Cyber Risk News
Security experts are warning of growing dark web demand for access to users’ YouTube accounts.
Etay Maor, CSO at cyber-intelligence firm IntSights, explained that in recent weeks his team has noticed an uptick in demand for stolen credentials for prominent accounts on the video site.
While account access can be used to spread malware and launch fraud scams against viewers, it is also used to blackmail the account owner.
“YouTube accounts from compromised computers or from logs of credentials can be of high value,” explained Maor.
“While smaller channels may not be as lucrative as larger ones, YouTubers rely on them as revenue streams and might be willing to pay money to attackers to get their content and access to their channels back.”
One snap poll run by an underground forum revealed that 80% of members wanted to see more YouTube credentials put up for sale. Another screenshot posted by IntSights showed a seller auctioning over 680 accounts for a starting price of $400, some of which had as many as 40,000 subscribers.
These auctions are often given a time limit of just 24 hours so that the credentials can be used before their owner has had a chance to contact YouTube support.
As mentioned, most of the log-ins are taken from either malware-infected computers or databases of Google credentials.
“In the past, attackers used sophisticated phishing campaigns in combination with reverse proxy toolkits like Modlishka to defeat Google’s two-step verification. However, none of the current sellers mention 2FA, which may mean these accounts did not opt in for this additional security step,” concluded Maor.
“While 2FA is not a silver bullet against cyber-criminals, it is highly recommended to opt in to this additional security step, have a properly patched computer, understand the risks and types of phishing attacks and use a recovery phone number or email.”
The winners of the annual European Cybersecurity Blogger Awards have been announced.
With over 1,000 names put forward, the shortlists for the 12 awards were put to the public vote, and winners were announced via a video conference. The awards were organized by Eskenzi PR and sponsored by Qualys. Yvonne Eskenzi said: “The European Cybersecurity Blogger Awards celebrate the brilliant bloggers, vloggers and podcasters that inform and educate our industry.
“In the true spirit of the event, we didn't let COVID-19 stop us this year; and thanks to the headline sponsor, Qualys, we were able to deliver a fun, virtual event complete with a cocktail making experience. Congratulations to all the very deserving winners!”
Anne Lenoir, corporate communications and events director EMEA at Qualys, said: "The security sector relies on information sharing to keep ahead of attacks, ensure that new vulnerabilities are understood properly, and that we can all help organizations keep their IT operations protected. There’s a great community of bloggers and podcasters in the security sector that help this process, sharing their expertise and insight to help people in their roles.
"Whether it’s about sharing experiences around the personal issues and skills side, or deep technical knowledge on new problems, the security community helps everyone keep improving. We are really happy to be sponsoring this year’s Cybersecurity Bloggers Awards and support that community development."
The winners were announced as follows:
Best New Cybersecurity Podcast - Weegiecast
Best New, Up-and-Coming Cybersecurity Blog - Security Queens
Best Corporate Blog - Sophos Naked Security
Best Corporate Twitter - Infosecurity Magazine @InfosecMag
Best Podcast - Darknet Diaries
Best Cybersecurity Video OR Cybersecurity Video Blog - Troy Hunt’s Weekly Update
Special Mention: IT Security Guru Rant of the Week, featuring Quentyn Taylor
Best Personal Security Blog - ZeroSec
Special Mention: Andy Gill
Most Entertaining Blog - Thom Langford – the Lost CISO
Most Educational Blog for User Awareness - Jenny Radcliffe Human Factor
Special Mention: KnowBe4
Best Technical Blog - Security Affairs
Special Mention: ObjectiveSee
Best Personal Twitter - Kevin Beaumont @GossitheDog
Legends of Cybersecurity: Best Overall Blog - Sophos Naked Security
Resilience and adaptability are key to organizations coming through the COVID-19 crisis, according to Uber CIO, Shobhana Ahluwalia, speaking at the Infosec Europe 20 Virtual Conference. She described to the audience how the company has had to display perseverance and agility on a number of occasions during the last five years in order to be successful, and must continue this mindset in regard to the current crisis, which has caused unprecedented levels of damage to the business.
In the first phase of Uber’s recent journey, the company had to respond to its rapid growth across the world, for example in terms of technological capacity; in the second, it responded to and survived frequent criticisms of the company’s culture, ensuring the business adapted and continued despite this negativity. In the third, the brand evolved to meet a changing environment in areas such as regulation throughout the world, and finally came the current COVID-19 crisis. Ahluwalia acknowledged that the last of these is the toughest challenge of all, resulting in a large decline in revenue and the enforced laying off of 20-25% of its staff.
She emphasised how the soft skills of resilience and perseverance are traits that trump all others at a time such as this: “Understanding, and coming to terms with instability, unfairness, and change being a constant in life no matter your station – that flexibility is key,” Ahluwalia noted.
In response to an audience question, Ahluwalia went on to describe the status and importance of cybersecurity personnel to Uber’s success: “In tech, security is the new noble job because you have to succeed every time at locking – you have to have a 100% success rate to protect the company and IP, as the attackers have to get through just once to succeed,” she said.
She also outlined her belief that a collaborative approach to security is one that needs to be employed across the sector: “Our teams have a lot of relationships in the industry where they work with several different organizations, which help us be secure. I believe security is one of those areas where we are stronger when we are together,” she stated.
Finally, Ahluwalia strongly advocated mentorship for those working in the cybersecurity industry as they progress in their careers. In particular, she highlighted the female CIO group that she is part of.
She commented: “We meet every quarter and we have certain rituals like talking about something personal we are struggling with and something professional we are struggling with and there is so much outpouring of support from people who are doing the same thing or who might have struggled with it in the past.”
New York City's cybersecurity bootcamp partner is offering free introductory training courses to all American citizens.
As a result of lockdown measures introduced to slow the spread of COVID-19, over 30 million Americans have been left without work.
The free training program was originally scheduled to become available in late 2020 to specifically support under-served New York City residents. However, Fullstack brought the launch forward to today and expanded the program nationwide to help people across the US recover from the economic impacts of the novel coronavirus pandemic.
"Cybersecurity is one of the fastest growing sectors in New York City," said James Patchett, president and CEO of the New York City Economic Development Corporation (NYCEDC).
"Fullstack's free training courses will introduce New Yorkers to a field that provides good-paying jobs. As the city faces a long economic recovery, programs like this, which offer an opportunity to learn in-demand skills and a path to a new or better job, are key."
Fullstack's program gives Americans the chance to participate in nearly 40 hours of entry-level cybersecurity training courses free of charge.
Those who take advantage of the opportunity can take a self-paced Hacking 101 course online, complete a Linux Command Line for Beginners course, and get to take part in a live 3-hour practical hacking workshop online.
Those who wish to continue their education can enroll in the full Fullstack Cyber Bootcamp, where they can learn the skills necessary to become an employable cybersecurity professional in 17 weeks.
"Fullstack Cyber Bootcamp has already become a national leader in cybersecurity training since opening its first campus in New York City last year," said Nimit Maru, co-founder and co-CEO of Fullstack Academy.
"Our partnership with NYCEDC enables us to support the country's economic recovery, introducing Americans to new careers, while also filling the significant skills gap in the cybersecurity industry."
WatchGuard announced the signing of a definitive agreement to purchase Panda in March 2020. Three months on, 30-year-old company Panda is now a wholly owned subsidiary of WatchGuard.
In a statement released today, the combined company said the completed deal will "enable current and future customers and partners to consolidate their fundamental security services for protection from network to endpoint under a single company."
CEO of WatchGuard Prakash Panjwani said the finalized deal would bring both immediate and long-term benefits.
“Our customers and partners need access to enterprise-grade security built for the unique needs and requirements of the midmarket. WatchGuard is focused on delivering these security services via an MSP-focused security platform that simplifies every aspect of security delivery and solidifying our position as the de facto security solution for the midmarket,” said Panjwani.
“The completed acquisition of Panda Security, and the subsequent integration of its portfolio into WatchGuard Cloud, represents a significant milestone for the company and will result in both immediate and long-term benefits for our customers and partners that will address common challenges with security complexity, rapidly changing network topologies, purchasing models, and more.”
One of the first orders of business for the new combined company will be to provide partners and customers from both companies access to the newly expanded portfolio of security solutions.
By integrating portfolios, the company hopes that partners and customers will benefit from advanced threat detection and response functionality fueled by modern AI capabilities, behavior-profiling techniques, and cutting-edge security event correlation, as well as additional operational benefits such as a centralized management across network and endpoint security.
WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. The company describes itself as a leading global provider of network security and intelligence, secure Wi-Fi, and multi-factor authentication.
Prior to its acquisition by WatchGuard, Panda was owned by Investing Profit Wisely (IPW), an investment company focused exclusively on software publishing companies and based in Spain. Panda is headquartered in Madrid and Bilbao.
A Virginia software company specializing in cloud-based solutions has agreed to be acquired by private equity firm Thoma Bravo.
Exostar was developed as a joint venture between some of the world’s leading businesses, including BAE Systems, Boeing, Lockheed Martin, Raytheon, Rolls-Royce, and, more recently, Merck.
Initially formed as a B2B aerospace and defense industry exchange, the company’s secure platform now serves over 150,000 organizations in over 150 different countries in not only aerospace and defense, but the life sciences and healthcare markets as well.
After 20 years of joint-venture ownership by five global aerospace and defense industry leaders and one of the world’s largest pharmaceutical companies, Exostar has reached an agreement to be acquired by Thoma Bravo.
A spokesperson for Exostar said that the owners “whose careful guidance has been integral to Exostar’s success”—BAE Systems, Boeing, Lockheed Martin, Merck, Raytheon Technologies, and Rolls-Royce—will “remain actively engaged as valued customers and trusted advisors.”
Exostar CEO and president Richard Addi said that the planned transaction “reflects the logical next step in our company’s evolution.”
“Thoma Bravo’s strategic investment positions us to more rapidly expand our community and deliver the digital trust that must exist between an enterprise and its suppliers, customers and partners,” said Addi.
“We can leverage Thoma Bravo’s deep technology and security experience to take full advantage of our unique market position. Together, we plan to accelerate time-to-market for the Exostar suite of solutions that enable global enterprises to execute their mission-critical supply chain and drug development initiatives.”
Carl Press, a principal at Thoma Bravo, said the PE firm was thrilled to partner with Addi and the Exostar team.
“Exostar’s identity access management and secure collaboration software is utilized by some of the most respected and well-known enterprise customers in aerospace and defense, life sciences and healthcare,” said Press.
“The company’s understanding of complex organizations’ procurement and collaboration needs is a key differentiator inherent in its products.”
Thoma Bravo said it was hoping to expand Exostar's capabilities, particularly in the realm of cybersecurity.
The transaction is subject to customary closing conditions and regulatory approvals. Terms of the transaction were not disclosed.
Enterprise mobile phishing encounters increased by 37% in the first quarter of 2020 compared with quarter four of 2019, according to the Lookout 2020 State of Mobile Phishing Spotlight Report. The rate of growth was especially high in North America, at 66.3%, exacerbated by the unprecedented rise in people working from home due to the COVID-19 crisis.
While the authors acknowledged that organizations have sought to combat the threat of phishing by educating employees and deploying email phishing security software, cyber-criminals have increasingly been targeting mobile devices. Using this method, phishing risks no longer need to simply hide in email, they can instead target users through SMS, messaging apps and social media platforms. This is a particular issue at the moment, with many employees working remotely using personal devices such as smartphones and tablets to be productive.
In addition, Lookout noted that detecting the characteristics of a phishing link via mobile is harder than with email due to having a smaller form factor and simplified user experience. This results in a higher success rate for cyber-criminals attacking mobile devices compared to desktops.
“Phishing has evolved into a massive problem that expands far beyond the traditional email bait and hook,” explained Phil Hochmuth, program vice-president of enterprise mobility at IDC. “On a small screen and with a limited ability to vet links and attachments before clicking on them, consumers and business users are exposed to more phishing risks than ever before. In a mobile-first world, with remote work becoming the norm, proactive defense against these attacks is critical.”
The report also calculated that unmitigated mobile phishing threats have the potential to cost businesses with 50,000 mobile devices up to $150m per incident.
David Richardson, vice-president of product management at Lookout, commented: “Smartphones and tablets are trusted devices that sit at the intersection of their owner’s personal and professional identity. Cyber-criminals are exploiting the ability to socially engineer victims on their mobile device in order to steal their credentials or sensitive private data.”
The COVID-19 crisis has highlighted how home working makes organizations particularly vulnerable to phishing campaigns.
With the acquisition, Thycotic adds three new products to its PAM portfolio to further protect enterprise cloud apps and ensure remote worker productivity.
Commenting on the deal, James Legg, president and CEO at Thycotic, said that with the sudden growth of remote workforces across the globe, privileged access security controls must account for ordinary business users who are accessing sensitive and privileged corporate data from untrusted devices on untrusted networks.
“With the addition of Onion ID, we are now able to implement fine-tuned role-based access controls across any web-based application, IaaS console and cloud-hosted database, while providing flexible multi-factor authentication that gives security leaders a significantly easier way to ensure secure access paths for remote employees,” Legg added.
Anirban Banerjee, CEO and founder, Onion ID, said: “By joining forces with Thycotic, we are enhancing our commitment to delivering user-friendly authentication, authorization and auditing to cloud servers, databases and applications. We are launching a diverse set of next-generation PAM 2.0 offerings in the market which will enable enterprise customers to elevate their security controls above and beyond current best of breed solutions and reduce costs with secure remote access.”
Financial terms of the acquisition have not been disclosed but, as part of the transaction, Onion ID will operate under the Thycotic brand and leadership.
The fourth year of the government-backed online cybersecurity training program Cyber Discovery will begin earlier than planned.
Capitalizing on the thousands of young people who are currently unable to attend school, Cyber Discovery officially opened registration today to allow students to take part at home.
Aimed at 13-18-year-olds, led by the Department for Digital, Culture, Media and Sport (DCMS) and delivered by global IT security training organization SANS Institute, Cyber Discovery allows participants to take part in their own time and comprises four phases, beginning with an initial assessment stage called CyberStart Assess, followed by CyberStart Game and CyberStart Essentials, which are designed to enhance the skills of those who have made it through the initial assessment stage.
The CyberStart Assess phase will begin during the summer, and successful participants will qualify for the advanced learning phases of the program beginning in October.
Digital Infrastructure Minister Matt Warman said: “This initiative gives teenagers something fun and educational to do from home and provides a glimpse into the life of a cybersecurity professional.
“We have a world-leading cyber-sector protecting the country and our digital economy and we must continue to inspire the next generation of talent to help maintain this position. As the assessment phase opens I encourage all teens who enjoy a challenge to put their skills to the test."
James Lyne, CTO at SANS Institute and co-creator of the program, said the third year of the Cyber Discovery program saw many highly talented young people take part, many of whom are now motivated to pursue a career in cybersecurity. “With so many young people spending time away from school as a result of the coronavirus pandemic, we were happy to bring forward the all-new assessment phase of the 2020/21 program.
“This is an ideal opportunity for students to put their problem-solving skills to the test with a range of fun, interactive challenges where they’ll get to try out cracking codes and solving tricky problems. Those that are successful will then go on to enhance their skills in the core stages of Cyber Discovery. The UK needs cyber-defenders and technologists to secure our increasingly digital future. Help us get young people involved and let’s see if they have what it takes!”
Security experts are warning of a potential deluge of mobile SMS-based phishing (smishing) attacks as the UK’s Test and Trace service launches to mitigate a potential second wave of COVID-19 infections.
The government scheme will require contact tracers to proactively reach out via email, text or phone call to anyone they believe has been in contact with someone with the virus, to ask them to self-isolate.
The NHS has said that anyone contacted in this way “will not be asked to provide any passwords, bank account details or PIN numbers” or asked to download anything. However, they may require full name, date of birth, sex, NHS Number, home postcode and house number, telephone number and email address — more than enough to craft highly effective follow-on attacks and identity fraud.
There are therefore fears that especially older and more vulnerable members of society may still be tricked into handing over their details or unwittingly downloading malware.
In fact, experts are already warning of unsolicited text messages claiming the recipient may have been in contact with a COVID sufferer and urging them to click through on a malicious link to find out more.
Bogus text messages were also sent out during the trial of the UK's contact tracing app on the Isle of Wight.
One UK-based social engineering company, The AntiSocial Engineer, explained in a blog post over the weekend how easy it is to register legitimate-looking but fake domains and spoof Sender IDs to launch a smishing campaign.
“We have closely followed SMS-based scams since our company was founded and sadly many contributing factors seem to be exacerbating text message fraud. One key trend is that email security is getting better and it’s harder for criminals to reach the inboxes and conduct phishing scams,” he explained.
“SMS is the perfect solution to this problem as only the bare minimum is being done in this sector to stop fraudsters. Messages land straight in the target’s inbox all the same. Criminals can reach out to thousands of people at once and if you don’t understand about Sender ID spoofing you are an easy target.”
RSA Security’s district manager UK & Ireland, Ben Tuckwell, argued that UK adults are “sitting ducks” for such scams, which exploit a heightened sense of concern over the virus.
“Consumers can protect themselves by acting smart and pausing to consider each communication they receive, while remembering the three key smishing don’ts: don’t respond to texts from unknown or unusual numbers; don’t click on any links in text messages; and don’t share any banking information, usernames or passwords or other personal details after receiving a text message, unless you can verify who you are speaking with,” he added.
A new survey from iProov out today reveals that a quarter (26%) of Brits feel more vulnerable to hackers as a result of COVID-19.
Law enforcement activity over recent years is eroding trust on the dark web and forcing cyber-criminals to try new tactics, according to new Trend Micro research.
The security vendor’s latest report, Shifts in Underground Markets, charts changes over the past five years, which has seen the takedowns of numerous marketplaces including Evolution, AlphaBay and Hansa.
Trend Micro found widespread concern among cyber-criminals frequenting such sites that police may be monitoring them or the administrators themselves may try an exit scam. Others complained of login problems and frequent DDoS attacks, which may also stem from law enforcement efforts.
In the absence of a stable and secure forum to advertise their wares, some cyber-criminals are taking to gaming comms platform Discord and e-commerce platform Shoppy.gg to buy and sell.
Trend Micro principal security strategist, Bharat Mistry, argued that the firm expects to see new tools and techniques flood dark web sites going forward.
“AI will be at the centre of these efforts. Just as it’s being used by Trend Micro and other companies to root out fraud, sophisticated malware and phishing, it could be deployed in bots designed to predict roll patterns on gambling sites. It could also be used in deepfake services developed to help buyers bypass photo ID systems, or launch sextortion campaigns against individuals,” he explained.
“Some emerging trends are less hi-tech but no less damaging. Access to devices, systems and accounts is so common today that we’re already seeing it spun out in ‘as-a-service’ cybercrime offerings. Prices for access to Fortune 500 companies can hit as much as $10,000.”
A security researcher has been awarded $100,000 by Apple after disclosing a critical flaw in the firm’s sign-in process for third-party sites.
Bhavuk Jain discovered the zero-day bug in Sign in with Apple, the Cupertino giant’s supposedly more privacy-centric version of Login with Facebook and Sign in with Google.
The system works in a similar way to OAuth 2.0: users can be authenticated with either a JSON Web Token (JWT), or a code generated by an Apple server which is then used to generate a JWT.
Once the authorization request has been submitted, Apple gives the user the option of either sharing their Apple Email ID with the third-party app they are trying to sign in to, or withholding it.
“If the user decides to hide the Email ID, Apple generates its own user-specific Apple relay Email ID. Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this Email ID which is then used by the third-party app to login a user,” explained Jain.
“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”
The repercussions are pretty serious: an attacker could have used this technique to effect a full takeover of user accounts.
Jain warned that, if popular third-party apps such as Dropbox, Spotify and Airbnb didn’t put in place their own authentication security measures, their users may have been exposed by the bug.
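The bug described above is instructive for anyone building the relying-party side of a flow like this: a token that carries a valid issuer signature is only proof that the issuer minted it, so the app must still confirm the token was minted for this app, is unexpired, answers this particular login request, and must key the local account on the issuer's stable subject identifier rather than on the e-mail claim. The following Python sketch is an added illustration and is not Apple's code or the researcher's. Apple signs real ID tokens with RS256 and publishes the verification keys as a JWKS; to keep the example offline and standard-library only, a constructed HMAC key stands in for that key, and the audience (`APP_AUDIENCE`), subject and nonce values are constructed. The issuer string is Apple's real one; the function names (`verify_token`, `is_valid`, `account_key`) are this example's own.

```python
"""Relying-party validation of a Sign in with Apple style ID token.

Added example, not Apple's or the researcher's code.  Apple signs real
tokens with RS256 and publishes its keys as a JWKS; here a constructed HMAC
key (DEMO_KEY) stands in for that key so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

APPLE_ISSUER = "https://appleid.apple.com"   # real issuer of Apple ID tokens
APP_AUDIENCE = "com.example.relying-party"    # hypothetical client_id (constructed)
DEMO_KEY = b"constructed-demo-signing-key"    # stand-in for Apple's signing key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a compact JWT (header.payload.signature) with HS256 for the demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, expected_nonce: str, now: Optional[int] = None,
                 key: bytes = DEMO_KEY) -> dict:
    """Return the claims if every check passes; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token")

    # Pin the algorithm; never let the token pick it (e.g. alg "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # Signature proves origin only; the remaining checks bind the token to us.
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != APP_AUDIENCE:
        raise ValueError("token was issued to a different app")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def is_valid(token: str, expected_nonce: str, now: Optional[int] = None) -> bool:
    """Boolean wrapper around verify_token for callers that only need a verdict."""
    try:
        verify_token(token, expected_nonce, now)
        return True
    except ValueError:
        return False


def account_key(claims: dict) -> str:
    """Key the local account on the stable `sub`, not on the e-mail claim.

    The e-mail may be a private relay address or, as the Sign in with Apple
    bug showed, may not belong to the authenticated person at all.
    """
    return claims["sub"]
```

The point of `account_key` is the one the news item makes indirectly: apps that linked users to the `sub` identifier, or that ran their own checks, were not exposed to a token that merely carried the wrong e-mail address.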
“Apple also did an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability,” he explained.
The researcher received the money by disclosing responsibly to the Apple Security Bounty Program.
Guernsey is to benefit from a major performance upgrade and security enhancement to its telecom network.
British technology and network services company Telent Technology Services Ltd. (telent) has been awarded a contract by Sure to upgrade the service provider’s core network.
Under the contract, Telent will replace Sure’s existing 10G core network with a 100G Juniper Networks core network. The upgrade is being undertaken to allow Sure to deliver faster, more reliable internet connectivity to its consumer and business customers across the island as increasing bandwidth usage and data consumption create what Telent described as "unprecedented demand."
“Growing data consumption means demand for higher network capacity and speed is growing and service providers must ensure they are delivering on that,” said Shani Latif, sales director at Telent.
“This upgrade for Sure will incorporate the latest technologies to ensure a future-proof network, while our experience and knowledge of the service provider market will minimize customer disruption and ensure work is completed efficiently.”
Once complete, the move to 100G will produce benefits to folks beyond the island's sandy beaches and picturesque bays. As a core network, it will also deliver increased capacity to London and Paris, connecting the Channel Islands to the rest of the world.
The upgrade will provide extra capacity for growth, future-proofing the network as growing and new technologies, including Fiber-to-the-Home (FTTH) and 5G, are rolled out commercially.
Mindful of the need for cybersecurity, Telent will implement a joint Juniper-Corero Distributed Denial of Service (DDoS) solution to provide real-time, automated DDoS protection.
Sure Group CEO Ian Kelly said that ensuring people can stay connected is more important than ever as the COVID-19 health crisis limps on.
“The current situation is a clear reminder that telecoms are a key and growing component of our economy and daily lives,” said Kelly.
“This network upgrade is a significant long-term investment to ensure we can continue to meet customer expectations now and in the future. We are pleased to be working with Telent which has a long history and strong reputation in the design, upgrade, build and maintenance of critical networks.”
Work on the project has already started and is expected to be completed by early 2021.
Police and city websites in Minneapolis have come under cyber-attack as both lawful protests and illegal rioting continue across America.
The nationwide social upheaval was triggered by the death of Houston native George Floyd in the city a week ago. Floyd died after 44-year-old police officer Derek Chauvin arrested him and kneeled on his neck for nearly nine minutes despite the handcuffed man's pleas that he could not breathe.
Floyd, who had recently lost his job due to the COVID-19 pandemic, was arrested after allegedly using forged money to pay a bill at a grocery store.
Following Floyd's tragic death, filmed by bystanders who sadly let the chance to intervene slip through their fingers, Chauvin was fired from his job. The former cop was arrested and charged with third-degree murder and second-degree manslaughter on May 29.
Chauvin's arrest has not put an end to the peaceful protests inspired by the police officer's failure to uphold a sworn promise to protect and serve the public. Nor has it doused the outbreaks of looting and vandalism that have seen American businesses, churches, and educational establishments raided, torched, and destroyed.
Some of the city of Minneapolis' public websites and systems were hit by a cyber-attack on Thursday morning. A city spokesperson told The Hill that a denial of service (DoS) attack had resulted in the temporary shutdown of some websites and systems.
Within hours of the incident, 95% of affected systems and sites were back up and running. It is not known whether the attack was specifically linked to the protests over Floyd's death or simply timed to exploit a city in turmoil.
“Although these types of attacks are not completely unavoidable, they are fairly common, and the City of Minneapolis has proactive measures in place to respond to and mitigate disruptions when they do occur,” the spokesperson said.
“The City of Minneapolis IT continues to monitor its cyber platforms to ensure further disruption doesn't happen again.”
A DoS attack was also levied at the state level. In a news briefing delivered yesterday, Minnesota governor Tim Walz said Minnesota's computers were assaulted on Saturday night.
"Before our operation kicked off last night, a very sophisticated denial of service attack on all state computers was executed," said Walz.
A major data breach at mobile payment app Bharat Interface for Money (BHIM) has exposed the personal and financial data of millions of Indians.
The breach occurred after BHIM failed to securely store vast swathes of data collected from users and businesses during a sign-up campaign.
On April 23, researchers at vpnMentor made the alarming discovery that all the data related to the campaign was publicly accessible after being stored in a misconfigured Amazon Web Services S3 bucket.
"The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals," wrote researchers.
Data exposed in the breach included scans of Aadhaar cards (India’s national ID cards), caste certificates, professional and educational certificates, photos used as proof of residence, Permanent Account Number (PAN) cards associated with Indian income tax services, and screenshots captured within financial and banking apps as proof of fund transfers—all documents needed to open a BHIM account.
Private personal user data contained within these documents included names, dates of birth, age, gender, home address, Caste status, religion, biometric details, fingerprint scans, ID photos, and ID numbers for government programs and social security services.
Over 7 million records dating from February 2019 were exposed, some of which belonged to people aged under 18 years old.
After investigating the breach, vpnMentor's team found 409 GB of data stored insecurely by BHIM, which operates via the website www.cscbhim.in. Researchers traced the bucket back to BHIM as it was labeled “csc-bhim.”
Researchers informed BHIM of their discovery but did not receive a response, so they contacted India’s Computer Emergency Response Team (CERT-In).
"Many weeks later, we contacted CERT-In a second time," wrote researchers. "Shortly thereafter, the breach was closed."
The Indian mobile payment app was launched in 2016 to facilitate instant e-payments and money transfers between bank accounts via a user's smartphone. By 2020, the popular app had been downloaded 136 million times, according to non-profit business consortium, the National Payments Corporation of India (NPCI).
An Australian football fan site has been found leaking 70 million records, including users’ personal details and racist private messages, via an unprotected Elasticsearch instance.
The 132GB leak was discovered by SafetyDetectives researchers led by Anurag Sen and is linked to BigFooty.com, a website and mobile app dedicated to Aussie Rules Football, which has around 100,000 members.
Although the information found in the leak wasn’t always personally identifiable as users are mainly anonymous, some of the private messages seen by the researchers contained email addresses, mobile phone numbers and usernames and passwords for the site and live streams.
If discovered by cyber-criminals probing for misconfigured databases, the latter may have been useful for credential stuffing attacks on other sites.
Some user messages featured in the leak contained personal threats and racist content, which could be used by hackers to blackmail the individuals, SafetyDetectives argued.
“Private messages are fully exposed in the leak and can be traced back to specific users. This includes some high-profile users such as Australian police officers and government employees,” it said.
“Private information belonging to such individuals, including chat transcripts and email addresses, were found on the database which thereby creates a significant vulnerability in terms of potential blackmail and other reputational damage that could be caused.”
Technical data relating to the site including IP addresses, access logs, server and OS information and GPS data were also leaked, potentially allowing hackers to compromise other parts of the IT infrastructure, the firm added.
Although BigFooty didn’t respond to outreach from Sen and his team, the leak was closed shortly after they contacted the government agency the Australian Cyber Security Centre.
The Trump administration is reportedly accelerating plans to ban Chinese students with military ties from attending university in the US, as Beijing prepares its own national security law for Hong Kong.
American officials with knowledge of the discussions at the top of government told the New York Times that the long-mooted plan would involve cancelling student visas for Chinese students who took their undergraduate courses at military-affiliated institutions back home.
The fear is that many of these individuals may be actively selected by the Chinese government, and required to collect information from the research projects they end up working on. There’s a double threat from those same graduates then landing jobs at high-profile US tech companies and continuing their espionage activities.
It’s unclear how widespread the practice actually is, and students engaged in wrongdoing would certainly try to hide their affiliation.
Back in January, the Department of Justice (DoJ) indicted a People’s Liberation Army lieutenant who lied about her background and secured a position studying at Boston University’s (BU) Department of Physics, Chemistry and Biomedical Engineering from October 2017 to April 2019. There, she allegedly stole info for military research projects and profiled US scientists for her bosses.
Estimates suggest only around 3000 individuals would be affected by the mooted plans out of a potential 360,000 Chinese students in the US, although if they are formally announced it would come at a significant juncture.
Washington is currently mulling how to respond to Beijing’s newly announced plans to force a national security law on Hong Kong, which would allow China’s fearsome secret police to be stationed in the supposedly semi-autonomous region.
Rebecca Bernhard, partner at international law firm Dorsey & Whitney, explained that the US plans only affect those on F and J visas, although more may be caught up in trying to prove themselves innocent.
“Due to the scrutiny to determine which students will be suspended from entry, all students and scholars will face a lot of questions and the burden will likely be on the students and scholars to document that their research program is not subject to the bar – it appears the presumption is that the bar applies and the student or scholar will need to document that it does not,” she argued.
“Unfortunately, this suggests to me that there will be even more delays at US consulates when they finally re-open for all Chinese graduate students and scholars in engineering.”
Amtrak has revealed that some customers may have had their personal information and log-ins stolen after it detected unauthorized access of rewards accounts by a third party.
Also known as the National Railroad Passenger Corporation, the state-backed US transportation provider revealed the news in a regulatory filing with the Office of the Vermont Attorney General.
“On the evening of April 16, 2020, Amtrak determined that an unknown third party gained unauthorized access to certain Amtrak Guest Rewards accounts,” it noted. “We have determined that compromised usernames and passwords were used to access certain accounts and some personal information may have been viewed. No financial data, credit card information or Social Security numbers were compromised.”
The statement claimed that Amtrak’s IT security team terminated the unauthorized access “within a few hours,” reset passwords for affected accounts and hired outside security experts to contain the incident and put safeguards in place.
The firm is also offering affected customers a free year’s membership for the Experian IdentityWorks fraud monitoring service, although such offerings only flag suspicious account activity after the event and won’t be able to stop the potential follow-on phishing attacks that could target users.
It’s unclear how the attacker got hold of Amtrak Guest Reward usernames and passwords in the first place, although the credentials may have been breached in another incident and were being reused by customers across multiple sites/accounts.
This isn’t the first time the railroad giant has been forced to alert the authorities about a suspected breach. In 2018, it revealed that service provider Orbitz had suffered a security incident exposing customers’ personal information.
A year later, critical vulnerabilities were discovered in the Amtrak mobile application which researchers said could lead to a data breach of at least six million Amtrak Guest Rewards accounts.
It’s unclear how many passengers were affected in the latest data breach incident.
The 40-year-old one-time CEO of a Utah tech company is serving a custodial sentence after downloading over 13,000 images of child sexual abuse, bestiality, and rape.
Douglas Eugene Saltsman was sentenced yesterday to 210 days in prison and 48 months of probation by Utah 3rd District Judge Douglas Hogan after being convicted on three felony charges of sexual exploitation of a minor.
Addressing the virtual court, Saltsman said he had sought help from a psychiatrist after recognizing that he had illegal sexual tendencies.
The former CEO of the now defunct blockchain and cryptocurrency company Saltmine said he was unable to control himself despite being put on medication and enrolled in therapy.
Utah's Internet Crimes Against Children Task Force raided Saltsman's Sandy home on May 7 last year. A search of his laptop, computer, an SD card, and an SSD storage device turned up more than 13,000 files containing images of graphic sexual abuse.
One of the files consisted of a compilation video of girls from the ages of 3 to 8 years old being bound and raped. The files were seized and sent to the National Center for Missing and Exploited Children’s law enforcement clearinghouse in a bid to identify the victims.
Saltsman initially faced 11 felony counts of sexual exploitation of a minor, but in March 2020 he agreed to plead guilty to three felonies in exchange for the dismissal of the remaining seven charges.
Under the terms of the deal, Saltsman could only be handed the maximum recommended sentence for a first-time offender set 14 years ago by the Utah Sentencing Commission—210 days in jail and four years on probation.
An online petition to recall Judge Hogan has been signed by 114,000 people who felt Saltsman's sentence was too lenient and were presumably unaware of the agreed-upon deal.
Saltsman's sentencing comes just weeks after the former director of operations for Salt Lake City Airport, 69-year-old Randall Darwood Berg, was charged with 25 counts of sexual exploitation of a minor.
Berg, of Draper, is accused of possessing approximately 50,000 images of child sexual abuse. His residence was searched following the submission of eight separate Cybertip reports to the NCMEC alleging Berg was storing illegal files on a Google Photo account.
The University of Texas at San Antonio (UTSA) is to create and lead a new federal digital research institute that will devise ways to shield America's manufacturers from cyber-threats.
In addition to assisting US industry in blocking cyber-attacks, the Cybersecurity Manufacturing Innovation Institute (CyManII) will explore how to help manufacturers achieve energy efficiency.
Other areas of focus will include supporting technical innovation, job creation, and assisting manufacturers to be more competitive.
The National Security Collaboration Center (NSCC) at UTSA, with more than 25,000 square feet of space, has been dedicated as the home base for CyManII.
Explaining why UTSA was chosen for the institute, James Milliken, chancellor of the UT system, said: “We selected UTSA to lead CyManII due to the university’s well-known strengths in cybersecurity and national connectivity in this space.”
In order to bring the project to life, UTSA will receive $70m over a five-year period under a cooperative agreement with the US Department of Energy.
The UT system will inject an additional $10m into the institute, and a further $30m will be contributed by other cost-sharing partners.
“CyManII leverages the unique research capabilities of the Idaho, Oak Ridge and Sandia National Laboratories as well as critical expertise across our partner cyber manufacturing ecosystem,” said UTSA president Taylor Eighmy. “We look forward to formalizing our partnership with the DOE to advance cybersecurity in energy-efficient manufacturing for the nation.”
Building a national program for education and workforce development, securing automation, and securing the supply-chain network are three high-priority areas on which CyManII will focus its national strategy.
“As United States manufacturers increasingly deploy automation tools in their daily work, those technologies must be embedded with powerful cybersecurity protections,” said Howard Grimes, CyManII chief executive officer and associate vice president and associate vice provost for institutional initiatives at UTSA.
“UTSA has assembled a team of best-in-class national laboratories, industry, nonprofit and academic organizations to cyber-secure the US manufacturing enterprise. Together, we will share the mission to protect the nation’s supply chains, preserve its critical infrastructure and boost its economy.”