Cybersecurity News

Recent Articles


SolarWinds hack bears similarities to tool used by Russian hackers

Researchers say the code deployed was similar to one used by a known Russian hacking group

Investigators said Monday that the hackers behind the global SolarWinds incident used computer code with links to known Russian spying tools, Reuters reports. 

It recently came to light that cyber criminals hacked SolarWinds to gain access to at least 18,000 government and private networks. It is believed that the cyberattackers’ goal was to collect intelligence. 

Now, researchers at Moscow-based cybersecurity company Kaspersky said the attackers deployed code that closely resembled malware associated with a Russian hacking group known as “Turla.” 

The way in which the SolarWinds hack was carried out had three notable similarities to a hacking tool called “Kazuar,” which is used by Turla, according to Costin Raiu, head of global research and analysis at Kaspersky.

Similarities were noted in how the hackers identified their victims and how they avoided being detected through the use of a specific formula to calculate periods with the viruses lying dormant. Additionally, both pieces of malware attempted to obscure their functions from security analysts.  

“One such finding could be dismissed,” Raiu said. “Two things definitely make me raise an eyebrow. Three is more than a coincidence.”

Connection likely

Raiu said the similarities point to the likelihood of a link between the two hacking tools, but they don’t necessarily imply that Turla played a role in the SolarWinds hack. He said there’s a possibility that the hackers behind the SolarWinds hack were merely inspired by Kazuar, or that they deliberately planted “false flags” in order to throw off investigators. 

Although Moscow has denied involvement in the hack, U.S. intelligence agencies have said that the hackers were “likely Russian in origin.” Security firms in the U.S. and other countries are continuing to investigate the incident in order to determine its full scope, and the Department of Justice has vowed to take serious action. 

“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination,” the agency said last week. “The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted.”


Justice Department confirms that it was part of the SolarWinds hack

The agency calls the attack a major incident and vows to take serious action

After sitting on the news for almost two weeks, the U.S. Department of Justice (DOJ) has confirmed that its email systems fell prey to the same band of cyberattackers linked to the global SolarWinds incident that has affected government and private sector businesses.

“On Dec. 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the Department’s Microsoft O365 email environment,” DOJ spokesman Marc Raimondi said in a statement.

Raimondi went on to say that the number of affected email boxes was limited to around 3 percent and that the agency has no indication that any of its classified systems were impacted.

“A major incident”

According to a joint statement issued by the recently organized Cyber Unified Coordination Group -- which includes the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence, and the National Security Agency -- the hackers are “likely Russian in origin” and “responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.”

The group’s investigation is ongoing, and it’s possible they could turn up additional government victims. In the group’s estimation, the hackers’ goal appeared to be collecting intelligence, rather than anything destructive.

Nonetheless, the attack on the DOJ was serious enough that the agency is vowing to take serious action.

“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination,” the agency said. “The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted.”


President Trump bans WeChat Pay and several other Chinese apps

The Trump administration says the apps raise national security concerns

President Trump has signed an executive order banning several Chinese payment apps, including Alipay and WeChat Pay. 

A senior administration official said the order, which was signed late in the day on Tuesday, aims to keep American user data from being shared with the Chinese government. The Trump administration cited the possibility that the apps mentioned in the order could be used as a “mass tool for global oppression.”

"The United States must take aggressive action against those who develop or control Chinese connected software applications to protect our national security," the order said.

In total, eight Chinese apps are banned under the order: Tencent QQ, CamScanner, SHAREit, VMate, WPS Office, QQ Wallet, Alipay, and WeChat Pay. 

National security concerns

The U.S. government has concluded that the apps named in the order automatically capture “sensitive personally identifiable... and private information” from millions of users in the United States. President Trump is concerned that the apps could be used to track and build dossiers of personal information on federal employees.

“At this time, action must be taken to address the threat posed by these Chinese connected software applications,” Trump wrote. 

The order will take effect after 45 days, which leaves open the possibility that President-elect Joe Biden will revoke it. The incoming presidential administration has yet to say how it plans to handle the order. 

The Trump administration has previously attempted to ban Chinese-based apps like TikTok and WeChat over national security concerns. Both attempts were unsuccessful. 

In 2019, the administration launched a trade war against Beijing and blacklisted Huawei Technologies, ZTE, and Chinese firms over national security concerns. The Federal Communications Commission (FCC) has designated Huawei and ZTE as national security threats, but both companies have denied that they share data with the Chinese government.


T-Mobile admits to its fourth data breach in three years

Customers were much luckier this time than they have been in the past

T-Mobile’s cybersecurity team is once again being put to the test. On Monday, the phone carrier announced that it experienced its fourth data breach in three years. 

The company did not say what portion of its nearly 100 million user accounts were at risk, but it did confirm that the data accessed did not include names on the account, physical or email addresses, financial data, credit card information, social security numbers, tax IDs, passwords, or PINs.

“Our Cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account,” said Matt Staneff, the Chief Marketing Officer of T-Mobile USA.

“We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers.”

What happened?

In a letter to customers, Staneff said T-Mobile’s cybersecurity team detected -- then shut down -- “malicious, unauthorized access” to “some” information related to T-Mobile accounts. Staneff qualified “some” as customer proprietary network information (CPNI). Collecting CPNI data is a permission given to phone companies by the Federal Communications Commission (FCC) and typically includes call information like the date, duration of the call, the phone number called, and the type of network a consumer subscribes to -- in short, the type of information that appears on a customer's phone bill.

T-Mobile users weren’t so lucky in March 2020 when a data breach allowed hackers to gain access to T-Mobile employee email accounts. That, in turn, opened up access to customers’ names, addresses, Social Security numbers, financial account information, phone numbers, billing and account information, and rate plans. 

T-Mobile offers to answer any questions

Staneff said the company is ready to answer additional questions if a customer wants further details. Customers can either contact the company online, ask questions at one of the company’s stores, or go through the customer service team at 1-800-937-8997. 

“We are sorry for any inconvenience this may cause you. We take the security of customer information seriously and, while we have a number of safeguards in place to protect customer information from unauthorized access, we will continue to work to further enhance security so we can mitigate this type of activity,” Staneff promised.


Microsoft says at least 40 organizations were targeted in massive cyber breach

The company says the list of victims is likely to keep growing

In a blog post on Thursday, Microsoft said it identified more than 40 organizations that were targeted by attackers using “sophisticated measures.”

Most victims of the attack (80 percent) were located in the U.S. The other targeted groups were spread across seven other countries: Canada, Mexico, Belgium, Spain, the U.K., Israel, and the United Arab Emirates. Microsoft said it has started working with the groups identified as victims. 

Those affected were running problematic versions of a third-party software platform called SolarWinds Orion. Hackers were able to escalate intrusions with additional, second-stage payloads. Microsoft said it discovered the intrusions using data from its Microsoft Defender antivirus product, which is built into all Windows installations.

"It's a certainty that the number and location of victims will keep growing," said Microsoft President Brad Smith. 

Microsoft targeted

Microsoft itself was among those targeted by hackers, but the company denied claims that its production systems were compromised or that the attack affected its business customers and end-users. 

"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed," the statement said.

Microsoft said the attack “represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them.” 

The company said the attack is being “actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft." Smith said it’s become clear that stronger international rules are needed to help prevent future attacks of this magnitude. 

“The defense of democracy requires that governments and technology companies work together in new and important ways – to share information, strengthen defenses and respond to attacks,” he wrote. “As we put 2020 behind us, the new year provides a new opportunity to move forward on all these fronts.” 


Security researchers find malicious code in 28 Chrome and Edge extensions

Over three million users are advised to disable or uninstall the extensions right away

More than three million Google Chrome and Microsoft Edge users are believed to have installed extensions that contain malicious code, according to security firm Avast. 

Avast researchers said users who installed one of 28 third-party extensions containing hidden malicious JavaScript could be at risk of data theft and phishing attacks. 

The extensions in question are primarily designed to help users download multimedia content from social networks including Facebook, Instagram, Vimeo, or Spotify. But Avast said users could end up being redirected to a site where the attacker gets paid for user visits. In other cases, users could end up on phishing sites. 

“Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit,” the security firm explained.

Names of extensions

Avast said it found evidence that some of the malicious extensions had been active since at least December 2018. The researchers discovered the code hidden in the apps last month and reported their findings to Google and Microsoft. 

Both companies have said they are investigating the extensions. In the meantime, Avast has recommended that users disable or uninstall the extensions. 

Here is the list of Chrome extensions that contain malicious code, according to Avast: 

  • Direct Message for Instagram

  • DM for Instagram

  • Invisible mode for Instagram Direct Message

  • Downloader for Instagram

  • App Phone for Instagram

  • Stories for Instagram

  • Universal Video Downloader

  • Video Downloader for FaceBook™

  • Vimeo™ Video Downloader

  • Zoomer for Instagram and FaceBook

  • VK UnBlock. Works fast.

  • Odnoklassniki UnBlock. Works quickly.

  • Upload photo to Instagram™

  • Spotify Music Downloader

  • The New York Times News

Avast said the following Edge extensions contain malicious code: 

  • Direct Message for Instagram™

  • Instagram Download Video & Image

  • App Phone for Instagram

  • Universal Video Downloader

  • Video Downloader for FaceBook™

  • Vimeo™ Video Downloader

  • Volume Controller

  • Stories for Instagram

  • Upload photo to Instagram™

  • Pretty Kitty, The Cat Pet

  • Video Downloader for YouTube

  • SoundCloud Music Downloader

  • Instagram App with Direct Message DM


Facebook takes out full-page ads to slam Apple’s upcoming privacy changes

The social media giant claims Apple’s update threatens millions of small businesses

It looks like Facebook has unfriended Apple. On Wednesday, the social media platform took out full-page ads in the New York Times, Washington Post, and Wall Street Journal to denounce Apple’s upcoming iOS privacy changes. Facebook claims that it’s “standing up to Apple for small businesses everywhere.”

The barrel of ink Facebook is throwing Apple’s way is supposedly related to Apple’s iOS 14 privacy changes, which will require app developers like Facebook to “provide information about some of your app’s data collection practices on your product page.” The change will also require Facebook to “ask users for their permission to track them across apps and websites owned by other companies.”

Facebook comes out swinging

Facebook didn’t come right out and say it, but Apple’s disclosure shift will impact Facebook’s ad business, especially its ad network for developers and businesses if end users opt out of being tracked.

In the ad, Facebook maintains that Apple’s changes will be “devastating to small businesses” that rely on its ad network to leverage clicks and sales. The newspaper ads that Facebook took out ask small businesses to check out the platform’s “speak up for small business” site that features a series of business owners speaking out on Apple’s changes. Some of those comments are pretty shaming -- things like “This is going to affect me and my family,” and “We could lose our business.”

While Apple has yet to publicly respond to Facebook’s ads, the company did respond to similar Facebook claims in November, accusing Facebook of a “disregard for user privacy.” Apple is steadfast in its position that the upcoming privacy policies will be enforced when they go into effect in early 2021. The company said it is “committed to ensuring users can choose whether or not they allow an app to track them.”

Facebook’s call for support

Facebook said it hopes the Direct Marketing Association (DMA) will also set boundaries for Apple. 

“Apple controls an entire ecosystem from device to app store and apps, and uses this power to harm developers and consumers, as well as large platforms like Facebook,” a Facebook spokesperson said in a statement to CNBC.

If Facebook’s game is to play two ends against the middle, maybe it should have first asked the DMA if it had its back. “We respect your privacy – and so do our members,” is the organization’s promise to consumers. “(Our Association of National Advertisers) ensures that consumers have choices about unwanted marketing offers. Our members honor consumers who don’t want to be contacted. You have choices about the type of marketing you receive.”


FTC demands that social media giants come clean about user data collection

One commissioner is crying foul because the agency left off other social media companies like Apple and LinkedIn

The Federal Trade Commission (FTC) turned up the heat on the social media bigwigs on Monday. In a new mandate, the Commission will now require nine tech firms to disclose exactly how they collect and use data from their users.

Called on the carpet are the usual suspects -- Amazon, Facebook, and Twitter -- along with Google’s YouTube, TikTok’s owner ByteDance, Discord, Facebook’s WhatsApp, Reddit, and Snap. The companies have until January 28, 2021 to respond.

What is the FTC looking for?

Specifically, the FTC is leveraging Section 6(b) of the FTC Act, which gives it the authority to ask about how the companies “compile data concerning the privacy policies, procedures, and practices of [such] providers, including the method and manner in which they collect, use, store, and disclose information about users and their devices.”

Moving past the legalese, the FTC said that what it’s trying to ascertain is really more consumer-oriented. The questions it wants answered are:

  • “How social media and video streaming services collect, use, track, estimate, or derive personal and demographic information;

  • How they determine which ads and other content are shown to consumers;

  • Whether they apply algorithms or data analytics to personal information;

  • How they measure, promote, and research user engagement; and

  • How their practices affect children and teens.”

The commissioners weigh in

After making their demands, the FTC commissioners said that the agency is seeking more information in the best interest of consumers.

“Never before has there been an industry capable of surveilling and monetizing so much of our personal lives. Social media and video streaming companies now follow users everywhere through apps on their always-present mobile devices,” Commissioners Rohit Chopra, Rebecca Kelly Slaughter, and Christine S. Wilson said in a statement. 

“This constant access allows these firms to monitor where users go, the people with whom they interact, and what they are doing. But to what end? Is this surveillance used to build psychological profiles of users? Predict their behavior? Manipulate experiences to generate ad sales? Promote content to capture attention or shape discourse? Too much about the industry remains dangerously opaque.”

Commissioner Noah Joshua Phillips was the dissenting vote among the commissioners, saying that the move was an “undisciplined foray into a wide variety of topics.” He called his peers out for omitting other companies engaged in business practices similar to the nine companies named. Phillips asked why Apple, Gab, GroupMe, LinkedIn, Parler, Rumble, Tumblr, and WeChat weren’t also named. He answered his own question rather snarkily. 

“The only plausible benefit to drawing the lines the Commission has is targeting a number of high profile companies and, by limiting the number to nine, avoiding the review process required under the Paperwork Reduction Act...which is not triggered if fewer than ten entities are subject to request.”


Russian hackers accused of hacking into government and private sector businesses again

Microsoft says that its user base and systems are safe

Russian hackers, believed to be working on behalf of the Kremlin, were apparently behind an attack on computer systems at the departments of the U.S. Treasury and Commerce that may have gone on for months before being detected. To make matters worse, people familiar with the matter feel that this situation just may be the tip of the iceberg.

According to U.S. officials and a report by National Public Radio (NPR), the Russian hackers broke into the email systems at those two government departments, and it was so consequential that it led to a National Security Council meeting at the White House on Saturday, one of the people familiar with the matter told Reuters.

It may not come as a surprise to anyone that Russia denies any involvement. The Russian foreign ministry took to Facebook to say the allegations were nothing more than another “unfounded attempt” by the American media to blame Russia for cyberattacks directed at U.S. agencies.

Malicious actors

In the Department of Homeland Security’s response to the “known compromise,” it said that the hack involved SolarWinds Orion network monitoring products being exploited by malicious actors.

“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners -- in the public and private sectors -- to assess their exposure to this compromise and to secure their networks against any exploitation,” the DHS’ Cybersecurity and Infrastructure Security Agency said in a statement.

The Commerce Department and the National Security Council both confirmed the breach, but the agencies didn’t give any extra information about the extent of the hack or the measures that have been taken to secure the email accounts.

The private sector is also in danger

In addition to the government breaches, the hackers also wormed their way into the computer system bowels of private companies. 

More than 400 of the U.S. Fortune 500 companies use SolarWinds products, according to KrebsOnSecurity. That list includes all branches of the military, as well as all ten of the Top 10 communications companies, all five of the Top 5 accounting firms, and hundreds of colleges.

Security firm FireEye, which also happened to be hit by the hack, said cyber criminals inserted malware into SolarWinds updates that “(went) to significant lengths to observe and blend into normal network activity.” It also concluded that the breach is a “global campaign” and had confirmed intrusions in North America, Europe, Asia, and the Middle East. 

In a blog post late Sunday, Microsoft echoed FireEye’s assessment, saying that it believes the hack represents “nation-state activity at significant scale, aimed at both the government and private sector." The company also had words for its own users.

“We also want to reassure our customers that we have not identified any Microsoft product or cloud service vulnerabilities in these investigations. As part of our ongoing threat research, we monitor for new indicators that could signal attacker activity,” the company said.


Cybersecurity firm FireEye suffers major cyber attack

Russian hackers are reportedly being investigated as the likely culprit

FireEye, one of the nation’s leading cybersecurity firms, has shared details of a hack targeting its “Red Team” tools, which it uses to test customers’ security. The firm said there is concern that the hackers could publicly release the tools they accessed or use them to carry out other attacks. 

In a blog post, FireEye CEO Kevin Mandia said the attack was “different from the tens of thousands of incidents we have responded to throughout the years.” 

“The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus,” Mandia wrote. “They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.” 

Russia reportedly a suspect

FireEye said it doesn’t currently have evidence that any customer information was taken. 

Although the company didn’t say in its report who it believes is responsible for the attack, the Wall Street Journal reported that state-sponsored Russian hackers are a likely suspect. A source familiar with the matter told the Journal that Russia is currently being viewed by investigators as “the most likely culprit.” 

“Moscow’s foreign-intelligence service, known as the SVR and one of two Russian groups that hacked the Democratic National Committee ahead of the 2016 presidential election, is believed to be responsible, the person said,” according to the Journal. 

FireEye didn’t specify when the hack took place or when it became aware of it. The hack is currently being investigated by FireEye, as well as the FBI and industry partners like Microsoft.

Since becoming aware of the attack, FireEye said it’s developed hundreds of countermeasures that can detect or block the use of any of its stolen tools. The firm said it has integrated the measures into its own security products and shared them with “colleagues in the security community.” 

FireEye said it will “continue to share and refine any additional mitigations for the Red Team tools as they become available.” 


Google researcher demonstrates serious iPhone security flaw

A since-fixed vulnerability could have given an attacker complete access to an iPhone within Wi-Fi range

A Google researcher has demonstrated an Apple security vulnerability that could have allowed hackers to gain full access to a person’s iPhone. A cyberattacker could have exploited the flaw without having the user download malware or click on a suspicious link. To fall victim, a user would have only had to be within Wi-Fi range. 

Ian Beer -- a security researcher with Google’s Project Zero -- explained in a video this week that it was possible for a Raspberry Pi setup with off-the-shelf Wi-Fi adapters to steal photos from an iPhone in a different room in a matter of minutes. The same security vulnerability also allowed Beer to repeatedly reboot 26 iPhones at the same time. 

Apple fixed the vulnerability in May, but Beer said he spent six months looking into the issue.

"Imagine the sense of power an attacker with such a capability must feel," Beer said in a blog post. "As we all pour more and more of our souls into these devices, an attacker can gain a treasure trove of information on an unsuspecting target."

Full access to a device

Through his extensive research, Beer found a “wormable radio-proximity exploit” that allowed him to gain “complete control over any iPhone in my vicinity.” He said he was able to view photos, read emails, copy private messages, and monitor everything that happens on a device in real time.

“The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine,” he wrote. “Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.”

Beer said he hadn’t seen any evidence that the flaw was exploited prior to being fixed, but he said consumers can never be too careful when it comes to the security of their mobile devices. Issues like these are likely to surface again. 

"As things stand now in November 2020, I believe it's still quite possible for a motivated attacker with just one vulnerability to build a sufficiently powerful weird machine to completely, remotely compromise top-of-the-range iPhones," Beer said.


Hacker sells email credentials of ‘hundreds’ of high-level executives

Stolen account credentials are being sold for $100 to $1500 each

A hacker is reportedly selling access to email accounts belonging to “hundreds” of high-level executives across the world. The accounts are going for $100 to $1500 each, depending on the value of each account. The targets include CEOs, vice presidents, and directors.

The email and password combinations are being sold on a “closed-access underground forum for Russian-speaking hackers named Exploit.in,” according to ZDNet. The seller did not disclose how he obtained the login credentials, but he claimed to have hundreds of additional accounts to sell. 

ZDNet said a cybersecurity source has confirmed the validity of the stolen data. That source has begun the process of notifying all the affected companies. 

Scam potential 

If corporate executive login credentials fall into the wrong hands, both the executives and their workers could be affected. Cybercriminals can use compromised corporate email credentials for a variety of money-making schemes, KELA Product Manager Raveed Laeb explained to ZDNet. 

"Attackers can use them for internal communications as part of a 'CEO scam' - where criminals manipulate employees into wiring them large sums of money; they can be used in order to access sensitive information as part of an extortion scheme,” Laeb said.

Stolen login credentials can also be “exploited in order to gain access to other internal systems that require email-based 2FA, in order to move laterally in the organization and conduct a network intrusion," Laeb added.

To reduce the likelihood of such events unfolding, cybersecurity experts highly recommend using two-step verification (2SV) or two-factor authentication (2FA) for online accounts. An attacker holding only a stolen username and password can’t sign in on their own when the user has set up 2SV or 2FA.


‘Password’ and ‘123456’ top list of worst passwords in 2020

Experts say these weak passwords have been cracked millions of times by hackers

Password manager NordPass has released its annual list of the worst passwords, and 2020’s list includes many of the same weak passwords as years prior. 

Consumers are still protecting their data with simple passwords that are infamous for being easy to crack, according to this year’s list. For example, NordPass found that millions of people are still using “password” and “123456” as passwords. The firm said the latter has been breached more than 23 million times. 

Many people may choose variations of the number row because they are quick and easy to type, but research has found that these frequently used passwords take less than a second to crack. Combinations of adjacent keys, such as “asdfghjkl” or “qwertyuiop,” have also been found to be highly vulnerable to cracking. 

Worst passwords of 2020

NordPass’s full list contains 200 of the most commonly used passwords, ranked by metrics such as how many times each password has been exposed and how long it would take an unauthorized party to crack it. 

Below are the top 20 worst passwords of the year. 

  • 123456
  • 123456789
  • picture1
  • password
  • 12345678
  • 111111
  • 123123
  • 12345
  • 1234567890
  • senha
  • 1234567
  • qwerty
  • abc123
  • Million2
  • 000000
  • 1234
  • iloveyou
  • aaron431
  • password1
  • qqww1122

Protecting your data

To keep sensitive data from being exposed, NordPass recommends making sure all passwords are unique and complex. This can be made easier through the use of a password manager such as LastPass or Apple’s iCloud Keychain. 

NordPass also suggests enabling two-factor authentication when possible and deleting any old or inactive accounts. 


Microsoft says Russian and North Korean hackers attacked COVID-19 vaccine makers

The company says most of the attacks were throttled by its own security software

In all the hoopla regarding new vaccine test success from Moderna and Pfizer, Microsoft has uncovered a series of cyber attacks coming from Russia and North Korea targeted at research companies doing those tests.

In a blog post, Microsoft says the attacks targeted seven major pharmaceutical companies and researchers in Canada, France, India, South Korea, and the U.S. Microsoft didn’t say which companies were targeted or what type of information may have actually been compromised or stolen, but the company said it had notified the organizations and offered help where the attacks were successful.

“Two global issues will help shape people’s memories of this time in history – COVID-19 and the increased use of the internet by malign actors to disrupt society. It’s disturbing that these challenges have now merged as cyberattacks are being used to disrupt health care organizations fighting the pandemic,” wrote Microsoft’s Tom Burt, Corporate Vice President, Customer Security & Trust.

“We think these attacks are unconscionable and should be condemned by all civilized society. Today, we’re sharing more about the attacks we’ve seen most recently and are urging governments to act.”

The attacks and the protection

There are actually three key players in the attacks: “Strontium,” an actor originating from Russia, and two actors originating from North Korea that Microsoft has dubbed “Zinc” and “Cerium.”

Strontium uses “password spray” and brute force login attempts to steal personal login credentials. The tooling it uses makes millions of rapid login attempts to guess account passwords. Zinc’s game is to use spear-phishing lures for credential theft, sending messages with fabricated job descriptions while pretending to be recruiters. And Cerium? The angle it works is spear-phishing with email lures using COVID-19 themes while masquerading as World Health Organization representatives. 
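The two login-guessing patterns named above leave different footprints in authentication logs: a spray touches many accounts with few attempts each from one source, while brute force hammers one account. The following is an added detection sketch, not code from the article or from Microsoft; the failed-login events and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of failed-login events as (source_ip, username) pairs.
# These are illustrative, not real log data.
FAILED_LOGINS = [
    # Password spray pattern: one source, a few guesses against many accounts.
    ("203.0.113.7", "alice"), ("203.0.113.7", "bob"), ("203.0.113.7", "carol"),
    ("203.0.113.7", "dave"), ("203.0.113.7", "erin"), ("203.0.113.7", "frank"),
    ("203.0.113.7", "grace"), ("203.0.113.7", "heidi"), ("203.0.113.7", "ivan"),
    ("203.0.113.7", "judy"), ("203.0.113.7", "mallory"), ("203.0.113.7", "oscar"),
    # Brute force pattern: one source, many attempts against a single account.
    *[("198.51.100.9", "peggy")] * 25,
    # Benign noise: a user mistyping their password twice.
    ("192.0.2.44", "trent"), ("192.0.2.44", "trent"),
]


def classify_sources(events, spray_min_accounts=10, brute_min_attempts=20):
    """Return {source_ip: label} with label 'spray', 'brute_force' or 'benign'.

    A spray is many distinct accounts from one source (regardless of how few
    attempts each account saw); brute force is many attempts against one
    account from one source. Thresholds are assumed values for illustration.
    """
    per_source = defaultdict(lambda: defaultdict(int))
    for src, user in events:
        per_source[src][user] += 1

    labels = {}
    for src, users in per_source.items():
        distinct_accounts = len(users)
        peak_attempts = max(users.values())
        if distinct_accounts >= spray_min_accounts:
            labels[src] = "spray"
        elif peak_attempts >= brute_min_attempts:
            labels[src] = "brute_force"
        else:
            labels[src] = "benign"
    return labels


if __name__ == "__main__":
    for src, label in classify_sources(FAILED_LOGINS).items():
        print(f"{src}: {label}")
```

In practice the same counting would be applied per time window, since a slow spray spread over days evades a threshold computed over a single burst.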

Luckily, Burt says the “majority” of the attacks have been blocked by security protections built into the company’s products. The company is continuing to make its threat notification service, “AccountGuard,” available for free to health care and human rights organizations working on COVID-19. 

The company says that 195 health care-related groups have enrolled in the service, and it now protects 1.7 million email accounts that those organizations serve.


Microsoft urges users to stop using phone-based multi-factor authentication

A company executive says app-based authentication is more secure

A Microsoft executive is urging users to move away from phone-based multi-factor authentication (MFA) mechanisms and instead embrace newer security technologies, like app-based authenticators and security keys.

In a blog post, Alex Weinert, Director of Identity Security at Microsoft, said app-based two-factor authentication provides greater security.

Weinert said telephone-based multi-factor authentication (MFA) solutions -- like one-time codes sent via SMS and voice calls -- are “based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today.” 

“That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages,” he said. “Plan your move to passwordless strong auth now – the authenticator app provides an immediate and evolving option.” 

MFA is ‘essential’

In 2019, Weinert penned a blog post in which he said that internal Microsoft statistics showed that users who enabled MFA blocked around 99.9 percent of automated attacks against their Microsoft accounts. 

In a follow-up blog post earlier this week, he stressed that MFA itself is essential -- but the way people use it should change. If users have to choose between multiple MFA mechanisms, he said they should avoid phone-based MFA, which can be intercepted by attackers. 

Weinert said a good place to start is by using Microsoft’s Authenticator MFA app. For even greater security, hardware security keys can be used. 


FTC requires Zoom to enhance its security practices in new settlement

The company was accused of following deceptive and unfair practices

The Federal Trade Commission (FTC) announced a settlement with video conferencing platform Zoom on Monday that will require the company to implement a sturdier information security program. The FTC alleged that Zoom engaged in a series of “deceptive and unfair practices” that essentially undermined the security of its users.

The FTC’s complaint dates back to 2016 when the agency alleged that Zoom deceived users by falsely promising that it offered “end-to-end, 256-bit encryption” to secure users’ communications. Regulators said the falsehood created the possibility that other people (including Zoom) could read a user’s content. 

In the FTC’s eyes, Zoom also erroneously told users who wanted to store recorded meetings on the company’s cloud storage that those meetings were encrypted immediately after their meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.

Enter COVID-19

The matter was complicated further during the COVID-19 pandemic. Zoom’s reach skyrocketed from 10 million in December 2019 to 300 million in April 2020, putting even more users’ privacy at risk. 

Earlier this summer, the company attempted to soften the FTC’s angst by improving its security for all users versus only its paying subscribers, but those actions seemingly weren’t enough to appease regulators.

“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”

What changes Zoom users will see

The FTC’s laundry list of changes that Zoom users are supposed to see thanks to the settlement includes:

  • Annual assessment and documentation of potential internal and external security risks, and development of safeguards against those risks;

  • Implementation of a vulnerability management program; and

  • Deployment of safeguards such as multi-factor authentication to protect against unauthorized access to its network, institution of data deletion controls, and steps to prevent the use of known compromised user credentials.

The FTC didn’t stop there, though. On top of those three key changes, Zoom agreed to review any software updates for potential security flaws and must ensure that software updates will not hamper third-party security features. The company has also agreed not to misrepresent to the public its collection and use of personal information, and it will have an assessment of its security program made by an independent third party every other year.


Platform used by Hotels.com and Expedia leaks data of ‘millions’ of guests

Security researchers don’t know whether the data has already been found by a cybercriminal

The hotel reservation firm Prestige Software has exposed the data of millions of guests worldwide, Website Planet reports.

Prestige Software -- a platform that enables hotels to automate their availability on booking websites like Expedia and Booking.com -- reportedly stored files dating as far back as 2013 without any protection in place. 

Exposed information included names, credit card details, ID numbers, and reservation details. In some cases, logs contained personally identifiable information for multiple members included in a single booking.

No evidence of third party access 

At this time, it’s not known how long the trove of data was left unsecured or if any third parties accessed it. If the data was found by a cybercriminal, the party could steal identities, carry out phishing scams, or even hijack a reservation.

“Millions of people were potentially exposed in the data breach, from all over the world. We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” said researcher Mark Holden. “So far, there is no evidence of this happening. However, if it did, there would be enormous implications for the privacy, security and financial wellbeing of those exposed.”

Website Planet said the firm quickly fixed the vulnerability after being alerted to the issue. 

Holden said that due to the sheer number of hotel and travel websites involved in the breach, it’s “impossible to help anyone already exposed if somebody found the data before us.” Clients of Prestige Software include Booking.com, Expedia, Hotels.com, and many others. 

“If you’re a customer of any of the websites listed in this report and are concerned about how this leak might impact you, contact the company directly to determine what steps it’s taking to protect your data,” Website Planet said.
