password security | Breaking Cybersecurity News | The Hacker News

Category — password security
What the CISA Reporting Rule Means for Your IT Security Protocol

Dec 02, 2022 Incident Reporting / Password Policy
The new Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires CISA to create rules regarding cyber incident reporting by critical infrastructure organizations. The RFI and hearings precede a Notice of Proposed Rulemaking (NPRM) that CISA must publish sooner than 24 months from the enactment of CIRCIA, which the President signed into law in March. The sessions and NPRM are steps toward creating the new rule. CISA is soliciting expert opinion on what to include in a report but is taking steps to implement the change soon. Here's what that change means for businesses in the US and what you can do about it now. Overview of the CISA reporting rule: Owners and operators of critical infrastructure must file cyber incident reports with CISA within 72 hours. They must report ransom payments for ransomware attacks within 24 hours. Other businesses can take part voluntarily. The CISA D...
Why Ransomware in Education on the Rise and What That Means for 2023

Oct 24, 2022
The breach of LA Unified School District (LAUSD) highlights the prevalence of password vulnerabilities, as criminal hackers continue to use breached credentials in increasingly frequent ransomware attacks on education. The Labor Day weekend breach of LAUSD brought significant districtwide disruptions to access to email, computers, and applications. It's unclear what student or employee data the attackers exfiltrated. There is a significant trend in ransomware breaches in education, a highly vulnerable sector. The transitory nature of students leaves accounts and passwords vulnerable. The open environments schools create to foster student exploration and the relative naivete in the sector regarding cybersecurity invite attacks. The breach at LAUSD and what happened afterward: Four days post-breach, reports came that criminals had offered credentials for accounts inside the school district's network for sale on the dark web months before the attack. The stolen...
Hackers Had Access to LastPass's Development Systems for Four Days

Sep 17, 2022
Password management solution LastPass shared more details pertaining to the security incident last month, disclosing that the threat actor had access to its systems for a four-day period in August 2022. "There is no evidence of any threat actor activity beyond the established timeline," LastPass CEO Karim Toubba said in an update shared on September 15, adding, "there is no evidence that this incident involved any access to customer data or encrypted password vaults." LastPass in late August revealed that a breach targeting its development environment resulted in the theft of some of its source code and technical information, although no further specifics were offered. The company, which said it completed the probe into the hack in partnership with incident response firm Mandiant, noted the access was achieved using a developer's compromised endpoint. While the exact method of initial entry remains "inconclusive," LastPass noted the adversary...
Shopify Fails to Prevent Known Breached Passwords

Sep 08, 2022
A recent report revealed that ecommerce provider Shopify uses particularly weak password policies on the customer-facing portion of its website. According to the report, Shopify requires its customers to use a password that is at least five characters in length and that does not begin or end with a space. According to the report, Specops researchers analyzed a list of a billion passwords that were known to have been breached and found that 99.7% of those passwords adhere to Shopify's requirements. While this is not meant to suggest that Shopify customers' passwords have been breached, the fact that so many known breached passwords adhere to Shopify's minimum password requirements does underscore the dangers associated with using weak passwords. The danger of weak passwords in your Active Directory: A recent study by Hive Systems echoes the dangers of using weak passwords. The study examines the amount of time that would be required to brute force crac...
Stop Worrying About Passwords Forever

Sep 01, 2022
So far, 2022 confirms that passwords are not dead yet. Neither will they be anytime soon. Even though Microsoft and Apple are championing passwordless authentication methods, most applications and websites will not remove this option for a very long time. Think about it: internal apps that you do not want to integrate with third-party identity providers, government services, legacy applications, and even SaaS providers may not want to invest in new integrations or restrict their existing authentication methods. After all, online businesses are interested in user traction, and security usually brings friction. For example, a few days ago, Kickstarter sent out millions of password reset emails "simplifying its login process," including for people that used social login without a password. Though you may be able to remove passwords from many enterprise components, a large portion of third-party providers, government portals, business suppliers, and SaaS services will st...
Hackers Breach LastPass Developer System to Steal Source Code

