMware Cloud Director Flaw Lets Hackers Take Over Corporate Servers

Cybersecurity researchers today disclosed details for a new vulnerability in VMware's Cloud Director platform that could potentially allow an attacker to gain access to sensitive information and control private clouds within an entire infrastructure. Tracked as CVE-2020-3956, the code injection flaw stems from improper input handling that could be abused by an authenticated attacker to

Lean into zero trust to ensure security in times of agility

Bad actors are rapidly mounting phishing campaigns, setting up malicious websites and sending malicious attachments to take full advantage of the pandemic and users’ need for information, their fears and other emotions. More often than not, the goal is the compromise of login credentials. Many organizations grant more trust to users on the intranet versus users on the internet. Employees working from home – while unknowingly browsing potentially malicious websites and clicking on doctored COVID-19 …

The post Lean into zero trust to ensure security in times of agility appeared first on Help Net Security.

How to successfully operationalize your micro-segmentation solution

Introducing a new security model into your existing infrastructure can be challenging. The task becomes even more daunting when starting with a new host-based or micro-segmentation solution. If you’ve decided on a host-based approach to segmentation, I’d like to share, based on personal experience, some advice and best practices on using this type of solution in your organization. Discovery The business case that drove your organization to adopt a host-based segmentation solution will serve as …

The post How to successfully operationalize your micro-segmentation solution appeared first on Help Net Security.

Got Backups?

Eventually, we all have an accident or get hacked. And when we do, backups are often the only way to recover. Backups are cheap and easy; make sure you are backing up all of your personal information at home (such as family photos) on a regular basis.

Not all IT budgets are being cut, some are increasing

At a high level, and contrary to conventional wisdom, not all IT budgets are being cut. Even with the economic challenges that COVID-19 has posed for businesses, almost 38 percent of enterprises are keeping their IT budgets unchanged (flat) or actually increasing them. Yellowbrick Data received responses from more than 1,000 enterprise IT managers and executives, uncovering their infrastructure priorities during this era of economic uncertainty and disruption. “The survey brought to light some trends …

The post Not all IT budgets are being cut, some are increasing appeared first on Help Net Security.

Security remains a major concern for enterprise IoT integration

Most companies see strong business drivers to adopt IoT as part of a broader digital transformation process. Improved efficiency and productivity, improved product/service quality, and improved customer retention and experience ranked highest as objectives. Implementation concerns, particularly around security, remain, Syniverse reveals. The study was conducted across 200 enterprise executives in North America and Europe in several key vertical industries already using or in the process of deploying IoT, including financial services, retail, manufacturing, healthcare …

The post Security remains a major concern for enterprise IoT integration appeared first on Help Net Security.

How businesses are adapting IT strategies to meet the demands of today

Businesses are adapting IT strategies, reprioritizing cloud adoption and automated database monitoring due to the effects of a global lockdown, remote working and a focus on business continuity, according to Redgate. The report, which surveyed nearly 1,000 respondents in April 2020, reveals that while performance monitoring and backups remain the most common responsibilities for database professionals, managing security and user permissions have leapt to third and fourth place, respectively. However, there seems to be …

The post How businesses are adapting IT strategies to meet the demands of today appeared first on Help Net Security.

Save almost 50% on CISSP training: Offer ends June 15

With the globally recognized (ISC)² CISSP certification, you prove your cybersecurity expertise to the world. Save nearly 50% on CISSP Online Instructor-Led Training when bundled with your exam. Now through June 15, 2020, you can purchase both for just $1,995. Promotional pricing is $1,296 for the course (normally $2,495!) plus $699 for the certification exam. Use the coupon code EXAMBUNDLECISSP at checkout. The training & exam bundle includes: Online Instructor-Led Training course completed over 8 …

The post Save almost 50% on CISSP training: Offer ends June 15 appeared first on Help Net Security.

Cybersecurity Must be an Integral Part of any Pandemic Response Plan from Now On

Sometimes the best way to inform ourselves about how cybersecurity is dealing with a new threat, technology, or situation is to just ask. COVID-19, and the resulting lockdowns, quarantines and economic changes certainly counts as a ‘situation’ for cybersecurity. While it would be nice if cybersecurity could temporarily take a backseat while people and organizations […]

The post Cybersecurity Must be an Integral Part of any Pandemic Response Plan from Now On appeared first on The State of Security.

Zyxel launches USG FLEX series of mid-range firewalls for small- and medium-sized businesses

As remote working becomes the new normal, businesses face the challenge of keeping their business secure while meeting the needs of a more flexible workforce. Zyxel Networks announced USG FLEX, a new series of mid-range firewalls designed for small- and medium-sized businesses (SMBs) to keep up with the workplace mobility, connectivity and security requirements post-pandemic. Zyxel’s new USG FLEX 100, USG FLEX 200 and USG FLEX 500 firewalls feature upgraded hardware and software power that …

The post Zyxel launches USG FLEX series of mid-range firewalls for small- and medium-sized businesses appeared first on Help Net Security.

Aruba’s AI-powered infrastructure optimizes customers’ reimagined work environments

Aruba, a Hewlett Packard Enterprise company, unveiled a suite of innovative workplace solutions and a new vision for three return to work scenarios – returning to the office and venues, working from home, and ultimately, the office reimagined. With Aruba’s AI-powered, cloud-native networking solutions as their foundation, each scenario provides pragmatic steps organizations can take today to expedite business recovery and implement contact tracing and touchless solutions that enhance the health and wellness of employees …

The post Aruba’s AI-powered infrastructure optimizes customers’ reimagined work environments appeared first on Help Net Security.

New BitSight capabilities enable more effective third-party cyber risk management

BitSight, the Standard in Security Ratings, announced several new, innovative capabilities within its BitSight for Third-Party Risk Management solution that provide intelligent recommendations, operational guidance, and risk prioritization to enable more effective third-party cyber risk management. The enhanced platform helps organizations achieve greater operational efficiency and measurably reduce risk across their extended business ecosystem. “Third-party ecosystems are expanding rapidly and organizations of all shapes and sizes struggle to create effective risk management programs,” said Dave …

The post New BitSight capabilities enable more effective third-party cyber risk management appeared first on Help Net Security.

YouAttest’s cloud-based tool automates reporting and auditing services for Okta’s Identity Cloud

YouAttest, an innovator in the Identity Governance & Administration (IGA) market, announced the general availability of YouAttest’s Identity Compliance Solution (ICS), the first cloud-based tool which automates reporting and auditing services for Okta‘s Identity Cloud. YouAttest has joined the Okta Integration Network (OIN) and its ICS products have completed certification with the Okta SSO and security methodology. This solution automates and accelerates verification of security roles and permissions, used by organizations for a wide range …

The post YouAttest’s cloud-based tool automates reporting and auditing services for Okta’s Identity Cloud appeared first on Help Net Security.

nCipher provides control of customer-managed keys and critical assets in Azure

nCipher Security, an Entrust Datacard company, announces its support for a new key import method (BYOK) for Azure Key Vault, allowing customers to generate and transfer encryption keys to Azure Key Vault using an on-premises or as-a-service nShield HSM, giving them complete control over both their keys and their data security. While cloud service providers follow best practices to protect data, subscribers are still ultimately responsible for the security of their data in the …

The post nCipher provides control of customer-managed keys and critical assets in Azure appeared first on Help Net Security.

Arc integrates with Akamai, Catchpoint and MuleSoft to enhance its capabilities for enterprise customers

Arc Publishing, the premier content management platform from The Washington Post, announces it has expanded its integration with industry-leading software from Akamai, Catchpoint and MuleSoft, greatly enhancing its capabilities for enterprise customers worldwide to ensure they have access to the best-in-class tools on the market. These additions build on Arc’s advanced integration of Amazon Web Services (AWS) and position the business for continued growth among enterprise brands and media companies. “Operational continuity, ease of use, …

The post Arc integrates with Akamai, Catchpoint and MuleSoft to enhance its capabilities for enterprise customers appeared first on Help Net Security.

oneM2M welcomes new members to accelerate IoT market development through interoperability

International standards initiative oneM2M announced it has welcomed a range of new members as organizations around the world seek to accelerate the development of the Internet of Things (IoT) market through greater interoperability. A cybersecurity specialist, research institutes, service providers and the Universidad Politécnica de Madrid’s faculty of computer science are among the latest companies to join the organization. The newest additions to oneM2M’s vast membership come from America, Asia, Europe and Russia, demonstrating the …

The post oneM2M welcomes new members to accelerate IoT market development through interoperability appeared first on Help Net Security.

CirrusHQ secures £400,000 growth investment, appoints Alastair Mills as Chairman

CirrusHQ announced it has secured a £400,000 growth capital investment plus the appointment of Alastair Mills as the company’s new Chairman. CirrusHQ will use the funds to build its presence in the UK, most notably in the education sector where it is the first and only UK Consulting Partner to hold the AWS Education Competency and the Well Architected Framework certification. The company also specialises in public sector and enterprise deployments. CirrusHQ focuses exclusively on …

The post CirrusHQ secures £400,000 growth investment, appoints Alastair Mills as Chairman appeared first on Help Net Security.

Cygilant appoints Kevin Gannon as new Vice President of Engineering

Cygilant, provider of Cybersecurity-as-a-Service to mid-sized organizations, announced that Kevin Gannon has joined the Cygilant team as the company’s new Vice President of Engineering. Based in the company’s newly opened Belfast office and reporting directly to Cygilant’s CEO, Kevin is responsible for leading the company’s engineering efforts. In this role, Kevin will build out a strong and diverse software engineering center of excellence, drive forward the company’s R&D agenda, and ultimately ensure a high quality …

The post Cygilant appoints Kevin Gannon as new Vice President of Engineering appeared first on Help Net Security.

Safeguarding Connectivity: The Security Implications of Telecoms

Telecommunications, the exchange of information by electronic means, helps keep the world connected. You can thank modern telecom companies (think AT&T, Verizon, etc.) for that, as they’ve helped form economies and entire business infrastructures. From email and messaging to phone calls and video calls, telecoms have become an intrinsic part of our lives, allowing users to interact no matter where they are, which is important now more than ever.

Because their networks are so extensive, telecoms are a big target for hackers hoping to gain access to their business and wide customer base. Therefore, it’s important that both businesses and consumers become aware of the potential threats to telecoms. Let’s take a look.

The Challenges Faced by Telecoms

While advancements in technology help improve many facets of our everyday lives, they have also created security challenges for telecoms. Take the internet of things, for example. From virtual assistants to smartphones, IoT devices help us complete tasks more efficiently and live our lives to the fullest while on the go. But as users become more reliant on IoT devices, these gadgets become an equally enticing target for hackers to exploit. Whether it’s gathering personal data from smart devices connected to users’ home networks or accessing corporate data from a remote employee’s laptop, security around IoT is a huge focus for telecoms companies.

AI has also created a huge shift in how businesses operate, and the telecoms industry is no exception. While many telecoms are using AI to improve their security defenses, criminals are also using AI as a means to breach corporate networks – essentially fighting fire with fire.

The Security Risks Impacting Telecoms

Businesses, consumers, government agencies, and even whole countries rely on telecoms companies, so a security attack on one could have serious ramifications. Telecoms companies are finding themselves under fire for two specific types of attacks – one that aims to gain access to their organization, network operations, and data, and another that indirectly targets the company’s subscribers. But what exactly do the repercussions of these attacks entail?

While the former could lead to a loss of valuable company information and damage to reputation, the latter could lead to a variety of damages. Say a hacker was somehow able to bypass a telecoms company’s security system through an advanced attack and gain access to its customer database – they could then indirectly exploit customers’ mobile devices. Since many users autosave private information like online account credentials and credit card information for mobile shopping, a hacker could then use this information to conduct credit card fraud or identity theft.

In addition, some malware strains have been tailored to attack telecoms. According to ZDNet, Trickbot malware has been updated with a module that uses brute force attacks against a handful of specific targets – one of them being telecoms. The malware pre-selects targets based on IP addresses, indicating that the attackers are going after them specifically. Once Trickbot gains access, the criminals behind the attack can move around the network to steal credentials, sensitive information, and more.

How Telecom Security Can Be Improved

As the gatekeepers for vast amounts of information traveling through their networks, telecoms must prioritize the security of their infrastructures by staying up to date on the rapidly evolving security landscape. However, the responsibility for security falls on both the service provider and the consumer. So, what can you do to protect yourself from telecom-related threats? Start by following these tips:

Use a virtual private network (VPN)

Use a VPN, which allows you to send and receive data across a public network as if it were a private network. A VPN encrypts – or scrambles – your information so others can’t read it, helping to safeguard your data.

Monitor your online accounts

Use ID monitoring tools to be aware of changes or actions that you did not make. These may have been caused by malware and could indicate that your phone or account has been compromised.

Update your software

Developers are always actively working to identify and address security issues. Frequently update your device’s operating systems and apps so that they have the latest fixes and security protections.

Defend your devices with security software

Comprehensive security software across all devices continues to be a strong defensive measure to protect your data and privacy from online threats.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Safeguarding Connectivity: The Security Implications of Telecoms appeared first on McAfee Blogs.

Malwarebytes hires Dariusz Paczuski as senior vice president of marketing

Malwarebytes announced that it has hired Dariusz Paczuski as senior vice president of marketing, to help scale the company’s consumer and enterprise businesses. Paczuski joins Malwarebytes from Verizon Media where he served as vice president of consumer growth marketing, leading global brand, creative, product, and performance marketing for their $7.5B advertising, media, commerce, and subscription businesses – serving nearly 900 million people around the world. “Malwarebytes is at an exciting stage where marketing will help …

The post Malwarebytes hires Dariusz Paczuski as senior vice president of marketing appeared first on Help Net Security.

Inside Job at Clinics: Mobile Phone Used for Fraud

Worker Sentenced in Case Involving Theft of Patient Data
A former administrative employee of a medical marijuana clinic and several other clinics was recently sentenced to serve time in federal prison after pleading guilty to identity theft and wire fraud. The case illustrates the potential risks posed by employees inappropriately using personal devices.

Researcher Discloses ‘Sign in with Apple’ Zero-Day Flaw

Bug Bounty Hunter Reveals Critical Issue Affecting Third-Party Applications
An independent security researcher disclosed a zero-day vulnerability contained in the "Sign in with Apple" feature that, if exploited, could have resulted in a full account takeover. The vulnerability has been patched, and Apple says it found no account misuse tied to it.

Umbrella with SecureX built-in: Coordinated Protection

This blog was written by David Gormley, Cloud Security Product Marketing Manager at Cisco.

Cybercriminals have been refining their strategies and tactics for over twenty years and attacks have been getting more sophisticated. A successful cyberattack often involves a multi-step, coordinated effort. Research on successful breaches shows that hackers are very thorough with the information they collect and the comprehensive plans they execute to understand the environment, gain access, infect, move laterally, escalate privileges and steal data.

An attack typically includes at least some of the following steps:

  • reconnaissance activities to find attractive targets
  • scanning for weaknesses that present a good entry point
  • stealing credentials
  • gaining access and privileges within the environment
  • accessing and exfiltrating data
  • hiding past actions and ongoing presence

This whole process is sometimes called the “attack lifecycle” or “kill chain”, and a successful attack requires a coordinated effort throughout the process. The steps above involve many different elements across the IT infrastructure, including email, networks, authentication, endpoints, SaaS instances, multiple databases and applications. The attacker has the ability to plan in advance and use multiple tactics along the way to get to the next step.

Security teams have been busy over the past couple of decades as well. They have been building a robust security practice consisting of tools and processes to track activities, provide alerts and help with the investigation of incidents. This environment was built over time and new tools were added as different attack methods were developed. However, at the same time, the number of users, applications, infrastructure types, and devices has increased in quantity and diversity. Networks have become decentralized as more applications and data have moved to the cloud. In most instances, the security environment now includes over 25 separate tools spanning on-prem and cloud deployments. Under these conditions, it’s difficult to coordinate all of the activities necessary to block threats and quickly identify and stop active attacks.

As a consequence, organizations are struggling to get the visibility they need across their IT environment and to maintain their expected level of effectiveness. They are spending too much time integrating separate products and trying to share data and not enough time quickly responding to business, infrastructure, and attacker changes. The time has come for a more coordinated security approach that reduces the number of separate security tools and simplifies the process of protecting a modern IT environment.

Cisco Umbrella with SecureX can make your security processes more efficient by blocking more threats early in the attack process and simplifying the investigation and remediation steps. Umbrella handles over 200 billion internet requests per day and uses fine-tuned models to detect and block millions of threats. This “first layer” of defense is critical because it minimizes the volume of malicious activity that makes its way deeper into your environment. By doing this, Umbrella reduces the stress on your downstream security tools and your scarce security talent. Umbrella includes DNS security, a secure web gateway, a cloud-delivered firewall, and cloud access security broker (CASB) functionality. But no one solution is going to stop all threats or provide the quickly adapting environment described above. You need to aggregate data from multiple security resources to get a coordinated view of what’s going on in your environment, but you can’t sink all your operating expenses into simply establishing and maintaining the integrations themselves.

That’s where Cisco SecureX comes in. Cisco SecureX connects the breadth of Cisco’s integrated security portfolio – including Umbrella – and your other security tools for a consistent experience that unifies visibility, enables automation, and strengthens your security across network, endpoints, cloud, and applications. Let’s explore some of the capabilities of SecureX, the Cisco security platform, and discuss what they mean in the context of strengthening breach defense.

  • Visibility: Our SecureX platform provides visibility with one consolidated view of your entire security environment. The SecureX dashboard can be customized to view operational metrics alongside your threat activity feed and the latest threat intelligence. This allows you to save time that was otherwise spent switching consoles. With the Secure threat response feature, you can accelerate threat investigation and take corrective action in under two clicks.
  • Automation: You can increase the efficiency and precision of your existing security workflows via automation to advance your security maturity and stay ahead of an ever-changing threat landscape. SecureX pre-built, customizable playbooks enable you to automate workflows for phishing and threat hunting use cases. SecureX automation allows you to build your own workflows, including collaboration and approval workflow elements, to more effectively operate as a team. It enables your teams to share context between SecOps, ITOps, and NetOps to harmonize security policies and drive stronger outcomes.
  • Integration: With SecureX, you can advance your security maturity by connecting your existing security infrastructure via out-of-the-box interoperability with third-party solutions. In addition to the solution-level integrations we’ve already made available, new, broad, platform-level integrations have also been and continue to be developed. In short, you’re getting more functionality out of the box so that you can multiply your use cases and realize stronger outcomes.

Pre-built playbooks focus on common security use cases, and you can easily build your own using an intuitive, drag-and-drop interface. One example of the coordination between Umbrella and SecureX is in the area of phishing protection and investigation. Umbrella provides protection against a wide range of phishing attacks by blocking connections to known bad domains and URLs. SecureX extends this protection with a phishing investigation workflow that allows your users to forward suspicious email messages from their inbox. In addition, a dedicated inspection mailbox starts an automated investigation and enrichment process. This includes data from multiple solutions including Umbrella, email security, endpoint protection, threat response and malware analysis tools. Suspicious email messages are scraped for various artifacts and inspected in the Threat Grid sandbox. If malicious artifacts are identified, a coordinated response action, including approvals, is carried out automatically, in alignment with your regular operations process.

The SecureX platform is included with Cisco security solutions to advance the value of your investment. It connects Cisco’s integrated security portfolio, your other security tools and existing security infrastructure with out-of-the-box interoperability for a consistent experience that unifies visibility, enables automation, and strengthens your security across network, endpoints, cloud, and applications.

Sign up to the SecureX waitlist so you can be first to receive sign-on instructions when it becomes generally available later in June at Cisco.com/go/SecureX.

The post Umbrella with SecureX built-in: Coordinated Protection appeared first on Cisco Blogs.

Cyber Security Roundup for June 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, May 2020.

EasyJet's disclosure of a "highly sophisticated cyber-attack", which occurred in January 2020 and impacted 9 million of their customers, was the biggest cybersecurity story of May 2020 in the UK. No details about this 'cyber-attack' were disclosed, other than that 2,208 customers had their credit card details accessed.


Using terms like "highly sophisticated" without providing any actual details of the cyberattack makes one think back to when TalkTalk CEO Dido Harding described a cyber-attack as a "significant and sustained cyber-attack" in 2015. In TalkTalk's case, that cyber attack turned out to be a bunch of teenage kids taking advantage of a then 10-year-old SQL injection vulnerability. City A.M. described Dido's responses as "naive", noting that when asked if the affected customer data was encrypted or not, she replied: "The awful truth is that I don’t know". Today Dido is responsible for the UK government's Track, Test and Trace application, which no doubt will ring privacy alarm bells with some.

Back to the EasyJet breach: all we know is that the ICO and the NCSC are supporting the UK budget airline. EasyJet said: "We take issues of security extremely seriously and continue to invest to further enhance our security environment. There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing. We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays."

It will be interesting to see the DPA enforcement line the Information Commissioner's Office (ICO) adopts with EasyJet, especially considering the current COVID-19 impact on the UK aviation industry. Some security commentators have called the ICO a "Toothless Tiger" in regard to its supportive response, an ICO label I've not heard since long before the GDPR came into force. But the GDPR still has a sting in its tail beyond ICO enforcement action in the UK, in that individuals impacted by personal data breaches can undertake a class-action lawsuit. So then, it can be no real surprise that law firm PGMBM announced it has issued a class-action claim in the High Court of London, with a potential liability of an eye-watering £18 billion. If successful, each customer impacted by the breach could receive a payout of £2,000.

The 2020 Verizon Data Breach Investigations Report (DBIR) was released, the most valuable annual report in the cybersecurity industry in my humble opinion. The 2020 DBIR used data compiled before the COVID-19 pandemic. The report analyses 32,002 security incidents and 3,950 confirmed breaches from 81 global contributors from 81 countries.
  • 86% of data breaches were for financial gain, up from 71% in 2019
  • 43% involved web applications (cloud-based); these attacks have doubled, reflecting the growth in the use of cloud-based services
  • 67% of data breaches resulted from credential theft, human error or social attacks
  • Clearly identified cyber-breach pathways enable a “Defender Advantage” in the fight against cyber-crime
  • Ongoing patching is succeeding: fewer than 1 in 20 breaches exploit vulnerabilities
The vast majority of breaches continue to be caused by external actors:
  • 70% were external, with organised crime accounting for 55% of these
  • Credential theft and social attacks such as phishing and business email compromise cause the majority of breaches (over 67%), specifically:
    • 37% of credential theft breaches used stolen or weak credentials
    • 25% involved phishing
    • Human error accounted for 22%
The 2020 DBIR highlighted a two-fold increase in web application breaches, to 43%, and stolen credentials were used in over 80% of these cases. Ransomware had a slight increase, found in 27% of malware incidents compared to 24% in the 2019 DBIR, with 18% of organisations reporting that they blocked at least one piece of ransomware last year.

REvil (aka Sodinokibi) hackers are said to have stolen celebrity data from the law firm Grubman Shire Meiselas & Sacks. Some 756 gigabytes of personal data, emails, and contract details were taken, covering Lady Gaga, Madonna, Elton John, Barbra Streisand, Bruce Springsteen and Mariah Carey, to name a few.

Pitney Bowes was hit with ransomware for the second time in 7 months. Pitney Bowes said attackers breached company systems and accessed “a limited set of corporate file shares” that “contained information used by our business teams and functional groups to conduct business-related activities.” News reports state the Maze ransomware group is behind the attack, threatening to post confidential data if Pitney Bowes does not pay up.

Amazon's UK website was defaced with racist abuse, which appeared on multiple product listings. Amazon has not disclosed how long the racist language remained on the site, but it sparked outrage on Twitter. Amazon said: "We investigated, removed the images in question and took action against the bad actor".

LogMeOnce, a password identity management suite provider, has published a detailed interview with myself titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Passwords Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.


    Bell prepares for year-end spectrum auction by selling 25 data centres to Equinix

    Bell Canada Enterprises (BCE) sold 25 data centres held in 13 data centre sites for CA$1.04 billion to U.S. data centre company Equinix. The transaction ranks Bell Business Markets as the first Equinix Platinum Partner in Canada, and it also means that Bell enterprise customers will gain access to Equinix’s global integrated network and cloud…

    Major Upgrade for Channel Island’s Telecom Network

    Guernsey is to benefit from a major performance upgrade and security enhancement to its telecom network.

    British technology and network services company Telent Technology Services Ltd. (telent) has been awarded a contract by Sure to upgrade the service provider’s core network.

    Under the contract, Telent will replace Sure’s existing 10G core network with a 100G Juniper Networks core network. The upgrade is being undertaken to allow Sure to deliver faster, more reliable internet connectivity to its consumer and business customers across the island as increasing bandwidth usage and data consumption create what Telent described as "unprecedented demand."

    “Growing data consumption means demand for higher network capacity and speed is growing and service providers must ensure they are delivering on that,” said Shani Latif, sales director at Telent. 

    “This upgrade for Sure will incorporate the latest technologies to ensure a future-proof network, while our experience and knowledge of the service provider market will minimize customer disruption and ensure work is completed efficiently.”

    Once complete, the move to 100G will produce benefits to folks beyond the island's sandy beaches and picturesque bays. As a core network, it will also deliver increased capacity to London and Paris, connecting the Channel Islands to the rest of the world.

    The upgrade will provide extra capacity for growth, future-proofing the network as growing and new technologies, including Fiber-to-the-Home (FTTH) and 5G, are rolled out commercially. 

    Mindful of the need for cybersecurity, Telent will implement a joint Juniper-Corero Distributed Denial of Service (DDoS) solution to provide real-time, automated DDoS protection.

    Sure Group CEO Ian Kelly said that ensuring people can stay connected is more important than ever as the COVID-19 health crisis limps on. 

    “The current situation is a clear reminder that telecoms are a key and growing component of our economy and daily lives,” said Kelly. 

    “This network upgrade is a significant long-term investment to ensure we can continue to meet customer expectations now and in the future. We are pleased to be working with Telent which has a long history and strong reputation in the design, upgrade, build and maintenance of critical networks.”

    Work on the project has already started and is expected to be completed by early 2021.

    Minneapolis City and Police Websites Attacked

    Police and city websites in Minneapolis have come under cyber-attack as both lawful protests and illegal rioting continue across America. 

    The nationwide social upheaval was triggered by the death of Houston native George Floyd in the city a week ago. Floyd died after 44-year-old police officer Derek Chauvin arrested him and kneeled on his neck for nearly nine minutes despite the handcuffed man's pleas that he could not breathe.

    Floyd, who had recently lost his job due to the COVID-19 pandemic, was arrested after allegedly using forged money to pay a bill at a grocery store. 

    Following Floyd's tragic death, filmed by bystanders who sadly let the chance to intervene slip through their fingers, Chauvin was fired from his job. The former cop was arrested and charged with third-degree murder and second-degree manslaughter on May 29.

    Chauvin's arrest has not put an end to the peaceful protests inspired by the police officer's failure to uphold a sworn promise to protect and serve the public. Nor has it doused the outbreaks of looting and vandalism that have seen American businesses, churches, and educational establishments raided, torched, and destroyed.  

    Some of the city of Minneapolis' public websites and systems were hit by a cyber-attack on Thursday morning. A city spokesperson told The Hill that a denial of service (DoS) attack had resulted in the temporary shutdown of some websites and systems. 

    Within hours of the incident, 95% of affected systems and sites were back up and running. It is not known whether the attack was specifically linked to the protests over Floyd's death or simply timed to exploit a city in turmoil. 

    “Although these types of attacks are not completely unavoidable, they are fairly common, and the City of Minneapolis has proactive measures in place to respond to and mitigate disruptions when they do occur,” the spokesperson said. 

    “The City of Minneapolis IT continues to monitor its cyber platforms to ensure further disruption doesn't happen again.”

    A DoS attack was also levied at the state level. In a news briefing delivered yesterday, Minnesota governor Tim Walz said Minnesota's computers were assaulted on Saturday night.

    "Before our operation kicked off last night, a very sophisticated denial of service attack on all state computers was executed," said Walz.

    The Advanced Protection Program comes to Google Nest

    The Advanced Protection Program is our strongest level of Google Account security for people at high risk of targeted online attacks, such as journalists, activists, business leaders, and people working on elections. Anyone can sign up to automatically receive extra safeguards against phishing, malware, and fraudulent access to their data.

    Since we launched, one of our goals has been to bring Advanced Protection’s features to other Google products. Over the years, we’ve incorporated many of them into GSuite, Google Cloud Platform, Chrome, and most recently, Android. We want as many users as possible to benefit from the additional levels of security that the Program provides.

    Today we’re announcing one of the top requests we’ve received: to bring the Advanced Protection Program to Nest.  Now people can seamlessly use their Google Accounts with both Advanced Protection and Google Nest devices -- previously, a user could use their Google Account on only one of these at a time.

    Feeling safe at home has never been more important and Nest has announced a variety of new security features this year, including using reCAPTCHA Enterprise, to significantly lower the likelihood of automated attacks. Today’s improvement adds yet another layer of protection for people with Nest devices.

    For more information about using Advanced Protection with Google Nest devices, check out this article in our help center.

    Payment App Data Breach Exposes Millions of Indians’ Data

    A major data breach at mobile payment app Bharat Interface for Money (BHIM) has exposed the personal and financial data of millions of Indians.

    The breach occurred after BHIM failed to securely store vast swathes of data collected from users and businesses during a sign-up campaign.

    On April 23, researchers at vpnMentor made the alarming discovery that all the data related to the campaign was publicly accessible after being stored in a misconfigured Amazon Web Services S3 bucket.

    "The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals," wrote researchers.  

    Data exposed in the breach included scans of Aadhaar cards (India’s national ID cards), caste certificates, professional and educational certificates, photos used as proof of residence, Permanent Account Number (PAN) cards associated with Indian income tax services, and screenshots captured within financial and banking apps as proof of fund transfers—all documents needed to open a BHIM account.

    Private personal user data contained within these documents included names, dates of birth, age, gender, home address, Caste status, religion, biometric details, fingerprint scans, ID photos, and ID numbers for government programs and social security services.

    Over 7 million records dating from February 2019 were exposed, some of which belonged to people aged under 18 years old.

    After investigating the breach, vpnMentor's team found 409 GB of data stored insecurely by BHIM, which operates via the website www.cscbhim.in. Researchers traced the bucket back to BHIM as it was labeled “csc-bhim.”

    Researchers informed BHIM of their discovery but did not receive a response, so they contacted India’s Computer Emergency Response Team (CERT-In). 

    "Many weeks later, we contacted CERT-In a second time," wrote researchers. "Shortly thereafter, the breach was closed."

    The Indian mobile payment app was launched in 2016 to facilitate instant e-payments and money transfers between bank accounts via a user's smartphone. By 2020, the popular app had been downloaded 136 million times, according to non-profit business consortium, the National Payments Corporation of India (NPCI).

    Big GDPR Fines in UK and Ireland: What’s the Holdup?

    Both Countries Have Each Issued Only a Single, Finalized Fine Under EU's Privacy Law
    The EU's General Data Protection Regulation was meant to finally bring in line organizations that didn't treat Europeans' personal data with respect. But two years after the regulation went into full effect, why have both the U.K. and Ireland each issued only one final GDPR fine to date?

    Defending our DoD Customers at Home

    Working from home

    When the COVID-19 pandemic began, I heard that many of our Defense customers would be working from home and immediately thought, “We have to help them do this securely.” Very quickly, however, another issue arose: How were some of them going to do it at all, as they were not set up to enable such an unparalleled transition to remote work environments?

    While DoD had virtual private networks (VPNs) in place, some services needed 10 times the number of available seats on those VPNs. We immediately went to work assisting them in managing these massive needs while maintaining security at the same time. Since then, we’ve continued to support our customers in whatever ways they’ve needed, so they can accomplish their mission with a secure, remote workforce.

    One way we’ve helped customers maintain their security is through an existing contract with DISA for DoD. Under the terms of this contract, McAfee enterprise software is installed on every managed endpoint across the DoD, and DoD employees have access to McAfee Total Protection software for their home use personal devices. Active DoD employees have access to a one-year subscription to McAfee Internet Security for PCs and Macs, preventing malicious attacks and keeping users safe while surfing and downloading files online.

    Not surprisingly, the Home Use Program has been very popular with subscribers in the past couple of months. Given the COVID-19 pandemic, we quickly decided to go beyond our contract requirements and extend the Home Use Program to DoD contractors as well. The Department relies on a talented group of private contractors who sit alongside public sector employees and often perform the same jobs. It made sense to offer them the same at-home protections at no charge, and so we did so.

    At McAfee we’ve been offering advice and assistance since day one of the pandemic. We’ve published several pieces containing advice for working remotely and staying safe, such as: “Working From Home? 5 Tips to Stay Secure,” “Staying Safe While Working Remotely,” and “Scams Facing Consumers in the New Digital WFH Landscape.”

    We’re constantly looking for new ways to help our customers adjust to the changes we’ve all had to make over the last few months – changes that will likely influence how we work and serve those who depend on us long into the future. We’re determined to do whatever we can to assist in these transitions and to ensure that security is a central part of them.

    For more information on the McAfee/DISA home use program, please see the DISA Antivirus for Home Use website: https://www.disa.mil/Cybersecurity/Network-Defense/Antivirus/Home-Use.

    The post Defending our DoD Customers at Home appeared first on McAfee Blogs.

    VMware addresses Fusion flaw introduced in the attempt to fix CVE-2020-3950 issue

    VMware has released an update to address a privilege escalation flaw in the macOS version of VMware Fusion that was introduced by a previous patch.

    In March, VMware patched a high-severity privilege escalation vulnerability (CVE-2020-3950) in Fusion, Remote Console (VMRC) and Horizon Client for Mac.

    CVE-2020-3950 is a privilege escalation vulnerability caused by the improper use of setuid binaries; it could be exploited by attackers to escalate privileges to root.

    The flaw was reported by Jeffball of GRIMM and Rich Mirch. VMware assigned it a CVSSv3 base score of 7.3 and rated it as Important severity. The issue impacts the Fusion (11.x before 11.5.2), Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) macOS apps.

    Mirch and Jeffball immediately noted that the patch issued by VMware was incomplete; VMware confirmed this a few days later and released a new patch at the end of March. Unfortunately, the new fix introduced a new security issue.

    The vulnerability introduced by the second patch, tracked as CVE-2020-3957, is a time-of-check time-of-use (TOCTOU) issue that could allow attackers with low permissions to execute arbitrary code with root privileges.

    Last week, the company released version 11.5.5 of Fusion, but the fixes for VMRC and Horizon Client for Mac are still pending.

    Pierluigi Paganini

    (SecurityAffairs – Fusion, cybersecurity)

    The post VMware addresses Fusion flaw introduced in the attempt to fix CVE-2020-3950 issue appeared first on Security Affairs.

    Webcast: Linux Command-Line Dojo II — Return Of The Sensei

    Last month’s Linux webcast with Hal was a rousing success! He actually broke the record for the most live attendees on a Black Hills webcast. So, of course, we asked him to come back. The crowd in the Command Line Dojo was so large that some of the questions got lost in the shuffle. Sensei […]

    The post Webcast: Linux Command-Line Dojo II — Return Of The Sensei appeared first on Black Hills Information Security.

    How to Create a Culture of Kick-Ass DevSecOps Engineers

    Much like technology itself, the tools, techniques, and optimum processes for developing code evolve quickly. We humans have an insatiable need for more software, more features, more functionality… and we want it faster than ever before, more qualitative, and on top of that: Secure. With an estimated 68% of organizations experiencing zero-day attacks from undisclosed/unknown vulnerabilities

    Joomla Resources Directory (JRD) Portal Suffers Data Breach

    Joomla, one of the most popular Open-source content management systems (CMS), last week announced a new data breach impacting 2,700 users who have an account with its resources directory (JRD) website, i.e., resources.joomla.org. The breach exposed affected users' personal information, such as full names, business addresses, email addresses, phone numbers, and encrypted passwords. The

    Passenger Railroad Service Says Data Breach Might Have Affected PII

    A passenger railroad service announced that a data breach might have affected some passengers’ personally identifiable information (PII). In a “Notice of Data Breach” letter sent to the Attorney General’s Office of Vermont, Amtrak revealed that it had discovered the data breach on April 16, 2020. Amtrak looked into the matter and discovered that an […]

    The post Passenger Railroad Service Says Data Breach Might Have Affected PII appeared first on The State of Security.

    Password Changing After a Breach

    This study shows that most people don't change their passwords after a breach, and if they do they change it to a weaker password.

    Abstract: To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords and any similar passwords on other accounts. Ideally, affected companies should strongly encourage this behavior and have mechanisms in place to mitigate harm. In order to make recommendations to companies about how to help their users perform these and other security-enhancing actions after breaches, we must first have some understanding of the current effectiveness of companies' post-breach practices. To study the effectiveness of password-related breach notifications and practices enforced after a breach, we examine -- based on real-world password data from 249 participants -- whether and how constructively participants changed their passwords after a breach announcement.

    Of the 249 participants, 63 had accounts on breached domains; only 33% of the 63 changed their passwords and only 13% (of 63) did so within three months of the announcement. New passwords were on average 1.3× stronger than old passwords (when comparing log10-transformed strength), though most were weaker or of equal strength. Concerningly, new passwords were overall more similar to participants' other passwords, and participants rarely changed passwords on other sites even when these were the same or similar to their password on the breached domain. Our results highlight the need for more rigorous password-changing requirements following a breach and more effective breach notifications that deliver comprehensive advice.

    News article.

    EDITED TO ADD (6/2): Another news article. Slashdot thread.

    Aussie Football Site Leaks 70 Million Records

    An Australian football fan site has been found leaking 70 million records, including users’ personal details and racist private messages, via an unprotected Elasticsearch instance.

    The 132GB leak was discovered by SafetyDetectives researchers led by Anurag Sen and is linked to BigFooty.com, a website and mobile app dedicated to Aussie Rules Football, which has around 100,000 members.

    Although the information found in the leak wasn’t always personally identifiable as users are mainly anonymous, some of the private messages seen by the researchers contained email addresses, mobile phone numbers and usernames and passwords for the site and live streams.

    If discovered by cyber-criminals probing for misconfigured databases, the latter may have been useful for credential stuffing attacks on other sites.

    Some user messages featured in the leak contained personal threats and racist content, which could be used by hackers to blackmail the individuals, SafetyDetectives argued.

    “Private messages are fully exposed in the leak and can be traced back to specific users. This includes some high-profile users such as Australian police officers and government employees,” it said.

    “Private information belonging to such individuals, including chat transcripts and email addresses, were found on the database which thereby creates a significant vulnerability in terms of potential blackmail and other reputational damage that could be caused.”

    Technical data relating to the site including IP addresses, access logs, server and OS information and GPS data were also leaked, potentially allowing hackers to compromise other parts of the IT infrastructure, the firm added.

    Although BigFooty didn’t respond to outreach from Sen and his team, the leak was closed shortly after they contacted the government agency, the Australian Cyber Security Centre.

    Over the past few months, SafetyDetectives has discovered similar accidental leaks at two popular money-saving websites and, perhaps most alarmingly, an adult live streaming site.

    Facebook to verify identities on accounts that churn out viral posts

    Hopefully it's a COVID-19 version of what it did post-2016 elections, when it required verification of those buying political or issue ads.

    The team behind the Joomla CMS discloses a data breach

    Maintainers at the Joomla open-source content management system (CMS) announced a security breach that took place last week.

    Last week a member of the Joomla Resources Directory (JRD) team left an unencrypted full backup of the JRD site (resources.joomla.org) on an unsecured Amazon Web Services S3 bucket operated by the company.

    The company did not reveal whether third parties had found and accessed the S3 bucket.

    “JRD full site backups (unencrypted) were stored in a third-party company Amazon Web Services S3 bucket. The third-party company is owned by a former Team Leader, still Member of the JRD team at the time of the breach.” reads the data breach notification. “Known to the current Team Leader at the time of the breach. (https://volunteers.joomla.org/teams/resource-directory-team) Each backup copy included a full copy of the website, including all the data.”

    The backup contained details for approximately 2,700 users who registered and created profiles on the JRD website.

    The Joomla Resources Directory portal allows professionals and developers to advertise their services.

    The Joomla team said it is still investigating the incident. It is currently unclear whether anyone found and downloaded the data from the third-party company’s S3 server.

    The Joomla team also carried out a full security audit of the portal.

    “The audit also highlighted the presence of Super User accounts owned by individuals outside Open Source Matters,” continues the notification.

    Data contained in the backup includes:

    • Full name
    • Business address
    • Business email address
    • Business phone number
    • Company URL
    • Nature of business
    • Encrypted password (hashed)
    • IP address
    • Newsletter subscription preferences

    The data breach notification states that most of the data was already public, because the JRD is a public directory, but private data (unpublished and unapproved listings, tickets) was also exposed in the breach.

    The Joomla team is urging JRD users to change their password on the JRD portal and on other sites where they share the login credentials.

    “Even if we don’t have any evidence about data access, we highly recommend people who have an account on the Joomla Resources Directory and use the same password (or combination of email address and password) on other services to immediately change their password for security reasons.” concludes the notification.

    Pierluigi Paganini

    (SecurityAffairs – data breach, hacking)

    The post The team behind the Joomla CMS discloses a data breach appeared first on Security Affairs.

    New propagation module makes Trickbot more stealthy

    Trickbot infections of Domain Controller (DC) servers have become more difficult to detect due to a new propagation module that makes the malware run from memory, Palo Alto Networks researchers have found. That also means that the malware infection can’t survive a shutdown or reboot of the system, but the stealth vs persistence tradeoff is likely to work in the attackers’ favor since servers are rarely shut down or rebooted. Trickbot’s evolution Trickbot started as … More

    The post New propagation module makes Trickbot more stealthy appeared first on Help Net Security.

    Trump Plans to Ban Chinese Students with Military Ties

    The Trump administration is reportedly accelerating plans to ban Chinese students with military ties from attending university in the US, as Beijing prepares its own national security law for Hong Kong.

    American officials with knowledge of the discussions at the top of government told the New York Times that the long-mooted plan would involve cancelling student visas for Chinese students who took their undergraduate courses at military-affiliated institutions back home.

    The fear is that many of these individuals may be actively selected by the Chinese government, and required to collect information from the research projects they end up working on. There’s a double threat from those same graduates then landing jobs at high-profile US tech companies and continuing their espionage activities.

    It’s unclear how widespread the practice actually is, and students engaged in wrongdoing would certainly try to hide their affiliation.

    Back in January, the Department of Justice (DoJ) indicted a People’s Liberation Army lieutenant who lied about her background and secured a position studying at Boston University’s (BU) Department of Physics, Chemistry and Biomedical Engineering from October 2017 to April 2019. There, she allegedly stole info for military research projects and profiled US scientists for her bosses.

    Estimates suggest only around 3000 individuals would be affected by the mooted plans out of a potential 360,000 Chinese students in the US, although if they are formally announced it would come at a significant juncture.

    Washington is currently mulling how to respond to Beijing’s newly announced plans to force a national security law on Hong Kong, which would allow China’s fearsome secret police to be stationed in the supposedly semi-autonomous region.

    Rebecca Bernhard, partner at international law firm Dorsey & Whitney, explained that the US plans only affect those on F and J visas, although more may be caught up in trying to prove themselves innocent.

    “Due to the scrutiny to determine which students will be suspended from entry, all students and scholars will face a lot of questions and the burden will likely be on the students and scholars to document that their research program is not subject to the bar – it appears the presumption is that the bar applies and the student or scholar will need to document that it does not,” she argued. 

    “Unfortunately, this suggests to me that there will be even more delays at US consulates when they finally re-open for all Chinese graduate students and scholars in engineering."

    Analysing the (Alleged) Minneapolis Police Department “Hack”

    The situation in Minneapolis at the moment (and many other places in the US) following George Floyd's death is, I think it's fair to say, extremely volatile. I wouldn't even know where to begin commentary on that, but what I do have a voice on is data breaches which prompted me to tweet this out earlier today:

    I was CC'd into a bunch of threads that were redistributing the alleged email addresses and passwords, most of them referring to a data breach (or "leak") of some kind allegedly perpetrated by "Anonymous". I've now seen several versions of the same set of email addresses and passwords albeit with different attribution up the top of the file. This is one of the more popular ones that links a hack of the MPD website to leaked credentials:

    I've got a lot of "allegedly" and air quotes throughout this post because a lot of it is hard to substantiate, but certainly there's a lot of this sort of thing spreading online at the moment:

    Just to be clear: there's not necessarily a direct link between whoever put the video above together and the data now doing the rounds, and attribution is tricky once you get a bunch of different people under different accounts and pseudonyms all flying the "Anonymous" banner. What I'm interested in is whether the data I referred to earlier is actually from the MPD or, as I speculated, from elsewhere:

    So let's dig into it. There are 798 email addresses in the data set but only 689 unique ones. 87 of the email addresses appear multiple times, usually twice, but one of them 7 times over. I'll come back to the passwords associated with that account in a moment; what I will say for now is that it's extremely unusual to see the same email address with multiple different passwords in a legitimate data breach as most systems simply won't let an address register more than once.

    Of the 689 unique email addresses, 654 of them are already in Have I Been Pwned. That's a hit rate of 95% which is massively higher than any all-new legitimate breach. If you have a browse through the HIBP Twitter account, you'll see the percentage of previously breached accounts next to each tweet and it's typically in the 60% to 80% range for services based in the US (lower rates for areas of the world that are underrepresented in HIBP, for example Indonesia and Japan).

    Next up is the distribution of addresses across breaches and I'll share a couple of snippets from one of the tools I use to help attribute data such as this:

    HIBP presently has a ratio of just over 2 breaches per email address in the system. However, what we're seeing here is a very high prevalence of each address appearing not just in 2 breaches, but in an average of 5.5 breaches. In other words, these accounts are breached way more than usual. When we look at which incidents they've been breached in, they're very heavily weighted towards data aggregators, with a couple of notable exceptions:

    The People Data Labs breach is in the top spot and it's presently the 4th largest breach in HIBP. Verifications.io is the second largest and Anti Public the 6th largest. The conclusion I draw from this is that a huge amount of the data is coming from aggregated lists known to be in broad circulation. LinkedIn is a bit of an outlier here because whilst the data is in very broad circulation, it's not an aggregation of multiple sets but rather a single, discrete breach. Which brings me to the next tweet in my thread:

    Two of the passwords in the data clearly tie it back to the LinkedIn breach, one literally being the word "LinkedIn" and the other an all lowercase version of that. It's difficult to imagine someone creating an MPD account with that password. Then again, people do stupid things with passwords (yes, even police officers) so it's possible. What's less likely is that a current day official police department system would allow an all lowercase 8-character password. Not convinced? The following passwords are also present:

    1. le (yes, with just 2 characters)
    2. 1603 (which looks like a PIN)
    3. password
    4. 123456

    As with the LinkedIn passwords, it's possible these are from an official police system, but the likelihood is extremely low. So where could they be from? Let's run them all against Pwned Passwords and see.

    There are 795 rows with passwords in the data. That's 3 less than the total number of email addresses as the first 3 lines are addresses only which is also a bit odd. Then again, those first 3 addresses are all @minneapolis.mn.us whereas all the other addresses are @ci.minneapolis.mn.us which feels more like a human error by whoever collated the list rather than the natural output of a dumped database. Of the passwords, 767 of them are distinct (that's a case sensitive distinct) with the dupes being passwords such as:

    1. goldie (4 occurrences)
    2. minneapolis (3 occurrences)
    3. 123456 (2 occurrences)

    Frankly, the individual occurrences of those in the data set are quite low, it's the prevalence of the passwords in existing data breaches that's more interesting. Only 86 of the 795 total rows didn't return a hit so in other words, 89% of them have been seen before. Not only seen before, but massively seen before - here's their prevalence in Pwned Passwords:

    1. 123456 (23,547,453 occurrences)
    2. qwerty (3,912,816 occurrences)
    3. password (3,730,471 occurrences)
    4. abc123 (2,855,057 occurrences)
    5. password1 (2,413,945 occurrences)
    6. sunshine (412,385 occurrences)
    7. shadow (343,769 occurrences)
    8. linkedin (291,385 occurrences)
    9. andrew (265,776 occurrences)
    10. joshua (262,771 occurrences)
    11. loveme (233,835 occurrences)
    12. freedom (221,713 occurrences)
    13. friends (218,341 occurrences)
    14. summer (214,360 occurrences)
    15. samantha (211,498 occurrences)
    16. maggie (211,290 occurrences)
    17. batman (206,795 occurrences)
    18. harley (197,503 occurrences)
    19. jasmine (192,023 occurrences)
    20. martin (188,772 occurrences)
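    The tallies above (rows with a password, case-sensitive distinct count, repeated passwords, and the share already seen in Pwned Passwords) are easy to reproduce for any dump. The Python below is an added example, not Troy Hunt's own tooling: it parses an email:password list, queries Pwned Passwords through the k-anonymity range API (only the first 5 hex characters of the SHA-1 are sent; the API answers with every matching suffix and its count, and the full hash never leaves the machine), and reports the same statistics. The sample rows are constructed for illustration and are not from the alleged MPD list, and the offline stand-in for the API is seeded only with the two prevalence figures quoted above so the script runs without network access; pass fetch_range_http instead to hit the real service.

```python
"""Check a leaked email:password list against Pwned Passwords (k-anonymity API).

Added example, not the tooling used in the write-up. SAMPLE_DUMP is constructed.
"""
import hashlib
import urllib.request
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"   # real endpoint: GET <prefix> -> "SUFFIX:COUNT" lines

# Constructed sample dump: two email-only rows, then email:password rows.
SAMPLE_DUMP = """\
alice@example.org
bob@example.org
carol@example.org:password
dave@example.org:123456
erin@example.org:123456
frank@example.org:goldie
grace@example.org:Goldie
heidi@example.org:le
ivan@example.org:32yekcim
"""


def parse_dump(text: str) -> Tuple[List[str], List[str]]:
    """Split a dump into (emails, passwords); a row without ':' carries no password."""
    emails, passwords = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        email, sep, pw = line.partition(":")
        emails.append(email)
        if sep:
            passwords.append(pw)
    return emails, passwords


def fetch_range_http(prefix: str) -> str:
    """Fetch the range for a 5-hex-char SHA-1 prefix. Only the prefix is sent."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii")


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (35-hex-char suffixes) into {suffix: count}."""
    table = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_http,
                cache: Optional[Dict[str, Dict[str, int]]] = None) -> int:
    """Return how often `password` appears in Pwned Passwords (0 = never seen)."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    if cache is not None and prefix in cache:
        table = cache[prefix]
    else:
        table = parse_range(fetch_range(prefix))
        if cache is not None:
            cache[prefix] = table
    return table.get(suffix, 0)


def make_offline_fetcher(known: Dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for the API: answers in the same 'SUFFIX:COUNT' shape,
    but only for the passwords in `known` (the real API returns hundreds of rows per prefix)."""
    by_prefix: Dict[str, List[str]] = {}
    for pw, n in known.items():
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        by_prefix.setdefault(h[:5], []).append(f"{h[5:]}:{n}")
    return lambda prefix: "\r\n".join(by_prefix.get(prefix, []))


# Seeded with the two prevalence figures quoted in the write-up; everything else reads as unseen.
OFFLINE_FETCHER = make_offline_fetcher({"123456": 23_547_453, "password": 3_730_471})


def analyse(text: str, fetch_range: Callable[[str], str] = fetch_range_http) -> dict:
    """Reproduce the write-up's tallies for an arbitrary dump."""
    emails, passwords = parse_dump(text)
    counts = Counter(passwords)                       # case-sensitive, as in the write-up
    cache: Dict[str, Dict[str, int]] = {}
    prevalence = {pw: pwned_count(pw, fetch_range, cache) for pw in counts}
    rows_with_hit = sum(n for pw, n in counts.items() if prevalence[pw] > 0)
    return {
        "rows_with_password": len(passwords),
        "email_only_rows": len(emails) - len(passwords),
        "distinct_passwords": len(counts),
        "repeated": {pw: n for pw, n in counts.items() if n > 1},
        "rows_seen_before": rows_with_hit,
        "pct_seen_before": round(100 * rows_with_hit / len(passwords), 1) if passwords else 0.0,
        "top_by_prevalence": sorted(prevalence.items(), key=lambda kv: kv[1], reverse=True)[:20],
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_DUMP, OFFLINE_FETCHER).items():
        print(f"{key}: {value}")
```

    The per-prefix cache matters on a real run: a few hundred rows hash into far fewer than a few hundred distinct 5-character prefixes, and the API is rate-friendly but not free to hammer.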

    I want to go back to the email address I mentioned earlier on, the same one that appeared 7 times over. That address appeared once with the alias precisely represented as the password, once with it almost precisely as the password, once with "mickey23", once with "mickey23mikmonkhou", once with "32yekcim" (try reversing it...), once with "mickey2" and once with a "mickey23" prefix followed by a string that created an email address at a college. Why so many times? Because the data has almost certainly been pulled out of existing data breaches in an attempt to falsely fabricate a new one:

    These may well be legitimate MPD email addresses and the passwords may well have been used along with those email addresses on other systems, but they almost certainly didn't come from an MPD system and aren't the result of the police department being "hacked".

    And why is this happening? Because people are outraged at the situation in Minneapolis and they want this to be true:

    I want to be really clear about something at this point: events in the US at present are tragic and people should damn well be angry. But anger shouldn't mean throwing logic and reason out the window and I cannot think of a time where fact-checking has ever been more important than now, not just because of the Minneapolis situation, but because so much of what we see online simply can't be trusted. So by all means, be angry, but don't spread disinformation and right now, all signs point to just that - the alleged Minneapolis Police Department "breach" is fake.

    One last note: Please keep any commentary on this blog post focused on the data and don't let it descend into politics or emotional responses. This analysis is intended to be data-centric and cut through the FUD that so quickly spreads around highly emotive issues. Disinformation spreads very quickly online, especially so in situations like this where people get "caught up in the excitement".

    Apparently Coronavirus-tracing scammers won’t sound professional… (Yeah, right!)

    Some members of the UK public will soon start receiving text messages and emails claiming to come from the NHS Test and Trace Service, as part of the country’s fight against the Coronavirus pandemic.

    The problem is that many of them won’t know if the communication is genuine, or from a scammer.

    And the UK Government’s advice isn’t helping.

    Amtrak Guest Rewards Breach Affects Personal Info

    Amtrak has revealed that some customers may have had their personal information and log-ins stolen after it detected unauthorized access to rewards accounts by a third party.

    Also known as the National Railroad Passenger Corporation, the state-backed US transportation provider revealed the news in a regulatory filing with the Office of the Vermont Attorney General.

    “On the evening of April 16, 2020, Amtrak determined that an unknown third party gained unauthorized access to certain Amtrak Guest Rewards accounts,” it noted. “We have determined that compromised usernames and passwords were used to access certain accounts and some personal information may have been viewed. No financial data, credit card information or Social Security numbers were compromised.”

    The statement claimed that Amtrak’s IT security team terminated the unauthorized access “within a few hours,” reset passwords for affected accounts and hired outside security experts to contain the incident and put safeguards in place.

    The firm is also offering affected customers a free year’s membership for the Experian IdentityWorks fraud monitoring service, although such offerings only flag suspicious account activity after the event and won’t be able to stop the potential follow-on phishing attacks that could target users.

    It’s unclear how the attacker got hold of Amtrak Guest Reward usernames and passwords in the first place, although the credentials may have been breached in another incident and were being reused by customers across multiple sites/accounts.

    This isn’t the first time the railroad giant has been forced to alert the authorities about a suspected breach. In 2018, it revealed that service provider Orbitz had suffered a security incident exposing customers’ personal information.

    A year later, critical vulnerabilities were discovered in the Amtrak mobile application which researchers said could lead to a data breach of at least six million Amtrak Guest Rewards accounts.

    It’s unclear how many passengers were affected in the latest data breach incident.

    KingNull leaks DB of Daniel’s Hosting dark web hosting provider

    Earlier this year a hacker breached Daniel’s Hosting, the largest free web hosting provider for dark web hidden services, and has now leaked its DB.

    A threat actor has leaked the database of Daniel’s Hosting (DH), the largest free web hosting provider for dark web hidden services.

    The hacker stole the data in March, when they breached the hosting provider; almost 7,600 dark web portals were taken offline following the security breach.

    Daniel Winzen, a German software developer that operated the service, revealed that attackers accessed the backend of the hosting provider and deleted all the databases of the websites hosted by Daniel’s Hosting.

    Winzen definitively shut down the service on March 26.

    Today ZDNet reported that a hacker who goes by the moniker ‘KingNull’ uploaded a copy of Daniel’s Hosting database to a file-hosting site.

    “According to a cursory analysis of today’s data dump, the leaked data includes 3,671 email addresses, 7,205 account passwords, and 8,580 private keys for .onion (dark web) domains.” reported ZDNet.

    Threat intelligence firm Under the Breach that analyzed the leaked database told ZDNet that the archive includes sensitive information on the owners and users of thousands of darknet sites. IP addresses of administrators and users were not included in the archive.

    The database could allow law enforcement agencies to deanonymize administrators of dark web services that were involved in illegal activities.

    Unfortunately, the leak could endanger activists and dissidents who use darknets to evade censorship imposed by repressive regimes.
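    The 8,580 leaked .onion private keys are the part of this dump worth dwelling on. A v3 onion address is nothing more than the service's ed25519 public key with a two-byte checksum and a version byte, base32-encoded, so whoever holds the matching private key can bring up a service that answers at exactly that address; the key does not reveal the operator's IP address, but it lets a third party impersonate the site. The Python below is an added example, not code from Security Affairs, ZDNet or Daniel's Hosting: it derives and validates a v3 address from a public key following the Tor rend-spec-v3 construction. The 32-byte key is a constructed placeholder, not one of the leaked keys, and the older v2 (16-character, RSA-based) addresses are not handled.

```python
"""Derive and validate a Tor v3 onion address from an ed25519 public key.

Added example. SAMPLE_PUBKEY is a constructed placeholder, not a real key.
Construction (rend-spec-v3):
    onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
    CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    VERSION       = 0x03
"""
import base64
import hashlib

ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"

SAMPLE_PUBKEY = bytes(range(32))   # constructed stand-in for a 32-byte ed25519 public key


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum binding the public key to the version byte."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Encode PUBKEY || CHECKSUM || VERSION (35 bytes) as 56 lowercase base32 chars."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION   # 35 bytes = 280 bits, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Recover the public key from a v3 address, raising ValueError on any tampering."""
    label = address.lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) != 56:
        raise ValueError("not a v3 onion address")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unexpected version byte")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    """True if the address is a well-formed v3 address with a matching checksum."""
    try:
        parse_onion_address(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print(addr)
    print("public key recovered:", parse_onion_address(addr) == SAMPLE_PUBKEY)
```

    Because the address is a pure function of the public key, there is no revocation: a hidden-service operator whose key was in this dump can only abandon the address and tell users about a new one through some other trusted channel.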

    In November 2018, Daniel’s Hosting was the victim of another incident: attackers hacked the service and deleted more than 6,500 sites.

    ZDNet revealed that Winzen plans to relaunch the hosting service in several months.

    Pierluigi Paganini

    (SecurityAffairs – dark web, hacking)

    The post KingNull leaks DB of Daniel’s Hosting dark web hosting provider appeared first on Security Affairs.