The article is about the company Anderson and Renewal by Anderson leaking customer data. The data included pictures of homes and layout of homes, names, addresses, emails and contact details. There were close to 300,000 documents on the cloud that were exposed. In addition to the personal data being leaked, the customer’s physical client’s signatures that were hashed, making it easy to impersonate.
Anderson neither confirmed or denied it owned the database where the leak occurred and stated their systems have not been compromised. did not come from within their IT systems. They use Azure storage blob, which is cloud storage.
In the article, there are several points on how companies using Azure storage blob can prevent data leaks and include the following: Access control, network security, encryption, auditing and logging, regular review, and employee training.
NIST Retires 27-Year-Old Widely Used Cryptographic Algorithm: SHA-1
Last month, NIST announced that it is formally retiring the SHA-1 cryptographic algorithm. While hashes are designed to be irreversible, i.e. it should be impossible to reconstruct the original message from the fixed-length enciphered text. The lack of collision resistance in SHA-1 made it possible to generate the same hash value for two different inputs. Besides urging users relying on the algorithm to migrate to SHA-2 or SHA-3 for securing electronic information, NIST is also recommending for SHA-1 be entirely phased out by December 31, 2030
The Zodiac Killer (or the Zodiac) is a pseudonym for the highly infamous serial killer active in Northern California in the late 1960s who has never officially been caught to this day. There are 5 murders officially associated with the Zodiac Killer along with 2 attempted murders. The killer himself claimed to have killed 37 people.
He is well known for creating ciphers (a series of symbols) that were sent with his numerous letters. A total of four ciphers were produced, sent between 1969 and 1974. The first was sent in three parts to make up the Z408 cipher. The second, known as the Z340 cipher, was only recently decoded in 2020. The third cipher, sent in April 1970, had 13 symbols (known as Z13) and was alleged to contain the Zodiac’s name, but has never been solved. The last cipher, sent in June 1970 and known as the Z32 cipher, was meant to lead to the location of the Zodiac’s bomb but has never been decoded.
White House to boost support for quantum technology while boosting cybersecurity
The U.S. and other nations are in a race to develop quantum technology, which could fuel advances in artificial intelligence, materials science and chemistry. Quantum computers, a main focus of the effort, can operate millions of times faster than today’s advanced supercomputers. Unlike a classic computer, which performs calculations one at a time, a quantum computer can perform many calculations at the same time.
Charlie Munger Urges US Government to Ban Crypto Like China Has Done
Warren Buffett’s right-hand man and the vice chairman of Berkshire Hathaway, Charlie Munger, has urged the U.S. government to ban cryptocurrencies like China has done. “A cryptocurrency is not a currency, not a commodity, and not a security. Instead, it’s a gambling contract with a nearly 100% edge for the house,” he stressed.
Password Dependency: How to Break the Cycle
A report from NordPass reveals that millions of people still haven’t broken the habit of using easy-to-remember but easy-to-crack passwords. Among the 200 most common passwords. Among the 200 most common passwords, “password” comes first and can be cracked in less than one second. Other popular passwords include “guest” and “123456”. Most of today’s data breaches are preceded by credential-gathering activities followed by a crash attack. Hackers can spread out and scour the network looking for privileged accounts and credentials to help them steal an organization’s infrastructure and sensitive data. Therefore, organizations need additional measures to ensure secure access – Zero Trust Network Access (ZTNA) when granting access to valuable data and critical systems. This approach can help to break password dependency by providing a more secure way of accessing resources and services on a network. They should place the Assess Application Usage Prior to ZTNA Implementation, Define Granular Access Policies, Eliminate Standing Application Entitlements, Establish a Continuous Feedback Loop, Assure User and Business Leader Buy-In, and Select Best-of-Breed Solutions. While there are multiple ways to break the dependency on passwords, ZTNA would provide a more secure and flexible solution for accessing network resources, helping to break password dependency and ensuring the productivity and efficiency of their employees.
Breaking people of bad password practices is a never ending issue and one of my personal and professional pet peeves. NIST is largely to blame for creating the problem in the first place by publishing a poorly researched draft password policy in a final publication without adequate review. That misstep enshrined the 1 upper case, 1 number, 1 symbol, password into stone and is why passwords like “D@vespring2023” and “GoEagles2023!” just wont die.
I am constantly trying to push users toward password managers to address this issue. They really are the solution until passwordless, zero trust architecture matures.
A major credit agency once again fails to protect critical customer data. This is an embarrassing situation that is all but a textbook example of what not to do. A critical, reported, and known vulnerability was allowed to remain live for over a month and lead to leaking of important personal information. Credit scores are one of the most financially impactful pieces of a person’s digital portfolio and yet, the credit agencies are not keeping us safe. What will it take to get a proper response?