Aug 26, 2022
Password management service LastPass confirmed a security incident that resulted in the theft of certain source code and technical information. The security breach is said to have occurred two weeks ago, targeting its development environment. No customer data or encrypted passwords were accessed, although the company provided no further details regarding the hack and what source code was stolen. "An unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information," LastPass CEO Karim Toubba said. Amidst ongoing investigation into the incident, the company said it has engaged the services of a leading cybersecurity and forensics firm and that it has implemented additional countermeasures. LastPass, however, didn't elaborate on the exact mitigation techniques that it used to strengthen its environment. It also reiterated that...
Credential Theft Is (Still) A Top Attack Method

Aug 15, 2022
Credential theft is clearly still a problem. Even after years of warnings, changing password requirements, and multiple forms of authentication, password stealing remains a top attack method used by cyber criminals. The latest report from the Ponemon Institute shares that 54% of security incidents were caused by credential theft, followed by ransomware and DDoS attacks. 59% of organizations aren't revoking credentials that are no longer needed, meaning passwords can go unattended and dormant like a sitting duck (similar to what happened with Colonial Pipeline). And Verizon's Data Breach Investigations Report cites that nearly 50% of all data breaches were caused by stolen credentials. The stats don't lie. Cybercriminals are advancing, there's no doubt, but if there's an option to take the path of least resistance, they'll take it. Too often, that means compromising passwords and exploiting vulnerable access points. Credential Theft and Criti...
What the Zola Hack Can Teach Us About Password Security

Aug 11, 2022
Password security is only as strong as the password itself. Unfortunately, we are often reminded of the danger of weak, reused, and compromised passwords with major cybersecurity breaches that start with stolen credentials. For example, in May 2022, the popular wedding planning site, Zola, was the victim of a significant cybersecurity breach where hackers used an attack known as credential stuffing. It resulted in fraudulent activity tied to customer accounts. Let's look at the Zola breach and why it emphasizes the need for organizations to bolster their password security and protect against various types of password attacks. What happened with the Zola attack? Instead of going after Zola's core business-critical infrastructure, hackers went after customer accounts with the May attack. Attackers used an age-old technique called credential stuffing to compromise several Zola customer accounts. With access to the compromised accounts, they attempted to purchase gift ...
Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users

Aug 06, 2022
Slack said it took the step of resetting passwords for about 0.5% of its users after a flaw exposed salted password hashes when creating or revoking shared invitation links for workspaces. "When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members," the enterprise communication and collaboration platform said in an alert on 4th August. Hashing refers to a cryptographic technique that transforms any form of data into a fixed-size output (called a hash value or simply hash). Salting is designed to add an extra security layer to the hashing process to make it resistant to brute-force attempts. The Salesforce-owned company, which reported more than 12 million daily active users in September 2019, didn't reveal the exact hashing algorithm used to safeguard the passwords. The bug is said to have impacted all users who created or revoked shared invitation links between 17 ...
Stop Putting Your Accounts At Risk, and Start Using a Password Manager

Jul 30, 2022
Right Now, Get 50% Off Keeper, the Most Trusted Name in Password Management. In one way or another, almost every aspect of our lives is online, so it's no surprise that hackers target everything from email accounts to banks to smart home devices, looking for vulnerabilities to exploit. One of the easiest exploits is cracking a weak password. That's why using a strong, unique password for each individual account is so important. But creating and remembering strong, unique passwords for dozens of accounts is nearly impossible – unless you're using a top-rated password manager like Keeper. The Problem With Weak Passwords: A strong password should be a minimum of 12 characters long, with uppercase and lowercase letters, numbers, and one or more special characters. More importantly, it shouldn't contain dictionary words or personal information like birthdays or names. But the average American has 100 passwords. Maybe that's why...
Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability

Jul 21, 2022
Atlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting the Questions For Confluence app for Confluence Server and Confluence Data Center. The flaw, tracked as CVE-2022-26138, arises when the app in question is enabled on either of two services, causing it to create a Confluence user account with the username "disabledsystemuser." While this account, Atlassian says, is to help administrators migrate data from the app to Confluence Cloud, it's also created with a hard-coded password, effectively allowing viewing and editing all non-restricted pages within Confluence by default. "A remote, unauthenticated attacker with knowledge of the hard-coded password could exploit this to log into Confluence and access any pages the confluence-users group has access to," the company said in an advisory, adding that "the hard-coded password is trivial to obtain after downloading an...
The Added Dangers Privileged Accounts Pose to Your Active Directory

May 26, 2022
In any organization, there are certain accounts that are designated as being privileged. These privileged accounts differ from standard user accounts in that they have permission to perform actions that go beyond what standard users can do. The actions vary based on the nature of the account but can include anything from setting up new user accounts to shutting down mission-critical systems. Privileged accounts are essential tools. Without these accounts, the IT staff would be unable to do its job. At the same time, privileged accounts can pose a serious threat to an organization's security. Added risk of a privileged account: Imagine for a moment that a hacker manages to steal a standard user's password and is able to log in as that user. Even though the hacker would have access to certain resources at that point, they would be constrained by the user's privileges (or lack thereof). In other words, the hacker would be able to browse the Internet, open some applications, and ac...
Learn How Hackers Can Hijack Your Online Accounts Even Before You Create Them

May 25, 2022
Malicious actors can gain unauthorized access to users' online accounts via a new technique called "account pre-hijacking," latest research has found. The attack takes aim at the account creation process that's ubiquitous in websites and other online platforms, enabling an adversary to perform a set of actions before an unsuspecting victim creates an account in a target service. The study was led by independent security researcher Avinash Sudhodanan in collaboration with Andrew Paverd of the Microsoft Security Response Center (MSRC). Pre-hijacking banks on the prerequisite that an attacker is already in possession of a unique identifier associated with a victim, such as an email address or phone number, information which can be obtained either from scraping the target's social media accounts or credential dumps circulating on the web as a result of countless data breaches. The attacks can then play out in five different ways, including the use of the same em...
Web Trackers Caught Intercepting Online Forms Even Before Users Hit Submit

May 19, 2022
New research published by academics from KU Leuven, Radboud University, and the University of Lausanne has revealed that users' email addresses are exfiltrated to tracking, marketing, and analytics domains before such information is submitted and without prior consent. The study involved crawling 2.8 million pages from the top 100 websites, and found that as many as 1,844 websites allowed trackers to capture email addresses before form submission in the European Union, a number that jumped to 2,950 when the same set of websites was visited from the U.S. "Emails (or their hashes) were sent to 174 distinct domains (eTLD+1) in the U.S. crawl, and 157 distinct domains in the EU crawl," the researchers said. Furthermore, 52 websites were determined to be collecting passwords in the same manner, an issue that has since been addressed following responsible disclosure. LiveRamp, Taboola, Adobe, Verizon, Yandex, Meta Platforms, TikTok, Salesforce, Listrak, and Oracle...
Experts Detail Saintstealer and Prynt Stealer Info-Stealing Malware Families

May 10, 2022
Cybersecurity researchers have dissected the inner workings of an information-stealing malware called Saintstealer that's designed to siphon credentials and system information. "After execution, the stealer extracts username, passwords, credit card details, etc.," Cyble researchers said in an analysis last week. "The stealer also steals data from various locations across the system and compresses it in a password-protected ZIP file." A 32-bit C# .NET-based executable with the name "saintgang.exe," Saintstealer is equipped with anti-analysis checks, opting to terminate itself if it's running either in a sandboxed or virtual environment. The malware can capture a wide range of information that ranges from taking screenshots to gathering passwords, cookies, and autofill data stored in Chromium-based browsers such as Google Chrome, Opera, Edge, Brave, Vivaldi, and Yandex, among others. It can also steal Discord multi-factor authentication toke...