Search This Blog

Showing posts with label Privacy. Show all posts

Cyber Agencies: Beware of State Actors Levelling up Attacks on Managed Service Providers

 

The United States, the United Kingdom, Australia, and Canada's cybersecurity agencies issued a second advisory this week, stating that cyberattacks against managed service providers (MSPs) are expected to escalate. 

According to the advice, if an attacker is able to access a service provider's infrastructure, ransomware or espionage activity could be carried out against the provider's customers. 

The nations advised, "Whether the customer's network environment is on-premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects." 

"NCSC-UK, ACSC, CCCS, CISA, NSA, and FBI expect malicious cyber actors -- including state-sponsored advanced persistent threat groups -- to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships." 

The MSP definition covers IaaS, PaaS, SaaS, process and support services, as well as cybersecurity services, for the purposes of this advice. The first piece of obvious advice is to avoid getting compromised in the first place. Beyond that, users should follow standard suggestions such as improving monitoring and logging, updating software, having backups, employing multi-factor authentication, segregating internal networks, using the least privilege approach, and removing old user accounts. Users should verify contracts for clauses that ensure MSPs have adequate security safeguards in place.

Further, the advisory stated, "Customers should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall outside the scope of the contract. Note: contracts should detail how and when MSPs notify the customer of an incident affecting the customer's environment."
 
"MSPs, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing, and all contingencies for incident response and recovery."

NIA Starts Probe into Malware Attacks on Social Media of Defense Personnels

NIA (National Investigation Agency) has started an inquiry into the use of fake Facebook profile through which various defense personnel was contacted and their devices hacked using malware for personally identifiable information. NIA suspects that the main account was being handled from Pakistan. Vijaywada Counter Intelligence Cell first found the spying campaign in 2020, after which it registered a case under several provisions of IPC, Official Secrets Act, Information Technology Act, and UAPA (Unlawful Activities Prevention Act). 

According to the allegation, confidential information related to national security was hacked via remotely deploying a hidden malware into electronic devices, which includes mobile phones and computers, belonging to defense personnels and other defense agencies via a FB account with the profile name "Shanti Patel." Actors handling the account added concerned personnel via private Facebook messenger chats on the web. 

The victims' devices were hacked using malware to get unauthorized access to confidential data of computer resources and steal sensitive information with an aim to carry out acts of terrorism and threaten the unity, integrity, and sovereignty of India. As per the report from Counter Intelligence Cell, the threat actors distributed the malware by sending a folder that contained photos of a woman to the defense personnels. The evidence suggests that malware originated somewhere from Islamabad. A similar case happened last year where the police arrested army personnel in Rajasthan, the accused was posted in Sikkim. 

The Hindu reports "on October 31, 2020, following a tip-off from the Military Intelligence, the Rajasthan police nabbed one Ramniwas Gaura, a civilian working with a Military Engineering Services (MES) unit. The accused had been contacted using a Facebook profile by someone using pseudonyms Ekta and Jasmeet Kour. They then remained in touch on Whatsapp. "In the recent years, multiple attacks targeting defense agencies using social media have surfaced." The handlers usually send money to the information providers through the ‘hawala’ channel. Several preventive measures have been taken by the agencies concerned,” an official said," says the Hindu.

Heroku Admits to Customer Database Hack after OAuth Token Theft

 

On Thursday Heroku disclosed that users’ passwords were stolen during a cyberattack that occurred a month ago, confirming that the attack also involved the code repository GitHub. Heroku revealed that the stolen GitHub integration OAuth tokens from last month further led to the compromise of an internal customer database. 

Following the attack, the organization has notified its customer that the company is going to reset their passwords on May 4 unless they change passwords beforehand. In this process, the company has also warned its users that the existing API access tokens will also be inactive and new ones have to be generated for future work. 

"We appreciate your collaboration and trust as we continue to make your success our top priority. The initial detection related to this campaign occurred on April 12 when GitHub Security identified unauthorized access to our npm production infrastructure using a compromised AWS API key," GitHub said.

"Based on subsequent analysis, we believe this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above." 

The attack in question relates to the theft of OAuth tokens that GitHub saw in April, which impacted four OAuth applications related to Heroku Dashboard and one from Travis CI. 

By stealing these OAuth tokens, malicious actors could access and download data from GitHub repositories belonging to those who authorized the compromised Heroku or Travis CI OAuth apps with their accounts. However, GitHub’s infrastructure, private repositories, and systems themselves were not impacted by the attack. 

While reporting that they had informed Heroku and Travis-CI of the incident on April 13 and 14, GitHub said, it "contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users."

Will VPN Providers and the Indian Government Clash Over New Rules on User Data Collection?