The article goes on to speak about how “It became the subject of public fascination as it floated over nuclear silos of Montana, then was spotted near Kansas City and met its cinematic end when a Sidewinder missile took it down over shallow waters off the coast of South Carolina. Not surprisingly, now it is coveted by military and intelligence officials who desperately want to reverse-engineer whatever remains the Coast Guard and the Navy can recover.” The article goes on to state “the Pentagon said there was another one in flight, over South America. And it noted a long history of Chinese balloons flying over the United States (which the Pentagon, somehow, never wanted to talk about before, until this incident forced it to).”
The Quant-ID project aimed at researching the development of methods and systems that guarantee cryptographic security in quantum random numbers and post-quantum cryptography has been launched. It started in September 2022 and will run for three years. Four partners made up of Quant-X Security and Coding GmbH, Fraunhofer Institute for Photonic Microsystems IPMS, MTG AG, and the University of Regensburg is involved in this project.
At the end of the project, the digital identities and quantum-safe authorization will be tested.
What interests me the most is the motivation is to build up an interdisciplinary project team, establish partnerships in Germany for overall solutions, and make safeguarding technologies against attacks by quantum computers accessible to everyone.
Dr. Alexander Noack, group leader at Fraunhofer states that “their goal is to develop quantum-safe authorization of users in an IAM (Identity Access Management) architecture with the help of quantum random numbers and post-quantum cryptography,”
Ransomware hacking campaign targets Europe and North America, Italy warns
Italy’s National Cybersecurity Agency (ACN) warned of a large-scale campaign to spread ransomware on thousands of computer servers across Europe and North America.
The attack targets vulnerabilities in VMware ESXi technology that were previously discovered but that still leave many organizations vulnerable to intrusion by hackers.
“a crypto scam stole 4m by just taking a photo of a trust wallet screen, with no seed phrases or any private info on sight”
Ahad Shams, the co-founder of the Web3 metaverse game engine “Webaverse”, was recently robbed of $4 million worth of cryptocurrency from Trust Wallet (he claimed the thief could not see his private key and was not connected to a public WiFi network.) Shams believes the thief somehow gained access to the wallet while taking pictures of its balance. After Shams reported the attack, investigators need more technical information to determine the medium of the attack. The letter was shared on Twitter, where it was widely assumed that taking the photo was not the cause of the missing funds, with some speculating that perhaps the Trust Wallet Shams downloaded on another phone for security was a fake. However, Trust Wallet responded that the case was not caused by its app.
UK Banks Still Failing on Digital Security – Report
According to a recent Which? report, UK banking clients are unnecessarily vulnerable to fraud and account compromise due to weak internet security.
From September to November 2022, Red Maple Technologies will evaluate the online banking websites and applications of 13 current account providers on behalf of the consumer protection organization. Login, navigation, and logout, account management, and encryption were the four main topics considered in the study.
Virgin Money received a combined score of 52% online and 54% for its app, placing it at the bottom of the list. Six out-of-date bank online apps that have possible security flaws were discovered during the examination. Red Maple Technologies claims that the lender acknowledged three flaws and promised to fix them.
With an 82% rating for internet banking and an 80% rating for its app, Starling came out on top. With 80% of the vote for its online banking platform and 82% for its app, HSBC came in second place overall.
The deployment of the most robust security measures by banking applications and websites to protect users is essential for ensuring consumer protection. Rob Stemp, CEO of Red Maple Technologies, claimed that although mobile apps can instantly prevent and inspect transactions, they cannot come at the expense of security.
It was fascinating to observe that the more recent, app-based banks have more extensive safeguards in place than some of the older, more traditional institutions. Having worked for some of these huge companies, we are aware of the complexity problems in their IT infrastructure and the central legacy systems that plague them.
Industry data shows that remote banking fraud losses in the first half of 2022 were about £85 million, down 36% from the same period last year.
The article I chose for this week is about NIST retiring a 27-Year-Old widely used Cryptographic Algorithm SHA-1. This is an old article from last year December. I decided to share it for those who may not be aware of this development. The main reason for its retirement is because it has been deemed broken owing to the risk of collision attacks. SHA-1 lacked collision resistance which made it possible to generate the same hash value for two different inputs. However, hashes are designed to be irreversible which means it should be impossible to reconstruct the original message from the fixed-length enciphered text.
Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/
The article reports on a large-scale ransomware attack that is targeting VMware ESXi servers worldwide. The ransomware, known as ESXiargs, encrypts the victim’s files and demands payment in exchange for the decryption key. The attackers are using various methods to gain initial access to the vulnerable servers, including exploiting unpatched software and brute-forcing login credentials. This attack highlights the importance of regularly patching software and implementing strong security measures to protect against ransomware.
Netflix has estimated that over 100 million users across the globe use shared login credentials of another subscriber. They have added a feature saying that there must be a home device logged into every 31 days or you will be logged out. Netflix will prompt any user who signs into that account elsewhere to register for their or a second account instead. The password change is implemented to ensure the security of one’s account and make sure that there are no unwanted users on others accounts.
When an organization subscribes to SaaS, who exactly is responsible for ensuring data security? The instinct answer is to rely on the SaaS provider. However, it is important to bear in mind that SaaS data breaches and ransomware attacks do occur. The proposed solution is to construct a table that lists roles as rows and responsible, accountable, consulted, informed as columns. This is known as RACI table. Additionally, the SaaS App owners have to have an adequate infrastructure including a SaaS security communication platform. This platform should alert both the security team and the app owners of any misconfigurations found. It should also provide steps required for remediation.
Andersen Corporation leaks customer home photos and addresses | Cybernews
https://cybernews.com/security/andersen-leak-home-photos-addresses/
The article is about the company Anderson and Renewal by Anderson leaking customer data. The data included pictures of homes and layout of homes, names, addresses, emails and contact details. There were close to 300,000 documents on the cloud that were exposed. In addition to the personal data being leaked, the customer’s physical client’s signatures that were hashed, making it easy to impersonate.
Anderson neither confirmed or denied it owned the database where the leak occurred and stated their systems have not been compromised. did not come from within their IT systems. They use Azure storage blob, which is cloud storage.
In the article, there are several points on how companies using Azure storage blob can prevent data leaks and include the following: Access control, network security, encryption, auditing and logging, regular review, and employee training.
NIST Retires 27-Year-Old Widely Used Cryptographic Algorithm: SHA-1
Last month, NIST announced that it is formally retiring the SHA-1 cryptographic algorithm. While hashes are designed to be irreversible, i.e. it should be impossible to reconstruct the original message from the fixed-length enciphered text. The lack of collision resistance in SHA-1 made it possible to generate the same hash value for two different inputs. Besides urging users relying on the algorithm to migrate to SHA-2 or SHA-3 for securing electronic information, NIST is also recommending for SHA-1 be entirely phased out by December 31, 2030
https://thehackernews.com/2022/12/goodbye-sha-1-nist-retires-27-year-old.html
Cold Case File: The Zodiac Killer
The Zodiac Killer (or the Zodiac) is a pseudonym for the highly infamous serial killer active in Northern California in the late 1960s who has never officially been caught to this day. There are 5 murders officially associated with the Zodiac Killer along with 2 attempted murders. The killer himself claimed to have killed 37 people.
He is well known for creating ciphers (a series of symbols) that were sent with his numerous letters. A total of four ciphers were produced, sent between 1969 and 1974. The first was sent in three parts to make up the Z408 cipher. The second, known as the Z340 cipher, was only recently decoded in 2020. The third cipher, sent in April 1970, had 13 symbols (known as Z13) and was alleged to contain the Zodiac’s name, but has never been solved. The last cipher, sent in June 1970 and known as the Z32 cipher, was meant to lead to the location of the Zodiac’s bomb but has never been decoded.
https://forensicsciencesociety.com/thedrip/the-zodiac-killer
White House to boost support for quantum technology while boosting cybersecurity
The U.S. and other nations are in a race to develop quantum technology, which could fuel advances in artificial intelligence, materials science and chemistry. Quantum computers, a main focus of the effort, can operate millions of times faster than today’s advanced supercomputers. Unlike a classic computer, which performs calculations one at a time, a quantum computer can perform many calculations at the same time.
Read more at:
https://cio.economictimes.indiatimes.com/news/next-gen-technologies/white-house-to-boost-support-for-quantum-technology-while-boosting-cybersecurity/91317084
Charlie Munger Urges US Government to Ban Crypto Like China Has Done
Warren Buffett’s right-hand man and the vice chairman of Berkshire Hathaway, Charlie Munger, has urged the U.S. government to ban cryptocurrencies like China has done. “A cryptocurrency is not a currency, not a commodity, and not a security. Instead, it’s a gambling contract with a nearly 100% edge for the house,” he stressed.
