Author: rescue@crimefire.in

  • At Least 30% of "Cyber-Criminals" Are Women: Report – Infosecurity Magazine

    Female participation in cybercrime is far higher than for all types of crime, according to a new report which raises some interesting questions about possible gender bias in investigations.
    Trend Micro used machine learning web service Gender Analyzer V5 to analyze text written by 50 random users of the Russian-language XSS forum and 50 users of the English-language Hackforums site.
    It revealed that 30% of those XSS forum users were women, rising to 36% of Hackforums users.
    “Our control group consisted of 10 aliases that posted their gender profiles online and identified themselves as women from XSS and Hackforums,” the report noted. “When we ran posts from these users through the text analyzer, results indicated that all the aliases were classified as female with an average classifier percentage of 82.4%.”
    The report authors also used a separate AI tool to ascertain the gender of cybercrime forum users. Semrush is billed as a search engine marketing solution. It uses machine learning algorithms to analyze data from social networks and other third-party sources, in order to determine the demographic information of web users, such as gender.
    Its analysis claimed an even higher percentage of dark web forum users were women: 41% of XSS users and 40% of Hackforums users.
    By contrast, 4–8% of the prison population in the UK, Russia and US is female, according to data cited in the report.
    If accurate, the findings would also indicate that a higher percentage of women participate in cybercrime than currently work in the cybersecurity industry. The latest estimates from ISC2 put this figure at around 24%, although it does rise to 30% in the under-30s.
    Trend Micro argued that the cybercrime economy appears generally welcoming of all individuals as long as they have the right skills and experience.
    That should be a reminder to investigators never to assume a malicious actor’s gender, it concluded.
    “It is our recommendation for all investigators to avoid assumptions of male personas while carrying out their work (such as referring to a suspect as ‘he’ or ‘his’) as this creates an inherent bias as they progress their case,” the report noted.
    “We suggest instead to use ‘they,’ which will not only cover any gender involved, but also force investigators to factor in that more than one person may be behind a single moniker under investigation.”

    source

  • Data breaches like Indigo’s are hitting employees, not customers. Can you sue? – Global News

    A significant data breach at Indigo affecting both current and former employees is raising questions about what rights Canadian workers have if their personal information was possibly exposed in a leak.
    But lawyers and privacy experts who spoke to Global News say there is little legislation in Canada covering what obligations an employer has with its employees’ data, and few paths for compensation open to those who might have been affected.
    Indigo said this week it would not pay the ransom to hackers involved in its breach and that affected employee data could start to appear on the “dark web” as early as Thursday. Among potentially compromised data were workers’ names, email addresses, social insurance numbers and banking information, the bookseller said in an earlier letter to affected individuals seen by Global News.
    Read more: Telus says it’s investigating claims employee information was posted on ‘dark web’
    Indigo is not the only high-profile company recently facing a breach possibly affecting employee data.
    Telus told Global News last week that it was investigating claims that employee data was leaked and posted on the “dark web,” but has not responded to followup inquiries about the kind of information that might have been exposed.
    Sobeys parent company Empire Co., the Liquor Control Board of Ontario (LCBO) and Toronto’s Hospital for Sick Children are among the other corporate and public organizations that have recently been hit with cybersecurity incidents.
    Lawyers at McCarthy Tétrault LLP have been getting a growing number of calls about data breaches in recent months, says Barry Sookman, senior counsel at the Toronto-based firm.
    These kinds of cases were once rare occurrences, he tells Global News, but are now “rampant.”
    “With data breach cases, it’s almost like we get a new one every day,” he says. “It’s just so, so prevalent.”
    What separates cases like Indigo and the possible leak at Telus is that, usually, it’s customer data being breached — not employees’ — Sookman says. He spoke generally about similar situations but did not comment directly on either case to Global News.
    There isn’t a lot of case law to draw on for incidents where employee data is compromised, he adds, but a recent ruling at the Ontario Court of Appeal puts a damper on the prospect of a class-action lawsuit in such cases.
    Lawyers at McCarthy Tétrault wrote that a series of decisions late last year, including cases involving data breaches at Equifax Canada and Marriott International, “firmly shuts the door” on being able to launch class-action lawsuits against companies hit by data breaches.
    Read more: Quebec court approves $200.9M settlement against Desjardins over data breach
    Sookman explains that it can be difficult to hold companies liable after they themselves have been hit by a breach. It would be different if the company itself had played a role in the misconduct, he says.
    There are arguments to be made that an employer could have a duty of confidence with respect to a worker’s sensitive information, Sookman says, but he adds that these are also difficult grounds to establish liability.
    “The question is, if there’s a third-party hack, has the employer breached the duty of confidence? It’s a tough argument,” he says.
    The federal Personal Information Protection and Electronic Documents Act (PIPEDA) does provide some safeguards for employee information. But Sookman notes this only applies to federally regulated industries such as banking or transportation, not to private industry.
    When a data breach happens that falls under PIPEDA, complaints can be made to the Office of the Privacy Commissioner. If the commissioner investigates and finds a cause of action, that can open the door to seeking damages — but Sookman says this amount is not usually “significant.”
    The Office of the Privacy Commissioner confirmed to Global News in a statement last week that it had received notice of a breach from Indigo and are in communication with the company about next steps.
    A spokesperson for the privacy commissioner confirmed again on Wednesday that the office had not received any complaints about the matter.
    Privacy legislation in Canada covering the workplace tends to vary from province to province, so it’s hard to make general statements about what’s allowed and what’s not under the law.
    Speaking for Alberta, Calgary-based employment lawyer Karen Tereposky with Samfiru Tumarkin LLP says privacy legislation tends to protect companies against violations that are in “good faith.”
    “Unless it’s in bad faith, then they’re protected from legal action. It’s hard to know where that standard is. It’s pretty subjective,” she says. “But in general, the privacy legislation in Alberta protects organizations from these types of incidents.”
    The landscape is different south of the border, Tereposky says, where companies are more often opened up to lawsuits when they compromise someone’s data.
    She suspects that if there were a push to reform legislation to address recent breaches, it would be to regulate and standardize compensation for affected parties, rather than open companies up to more legal action.
    “In Canada, we tend to want to regulate things more than to just have litigation flowing,” she says.
    Indigo offered credit monitoring services to possibly affected employees in the wake of the breach.
    Sookman says that, unless the offer came with specific language waiving rights to sue for damages after accepting those services or any other compensation, accepting services like that would not affect an individual’s right to participate in a potential future legal action.
    Ann Cavoukian, the former Ontario privacy commissioner, says that, in addition to typical cybersecurity hygiene like changing account passwords, affected individuals should monitor their online spaces for suspicious activities like phishing attempts.
    Read more: ‘Grandparent scams’ cost seniors over $9.2M last year. Here’s how to protect yourself
    There’s little employees can do to be proactive about safeguarding their data when it’s in their employer’s hands, Cavoukian tells Global News, as few employment contracts have those kinds of protections baked into their terms.
    But that doesn’t mean you can’t try to hold them to account on how they handle that data.
    “I would urge them to talk to their boss and to the head of Indigo, and just say, ‘What are you doing to protect my data? What are you doing to ensure that my data isn’t misused or inappropriately accessed?’” she says.
    Tereposky says there’s no set time limit for how long an employer can keep your information on file after you’re gone — like a lot of privacy law, it comes down to a “reasonableness” standard.
    If you were to request your data be deleted, and then it were subject to a hack, that could help prove your claim in a future case, she adds.
    In a similar vein, if you do find an account was compromised or your identity was stolen following a data breach, Cavoukian says it’s important to notify the police to document the occurrence and lay the groundwork for future claims.
    “That’s what people have to be very aware of. You have to … demonstrate in some way that what you’re claiming is real,” she says.
    While many companies have taken plenty of time to safeguard customer data, cases like Indigo might show the same level of care is not often taken for employees, Sookman says.
    “Companies should be looking at their policies and processes and make sure they contemplate there could actually be mischief that affects employee data and that they should be taking at least the same measures for employee data as they take for other data,” he says.
    Cavoukian hopes the recent breaches are a wake-up call to companies who need to shore up their internal cybersecurity practices. Having strong processes in place up front can deter hackers from ever attempting to breach a company’s defences, she argues, in the same way security companies leave a sticker in your window when they’ve secured your home.
    “Make sure your company is one where the hackers want to just move on because the protections are too strong,” she says.
    “Do you have a strong privacy policy combined with security? If you don’t, get on it. Drop everything else. Create a very strong privacy policy that protects your data, your employees’ data, your customers’ data. All of this has to be protected.”
    — with files from Global News’s Sean Boynton

    source

  • Evergreen Treatment Services Confirms Data Breach Affecting … – JD Supra

    On February 10, 2023, Evergreen Treatment Services (“ETS”) filed notice of a data breach with the U.S. Department of Health and Human Services Office for Civil Rights (“HHS-OCR”) after learning that a recent cyberattack resulted in confidential patient information being leaked. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to patients’ names, addresses, dates of birth, Social Security Numbers and treatment information. After confirming that consumer data was leaked, ETS began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
    Before you received services from Evergreen Treatment Services, the company asked you for your personal information. If you’re like most people, you didn’t have a second thought about providing Evergreen Treatment with everything it asked for. However, in the wake of the recent data breach, many current and past patients are starting to question whether the company did everything possible to protect the personal information in its possession. As we’ve discussed in prior posts, companies like Evergreen Treatment are the first and last lines of defense against a data breach. And, if the pending investigation into the ETS data breach confirms that the company was negligent in how it handled your information, you may be able to pursue a claim for financial compensation against Evergreen Treatment Services.
    The available information regarding the Evergreen Treatment breach comes from the company’s filing with the HHS-OCR as well as a notice posted on the company’s website. According to these sources, ETS recently discovered a cybersecurity incident that impacted the company’s IT systems. Evergreen did not disclose the dates of the attack or when the company realized it had been the victim of a cyberattack. However, in response to learning about the incident, Evergreen began working with third-party cybersecurity experts to investigate the incident and determine what, if any, patient information was affected.
    Evergreen’s investigation confirmed that an unauthorized party was able to access the company’s computer network, including files containing confidential patient data.
    Upon discovering that sensitive patient data was made available to an unauthorized party, Evergreen Treatment began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, address, date of birth, Social Security Number and treatment information. According to the HHS-OCR, the ETS data breach affected 21,325 past and current patients.
    On February 10, 2023, Evergreen Treatment sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
    Founded in 1973, Evergreen Treatment Services is a substance abuse treatment facility based in Seattle, Washington. Evergreen Treatment has four locations: the company’s Seattle Clinic, South King County Clinic, South Sound Clinic and Reach Clinic. The company uses evidence-based treatment approaches for those experiencing substance abuse disorder and also connects residents who are experiencing homelessness with social services. Evergreen Treatment employs more than 267 people and generates approximately $11.4 million in annual revenue.
     
    © Console and Associates, P.C. | Attorney Advertising

    source

  • LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults – The Hacker News

    LastPass, which in December 2022 disclosed a severe data breach that allowed threat actors to access encrypted password vaults, said it happened as a result of the same adversary launching a second attack on its systems.
    The company said one of its DevOps engineers had their personal home computer hacked and infected with a keylogger as part of a sustained cyber attack that exfiltrated sensitive data from its Amazon AWS cloud storage servers.
    “The threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack,” the password management service said.
    This intrusion targeted the company’s infrastructure, resources, and the aforementioned employee from August 12, 2022, to October 26, 2022. The original incident, on the other hand, ended on August 12, 2022.
    The August breach saw the intruders accessing source code and proprietary technical information from its development environment by means of a single compromised employee account.
    In December 2022, LastPass revealed that the threat actor leveraged the stolen information to access a cloud-based storage environment and get hold of “certain elements of our customers’ information.”
    Later in the same month, the unknown attacker was disclosed as having obtained access to a backup of customer vault data that it said was protected using 256-bit AES encryption. It did not divulge how recent the backup was.
    GoTo, the parent company of LastPass, also fessed up to a breach last month stemming from unauthorized access to the third-party cloud storage service.
    Now according to the company, the threat actor engaged in a new series of “reconnaissance, enumeration, and exfiltration activities” aimed at its cloud storage service between August and October 2022.
    “Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud storage environment,” LastPass said, adding the engineer “had access to the decryption keys needed to access the cloud storage service.”
    This allowed the malicious actor to obtain access to the AWS S3 buckets that housed backups of LastPass customer and encrypted vault data, it further noted.
    The employee’s passwords are said to have been siphoned by targeting the individual’s home computer and leveraging a “vulnerable third-party media software package” to achieve remote code execution and plant a keylogger software.
    “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault,” LastPass said.
    LastPass did not reveal the name of the third-party media software used, but indications are that it could be Plex based on the fact that it suffered a breach of its own in late August 2022.
    In the aftermath of the incident, LastPass said it upgraded its security posture by rotating critical and high privilege credentials and reissuing certificates obtained by the threat actor, and that it applied extra S3 hardening measures to put in place logging and alerting mechanisms.
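    The passage above describes valid credentials being used for "reconnaissance, enumeration, and exfiltration" against S3, and LastPass's answer of adding S3 logging and alerting. As an added example (not LastPass's or AWS's code), the Python below shows the shape such an alert can take: it reads CloudTrail-style S3 data events and flags a principal that reaches a sensitive backup bucket from an address outside the expected egress range, or that lists the bucket and then downloads a burst of objects. The records are constructed inline to follow CloudTrail's S3 data-event layout (eventTime, eventName, userIdentity.arn, sourceIPAddress, requestParameters.bucketName); the bucket name, account ID, IAM user, IP addresses and thresholds are all assumptions.

```python
"""Alert on bulk enumeration and download of a sensitive S3 bucket from
CloudTrail-style S3 data events.

Added example; not LastPass's or AWS's code. The records below are constructed
to follow CloudTrail's S3 data-event shape (eventTime, eventName,
userIdentity.arn, sourceIPAddress, requestParameters.bucketName); the bucket,
account ID, user, IP addresses and thresholds are all assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_BUCKETS = {"example-vault-backups"}   # assumed backup bucket
KNOWN_EGRESS_IPS = {"203.0.113.10"}             # assumed corporate VPN egress
ENUM_EVENTS = {"ListObjects", "ListObjectsV2", "ListObjectVersions"}
READ_EVENTS = {"GetObject"}
GET_THRESHOLD = 5                               # GETs after a List within WINDOW
WINDOW = timedelta(minutes=10)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def analyze(records):
    """Return a list of alert dicts for the given CloudTrail records."""
    # Stolen credentials look exactly like the real user, so key on
    # (principal, source IP) and judge behaviour rather than identity alone.
    per_actor = defaultdict(list)
    for r in records:
        bucket = (r.get("requestParameters") or {}).get("bucketName")
        if bucket in SENSITIVE_BUCKETS:
            per_actor[(r["userIdentity"]["arn"], r["sourceIPAddress"])].append(r)

    alerts = []
    for (arn, ip), evs in per_actor.items():
        if ip not in KNOWN_EGRESS_IPS:
            alerts.append({"rule": "sensitive-bucket-from-unknown-ip",
                           "arn": arn, "ip": ip, "count": len(evs)})
        lists = [parse_time(r["eventTime"]) for r in evs if r["eventName"] in ENUM_EVENTS]
        gets = [parse_time(r["eventTime"]) for r in evs if r["eventName"] in READ_EVENTS]
        # Enumerate-then-download: a listing followed by a burst of GETs.
        for t0 in lists:
            n = sum(1 for t in gets if t0 <= t <= t0 + WINDOW)
            if n >= GET_THRESHOLD:
                alerts.append({"rule": "enumerate-then-bulk-download",
                               "arn": arn, "ip": ip, "count": n})
                break
    return alerts


def make_record(t, event, ip, key=None):
    """One constructed CloudTrail S3 data event (not a real log line)."""
    params = {"bucketName": "example-vault-backups"}
    if key:
        params["key"] = key
    return {"eventTime": t, "eventSource": "s3.amazonaws.com", "eventName": event,
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::111122223333:user/devops-engineer"},
            "sourceIPAddress": ip, "requestParameters": params}


# Constructed log: routine daytime reads over the VPN, then the same identity
# listing and bulk-downloading the bucket late at night from an unknown address.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    make_record("2022-09-01T09:00:00Z", "GetObject", "203.0.113.10", "2022-08-31/vault.bak"),
    make_record("2022-09-01T09:05:00Z", "GetObject", "203.0.113.10", "2022-08-31/meta.json"),
    make_record("2022-09-01T23:10:00Z", "ListObjectsV2", "198.51.100.77"),
] + [
    make_record(f"2022-09-01T23:1{i}:00Z", "GetObject", "198.51.100.77", f"2022-08-31/vault-{i}.bak")
    for i in range(1, 7)
])


def load_records(text):
    """Parse newline-delimited JSON, one CloudTrail event per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_sample():
    return analyze(load_records(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(json.dumps(a))
```

    Two points worth noting. S3 object-level (data) events are not recorded by a trail unless data-event logging is switched on for the bucket, so the alert has no input until that is done. And because the attacker held the engineer's real credentials, identity-based allow-lists alone would have passed every request; the rules above key on source address and on the list-then-download pattern, which is the behaviour the passage describes.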
    LastPass users are highly recommended to change their master passwords and all the passwords stored in their vaults to mitigate potential risks, if not done already.
    Plex shared the following statement with The Hacker News after the publication of the story –
    We have not been contacted by LastPass so we cannot speak to the specifics of their incident. We take security issues very seriously, and frequently work with external parties who report issues big or small using our guidelines and bug bounty program. When vulnerabilities are reported following responsible disclosure we address them swiftly and thoroughly, and we’ve never had a critical vulnerability published for which there wasn’t already a patched version released. And when we’ve had incidents of our own, we’ve always chosen to communicate them quickly. We are not aware of any unpatched vulnerabilities, and as always, we invite people to disclose issues to us following the guidelines linked above. Given recent articles about the LastPass incident, although we are not aware of any unpatched vulnerabilities, we have reached out to LastPass to be sure.

    source

  • DPS sent at least 3000 driver's licenses to organized crime group … – The Texas Tribune

    A Chinese crime operation bypassed the password clues of Texas.gov by using stolen identity information to fraudulently obtain replacement driver’s licenses.

    The Texas Department of Public Safety was duped into shipping at least 3,000 Texas driver’s licenses to a Chinese organized crime group that targeted Asian Texans, DPS Director Steve McCraw told a Texas House committee on Monday.
    The organization was then selling the licenses, obtained using the personal information of Texas drivers, to people in the country illegally, McCraw said.
    The fraudsters worked through the state’s government portal, Texas.gov. The agency, which discovered the scheme in December, will begin notifying victims in letters to be sent out this week, the DPS chief said. More victims are still being identified, he said.
    “We’re not happy at all, I can tell you that, one bit,” McCraw said in testimony to a House Appropriations subcommittee. “They should have had — controls should have been in place, and they never should have happened.”
    The crime organization, which McCraw did not name, was able to get its hands on the Texas driver’s licenses by first pulling personal data on individuals with Asian surnames from the “dark web” and other underground data-trading portals.
    That info, including previous addresses and family names, allowed thieves to correctly answer password security questions on the Texas.gov site and use stolen credit cards to order duplicate copies of active licenses — such as those ordered by people who misplace their licenses or report them stolen. A replacement license costs $11.
    The state-run Texas.gov site is the central portal for Texans wanting to renew licenses, obtain driving records and registration, and obtain birth and death certificates, among other things.
    The investigation into the stolen driver’s licenses spans at least four states and also involves fraudulent licenses duplicated from victims in other states as well as Texas. The FBI and the Department of Homeland Security are also investigating, according to the DPS letter to lawmakers.
    House Appropriations Vice Chair Mary González, an El Paso Democrat, blasted DPS agency chiefs for letting so much time lapse while Texans were unaware that their identities were being used fraudulently.
    “Somebody could be going around as Mary González right now for two months, and nobody’s been notified, I [wouldn’t have been] notified,” González said.
    DPS officials are not calling the incident a “data breach” because they say no hacking was involved and vast amounts of data were not being stolen. Instead, the crime group used data obtained from underground sources to bypass a simple password security system — laying bare a security vulnerability that “should never have happened,” McCraw said.
    Texas.gov is operated not by DPS, but by the Texas Department of Information Resources.
    DPS officials declined to provide details about the security loophole that left the site open to fraud but told lawmakers that it had been closed.
    DIR spokesperson Brittney Booth Paylor dismissed the notion that the incident was a cybersecurity breach, calling it “a case of fraudulent criminal activity based on factors unrelated to state systems.”
    In an email to The Texas Tribune, Paylor explained that before the fraudulent activity took place, state agencies had the option to require the security (CVV) code and ZIP code for every credit card transaction that goes to their agency on Texas.gov.
    She stopped short of saying that was the weak spot used by the criminals and declined to specify whether the DPS had put the practice in place. DPS officials declined to comment further, citing the investigation.
    DPS declined to discuss specific details of the investigation in the hearing, including whether arrests had been made in connection with the Texas thefts, but in a letter to lawmakers, McCraw said “several subjects have been identified in this criminal enterprise.”
    The criminal operation had not been made public before Monday’s hearing.
    DPS officials also did not specify or speculate whether the thieves could have used the password login scheme to obtain other things, like birth certificates.
    The problem was first detected in December when a third-party Texas.gov payment vendor “alerted DPS to an increase in customers challenging credit card charges for online transactions,” according to a February letter sent to lawmakers from the DPS. The credit cards used to buy the fraudulent copies were also stolen, authorities said.
    Before investigators shut down the operation, McCraw said, the license thieves were able to use the site, billed as “the official website of the State of Texas,” to obtain driver’s licenses that are “Real ID compliant” — not cheap copies, McCraw said.
    These stolen licenses can pass verification methods and be used fraudulently all over the country because they are real driver’s licenses being used by people who can pass for the photo on the original card, McCraw said.
    González also asked whether the fact that Asian Americans were being targeted would constitute a hate crime.
    McCraw, without committing either way, said they appeared to be targeted because their names and photos would most closely resemble the people the syndicate would be selling the licenses to, according to what the agency’s investigation has uncovered so far.
    Letters set to go out to affected Texans this week explain that if they suspect their ID is being used fraudulently, their cases will be given priority status. Also, the department will send affected licensees replacement licenses free of charge.
    kharper@texastribune.org
    @kbrooksharper

    source

  • How the Ukraine War Opened a Fault Line in Cybercrime, Possibly … – Dark Reading

    Russia’s war in Ukraine has shaken cyberspace at every level, from nation-state advanced persistent threats (APTs) on down to low-grade carders on Dark Web forums.
    A new report from Recorded Future highlights the many effects that the Russian invasion of Ukraine, now one year past, has had in cyberspace. Threat actors have been pulled away from their computers. Allies have become enemies. Cybercrime activity has shifted and power structures have been reorganized, not least because people have been physically moving.
    It all amounts to a kind of grand, multifaceted dissolution. A breakdown of the cybercrime state of affairs. Will the digital underworld ever be the same again?
    The Internet breaks down barriers. Even thousands of miles can’t prevent a hacker in Russia or Ukraine from breaching the database of a corporation in France or Canada. And yet, physical movement in the wake of the war has had lasting impacts on how cybercriminals are operating.
    On one hand, of course, Ukrainians have emigrated from their country en masse.
    “We believe that some threat actor groups based in Ukraine also fled when the war began, similar to their Russian counterparts,” Alex Leslie, associate threat intelligence analyst at Recorded Future, tells Dark Reading.
    The report refers to the case of Mark Sokolovsky, core developer for Raccoon Stealer — an information-stealing malware — who fled Ukraine to avoid conscription.
    “While this is only one case study,” Leslie says, “we believe it is indicative of a larger trend in which threat actors have fled Russia, Ukraine, and even Belarus to avoid conflict.”
    Meanwhile, Russia has been experiencing, as the authors say, a “brain drain,” with IT and cybersecurity professionals leaving the country for neighboring Georgia, Kazakhstan, Finland, and Estonia. Further, the drafting of young men of fighting age has led threat actors from behind screens to the front lines.
    As a result, the country “has begun to deplete its hacker reserves,” Leslie explains. “What we identify is that the overall volume of activities, particularly on Russian cybercriminal forums, marketplaces, and social media channels, has decreased dramatically in waves. These waves being immediately before and after the war began, during waves of mobilization, and coinciding with Russians leaving the country.”
    The reordering of so many lives has led to “a bit more decentralization, both geographically and in terms of hegemonic groups and sources of activity,” Leslie says.
    Cybercriminals come from every corner of the world, but no corner more than Russia and Eastern Europe. Many of the great cyberattacks of history have come courtesy of criminals in Russia and Ukraine. Russian APTs have become notorious for their attacks against Ukraine, but this represents a change: Russian cybercriminals have historically worked hand-in-hand with their comrades across the border.
    This kumbaya attitude was quashed on Feb. 24, 2022, when Russia invaded Ukraine and those on both sides were inspired to pledge allegiances. Most famously, the Conti group fully backed the Putin regime, then retracted, then halfway retracted its retraction. This support for the invasion was perhaps uncoincidentally attended by a giant leak of the Conti source code, tipping Russia’s most prominent ransomware gang into a slow demise.
    “We do not believe that Conti’s dissolution was a direct result of the leaks,” the authors wrote, “but rather that the leaks catalyzed the dissolution of an already fracturing threat group.”
    Far beyond just Conti, cybercrime elements which once worked together have since split over political differences, according to Recorded Future. The authors wrote that “the so-called ‘brotherhood’ of Russian-speaking threat actors located in the CIS [Commonwealth of Independent States] has been damaged by insider leaks and group splintering, due to declarations of nation-state allegiance both in support of and opposed to Russia’s war against Ukraine.”
    All the uprooting and fighting has caused fractures in the very structure of the cybercrime underground, researchers concluded.
    “Russian-language Dark Web marketplaces have taken a major hit,” Leslie claims. “These marketplaces have also fractured and become more diffuse,” a trend compounded by the seizure of the world’s No. 1 cybercrime forum, Hydra.
    He adds, “We speculate that the epicenter of cybercrime may shift to English-speaking Dark Web forums, shops, and marketplaces over the next year.”


    source

  • How Does a Data Breach Take Place in an Organization? – Security Boulevard

    Recent data breaches have become a major concern for organizations. Regardless of an organization’s size, threat actors are targeting every type of business, and they have also started targeting medical organizations. The recent Medibank incident shows how bad the outcome can be: according to reports, 9.7 million Medibank customers were affected, and around 200GB of data was taken.
    Breached data is exposed to the public. Such a leak can mean the loss of billions of confidential records, and it affects not only the breached organization but also the individuals whose private data was stolen by cybercriminals. The risk of such breaches can, however, be reduced with proactive strategies.


    To stop such cyber-attacks, we have to understand their root causes: how threat actors operate, which loopholes they target, and how they monitor activity. We will discuss each of these causes step by step and look at how threat actors use them to attack an organization.
    Application vulnerabilities are the major cause of data breaches in an organization. The data shows that most successful attacks exploited a vulnerable application run by the organization. Although many application bugs can lead to highly severe vulnerabilities, we will talk about the simplest bugs that can still have a big impact.
    To prevent data breaches, businesses need to keep an eye on high-risk application weaknesses such as the following.
    During our pentests at Kratikal, we have seen that most of the web applications we audit were running with default credentials. Most of these weaknesses arise when an organization sets up a server and never changes the default settings, and they account for a large share of successful attacks.
    The screenshot below shows an example of a default Apache Tomcat error report, which also leaks the server version. This tells an attacker whether the server version is affected by any publicly available exploit, such as those found on Exploit-DB or GitHub.
    Another cause of data breaches is the default configuration, which can lead to attacks such as directory listing and the exposure of sensitive files. An attacker can reach these files by brute-forcing directory names. In the screenshot below, the server is exposing its directory listing, which gives the attacker an idea of the structure of the site.
    Here we can see it is exposing the server logs, which in this case are IRC logs that can reveal sensitive information. From an application security standpoint, no logs should ever be publicly visible.
    These flaws are easy to find: an attacker only needs to run an automated tool against the vulnerable website, which requires no expertise or knowledge of the underlying hack, and a threat actor can use them to gain access to your highest-privileged accounts.
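    The two default-configuration leaks described above (server version in error pages and headers, and directory listings) can be checked for on your own servers. This is an added example, not code from the Kratikal post; the HTTP responses below are constructed, and the Apache httpd directives named in the docstring are the standard fixes.

```python
"""Audit HTTP responses from your own servers for version disclosure and
directory listings (added example, not the post's own code).

On Apache httpd the hardening directives are:
    ServerTokens Prod      # Server header becomes just "Apache"
    ServerSignature Off    # no version footer on error/index pages
    Options -Indexes       # no auto-generated directory listings
"""
import re

# A version-bearing Server header, e.g. "Apache/2.4.29 (Ubuntu)" or "Apache-Coyote/1.1"
VERSION_HEADER_RE = re.compile(r"/\d+(\.\d+)+")
# Version strings that default httpd/Tomcat pages embed in the body
BODY_VERSION_RE = re.compile(r"(Apache Tomcat|Apache)/\d+(\.\d+)+")
# Title markers of auto-generated directory indexes (httpd and Python's http.server)
DIR_LISTING_RE = re.compile(r"<title>\s*(Index of /|Directory listing for)", re.I)


def audit_response(headers, body):
    """Return a list of finding names for one response (headers dict + body text)."""
    findings = []
    # Header names are case-insensitive in HTTP, so match them case-insensitively.
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    if VERSION_HEADER_RE.search(server):
        findings.append("server_version_in_header")
    if BODY_VERSION_RE.search(body):
        findings.append("server_version_in_body")
    if DIR_LISTING_RE.search(body):
        findings.append("directory_listing")
    return findings


# Constructed sample responses (not captured from any real server).
LEAKY_TOMCAT_ERROR = (
    {"Server": "Apache-Coyote/1.1", "Content-Type": "text/html"},
    "<html><head><title>Apache Tomcat/8.5.4 - Error report</title></head>"
    "<body><h1>HTTP Status 404 - Not Found</h1></body></html>",
)
LEAKY_APACHE_INDEX = (
    {"Server": "Apache/2.4.29 (Ubuntu)"},
    "<html><head><title>Index of /logs</title></head><body><h1>Index of /logs</h1>"
    "<address>Apache/2.4.29 (Ubuntu) Server at example.test Port 80</address></body></html>",
)
HARDENED = (
    {"Server": "Apache"},
    "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1></body></html>",
)

if __name__ == "__main__":
    for name, sample in [("tomcat error", LEAKY_TOMCAT_ERROR),
                         ("apache index", LEAKY_APACHE_INDEX),
                         ("hardened", HARDENED)]:
        print(f"{name}: {audit_response(*sample) or 'clean'}")
```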
    Not every data breach happens because of a vulnerable web application. The recent cyber-attack on GoDaddy happened because the attacker was able to install malware inside the organization; according to GoDaddy, this led to the redirection of customer websites.
    Let’s look at how malware gets inside an organization and leads to such cyber-attacks and data breaches.
    In the below video, we have made a PoC to show how a threat actor can create a fake activator to infect your system with ransomware.
    Since we are talking about data breaches, there is another way a threat actor tries to get inside your organization: using previously leaked or breached passwords to gain access to your accounts.
    Here is how this happens: the threat actor obtains a leaked password database from a breach forum or a dark web forum. They then try those credentials against an admin panel or an employee account, and if the employee has reused the same password, the threat actor gains unauthorized access.
    The recent PayPal data breach is an example of credential stuffing, in which the attacker compromised at least 35,000 user accounts.
    These attackers obtain the leaked credentials from older data breaches or from hacking forums, and sell the data on such forums to other blackhats who use it for their own malicious purposes.
    The screenshot below shows a threat actor sharing leaked Twitter usernames and passwords on a leak forum.
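    Credential stuffing, as described above, has a recognizable signature in authentication logs: one source address trying many distinct usernames in a short window with mostly failures, unlike a legitimate user retrying a single account. The detector below is an added example, not code from the Kratikal post; the log format and the log lines are constructed, so the parser must be adapted to your own format.

```python
"""Credential-stuffing detector over constructed auth logs (added example).

Log format assumed here (constructed): "<ISO timestamp> <client IP> <username> <FAIL|SUCCESS>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 sprays seven accounts in four seconds and gets one
# hit; 198.51.100.9 is a normal user mistyping their own password twice.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 203.0.113.7 alice FAIL
2023-03-01T10:00:02Z 203.0.113.7 bob FAIL
2023-03-01T10:00:02Z 203.0.113.7 carol FAIL
2023-03-01T10:00:03Z 203.0.113.7 dave FAIL
2023-03-01T10:00:03Z 203.0.113.7 erin SUCCESS
2023-03-01T10:00:04Z 203.0.113.7 frank FAIL
2023-03-01T10:00:05Z 203.0.113.7 grace FAIL
2023-03-01T10:01:00Z 198.51.100.9 alice FAIL
2023-03-01T10:01:05Z 198.51.100.9 alice FAIL
2023-03-01T10:01:20Z 198.51.100.9 alice SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, max_success_ratio=0.5):
    """Flag source IPs that try >= min_users distinct accounts within `window`
    with a success ratio <= max_success_ratio. Returns {ip: summary}; the
    summary lists accounts that succeeded so they can be reset first."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide `start` forward so events[start:end+1] fits inside the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            successes = [u for _, u, ok in span if ok]
            if len(users) >= min_users and len(successes) / len(span) <= max_success_ratio:
                summary = {"distinct_users": len(users), "attempts": len(span),
                           "successes": len(successes), "compromised": sorted(set(successes))}
                # Keep the widest window seen for this IP.
                if ip not in findings or summary["distinct_users"] > findings[ip]["distinct_users"]:
                    findings[ip] = summary
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```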
    This is the most challenging case for organizations: an insider threat is someone inside the company who gives access to malicious actors or intentionally leaks data to someone on the dark web.
    This is where social engineering comes in. Threat actors use it to lure a target by exploiting the “people” vulnerability, through phishing, vishing, or smishing. They monitor the user’s activity and then tailor the attack to the user’s profile.
    Such unwitting insiders are called pawns. For example, if an organization’s HR team has posted a job opening on LinkedIn, a threat actor can prepare a strong candidate profile matching the requirements and contact HR. The threat actor can then send a malicious payload disguised as a “doc” file, which gives them unauthorized access once HR downloads and opens it.
    Below is a simple example of such a phishing attempt, in which a threat actor tries to phish a user with a fake Adobe login form.
    A data breach or security breach occurs when a malicious actor gets into a data source and steals sensitive information. The underlying reasons are the organization’s poor security posture and a lack of cyber security awareness.
    To strengthen the security posture of your organization, trust Kratikal, a CERT-In-empanelled firm. We have years of experience in VAPT and compliance and have served over 600 SMEs and 100 large enterprises. We deliver robust vulnerability assessments and pentests to secure IT infrastructure, and conduct compliance audits that help organizations maintain seamless business operations while avoiding penalties and data breaches.
    Take action to secure your business with us right away.
    The post How Does a Data Breach Take Place in an Organization? appeared first on Kratikal Blogs.
    *** This is a Security Bloggers Network syndicated blog from Kratikal Blogs authored by Prachi Tiwari. Read the original post at: https://kratikal.com/blog/how-does-a-data-breach-take-place-in-an-organization/

    source

  • Overcoming the cybersecurity talent shortage starts with hiring – Security Magazine

    One of the earliest mentions of the cybersecurity talent shortage was in January 2011, when ESG analyst Jon Oltsik asked, “Will there be a shortage of cybersecurity professionals in 2011?” 11 years later, leaders in the industry are still talking about the very same topic. Organizations have had a decade to address and overcome this growing problem, yet the talent shortage is far worse today than ever. In fact, data from CyberSeek shows that there are nearly 715,000 cybersecurity job openings in the U.S. right now.
    Where is the cybersecurity industry going wrong? This is a loaded question, as there are a number of things that the industry needs to fix to overcome the cybersecurity talent shortage. Let’s focus on the broken employment process—because this is where all the problems start.
    The harsh reality today is that human resources (HR) teams, cybersecurity hiring managers and even chief information security officers (CISOs) are out of touch with the modern requirements of the cybersecurity profession.
    The hiring process within many companies goes something like this: The CISO mandates that the security hiring manager fill open entry-level positions and relies on said hiring manager to get the job done with little oversight. To start the hiring process, the HR team tells the hiring manager to come up with a list of job responsibilities and requirements, so they can find and recruit qualified professionals to interview. And, all too often, the hiring manager has unreal expectations, wanting a “unicorn” to fill their team’s needs. Without any pushback, the HR team compares the job description provided by the hiring manager with the corporate structure and pay scale, and, before you know it, the entry-level position mandates qualifications typically possessed by senior security professionals — for example, someone with a four-year degree, three to five years of industry experience and security certifications, such as a CISSP.
    Organizations won’t find entry-level candidates with three to five years of experience. Many might not even hold a college degree or security certification. And, on the flip side, no experienced security professional is going to apply for an entry-level position. Given this juxtaposition, a major misalignment emerges between the entry-level job role and the candidates qualified to apply for it — so it’s no wonder organizations can’t fill these open positions.
    To bridge this divide, hiring managers need to stop trying to hire themselves; HR teams need to stop trying to fit legacy hiring restrictions (e.g., degrees, certifications and years of experience) on modern cybersecurity roles; and CISOs need to be more involved from the start. Here are a few specific ways companies can improve the cybersecurity hiring process.
    To be honest, cybersecurity positions short of a director role do not require a four-year college degree. If an individual has drive, aptitude and a willingness to learn, they can be trained to be successful in the cybersecurity industry. Once a company slaps a degree requirement on a job posting, they eliminate a vast majority of candidates — many of which are entirely qualified to fill an entry-level position.
    When hiring managers include certifications from specific organizations in the required qualifications for a cybersecurity role, they could be excluding qualified applicants who have certifications from other organizations. The EdTech market has exploded recently, and there are now myriad companies that provide anyone with an interest in cybersecurity with options to get the knowledge and training they need to enter the field. Hiring managers and HR teams need to recognize that certifications may come from around the industry and write their job descriptions to include many sources of qualified talent.
    Similar to modern cybersecurity education and training, there are now new ways for individuals to gain security experience. A number of online lab platforms offer virtual environments where current and prospective cybersecurity professionals can practice penetration testing — and it can all be done at home, on the keyboard. Hiring managers and HR teams need to understand that hands-on experience gained through these online platforms is just as valuable as traditional classroom-based options.
    Hiring managers and HR teams need to be on the same page when it comes to drafting job descriptions and associated qualifications, or the disconnect will move from the job responsibilities/requirements combination to between these two parties. Additionally, CISOs need to be more involved in the hiring process from the beginning, working with hiring managers and HR teams to keep a pulse on how cybersecurity roles are changing, how qualifications are evolving right alongside them, and what this means for filling vacant positions within their company.
    There are many things the cybersecurity industry needs to do to overcome the ongoing talent shortage, but it all starts with the employment process. It’s time organizations looked beyond resumes and qualifications and accepted people who lack the traditional path into cybersecurity. The good news is that the best practices above are all things companies can implement today to make an immediate difference. If the cybersecurity industry collectively moves in this direction, that sky-high number of open cybersecurity positions will hopefully decrease drastically very soon.

    Neal Bridges brings more than two decades of cybersecurity experience to his role as Chief Information Security Officer (CISO) for Query.AI. He’s also the founder of the Cyber Insecurity podcast, where he discusses the latest cyber news and trends, and gives career advice to listeners who are new to the cybersecurity industry.
    Copyright ©2023. All Rights Reserved BNP Media.

    source

  • Hacked home computer of engineer led to second LastPass data … – CSO Online

    Password management company LastPass, which was hit by two data breaches last year, has revealed that data exfiltrated during the first intrusion, discovered in August, was used to target the personal home computer of one of its devops engineers and launch a second successful cyberattack, detected in November.
    The threat actor involved in the breaches infected the engineer’s home computer with a keylogger, which recorded information that enabled a cyberattack that exfiltrated sensitive information from the company’s AWS cloud storage servers, LastPass said in a cybersecurity incident update Monday.
    The company had divulged information about the data breaches last year; the update reveals for the first time that the same threat actor was responsible for both breaches.
    The first intrusion ended on August 12 last year. However, LastPass now says that the threat actor was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity aimed at the company’s cloud storage environment from August 12 to October 26, 2022.
    “The observed tactics, techniques, and procedures (TTPs), as well as the indicators of compromise (IOCs) of the second incident were not consistent with those of the first. While proximal in terms of timeline, it was not initially obvious that the two incidents were directly related,” LastPass said in its update. There has been no activity by the threat actor after October 26, the company added.
    The developer whose home computer was infected with the keylogger was only one of four devops engineers in the company who had access to the decryption keys of encrypted Amazon S3 buckets.
    “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the devops engineer’s LastPass corporate vault,” LastPass said. 
    The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups. 
    The use of valid credentials made it difficult for the company’s investigators to detect the threat actor’s activity. 
    In the first intrusion, in August, a software engineer’s corporate laptop was compromised, allowing the  threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets, LastPass CEO Karim Toubba said in a blog addressed to customers. 
    No customer data or vault data was stolen during this incident, as LastPass did not have any customer or vault data in the development environment. 
    “We declared this incident closed but later learned that information stolen in the first incident was used to identify targets and initiate the second incident,” Toubba said. 
    During the first incident, the threat actor was able to access 14 of the company’s 200 software repositories in its on-demand, cloud-based development and source code environment.
    Internal scripts from the repositories — which contained company secrets and certificates as well as internal documentation including technical information that described how the development environment operated — were also accessed by the threat actor.
    In the second incident, the threat actor used the information stolen in the first intrusion to target a senior devops engineer and exploit vulnerable third-party software to install a keylogger, Toubba said.  
    The threat actor leveraged information from the keylogger malware, including the engineer’s credentials, to bypass and ultimately gain access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted customer data, the company said. 
    The threat actor also accessed devops secrets, including information used to gain access to cloud-based backup storage. The threat actor also gained access to a backup of the LastPass multifactor authentication (MFA) and federation database, which contained copies of the company’s authenticator seeds, telephone numbers used for MFA backup, and a split-knowledge component (the K2 “key”) used for LastPass federation, LastPass said.
    The identity of the threat actor and their motivation is unknown. There has been no contact or demands made, and there has been no detected credible underground activity indicating that the threat actor is actively engaged in marketing or selling any information obtained during either incident, LastPass said. 
    LastPass has taken several steps to strengthen its security in the wake of the incidents. “We invested a significant amount of time and effort hardening our security while improving overall security operations,” the CEO said.
    These included helping devops engineers harden the security of their home networks and personal resources, rotating critical and high-privilege credentials, and enabling custom analytics that can detect ongoing abuse of AWS resources. LastPass says it has millions of users and more than 100,000 businesses as customers.

    Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld.
    Copyright © 2023 IDG Communications, Inc.

    source

  • Data breach impacts Stanford University | SC Media – SC Media



    Kroger’s mail-order pharmacy Postal Prescription Services, video software firm SundaySky, Blue Cross Blue Shield of Arizona, and Illinois-based Top of the World Ranch Treatment Center have been impacted by separate health data breaches, HealthITSecurity reports.

    TechCrunch reports that iD Tech, a tech coding camp providing online and on-campus tech courses for children, has yet to confirm a data breach that resulted in the theft of thousands of users’ personal information.
    Copyright © 2023 CyberRisk Alliance, LLC All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.

    source