The Ministry of Electronics and Information Technology, which administers CERT-in, has mandated all VPN providers and cryptocurrency exchanges save user records for five years. Some of the most well-known VPN providers, such as NordVPN and ExpressVPN, claim to collect only the most basic information about their customers and to provide ways for them to stay relatively anonymous by accepting Bitcoin payments. 

VPNs reroute users' internet connections through a separate network; this can be done for a variety of reasons, such as connecting to a workplace network that is not available from the general internet or accessing prohibited websites by using servers in other nations. 

Another characteristic of VPNs several VPN companies like Nord promote as a selling factor is privacy. They frequently claim to keep no logs; Nord's no-logs policy has been examined by PriceWaterhouseCoopers regularly. However, the IT Ministry's ruling would force the corporation to deviate from such a guideline for servers in India.

What sort of data does the government expect firms to preserve? 
  • Names of subscribers/customers who have hired the services have been verified.
  • Hire period, including dates.
  • IP addresses assigned to/used by members.
  • At the moment of registration/onboarding, the email address, IP address, and time stamp were utilized. 
  • Why are users hiring services? 
  • Validated contact information and addresses.
  • Subscriber/customer ownership patterns when hiring services.

Official orders from CERT-In, the government agency in charge of investigating and archiving national cybersecurity incidents, have generated controversy. It was announced in a press release for all "Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers" would be bound to maintain a variety of user data for at least five years after the service was canceled or discontinued. 

VPN industry's comment on user data?

ExpressVPN stated, that their apps and VPN servers have been meticulously designed to completely erase sensitive data. As a result, ExpressVPN will never be forced to give non-existent client data.

"Our team is currently analyzing the latest Indian government decree to determine the best course of action. Because the law will not take effect for at least two months, we are continuing to work as usual. We are committed to protecting our clients' privacy, thus if no other options exist, we may withdraw our servers from India," Patricija Cerniauskaite, a spokesman for NordVPN stated.

If NordVPN leaves India, would you still be able to use it?

Users will most likely be able to connect to NordVPN's servers in other countries even if the company decides to leave India. According to reports, NordVPN has 28 servers in India which users in India and other countries can connect to. Surprisingly, NordVPN's Indian servers provide access to websites that are normally restricted in India.

India enters an unfortunate list of other large countries where Nord and other VPN providers have either pulled servers or never had a presence: Russia, where Nord and other VPN providers pulled servers just after the country ordered VPN firms to provide backdoor access to government on demand in 2019; and China, where VPN providers are subject to stringent controls. 

The Internet Freedom Foundation, a New Delhi-based digital rights advocacy group, claimed in a comprehensive statement released Thursday afternoon, the requirements were "extreme" and would impair VPN users' "individual liberty and privacy."

Mental Health Apps Fail Privacy Guidelines Spectacularly, Says Mozilla

An inquiry into mental health and prayer apps disclosed a problematic lack of concern around user security and privacy. Last Monday, Mozilla published the findings of new research about these kinds of apps, which mostly deal with sensitive issues like depression, anxiety, mental health awareness, PTSD, domestic violence, etc., and religion-based services. Mozilla's recent "Privacy Not Included," guide says that even though these apps manage personal information, they regularly share data, allow easy passwords, pick vulnerable users via targeted ads, and show poorly written and vague privacy policies. 

In a study consisting of 32 applications focused on mental health and religion, Mozilla identified 25 apps that failed to meet its Minimum Security Standards. The privacy standards work as the main highlight for the Privacy Not Included reports. The unauthorized sharing and selling of user data, poor data management services, poor encryption, weak password guidelines, inaccurate vulnerability management system, and different lax privacy policies can lead to the downgrading of a vendor product in accordance with Mozilla's standards. 

Once an app fails to touch these minimum standards, they are labeled with a "the privacy not included" warning tag. Mental health and healing-related applications have received an accolade, but they can't be covered. To protect users' privacy and security, these applications are the worst in any product category that Mozilla experts have investigated or reviewed in the past six years. The examined apps include Better Help, Talkspace, Calm, 7 Cups, Glorify, Wysa, Headspace, and Better Stop Suicide. 

As a result, every one of these apps now has a dedicated slot that users can access to know more about the app's privacy and security rating. According to ZDNet, "while the app gathers some personal information and says that users can reach out to them if they have further queries, they did not respond to Mozilla's attempts at contact and did not mention who "trusted partners'" were when data sharing. Only two applications on the list, PTSD Coach and the AI chatbot Wysa seemed to take data management and user privacy seriously."

Survey: 89% Firms Experienced One or More Successful Email Breach

 

During the past 12 months, 89 percent of firms had one or more successful email intrusions, resulting in significant expenses. 