https://news.bitcoin.com/charlie-munger-urges-us-government-to-ban-crypto-like-china-has-done/
Password Dependency: How to Break the Cycle
A report from NordPass reveals that millions of people still haven’t broken the habit of using easy-to-remember but easy-to-crack passwords. Among the 200 most common passwords. Among the 200 most common passwords, “password” comes first and can be cracked in less than one second. Other popular passwords include “guest” and “123456”. Most of today’s data breaches are preceded by credential-gathering activities followed by a crash attack. Hackers can spread out and scour the network looking for privileged accounts and credentials to help them steal an organization’s infrastructure and sensitive data. Therefore, organizations need additional measures to ensure secure access – Zero Trust Network Access (ZTNA) when granting access to valuable data and critical systems. This approach can help to break password dependency by providing a more secure way of accessing resources and services on a network. They should place the Assess Application Usage Prior to ZTNA Implementation, Define Granular Access Policies, Eliminate Standing Application Entitlements, Establish a Continuous Feedback Loop, Assure User and Business Leader Buy-In, and Select Best-of-Breed Solutions. While there are multiple ways to break the dependency on passwords, ZTNA would provide a more secure and flexible solution for accessing network resources, helping to break password dependency and ensuring the productivity and efficiency of their employees.
https://www.securityweek.com/password-dependency-how-to-break-the-cycle/
Breaking people of bad password practices is a never ending issue and one of my personal and professional pet peeves. NIST is largely to blame for creating the problem in the first place by publishing a poorly researched draft password policy in a final publication without adequate review. That misstep enshrined the 1 upper case, 1 number, 1 symbol, password into stone and is why passwords like “D@vespring2023” and “GoEagles2023!” just wont die.
I am constantly trying to push users toward password managers to address this issue. They really are the solution until passwordless, zero trust architecture matures.
https://krebsonsecurity.com/2023/01/experian-glitch-exposing-credit-files-lasted-47-days/
A major credit agency once again fails to protect critical customer data. This is an embarrassing situation that is all but a textbook example of what not to do. A critical, reported, and known vulnerability was allowed to remain live for over a month and lead to leaking of important personal information. Credit scores are one of the most financially impactful pieces of a person’s digital portfolio and yet, the credit agencies are not keeping us safe. What will it take to get a proper response?
Interesting article about Pentesters jailed for work they were employed to do and paid for.
https://arstechnica.com/information-technology/2020/01/criminal-charges-dropped-against-2-pentesters-who-broke-into-iowa-courthouse/
Balloon Incident Reveals More Than Spying as Competition With China Intensifies
The article I have chosen to highlight this week is one that is taking the nation by storm. It speaks to China’s “Weather Balloon”, and the possible nefarious intent behind it. Many in the counter-intelligence community including former CIA Director/Secretary of Defense Leon Panetta criticized Biden’s slow action against the balloon. (https://www.mediaite.com/politics/fmr-obama-sec-def-leon-panetta-biden-shouldve-shot-down-spy-balloon-before-it-was-allowed-to-transverse-the-entire-country/)
The article goes on to speak about how “It became the subject of public fascination as it floated over nuclear silos of Montana, then was spotted near Kansas City and met its cinematic end when a Sidewinder missile took it down over shallow waters off the coast of South Carolina. Not surprisingly, now it is coveted by military and intelligence officials who desperately want to reverse-engineer whatever remains the Coast Guard and the Navy can recover.” The article goes on to state “the Pentagon said there was another one in flight, over South America. And it noted a long history of Chinese balloons flying over the United States (which the Pentagon, somehow, never wanted to talk about before, until this incident forced it to).”
https://www.nytimes.com/2023/02/05/us/politics/balloon-china-spying-united-states.html
The Quant-ID project aimed at researching the development of methods and systems that guarantee cryptographic security in quantum random numbers and post-quantum cryptography has been launched. It started in September 2022 and will run for three years. Four partners made up of Quant-X Security and Coding GmbH, Fraunhofer Institute for Photonic Microsystems IPMS, MTG AG, and the University of Regensburg is involved in this project.
At the end of the project, the digital identities and quantum-safe authorization will be tested.
What interests me the most is the motivation is to build up an interdisciplinary project team, establish partnerships in Germany for overall solutions, and make safeguarding technologies against attacks by quantum computers accessible to everyone.
Dr. Alexander Noack, group leader at Fraunhofer states that “their goal is to develop quantum-safe authorization of users in an IAM (Identity Access Management) architecture with the help of quantum random numbers and post-quantum cryptography,”
Reference
https://www.eenewseurope.com/en/project-to-ensure-quantum-safe-identities/
Ransomware hacking campaign targets Europe and North America, Italy warns
Italy’s National Cybersecurity Agency (ACN) warned of a large-scale campaign to spread ransomware on thousands of computer servers across Europe and North America.