The vast majority of security teams believe that their email protection measures are useless against the most significant inbound threats, such as ransomware. This is according to a survey of business customers using Microsoft 365 for email commissioned by Cyren and conducted by Osterman Research. The survey examined issues with phishing, business email compromise (BEC), and ransomware threats, attacks that became costly incidents, and readiness to cope with attacks and incidents. 

“Security team managers are most concerned that current email security solutions do not block serious inbound threats (particularly ransomware), which requires time for response and remediation by the security team before dangerous threats are triggered by users,” according to the report.

Less than half of those surveyed felt their companies can prevent email threats from being delivered. Whereas, less than half of firms consider their current email security solutions to be efficient. Techniques to detect and stop mass-mailed phishing emails are seen as the least effective, followed by safeguards against impersonation attacks. 

As a result, it's perhaps unsurprising that nearly every company polled has experienced one or more sorts of email breaches. Overall, successful ransomware attacks have climbed by 71% in the last three years, Microsoft 365 credential compromise has increased by 49%, and successful phishing assaults have increased by 44%, according to the report. 

Email Defences 

When the firms looked into where email defence falls short, they discovered that, surprisingly, the use of email client plug-ins for users to flag questionable communications is on the upswing. According to a 2019 survey, half of the firms now employ an automatic email client plug-in for users to flag questionable email messages for review by skilled security personnel, up from 37% in 2019. The most common recipients of these reports are security operations centre analysts, email administrators, and an email security vendor or service provider, however, 78 percent of firms alert two or more groups. 

In addition, most firms now provide user training on email dangers, according to the survey: More than 99% of companies provide training at least once a year, and one out of every seven companies provides email security training monthly or more regularly. 

“Training more frequently reduces a range of threat markers Among organizations offering training every 90 days or more frequently, the likelihood of employees falling for a phishing, BEC or ransomware threat is less than organizations only training once or twice a year,” as per the report.

Furthermore, the survey discovered that more regular training leads to a higher number of suspicious messages being reported, as well as a higher percentage of these messages being reported as such. The survey also revealed that firms are utilising at least one additional security product to supplement Microsoft 365's basic email protections. However, the survey discovered that their implementation efficacy differs. 

The report explained, “Additive tools include Microsoft 365 Defender, security awareness training technology, a third-party secure email gateway or a third-party specialized anti-phishing add-on. There is a wide range of deployment patterns with the use of these tools.”

The firms came to the conclusion that these kinds of flaws, as well as weak defences in general, result in significant expenses for businesses.

“Costs include post-incident remediation, manual removal of malicious messages from inboxes, and time wasted on triaging messages reported as suspicious that prove to be benign. Organizations face a range of other costs too, including alert fatigue, cybersecurity analyst turnover, and regulatory fines” the report further read.

Spam with an SMS Group Offering Freebies in Return for Direct Debit

 
Unsolicited and unwanted messages which are referred to as spam, are rarely sent from another phone. They often originate on a computer and are delivered to your phone via email or instant messaging. Scammers can transmit them cheaply and easily since they are sent over the internet. Robotexts are a sort of spam text; however, because they are simpler to ignore than robocalls, they are less intrusive. 

Spam texts and robotexts are frequently the beginning of a scam in which the sender hopes to collect personal information about the user to utilize it for fraudulent purposes. These texts put you in danger of identity theft and raise the chances of you installing malware onto your phone unintentionally. 

Spam text messages are often not scams, although they are sometimes. Scammers will deploy a variety of content to deceive you which includes luring keywords like "You've won a prize, a gift card, or a voucher", which you must use, or "You've been offered a credit card with a low or no interest rate". You must take action because there is an issue with your payment information. There's a delivery package notification  potentially requesting you to reschedule a delivery slot or pay a delivery fee to obtain it. If you weren't the one who made the purchase or transaction, you'll be alerted and asked to respond.
  • Remember any reputable organizations will not approach you out of the blue by text message and ask you to reveal personal or financial information. 
  • There are grammatical and spelling mistakes. In client correspondence, legitimate businesses rarely make obvious spelling or grammatical problems. 
  • Is the message of any interest to you? Did you order or expect anything, for example, if it alerts you about a parcel delivery? Did you enter a competition if it informs you about a prize? Is it a gift card from a store where one previously purchased something? 
Why do People continue receiving spam texts, they may utilize technologies to generate numbers automatically, so you may obtain both robocalls and robotexts even if you have a different phone number. Users' data is sold on social networking sites as prominent and well-known social networking sites watch your online behavior and sell such data for advertising. What can one do if they receive a spam text message, don't respond, avoid clicking on any links, and don't give out any personal details. Furthermore, directly go to the company's website and report the scammer. 

One important question that needs to be addressed is: What steps can be taken to protect yourself against spam texts? In order to avoid being scammed via spam texts, users are advised to only give out their personal cell phone number if it is really necessary. Online forms frequently ask for phone numbers, however, users must bear in mind that the information they provide could end up on marketing lists or databases. To help decrease the number of unwanted messages and calls, do not give out your phone number unless it is absolutely necessary, besides, do not make your cell phone number available to the public. For example, avoid putting your mobile phone number on your Facebook, Twitter, or other social media pages. Additionally, keep a close check on your phone bill which includes examining your phone bill regularly. 

Users must note that if they are unsure, they should check the provider's website to see if they are offering freebies in exchange for payment. Although it is more than likely they aren't, it is still preferable to click any of them to find out.

Hotel WiFi Across MENA Compromised, Private Information Leaked

 

Etizaz Mohsin, a Pakistani cybersecurity researcher, was in a hotel room in Qatar when he accidentally discovered a technical vulnerability in the company's internet infrastructure, compromising the personal information of hundreds of hotels and millions of tourists worldwide. 

Mohsin explained, “I discovered that there is an rsync [file synchronisation tool] service running on the device that allows me to dump the device’s files to my own computer. I was able to gain access to all other hotels’ sensitive information that was being stored on the FTP [file transfer protocol] server for backup purposes.” 

He was able to get network configurations for 629 significant hotels in 40 countries, as well as millions of customers' personal information, such as room numbers, emails, and check-in and check-out dates. Information from major hotel chains in Qatar,, Turkey, the United Arab Emirates (UAE), Saudi Arabia, Lebanon, Egypt, Bahrain, Oman, Jordan, Kuwait, and Bahrain, as well as the Kempinski, Millennium, Sheraton, and St Regis in Qatar, Turkey, the United Arab Emirates (UAE), Saudi Arabia, Lebanon, Egypt, Bahrain, Oman, Jordan, Kuwait, and Bahrain was included in the research. 

The hotels all use AirAngel's HSMX Gateway internet technology, which is a British company. Some of the world's most well-known hotel chains are among its clients. Most hotels, stores, restaurants, and cafés need guests to set up an account and fill out their personal information before they may use the internet. It does, however, have some disadvantages. 

Mohsin added, “A public WiFi network is inherently less secure than the one you use at home. It gives hackers access to critical information like banking credentials and account passwords by allowing them to monitor and intercept data transferred across the network.”

Seven years ago, researchers discovered a flaw in hotel routers that affected 277 devices in hotels and convention centres in the US, Singapore, the United Kingdom, the United Arab Emirates, and 25 other countries.

Horde Webmail Software has a 9-year-old Unsecure Email Theft Risk

 

A nine-year-old unsecure security flaw in the Horde Webmail functionality might be exploited to acquire total access to the email accounts merely by viewing an attachment. Horde Webmail is a Horde project-developed free, enterprise-ready, browser-based communication package. Universities and government institutions use this webmail option extensively. 

According to Simon Scannell, a vulnerability researcher at SonarSource, "it provides the hackers to gain access to all confidential and possibly classified documents a user has recorded in an email address and might allow them to obtain further access to an organization's internal services." 

SonarSource detected a stored Xss attack which was implemented with commit 325a7ae, which was 9 years ago. Since the commit on November 30, 2012, the bug has affected all versions. The vulnerability can be exploited by previewing a specially designed OpenOffice document and allowing a malicious JavaScript payload to be executed. The attacker can take all emails sent and received by the victim by exploiting the flaw. 
"An attacker can create an OpenOffice document which will launch a malicious JavaScript payload when converted to XHTML by Horde for preview." the report continues "When a targeted person sees an attached OpenOffice document in the browser, the vulnerability is activated." according to SonarSource experts.

Worse, if an executive account with a personalized, phishing email is successfully hacked, the attacker might use this unprecedented access to take control of the entire webmail service. Despite the vendor's confirmation of the problem, no fixes have been given to the project managers as of August 26, 2021. Horde was contacted for more comments, but none were made to address the situation.

Meanwhile, Horde Webmail users should deactivate the rendering of OpenOffice attachments by adding the 'disable' => true configuration option to the OpenOffice mime handler in the config/mime drivers.php file.

Google Announces Privacy Sandbox on Android to Restrict Sharing of User Data

 

Google announced on Wednesday that it will extend its Privacy Sandbox activities to Android in an effort to broaden its privacy-focused, but less disruptive, advertising technologies beyond the desktop web. To that aim, Google stated it will work on solutions that prohibit cross-app tracking, similar to Apple's App Tracking Transparency (ATT) framework, essentially restricting the exchange of user data with third parties as well as removing identifiers like advertising IDs from mobile devices. 