The attack targets vulnerabilities in VMware ESXi technology that were previously discovered but that still leave many organizations vulnerable to intrusion by hackers.
https://www.politico.eu/article/ransomware-hacking-campaign-targets-europe-and-north-america-italy-warns/.
“a crypto scam stole 4m by just taking a photo of a trust wallet screen, with no seed phrases or any private info on sight”
Ahad Shams, the co-founder of the Web3 metaverse game engine “Webaverse”, was recently robbed of $4 million worth of cryptocurrency from Trust Wallet (he claimed the thief could not see his private key and was not connected to a public WiFi network.) Shams believes the thief somehow gained access to the wallet while taking pictures of its balance. After Shams reported the attack, investigators need more technical information to determine the medium of the attack. The letter was shared on Twitter, where it was widely assumed that taking the photo was not the cause of the missing funds, with some speculating that perhaps the Trust Wallet Shams downloaded on another phone for security was a fake. However, Trust Wallet responded that the case was not caused by its app.
https://cointelegraph.com/news/haunts-me-to-this-day-crypto-project-hacked-for-4m-in-a-hotel-lobby
UK Banks Still Failing on Digital Security – Report
According to a recent Which? report, UK banking clients are unnecessarily vulnerable to fraud and account compromise due to weak internet security.
From September to November 2022, Red Maple Technologies will evaluate the online banking websites and applications of 13 current account providers on behalf of the consumer protection organization. Login, navigation, and logout, account management, and encryption were the four main topics considered in the study.
Virgin Money received a combined score of 52% online and 54% for its app, placing it at the bottom of the list. Six out-of-date bank online apps that have possible security flaws were discovered during the examination. Red Maple Technologies claims that the lender acknowledged three flaws and promised to fix them.
With an 82% rating for internet banking and an 80% rating for its app, Starling came out on top. With 80% of the vote for its online banking platform and 82% for its app, HSBC came in second place overall.
The deployment of the most robust security measures by banking applications and websites to protect users is essential for ensuring consumer protection. Rob Stemp, CEO of Red Maple Technologies, claimed that although mobile apps can instantly prevent and inspect transactions, they cannot come at the expense of security.
It was fascinating to observe that the more recent, app-based banks have more extensive safeguards in place than some of the older, more traditional institutions. Having worked for some of these huge companies, we are aware of the complexity problems in their IT infrastructure and the central legacy systems that plague them.
Industry data shows that remote banking fraud losses in the first half of 2022 were about £85 million, down 36% from the same period last year.
https://www.infosecurity-magazine.com/news/uk-banks-still-failing-on-digital/
The article I chose for this week is about NIST retiring a 27-Year-Old widely used Cryptographic Algorithm SHA-1. This is an old article from last year December. I decided to share it for those who may not be aware of this development. The main reason for its retirement is because it has been deemed broken owing to the risk of collision attacks. SHA-1 lacked collision resistance which made it possible to generate the same hash value for two different inputs. However, hashes are designed to be irreversible which means it should be impossible to reconstruct the original message from the fixed-length enciphered text.
https://thehackernews.com/2022/12/goodbye-sha-1-nist-retires-27-year-old.html
Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide
https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/
The article reports on a large-scale ransomware attack that is targeting VMware ESXi servers worldwide. The ransomware, known as ESXiargs, encrypts the victim’s files and demands payment in exchange for the decryption key. The attackers are using various methods to gain initial access to the vulnerable servers, including exploiting unpatched software and brute-forcing login credentials. This attack highlights the importance of regularly patching software and implementing strong security measures to protect against ransomware.
Netflix has estimated that over 100 million users across the globe use shared login credentials of another subscriber. They have added a feature saying that there must be a home device logged into every 31 days or you will be logged out. Netflix will prompt any user who signs into that account elsewhere to register for their or a second account instead. The password change is implemented to ensure the security of one’s account and make sure that there are no unwanted users on others accounts.
https://www.indiewire.com/2023/02/netflix-new-password-sharing-protocol-linked-to-house-1234805758/
When an organization subscribes to SaaS, who exactly is responsible for ensuring data security? The instinct answer is to rely on the SaaS provider. However, it is important to bear in mind that SaaS data breaches and ransomware attacks do occur. The proposed solution is to construct a table that lists roles as rows and responsible, accountable, consulted, informed as columns. This is known as RACI table. Additionally, the SaaS App owners have to have an adequate infrastructure including a SaaS security communication platform. This platform should alert both the security team and the app owners of any misconfigurations found. It should also provide steps required for remediation.
https://thehackernews.com/2023/02/saas-in-real-world-whos-responsible-to.html