Anthony Chavez, vice president of product management for Android security and privacy, stated, "The Privacy Sandbox on Android builds on our existing efforts on the web, providing a clear path forward to improve user privacy without putting access to free content and services at risk." 

Google's Privacy Sandbox, which was announced in 2019, is a collection of technologies that will phase out third-party cookies and limit covert monitoring, such as fingerprinting, by reducing the number of information sites that can access to keep track of users online behavior. 

The Alphabet Inc. company, which makes the majority of its revenue from advertising, says it can safeguard phone users' data while still providing marketers and app developers with new technology to deliver targeted promotions and measure outcomes. According to Anthony Chavez, vice president of product management for Android Security & Privacy, the proposed tools for the Android mobile operating system would limit the app makers' ability to share a person's information with third parties and prohibit data monitoring across several apps. Google stated the tools would be available in beta by the end of 2022, followed by "scaled testing" in 2023. Chavez said in an interview that the best path forward is an approach “that improves user privacy and a healthy mobile app ecosystem. We need to build new technologies that provide user privacy by default while supporting these key advertising capabilities." 

Google is aiming to strike a balance between the financial needs of developers and marketers and the expanding demands of privacy-conscious consumers and regulators. The company is gathering feedback on the proposal, similar to how its Privacy Sandbox effort is gradually building a new online browsing privacy standard. Google's initial idea was met with derision from UK authorities and lawmakers, but the corporation has subsequently proposed serving adverts based on themes a web user is interested in that are erased and replaced every three weeks. 

Meta Platforms Inc., the parent company of Facebook, has been at odds with Apple over the company's App Monitoring Transparency tool, which allows iPhone users to turn off tracking across all of their apps. According to executives, Google's YouTube has taken a minor financial hit as a result of the technology. In other words, it makes it more difficult for marketers to verify whether their iPhone advertising was effective. 

According to Chavez, the Android Privacy Sandbox would enable tailored advertising based on recent "topics" of interest, and enable attribution reporting, which will tell marketers if their ad was effective.

ICO Struck by 2650% Rise in Email Attacks in 2021

 

The UK's Information Commissioner's Office (ICO) reported a whopping 2650% spike in email attacks in 2021, as per official numbers acquired by the Parliament Street think tank following a Freedom of Information request, 

Email attacks on the UK's privacy and data protection regulator increased from 150,317 in January to 4,135,075 in December, according to the findings. For each month last year, the data refers to the volume of phishing emails discovered, malware detected and prevented, and spam detected and blocked by the ICO. 

The majority of the attacks were caused by spam emails, which increased by 2775 % from January to December. During this time, the number of phishing emails climbed by 20%, while malware increased by 423 percent. 

In December, the statistics revealed a significant increase in email attacks, with 4,125,992 spam messages, 7886 phishing emails, and 1197 malware cases. This increase is likely to be linked to the Omicron variant's rapid spread in the UK at the end of the year, with threat actors able to use issues like testing and immunizations as bait. This is in addition to the Christmas scams that proliferate in the build-up to the holidays. 

Edward Blake, area vice president EMEA of Absolute Software, commented: “Cyber-attacks are targeting organizations across the globe at an alarming rate, once again reminding businesses of the need to re-evaluate and revamp their security protection if it is not up to scratch. Cybersecurity is not just about protecting endpoints via anti-malware or email cybersecurity solutions. While these are important, there are now a variety of access points for cyber-criminals to capitalize on that IT leaders need to be aware of. These include vulnerable unpatched applications and network vulnerabilities, stolen or illegally purchased log-in credentials or even by hacking unprotected smart devices.” 

Barracuda Networks' manager, Steven Peake, expressed similar concerns, saying: “The pandemic continues to be a catalyst for opportunistic cyber-criminals to try and prey on unsuspecting, vulnerable people. Our recent research showed a 521% surge in COVID-19 test-related phishing attacks, so it is hardly surprising to see major organizations, such as the ICO, hit by such a high volume of threats as they represent lucrative targets. Phishing emails, malware, and spam, in particular, account for a large proportion of the threats these organizations face, so they need to implement measures to protect themselves. These cyber-attackers aren’t going anywhere anytime soon.” 

As part of its plans to reform the country's data sector, the UK government announced plans to revamp the ICO's structure last year.

More than 90% of Russians do not Finish Reading User Agreements on the Internet

A study by the information security company ESET showed that Russian Internet users do not read user agreements on websites in 81% of cases. 

13% of respondents said that they completely ignore the submitted contracts and agree with them without looking. Nearly half of Russians (49%) are either vague about user agreements on the Internet or have no idea what they mean. The absolute majority (92%) do not worry if their data is transferred to third parties: they do not try to leave the site or application, in the user agreement of which such a function is indicated. 

In comparison with citizens of Europe and the United States, Russians, in general, are less responsible for reading user agreements, said Fedor Muzalevsky, Director of the technical department of RTM Group. Experts noted that the reason for the digital illiteracy of Russians maybe those user agreements in the Russian Federation began to be applied later than in Western countries. 

Negligent attitude to user agreements can be fraught with consequences, warned Kirill Podgorny, Director of the ESET Marketing Department. According to him, there are sometimes exotic or impossible conditions in contracts. 

"A good example is the experiment of the British wireless Internet operator Purple, which introduced the clause "I undertake to go to voluntary work on cleaning public toilets" into the agreement. Out of 22 thousand users who agreed with the terms of service, only one noticed this point and complained to the provider," the experts said. 

However, far more often there are potentially dangerous ones. Thus, a condition on automatic consent to the processing of personal data is illegally added to user agreements, said Lyudmila Kurovskaya, head of the Center for Legal Assistance to Citizens in the Digital Environment.

"When citizens submit their data without going into the purpose of its processing, automatically check the boxes on websites and report excessive information about themselves, it can create conditions for leakage of their personal data," she said.

Experts Named the Most Popular Passwords of Russians

 

Passwords consisting of simple sequences of letters and numbers became the most popular passwords in Runet in 2021. Combinations qwerty123, qwerty1 and 123456 take top lines of the rating, the fourth place goes to a11111 and fifth place to 123456789. It is noted that among Cyrillic passwords, the most common are "password", "love", "hello" and "natasha". 

Analysts have studied 35.5 billion unique pairs of logins and passwords, including 250 million new ones. According to their data, only 3.5 percent of passwords can be called complex, and 16.5 percent are long. 

According to Alexei Drozd, head of information security at SerchInform, users risk losing access to their pages and personal accounts on various resources using easy passwords in the absence of two-factor authentication. He warned that it's especially dangerous if fraudsters gain access to a person's main mailbox. Then attackers will have an opportunity to take possession of more information, resetting the password from other services. 

For example, passwords are checked for security every time users enter them to access Yandex services: a database of 1.2 billion compromised credentials is used for this purpose. The same check is carried out in VKontakte. Google said that they are advised to think up a password length of at least 12 characters, such as a quote from a movie or a line from your favorite poem. 

Sergei Ivanov, Director of Product Strategy at T1 Group, said that the most common password-guessing technique is called brute force, which has long been used by cybercriminals. It is when anthologies of popular passwords and word directories are attached to the software code. He specified that a combination of six Latin letters of the same case can be found in 31 seconds, assuming the search speed of 10 million passwords per second. It would take only 95 minutes to crack a password consisting of six symbols (letters in different registers and numbers). If the password contains 10 symbols, it will take 2.5 years.

Due to Security Reasons, Chrome will Limit Access to Private Networks

 

Google has announced that its Chrome browser will soon ban websites from querying and interacting with devices and servers inside local private networks, due to security concerns and past abuse from malware. 

The transition will occur as a result of the deployment of a new W3C specification known as Private Network Access (PNA), which will be released in the first half of the year. The new PNA specification introduces a feature to the Chrome browser that allows websites to request permission from computers on local networks before creating a connection.

“Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true,” as perEiji Kitamura and Titouan Rigoudy, Google. 

Internet websites will be prohibited from connecting if local hardware such as servers or routers fails to respond. One of the most important security features incorporated into Chrome in recent years is the new PNA specification. 

Cybercriminals have known since the early 2010s that they can utilize browsers as a "proxy" to relay connections to a company's internal network. For example, malicious code on a website could attempt to reach an IP address such as 192.168.0.1, which is the standard address for most router administrative panels and is only reachable from a local network. 

When users visit a fraudulent site like this, their browser can issue an automatic request to their network without their permission, transmitting malicious code that can evade router authentication and change router settings. 

These types of attacks aren't simply theoretical; they've happened previously, as evidenced by the examples provided here and here. Other local systems, such as internal servers, domain controllers, firewalls, or even locally-hosted apps (through the http://localhost domain or other locally-defined domains), could be targeted by variations of these internet-to-local network attacks. Google aims to prevent such automated attacks by incorporating the PNA specification into Chrome and its permission negotiation system. 

According to Google, PNA was included in Chrome 96, which was published in November 2021, but complete support will be available in two parts this year, with Chrome 98 (early March) and Chrome 101 (late May).

City of Grass Valley, California, Suffers Data Breach

 

After discovering about the breach, Grass Valley stated that they took quick steps to safeguard their networks, alerted law enforcement, and launched an investigation with the help of a cybersecurity firm.

The information of employees, citizens, and others was duplicated and transmitted to another network, according to more details about a significant data breach at the City of Grass Valley, California. The city council previously admitted that "unauthorised access" to its networks occurred between April 13 and July 1, 2021, according to a statement. 

The scope of the attack has now been determined, with the malicious actor transferring files outside of the city's network, including the financial and personal information of "individuals associated with Grass Valley," according to the investigation. The following information was accessed: 
  • Grass Valley employees, former employees, spouses, dependents, and individual vendors, name and one or more of the following: Social Security number, driver’s license number, and limited medical or health insurance information. 
  • Individual vendors that were employed by the city, name, and Social Security number. 
  • Individuals whose information may have been provided to the Grass Valley Police Department, name and one or more of the following: Social Security number, driver’s license number, financial account information, payment card information, limited medical or health insurance information, passport number, and username and password credentials to an online account.
  • Individuals whose data was provided to the Grass Valley Community Development Department in loan application documents, name and one or more of the following: Social Security number, driver’s license number, financial account numbers, and payment card numbers. 
Grass Valley stated it started contacting those affected on January 7 and has notified the appropriate authorities, including law enforcement. For everyone affected by the hack, the city is also providing free credit monitoring services. 

It noted, “Grass Valley sincerely regrets that this incident occurred and apologizes for any inconvenience or concern. To help prevent something like this from happening again, Grass Valley continues to review its systems and is taking steps to enhance existing security protocols.”

Swiss Army Bans WhatsApp at Work

 

A spokesman for the Swiss army announced Thursday that the use of WhatsApp while on duty has been prohibited, in favour of a Swiss messaging service regarded more safe in terms of data security. 

Using other messaging applications like Signal and Telegram on soldiers' personal phones during service activities is likewise barred. 

Commanders and chiefs of staff got an email from headquarters at the end of December advising that their troops switch to the Swiss-based Threema. According to army spokesman Daniel Reist, the recommendation applies "to everyone," including conscripts serving in the military and those returning for refresher courses. 

Switzerland is known for its neutrality. However, the landlocked European country's long-standing position is one of armed neutrality and has mandatory conscription for men.

During operations to assist hospitals and the vaccination campaign in Switzerland's efforts to prevent the Covid-19 pandemic, the concern of using messaging apps on duty came up, as per Reist. The Swiss army will bear the cost of downloading Threema, which is already used by other Swiss public agencies, for four Swiss francs ($4.35, 3.85 euros). 

Other messaging services, such as WhatsApp, are governed by the US Cloud Act, which permits US authorities to access data held by US operators, even if it is stored on servers located outside of the nation. Threema, which claims to have ten million users, describes itself as an instant messenger that collects as little data as possible. It is not supported by advertisements. 

The company states on its website, "All communication is end-to-end encrypted, and the app is open source." 

According to an army spokesman mentioned in a Tamedia daily report, data security is one of the reasons for the policy change. As per local surveys, WhatsApp is the most popular messenger app among 16- to 64-year-olds in Switzerland.

Morgan Stanley to Pay $60M to Resolve Data Security Lawsuit

 

Morgan Stanley agreed to pay $60 million in a preliminary settlement of a class-action lawsuit filed against the company on Friday, according to Reuters, for allegedly neglecting to secure customers' personal data before retiring outdated information technology. 

The settlement offer awaits the approval of New York District Judge Analisa Torres. The lawsuit was filed on behalf of around 15 million Morgan Stanley clients in response to two separate occurrences that occurred in 2016 and 2019. 

Morgan Stanley decommissioned two wealth management data centres in the first incident. Before removing the unencrypted computer equipment from the centres, the bank's vendor, Triple Crown, was tasked with deleting or destroying it. Even after it had left the vendor's control, this device was later discovered to contain data. According to Morgan Stanley, the vendor removed the devices and resold them to a third party without permission. 

As part of a hardware refresh programme, the second incident entailed the replacement and removal of branch office equipment. The bank was unable to discover some of these devices, which could have retained previously deleted information on discs in an unencrypted version due to a software error. 

Customers will receive a minimum of two years of fraud insurance coverage as part of the proposed settlement, as well as compensation for up to $10,000 in related out-of-pocket losses. The bank also stated that it would improve its data security procedures. 

Morgan Stanley maintains that there was no wrongdoing on its part, even though it is seeking a settlement. In a move to dismiss the complaint filed in August 2021, the bank said that despite extensive investigations and ongoing surveillance over the years, it has not discovered a single instance of data misuse generated from any of its own sources. Morgan Stanley was fined $60 million in civil penalties in October 2020 for failing to adequately supervise the decommissioning of its data centres in 2016. 

The Office of the Comptroller of the Currency imposed the penalty after discovering that the bank: failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.

NCSC Urges Customers to Stay Aware About Scams On E-commerce Platforms

 

National Cyber Security Centre (NCSC) made a final request to customers prior to the busiest weekend before Christmas, to be aware of fraud and data theft attacks. The GCHQ agency requested customers to secure their devices, be informed about unsolicited messages, and reduce the size of information they input into online shopping websites and e-commerce websites. As per the banking body of UK Finance, around €22 bn was spent online on Christmas shopping last year because of the Covid-19 pandemic. 

Currently, with the rise of the Omicron variant, 2021 probably experienced a similar pattern, risking more customers vulnerable online. The attacks may come in many forms, it may include phishing emails having fake shipping details, and fake warnings about hacked accounts or fake gift cards which require the user to share personal details in order to use the offers. Customers may also be contacted through social media messages and emails having "unbelievable" offers for popular discount gift items, like electronics. Once the customer falls for these tricks, he loses his money along with banking details and personal information, which is stolen by the hackers. 

As per NCSC, the urge to buy last moment presents during a festival may be a reason that customers fall victim to such attacks easily. In order to be safe, users can follow some practical steps like having a strong password on websites before placing an order. It is advised to use strong, unique passwords with two-factor authentication for every account, especially banking, email and payment services. Online customers are also advised to avoid unsolicited notifications, particularly messages linked to suspicious websites, and platforms that depend on payment with a credit card. 

Lastly, customers should log in as guests while making a purchase to avoid revealing too much personal information. As per NCSC, "if you think your credit or debit card has been used by someone else, let your bank know straight away so they can block anyone using it. Always contact your bank using the official website or phone number. Don't use the links or contact details in the message you have been sent or given over the phone."

The State Duma supported the blocking of Tor in Russia

Since December 1, Russian users have started reporting problems connecting to the Tor network, which is used to connect anonymously to the Internet.

State Duma deputies believe that restricting access to the Tor browser in Russia will make it possible to resist crime more effectively, the blocking process itself will be lengthy and difficult, but Roskomnadzor is improving technologies.

"All over the world, there is a fight against the negative sides of the Internet: online fraud, the distribution of illegal content (child pornography), the sale of personal and payment data of users, the distribution of drugs and weapons," said Alexander Khinshtein, head of the State Duma Committee on Information Policy, Information Technology and Communications.

The parliamentarian recalled that Russia is working to combat cyber fraud systematically and quite effectively, a number of relevant laws have already come into force. For example, blocking mobile phones on the territory of correctional institutions, as well as blocking calls from fake numbers from abroad under the guise of Russian ones.

He also stressed that blocking the darknet is a necessary step towards creating a secure digital environment. According to him, the darknet is an obvious concentration of all the most negative, illegal things that exist in the real and digital world today.

In turn, Anton Gorelkin, the deputy chairman of the State Duma Committee on Information Policy, Information Technology and Communications, wrote in his Telegram channel that he welcomes the decision of Roskomnadzor to start blocking Tor. He added that 60% of Tor's costs are covered by funding from the US government.

The Tor developers themselves note that Russia is the second country in the world in terms of the number of browser users, it is used by more than 300 thousand Russians. "Blocking Tor will not hurt those who do not sell stolen personal and payment data of people, are not interested in child pornography and the purchase of drugs," Mr. Gorelkin stressed.

Russian users reported blocking Tor

 On December 1, users from Moscow began to report problems with access. It is claimed that Tor was blocked by Rostelecom. "On the night of December 3, several telecom operators, including Rostelecom, MTS, Tele 2 and others, reported network malfunctions," the OONI online censorship tracking project reported.

The expert noted that indirect signs such as meta-information in packets can be used to block traffic in Tor. He added that access to Tor can be blocked by blocking specific servers by IP.

"So far, the use of "bridges" helps <...>, but the lists of bridges are also quite public," Misbakh-Solovyov added. Bridges are anonymous user nodes that do not send information about their IP to the provider's servers. The developers claim that this connection method allows to connect to the network even in countries where Tor is officially blocked.

Anton Gorelkin, deputy chairman of the State Duma Committee on Information Policy, Information Technologies and Communications, said that "the restriction of VPNs and anonymizers will have a positive impact on the Russian segment of the network. It will protect Russians from discursive content, all scammers. The founders of Tor, hiding behind a pseudo-liberal agenda, created a service that became an infrastructure for fraudsters, drug sales. This is the entrance to the darknet, where stolen databases and fraudulent schemes are concentrated. Blocking Tor is not only about protecting citizens from destructive content. Blocking will improve the network climate in general. On one side of the scale are some pseudo-liberal values, and on the other side — drug sales, destructive content, scammers."

In 2017, anonymizers and blocking bypass tools were banned in Russia. Since June 2021, Roskomnadzor began blocking VPN services, arguing that their use retains access to child pornography, illegal information about drugs and extremism.